GDPR POLICY

This GDPR policy explains how Kirsty Bowen Photography collects, uses, stores, and protects personal data in the context of school and nursery photography.

1. Data Collected
I may collect the following types of data:

  • Identity Data: first name, last name, username, marital status, title, gender.
  • Contact Data: billing address, delivery address, email address, telephone numbers.
  • Financial Data: bank account and payment card details.
  • Transaction Data: details about payments and purchases.
  • Technical Data: IP addresses, browser type, time zone, location, operating system, platform, and other device technology.
  • Profile Data: username, password, purchases or orders, preferences, feedback, survey responses.
  • Usage Data: information about how you use my website, products, and services.
  • Marketing and Communications Data: preferences for receiving marketing communications.

Sensitive Data: I do not collect any sensitive data, including details about race, religion, sexual orientation, political opinions, trade union membership, health, or biometric data.

Contractual Commitments: Where required by law or contract, I must collect certain data to provide services. If not provided, services may be cancelled with notification.

Data Collection Methods:

  • Direct Interactions: Data provided via forms, email, phone, or feedback.
  • Automatic Collection: Technical and usage data collected via the website.

2. Scope
This policy applies only to actions of Kirsty Bowen Photography and users with respect to this website. It does not extend to external websites linked from my site.

I am the data controller, determining the purposes and manner of data processing.

3. Data Storage and Security
  • Images are stored securely on password-protected business systems.
  • No data is stored on unencrypted devices (personal phones, USB sticks).
  • Hard copies of data/photos are kept in locked storage.
  • Only business-owned equipment is used for photography.
  • Images are retained for the agreed ordering period (up to 18 months) and then securely deleted, unless specific marketing consent has been given.

4. Sharing Data and Third Parties
Data may be shared with:
  • Employees, agents, or professional advisors to enable service delivery.
  • IT and system administration service providers.
  • Print labs.
  • Professional advisers (lawyers, auditors, bankers, insurers).
  • HM Revenue & Customs and other regulatory authorities.

All third parties must respect data security, process data only for specified purposes, and comply with GDPR.

Current third-party processors include:
  • Client Management System: Dubsado
  • Client Photo Galleries: PicTime
  • School Photo Galleries: GotPhoto

Security Measures:
  • Access to accounts is controlled by unique username/password.
  • Data is stored on secure servers.

5. Rights of Individuals
Individuals have the right to:
  • Access: request copies of information held, or modifications/deletions.
  • Correct: rectify inaccurate or incomplete data.
  • Erase: request deletion of data.
  • Restrict: block or limit data use.
  • Data Portability: request transfer or copying of data.
  • Object: object to processing, including where legitimate interests are used.

6. Safeguarding
I follow a safeguarding policy: Safeguarding Policy

7. Consent for Photography
  • Photography consent is obtained and confirmed by the school or nursery. I do not obtain consent directly from parents or children. 
  • Where consent is not given, discreet systems (e.g., colored stickers) are used to avoid photographing children without singling them out.
  • Children are never excluded from activities for lack of photography consent.

8. Data Breaches and Incident Response
  • All breaches are assessed and contained immediately.
  • If the breach could affect individuals’ rights or safety, I will notify the Information Commissioner’s Office (ICO) within 72 hours.
  • Parents, schools, and affected individuals will be informed of high-risk breaches.
  • Records of all breaches, actions taken, and outcomes are maintained.

9. Data Retention
Kirsty Bowen Photography will only keep personal data and images for as long as necessary to provide the agreed services and comply with legal obligations.
  • Student data and class lists will be securely deleted within 3 months after gallery delivery.
  • Edited images will be retained for up to 18 months for reorders or dispute resolution. 
  • RAW/ files will be kept for up to 6 months.
  • Contracts, invoices, and financial records will be kept for 6 years in line with HMRC requirements.
  • Any images used for marketing or promotion will only be retained with valid consent and deleted within 2 years of consent withdrawal.

All personal data is stored securely and handled in accordance with UK GDPR and the Data Protection Act 2018.

10. Marketing and Image Use
  • Marketing communications are sent only to those who have requested information, purchased services, or provided consent.
  • Opt-out is available via links in messages or by contacting hello@kirstybowen.com.
  • Images for marketing, portfolio, or website use are only used with separate, explicit parental consent.
  • Promotional photography is planned and agreed with parents and schools.

11. Accountability and Policy Updates
  • I am responsible for GDPR compliance.
  • Procedures are regularly reviewed to ensure compliance.
  • Changes to this policy will be communicated via my website.
  • A record of processing activities is maintained, detailing purposes, categories, storage, retention, and sharing.
  • All third-party providers comply with GDPR, with contracts in place.

12. Contact Information & Reporting Concerns
For any concerns, please contact:
Kirsty Bowen, Business Owner
Email: kirsty@kirstybowen.com
Website: www.schools.kirstybowen.com

This policy is reviewed annually.

Policy last reviewed: January 2025
Signed: Kirsty Bowen
