GDPR

GDPR POLICY

This GDPR policy explains how Kirsty Bowen Photography collects, uses, stores, and protects personal data in the context of school and nursery photography.

1. Data Collected
I may collect the following types of data:

  • Identity Data: first name, last name, username, marital status, title, gender.
  • Contact Data: billing address, delivery address, email address, telephone numbers.
  • Financial Data: bank account and payment card details.
  • Transaction Data: details about payments and purchases.
  • Technical Data: IP addresses, browser type, time zone, location, operating system, platform, and other device technology.
  • Profile Data: username, password, purchases or orders, preferences, feedback, survey responses.
  • Usage Data: information about how you use my website, products, and services.
  • Marketing and Communications Data: preferences for receiving marketing communications.

Sensitive Data: I do not collect any sensitive data, including details about race, religion, sexual orientation, political opinions, trade union membership, health, or biometric data.

Contractual Commitments: Where required by law or contract, I must collect certain data to provide services. If not provided, services may be cancelled with notification.

Data Collection Methods:

  • Direct Interactions: Data provided via forms, email, phone, or feedback.
  • Automatic Collection: Technical and usage data collected via the website.

2. Scope
This policy applies only to actions of Kirsty Bowen Photography and users with respect to this website. It does not extend to external websites linked from my site.

I am the data controller, determining the purposes and manner of data processing.

3. Data Storage and Security
  • Images are stored securely on password-protected business systems.
  • No data is stored on unencrypted devices (personal phones, USB sticks).
  • Hard copies of data/photos are kept in locked storage.
  • Only business-owned equipment is used for photography.
  • Images are retained for the agreed ordering period (up to 18 months) and then securely deleted, unless specific marketing consent has been given.

4. Sharing Data and Third Parties
Data may be shared with:
  • Employees, agents, or professional advisors to enable service delivery.
  • IT and system administration service providers.
  • Print labs.
  • Professional advisers (lawyers, auditors, bankers, insurers).
  • HM Revenue & Customs and other regulatory authorities.

All third parties must respect data security, process data only for specified purposes, and comply with GDPR.

Current third-party processors include:
  • Client Management System: Dubsado
  • Client Photo Galleries: PicTime
  • School Photo Galleries: GotPhoto

Security Measures:
  • Access to accounts is controlled by unique username/password.
  • Data is stored on secure servers.

5. Rights of Individuals
Individuals have the right to:
  • Access: request copies of information held, or modifications/deletions.
  • Correct: rectify inaccurate or incomplete data.
  • Erase: request deletion of data.
  • Restrict: block or limit data use.
  • Data Portability: request transfer or copying of data.
  • Object: object to processing, including where legitimate interests are used.

6. Safeguarding
I follow a safeguarding policy: Safeguarding Policy

7. Consent for Photography
  • Photography consent is obtained and confirmed by the school or nursery. I do not obtain consent directly from parents or children. 
  • Where consent is not given, discreet systems (e.g., colored stickers) are used to avoid photographing children without singling them out.
  • Children are never excluded from activities for lack of photography consent.

8. Data Breaches and Incident Response
  • All breaches are assessed and contained immediately.
  • If the breach could affect individuals’ rights or safety, I will notify the Information Commissioner’s Office (ICO) within 72 hours.
  • Parents, schools, and affected individuals will be informed of high-risk breaches.
  • Records of all breaches, actions taken, and outcomes are maintained.

9. Marketing and Image Use
  • Marketing communications are sent only to those who have requested information, purchased services, or provided consent.
  • Opt-out is available via links in messages or by contacting hello@kirstybowen.com.
  • Images for marketing, portfolio, or website use are only used with separate, explicit parental consent.
  • Promotional photography is planned and agreed with parents and schools.

10. Accountability and Policy Updates
  • I am responsible for GDPR compliance.
  • Procedures are regularly reviewed to ensure compliance.
  • Changes to this policy will be communicated via my website.
  • A record of processing activities is maintained, detailing purposes, categories, storage, retention, and sharing.
  • All third-party providers comply with GDPR, with contracts in place.

11. Contact Information & Reporting Concerns
For any concerns, please contact:
Kirsty Bowen, Business Owner
Email: kirsty@kirstybowen.com
www.schools.kirstybowen.com

This policy is reviewed annually.

Policy last reviewed: January 2025
Signed: Kirsty Bowen
