menu

GDPR

Last Updated
Last updated: May 1, 2025

1. Who We Are

Red Apple Tree Photography (“we”, “our”, “us”) is an independently owned wedding, portrait, and commercial photography business based in West Kelowna, British Columbia, Canada.
Data Controller: Keith Carson, Owner & Lead Photographer
Website: https://www.redappletreephotography.com
Email (data–protection enquiries): redappletreephotography@gmail.com

Because our site can be accessed by individuals in the European Economic Area (“EEA”) and United Kingdom (“UK”), we process personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and the UK GDPR.
2. Scope of this Policy

This policy explains:

    what personal data we collect through our website, client onboarding, and online galleries;

    the lawful bases and purposes for using that data;

    how long we keep it, how we protect it, and with whom we share it;

    your privacy rights and how to exercise them.

3. Personal Data We Collect
Context Categories of Data Typical Source
Website contact or booking form Name, email, phone, event/portrait details, message content You
Client intake & contract Postal address, event location, participant names, payment information, signed contracts You
Image galleries & digital downloads Email address, download logs, favourites, comments You or authorised gallery users
Newsletter opt-in Name, email, marketing preferences You (consent)
Analytics & cookies IP address, device type, browser, pages visited, referring site, cookie identifiers Your device via cookies / pixels
Social media Public profile information, comments, messages Social platform APIs

We do not intentionally collect special-category data (e.g., health, religious beliefs). If such information is volunteered (e.g., accessibility needs, dietary restrictions), we process it only to fulfil the requested service and delete it as soon as practicable.
4. Purposes & Lawful Bases
Purpose Lawful Basis (Art. 6 GDPR) Examples
Responding to enquiries, scheduling sessions, providing quotes Art 6 (1)(b) Contract Preparing or performing a photography contract
Delivering photographic services, editing, and delivering images Art 6 (1)(b) Contract Shooting, editing, hosting gallery, print orders
Processing payments & accounting Art 6 (1)(c) Legal obligation Canadian tax requirements
Website operations & security Art 6 (1)(f) Legitimate interest Server logs, fraud prevention
Marketing emails & newsletters Art 6 (1)(a) Consent Email campaigns after explicit opt-in
Showcasing portfolio (blog, social media, sample albums) Art 6 (1)(f) Legitimate interest; consent where required by local law Using select images to promote our work
Analytics & performance cookies Art 6 (1)(a) Consent (via cookie banner) Google Analytics, Meta Pixel

You may withdraw consent at any time (see § 10).
5. Cookies & Similar Technologies

Our site uses necessary cookies for security and functionality and, with your consent, analytics/advertising cookies. On your first visit we display a banner allowing you to:

    Accept all cookies

    Reject non-essential cookies

    Manage granular preferences

You can also delete or block cookies in your browser settings. Detailed information is available in our standalone Cookie Policy.
6. Children

Our services are not directed at children under 16. If we discover that we have received personal data from a child without verified parental consent, we will delete that data promptly.
7. Sharing Your Data

We share data only when necessary for the purposes above:

    Website & email hosting – e.g., SiteGround (EU servers) or similar

    Online gallery & file delivery – Pixieset Inc. (Canada)

    Payment processors – Square Payments, PayPal (subject to PCI-DSS)

    Analytics & marketing – Google Analytics, Meta Platforms, MailerLite

    Professional partners – second shooters, album printers, only under written confidentiality agreements

All third-party processors act only on our instructions and are bound by contractual data-processing terms that meet GDPR requirements.
8. International Transfers

We are located in Canada, a country recognised by the European Commission as providing adequate data protection for commercial organisations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). When data is transferred to partners in the United States or other non-adequate jurisdictions, we rely on:

    Standard Contractual Clauses (SCCs) approved by the European Commission, or

    Your explicit consent where appropriate.

9. Data Retention
Data Type Retention Period
Client contracts, invoices & tax records 7 years (legal obligation)
Galleries & image backups 3 years after final delivery, unless you request earlier deletion or agree to archive
Enquiry emails (no booking) 12 months
Marketing email list Until you unsubscribe (we refresh consent every 3 years)
Analytics data 26 months (Google Analytics standard)

We will securely delete or anonymise data when the retention period expires.
10. Your Rights (EEA & UK Residents)

Under GDPR you may:

    Access – obtain a copy of your personal data.

    Rectify – correct inaccurate or incomplete data.

    Erase – request deletion (“right to be forgotten”).

    Restrict – limit processing under certain conditions.

    Object – to processing based on legitimate interests or direct marketing.

    Port – receive your data in a structured, machine-readable format and transmit it to another controller.

    Withdraw consent – at any time, without affecting prior lawful processing.

    Lodge a complaint – with your local Supervisory Authority (e.g., CNIL – France, ICO – UK).

To exercise any right, email privacy@redappletreephotography.com. We respond within one month (extensions possible for complex requests).
11. Data Security

We implement appropriate technical and organisational measures, including:

    TLS/SSL encryption for all website traffic and gallery downloads

    Secure, access-controlled cloud storage with redundancy

    Regular software updates, malware scanning & firewalls

    Role-based access for employees/contractors

    ISO 27001-compliant third-party vendors where feasible

Despite these measures, no Internet transmission is 100 % secure. You acknowledge this residual risk when providing data online.
12. Changes to This Policy

We may update this policy to reflect legal, technical, or business changes. New versions will be posted on our website with a new “Last updated” date. Material changes will be announced via a website banner or direct email where feasible.
13. How to Contact Us

For questions about this policy or your data, use our contact page.