Privacy Policy

Effective Date: May 9, 2026 · Last Updated: May 9, 2026

1. Introduction & Scope

Armani WC Photography ("Armani WC Photography," "we," "us," or "our") respects your privacy and is committed to protecting personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you visit our website (the "Site"), engage our photography services, communicate with us, or otherwise interact with us.

This Policy applies to personal information processed by Armani WC Photography in our capacity as a controller (under the EU/UK General Data Protection Regulation, "GDPR") or a business (under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, "CCPA/CPRA").

Please read this Policy carefully. By using the Site or our Services, you acknowledge that you have read and understood this Policy. This Policy is incorporated by reference into our Terms of Service.

2. Information We Collect

We collect categories of personal information described below. The CCPA/CPRA category labels (e.g., "Identifiers") appear in brackets where applicable.

2.1 Information You Provide

  • Contact Details [Identifiers; Customer Records] — name, email address, phone number, mailing address.
  • Inquiry Content [Customer Records] — messages, event details (date, location, type), service preferences submitted through forms or email.
  • Booking & Transaction Data [Commercial Information; Financial Information] — service selections, contract terms, invoices, receipts, payment confirmation. We do not directly collect or store full payment-card numbers; payments are handled by third-party processors.
  • Account Credentials [Identifiers] — email and hashed password if you have an authorized administrative account.
  • Photographs & Media [Visual Information; Biometric Information (where photographs of you are involved)] — images of you or your event when you engage us for photography services.

2.2 Information Collected Automatically

  • Device & Usage Data [Internet/Network Activity; Identifiers] — IP address, approximate geolocation derived from IP, browser type and version, operating system, device identifiers, referring URL, pages visited, links clicked, time and date of access, time on page.
  • Cookies & Similar Technologies — see Section 8.
  • Server Logs & Security Events [Internet/Network Activity] — for performance monitoring, abuse prevention, and incident response.

2.3 Information We Do Not Knowingly Collect

We do not request or knowingly collect government identification numbers (e.g., SSN), precise GPS geolocation, financial account numbers, racial or ethnic origin, religious or philosophical beliefs, trade-union membership, genetic data, biometric identifiers for unique identification, health data, or sex-life or sexual-orientation data. If you voluntarily submit such information, please do not, as it is unnecessary for our services.

3. Sources of Information

  • Directly from you (forms, email, phone, in-person communications);
  • Automatically when you use the Site (cookies, analytics, server logs);
  • From service providers acting on our behalf (analytics, hosting, communications);
  • From people who hire us on your behalf (e.g., a wedding planner providing your contact information).

4. How We Use Personal Information

  • Provide Services — respond to inquiries, prepare quotes, fulfill bookings, deliver final images, and provide customer support;
  • Communicate — send transactional messages (booking confirmations, scheduling, deliverable links, invoices) and, with your consent, marketing or promotional content (which you can opt out of at any time);
  • Operate & Improve the Site — maintain availability, troubleshoot, analyze trends, develop new features;
  • Portfolio & Marketing — subject to the model release in our Terms, display photographs in our portfolio and marketing materials;
  • Security & Fraud Prevention — detect, investigate, and prevent unauthorized access, abuse, and unlawful activity;
  • Legal Compliance — comply with applicable laws, regulations, court orders, lawful subpoenas, and tax/accounting obligations;
  • Business Transactions — in connection with corporate transactions such as a merger, acquisition, or sale of assets, subject to this Policy.

We do not use personal information for automated decision-making that produces legal or similarly significant effects, and we do not engage in profiling beyond standard analytics.

6. How We Share Information

We do not sell personal information for monetary consideration. We do not knowingly "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We may disclose personal information in the following circumstances:

  • Service Providers — vendors performing services on our behalf under written agreements that limit use to the purposes for which we engaged them. See Section 7.
  • Affiliates & Successors — in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our business.
  • Legal Process — to comply with applicable law, regulation, legal process, or governmental request, or to protect our rights, property, or safety, or that of our clients or others.
  • With Your Consent — for any other purpose disclosed at the time we collect the information or with your explicit consent.

7. Service Providers / Sub-Processors

We rely on a small number of trusted vendors to operate the Site and Services, including:

  • Cloud hosting & database (application hosting and PostgreSQL database);
  • Cloud object storage (Amazon Web Services S3, U.S. region) for image storage;
  • Email delivery (transactional notifications);
  • Analytics (privacy-respecting aggregate usage analytics);
  • Client gallery delivery (Pixieset) for distributing finished work to clients.

Each provider is contractually obligated to maintain the confidentiality and security of personal information and to use it only for the services they provide to us. A current list of sub-processors is available on request.

8. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the Site and improve your experience. For full details, see the Cookie Policy section of our Terms of Service. Cookie categories used on this Site include strictly necessary, functionality, performance/analytics, and security cookies. We do not use advertising or cross-site tracking cookies.

9. Data Retention

We retain personal information only for as long as necessary for the purposes set out in this Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

  • Inquiries that do not result in booking — up to 12 months from last contact.
  • Booking and transaction records — up to 7 years to comply with tax, accounting, and statute-of-limitations requirements.
  • Edited photographs from completed engagements — retained indefinitely for archival, portfolio, and marketing purposes (subject to model-release rights and any opt-out you provide).
  • Raw/unedited captures — typically purged within 90 days of final delivery.
  • Server logs & security events — up to 12 months.
  • Authentication session data — for the duration of the session plus a brief grace period.

When personal information is no longer needed, we delete it or anonymize it so it can no longer be associated with an identifiable individual.

10. Security

We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, alteration, disclosure, or destruction. These include: encryption of data in transit using TLS 1.2+; encryption at rest in our database and object storage; password hashing using industry-standard algorithms (bcrypt); access controls limiting personal information to authorized personnel; rate limiting and abuse detection on public APIs; and regular review of security practices.

No security measure is perfect. Internet transmission and electronic storage are inherently subject to risk. You are responsible for safeguarding your account credentials and using strong, unique passwords.

11. International Data Transfers

We are located in the United States, and the personal information we collect is processed and stored in the United States. If you access the Site from outside the United States, please be aware that your information may be transferred to, stored, and processed in the U.S. Where required, we rely on appropriate transfer mechanisms (such as the European Commission's Standard Contractual Clauses) to lawfully transfer personal information from the EEA, UK, or Switzerland to the United States. A copy of the applicable transfer mechanism is available on request.

12. Your Rights (EEA, UK & Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights, subject to applicable conditions and exceptions:

  • Access — a copy of your personal information.
  • Rectification — correction of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — deletion of personal information when no longer necessary, consent has been withdrawn, or processing is unlawful.
  • Restriction — limit processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
  • Objection — to processing based on legitimate interests, including direct marketing.
  • Withdraw consent — for any processing based on consent, without affecting prior lawful processing.
  • Lodge a complaint — with your local data protection authority. A list of EEA authorities is available at edpb.europa.eu/about-edpb/about-edpb/members.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA, as amended by the CPRA:

  • Right to Know — categories and specific pieces of personal information we collected, sources, purposes, and categories of recipients in the past 12 months.
  • Right to Delete — deletion of personal information we have collected from you, subject to statutory exceptions.
  • Right to Correct — correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing — we do not sell or share personal information for cross-context behavioral advertising. There is therefore nothing to opt out of, but you may submit a request, and we will confirm our practices.
  • Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information beyond what is necessary to provide our Services as defined in 11 CCR § 7027.
  • Right to Non-Discrimination — we will not deny services, charge different prices, or provide a different level or quality of service because you exercised your privacy rights.

Categories of personal information collected, disclosed, and retained. In the preceding 12 months we collected the categories of personal information described in Section 2 from the sources in Section 3, for the purposes in Section 4. We disclosed the following categories to service providers for business purposes: Identifiers, Customer Records, Internet/Network Activity, and Visual Information. We did not sell or share personal information.

Authorized Agent. You may designate an authorized agent to make a request on your behalf. The agent must provide written authorization signed by you, and we will verify your identity and the agent's authority before processing the request.

"Shine the Light" (Cal. Civ. Code § 1798.83). California residents may request a notice describing what categories of personal information we share with third parties for direct-marketing purposes. We do not share personal information with third parties for their direct-marketing purposes.

14. Other U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws may have rights similar to those described above, including the right to access, correct, delete, and obtain a portable copy of personal information, and to opt out of targeted advertising, the sale of personal data, and certain types of profiling. We do not engage in targeted advertising or sales of personal information. To exercise rights, follow Section 15.

Appeals. Where state law provides an appeals process, you may appeal a denial of your request by replying to our denial response within a reasonable time. We will respond to your appeal within the period required by the applicable state law.

15. How to Exercise Your Rights

You can submit a privacy rights request by email to [email protected] or by phone at 256-321-8900. In your request, please tell us which right you are exercising and provide enough information for us to verify your identity (typically the email and name on file).

We will respond to verifiable requests within 45 days, with a one-time extension of an additional 45 days where reasonably necessary, and we will notify you of any extension within the initial 45 days. There is no fee for exercising your rights, but we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, as permitted by law.

16. Do Not Track & Global Privacy Control

Most browsers offer a "Do Not Track" (DNT) signal. Because there is no industry-standard interpretation of DNT, we currently do not respond to DNT signals. We do honor the Global Privacy Control (GPC) browser signal where applicable law (including California law) requires us to treat the signal as an opt-out of sale or sharing.

17. Third-Party Links & Social Media

The Site contains links to third-party websites and platforms (such as Pixieset client galleries, Facebook, and Instagram). We are not responsible for the privacy practices of those third parties, and the personal information you submit to them is governed by their own privacy policies. We encourage you to review them before providing information.

18. Children's Privacy

The Site is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) or applicable similar laws. If we become aware that a child under 13 has provided personal information without verifiable parental consent, we will delete it. Parents or guardians who believe their child has submitted personal information should contact us using the information in Section 21.

For users between 13 and 16 in jurisdictions where the age of digital consent is higher, we will rely on a parent or guardian's consent where required.

19. Data Breach Notification

In the event of a data breach involving your personal information, we will notify affected individuals and applicable regulators as required by U.S. state breach notification laws, the GDPR (within 72 hours where feasible), and other applicable laws. Notice will include, where known, the nature of the breach, categories of personal information involved, likely consequences, and the measures taken or proposed to address it.

20. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the "Last Updated" date above. If we make material changes, we will provide additional notice (such as a prominent banner on the Site or, where required, direct notice). Your continued use of the Site after changes constitutes acceptance of the updated Policy. Prior versions are available on request.

21. Contact & Complaints

We are the "controller" (GDPR) and "business" (CCPA/CPRA) responsible for personal information processed under this Policy. For privacy questions, requests, or complaints, please contact us:

We do not have a designated EU/UK representative under Articles 27 GDPR/UK GDPR because our processing of EEA/UK personal data is occasional and does not include large-scale processing of special categories. EEA/UK residents may still contact us directly using the information above.

Terms of ServiceAccessibility

© 2026 Armani WC Photography. All rights reserved. This Policy was last updated on May 9, 2026.