Legal
Privacy Policy
Effective date: April 7, 2026
Chromafolio Inc. (“Chromafolio,” “we,” “our,” or “us”) operates chromafolio.com and its subdomains, including the client gallery platform and the Leads Marketplace. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have. By using the platform you agree to the practices described here.
1. Information We Collect
Information you provide directly
- Account information: name, email address, and password when you register. Google OAuth sign-in shares your name and email with us.
- Profile information: for photographers, this includes your business name, bio, specialties, service area, and a profile photo.
- Leads Marketplace data: clients provide their name, email, phone number, event type, date, location, and budget when posting a photography request.
- Payment information: billing details (card number, billing address) are collected directly by Stripe and are never stored on Chromafolio servers. We retain the Stripe customer ID and subscription status.
- Photos and media: photographers upload images, which may contain EXIF metadata (GPS coordinates, camera model, capture time, lens settings). We store this data alongside the image.
- Communications: messages sent through the platform between photographers and clients.
Information collected automatically
- Album view activity: when a gallery is opened, we log the viewer’s IP address, browser user agent, device type, referrer URL, and approximate geographic location (city/region derived from IP).
- Download activity: we record which photos are downloaded, by whom, and when.
- Log data: server logs capturing request timestamps, pages visited, and error events.
- Cookies: see Section 3 below.
2. How We Use Information
We use the information we collect to:
- Operate and improve the client gallery and Leads Marketplace features.
- Authenticate users and maintain secure sessions via the chromafolio_token cookie.
- Process subscription payments and manage billing through Stripe.
- Match photographers to relevant leads based on specialty, location, and availability.
- Send transactional emails (gallery share links, lead notifications, billing receipts) via Resend.
- Send SMS notifications for time-sensitive lead alerts via Twilio (only when you opt in).
- Provide photographers with gallery analytics: views, device breakdown, referrer sources, and download counts.
- Detect and prevent fraud, abuse, and unauthorized access.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information. We do not use your data for advertising on third-party platforms.
3. Cookies & Tracking
Chromafolio uses a single first-party authentication cookie:
- chromafolio_token — stores your authentication session. Set on login, expires after 7 days. This cookie is not httpOnly, which allows the client application to read your login state. It is set with the SameSite=Lax attribute.
We do not use third-party advertising cookies or tracking pixels. Gallery view analytics are collected server-side using your IP address and user agent; no JavaScript tracker is injected into client galleries.
You may block or delete cookies through your browser settings. Disabling the authentication cookie will require you to log in on each visit.
4. Third-Party Services
Chromafolio integrates with the following third-party services. Each is governed by its own privacy policy:
- Stripe — payment processing. Stripe handles all card data in compliance with PCI DSS. Privacy policy: stripe.com/privacy.
- Google OAuth — optional sign-in method. Google shares your name and email with us upon authorization. Privacy policy: policies.google.com/privacy.
- Resend — transactional email delivery (gallery links, notifications, receipts).
- Twilio — SMS notifications for lead alerts (opt-in only).
- Cloudflare R2 — primary object storage for uploaded photos and gallery assets.
- Backblaze B2 — cold archive storage for long-term photo retention.
We enter into data processing agreements with service providers as required by applicable law. These providers may only process data on our behalf and in accordance with our instructions.
5. Data Storage & Security
Your photos are stored on Cloudflare R2 with long-lived copies archived to Backblaze B2. Database records and account data are stored on servers located in the United States. If you are located outside the United States, your information is transferred to and processed in the United States.
We protect your data using TLS encryption in transit and encrypted storage at rest. Access to production systems is restricted by role and requires multi-factor authentication. Despite these measures, no system is completely secure and we cannot guarantee absolute security.
6. Data Retention
- Account data is retained for the life of your account plus 90 days after deletion, unless a longer period is required by law.
- Photos and galleries are retained until you delete them or close your account. Archived copies in Backblaze B2 may persist for up to 180 days after deletion.
- Gallery analytics logs (IP, user agent, location) are retained for 12 months, then aggregated and anonymized.
- Payment records are retained for 7 years to comply with financial and tax regulations.
- Leads Marketplace data is retained for 24 months from the date of the request to support dispute resolution.
7. Your Rights (GDPR & CCPA)
Depending on your location, you may have the following rights regarding your personal information:
- Access: request a copy of the personal data we hold about you.
- Correction: request that inaccurate data be corrected.
- Deletion: request erasure of your personal data (subject to legal retention requirements).
- Portability: receive your data in a machine-readable format.
- Objection / Restriction: object to or restrict certain processing activities.
- Opt out of sale (CCPA): we do not sell personal information, so no opt-out is required.
To exercise any of these rights, email support@chromafolio.com with the subject line “Privacy Request.” We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving a verifiable request.
8. Children’s Privacy
Chromafolio is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child, please contact us at support@chromafolio.com and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and send registered users an email notification at least 14 days before changes take effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.
10. Contact Us
Questions about this Privacy Policy or how we handle your data? Reach us at:
- Email: support@chromafolio.com
- Mail: Chromafolio Inc., Privacy Team, [Address]
If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection supervisory authority.