Privacy Policy — Chromafolio

Thank you for using Chromafolio or visiting our website. We are committed to protecting the privacy of your data and this policy explains what we collect and how we use your personal information. This policy may be amended as we release new features or when legal requirements arise. We encourage you to review this policy from time to time to stay informed of any changes that might affect you.

1. Definitions

When we say “Chromafolio,” “we,” or “us,” we are referring to Chromafolio Inc. Chromafolio provides users with tools to help them create and manage client galleries, a Leads Marketplace, and other photography business tools through its web application, website hosting services, and related services (the “Services”).

Users — photographers and other customers who sign up for an account and use our Services.
Clients— individuals who visit or interact with a User’s gallery, submit a photography request through the Leads Marketplace, or purchase from a User’s store.

2. What Information We Collect

Information you provide directly

Account information: name, email address, and password when you register. Google OAuth sign-in shares your name and email with us.
Profile information: for photographers, this includes your business name, bio, specialties, service area, and profile photo.
Leads Marketplace data: Clients provide their name, email, phone number, event type, date, location, and budget when posting a photography request.
Payment information: billing details (card number, billing address) are collected directly by Stripe and are never stored on Chromafolio servers. We retain the Stripe customer ID and subscription status.
Photos and media: photographers upload images, which may contain EXIF metadata (GPS coordinates, camera model, capture time, lens settings). We store this data alongside the image.
Communications: messages sent through the platform between photographers and Clients.

Information collected automatically

Log data: when you access or use our website or Services, our servers automatically record log data which may include IP addresses, device and browser configurations, date and time of access, browsing times, and loading errors if applicable.
Album view activity:when a gallery is opened, we log the viewer’s IP address, browser user agent, device type, referrer URL, and approximate geographic location (city/region derived from IP).
Download activity: we record which photos are downloaded, by whom, and when.
Usage data: we may collect data on how you use the Services, such as gallery creation timestamps, feature interactions, and communications sent via your account.

Information from other sources

Third-party integrations: we may collect information through other services you integrate with (such as editing software). Information collected will be in accordance with the authorization procedures of those services.
Support and social channels: we may collect additional information when you contact us for support, communicate with us via social media, or contact us through third-party services.

3. How We Collect Your Information

Directly from you: when you sign up for an account, fill out your profile, create galleries, post lead requests, or communicate through the platform.
Automatically from your use of the Services: when you visit the website or use the Services, we collect information about your activity and usage. This is mainly collected using cookies or similar technology (see Section 5 below).
From other sources: we may receive information from third-party service providers, payment processors, or advertising services, including device and location information, limited payment card details, and prior website visits.

4. How We Use the Information We Collect

We use the information collected primarily to provide you with the Services you signed up for and to support our legitimate interests in operating our Services and business.

To provide the Services: we use the information you provided to enable you to create galleries, communicate with Clients, facilitate payment and order processing, match photographers to relevant leads, and provide any other services requested by you. This includes sharing information with third-party service providers as necessary. When we share information, we ensure only the minimum necessary data is shared and that it is protected in accordance with this policy.
To maintain and improve our Services: we use the information collected to analyze site performance, measure feature usage, and improve the platform experience.
To provide gallery analytics: we provide photographers with gallery analytics including views, device breakdown, referrer sources, and download counts.
To verify your identity: when we need to authenticate your account to provide support, or if concerns arise regarding identity theft.
To personalize your experience: we may use information to conduct advertising and marketing campaigns. You may opt out of certain ad targeting and retargeting services with third-party advertising networks directly.
To communicate with you: we send emails about transactions on your account, technical notices, feature announcements, and lead notifications. SMS notifications for time-sensitive lead alerts are sent via Twilio only when you opt in. You may change your notification settings in your account at any time.
To provide support: when you contact us for help, we use the information to assist you in your use of the Services.
To detect and prevent abuse: we use information to detect and prevent fraud, spam, and unauthorized access to the platform.
To meet legal requirements: we may use the information to comply with legal requests such as court orders, requests by public authorities, and other appropriate legal mechanisms.

We do not sell your personal information. We do not use your content for advertising on third-party platforms.

5. Cookies & Tracking

Chromafolio uses a single first-party authentication cookie:

chromafolio_token — stores your authentication session. Set on login, expires after 7 days. This cookie is set with the SameSite=Lax attribute.

We do not use third-party advertising cookies or tracking pixels. Gallery view analytics are collected server-side using your IP address and user agent; no JavaScript tracker is injected into client galleries.

You may block or delete cookies through your browser settings. Disabling the authentication cookie will require you to log in on each visit.

6. How We Share the Information We Collect

Third-party service providers: we share your information with third-party service providers who provide and support our Services. We only share information necessary for the third party to complete the service and require them to use the information in a manner consistent with this policy. Examples include hosting and content delivery services (Cloudflare R2), archive storage (Backblaze B2), email delivery (Resend), SMS notifications (Twilio), and payment processing (Stripe).
On your instruction: we share and disclose personal information on your instruction, provided these are part of the functionality of the Services and in compliance with applicable law. For example, when a photographer shares a gallery link with a Client.
Change in business: in the case of a merger, acquisition, financing, reorganization, or sale, information collected may be shared on the basis that it is subject to standard confidentiality arrangements.
To comply with the law: information may be disclosed if deemed necessary to comply with the law and court orders, to protect the rights of individuals, and to fulfill law enforcement requirements.
Marketing: we may share limited information with third-party advertising networks in order to deliver relevant advertisements and manage our communications with you. We do not use your photos or gallery content for this purpose.

7. How We Protect Your Information

Chromafolio follows industry standards for the management of personal information. We employ technical and administrative safeguards intended to protect against accidental or unlawful destruction, loss, alteration, and disclosure of personal information.

Encryption: all data is encrypted in transit using TLS and at rest using encrypted storage.
Access controls: access to production systems is restricted by role and requires multi-factor authentication.
Infrastructure: we maintain security measures including the use of redundancies and employ firewalls to protect against unlawful access and network vulnerabilities.

No method of storage and transfer of information over the Internet is absolutely secure. While we have safeguards in place, we cannot guarantee the absolute security of your personal information.

8. Data Retention

We retain your information for as long as your account is active or as long as needed to provide you with the Services. We may also retain and use your information to comply with our legal obligations, resolve disputes, enforce our agreements, and protect our and others’ interests.

Account data: retained for the life of your account plus 90 days after deletion, unless a longer period is required by law.
Photos and galleries: retained until you delete them or close your account. Archived copies in cold storage may persist for up to 180 days after deletion.
Gallery analytics logs: IP addresses, user agents, and location data are retained for 12 months, then aggregated and anonymized.
Payment records: retained for 7 years to comply with financial and tax regulations.
Leads Marketplace data: retained for 24 months from the date of the request to support dispute resolution.

You may delete your account from your account dashboard or by contacting us at support@chromafolio.com, in which case your information will be deleted in accordance with the retention periods above. Anonymized information that is not identifiable to a person may be retained to help us improve our Services.

9. International Information Transfer

Your photos are stored on Cloudflare R2 with long-lived copies archived to Backblaze B2. Database records and account data are stored on servers located in the United States. If you are located outside the United States, your personal information is transferred to and processed in the United States.

Chromafolio will ensure these transfers are completed in compliance with mechanisms recognized under relevant data protection legislation as providing an adequate level of protection for data transfers. For residents of the European Economic Area (EEA), we ensure data transfers are completed in accordance with the Standard Contractual Clauses (EU Model Clauses) and other applicable legal frameworks.

10. Your Rights

You have rights over your personal information. Subject to any exemptions provided by law, we take reasonable steps to allow you to access, correct, amend, delete, port, or limit the use of your personal information. You can usually manage your information by logging in to your account and editing your information directly in the dashboard.

Access: request a copy of the personal data we hold about you.
Correction: request that inaccurate data be corrected.
Deletion: request erasure of your personal data (subject to legal retention requirements).
Portability: receive your data in a machine-readable format.
Objection / Restriction: object to or restrict certain processing activities.
Opt out of sale (CCPA): we do not sell personal information, so no opt-out is required.

If you are located in the EEA, we will normally collect personal information from you only where (a) we have your consent, (b) we need your personal information to fulfill a contract with you, or (c) the processing is in our legitimate interest in providing the Services. In most cases, if you do not provide the requested information, we will not be able to provide the service to you.

For Users: to exercise these rights, contact us at support@chromafolio.comwith the subject line “Privacy Request.” We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving a verifiable request. We may ask you for proof of account ownership and/or identity before fulfilling your request.

For Clients: if you are a Client of a User and wish to exercise these rights, please contact the User (photographer) you interacted with directly — we serve as a processor on their behalf and can only forward your request to them.

11. Children’s Privacy

Chromafolio is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child, please contact us at support@chromafolio.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and send registered users an email notification at least 14 days before changes take effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

13. Contact Us

Questions about this Privacy Policy or how we handle your data? Reach us at:

Email: support@chromafolio.com
Mail: Chromafolio Inc., Privacy Team, [Address]

If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection supervisory authority.