Privacy Policy
Last updated: 24.02.2026
1. Data Controller
The personal data controller within the meaning of Art. 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) is MK Media, an entity with registered office in the United Kingdom, operating the FotoSesja.ai platform. Full registration details of the Controller (registration number, registered office address) are available upon request at the contact address. The Controller processes personal data in accordance with GDPR and the Personal Data Protection Act of 10 May 2018. Contact for data protection matters: email address: kontakt@fotosesja.ai, contact form available on the Platform website at /contact. The Controller has not appointed a Data Protection Officer (DPO) as it does not meet the conditions requiring mandatory DPO appointment specified in Art. 37 GDPR. Nevertheless, all enquiries regarding personal data protection should be directed to the above email address and will be handled with the utmost care. This Privacy Policy defines the rules for processing personal data by the Controller, purposes and legal bases of processing, rights of data subjects, and information about entities to whom data may be disclosed.
2. What Data We Collect
The Controller collects and processes the following categories of personal data: (a) Data provided by the User (registration data): first and last name, email address (simultaneously serving as login), contact telephone number, photography studio name (optional), URL slug (unique name used in gallery addresses), access password (stored in hashed form using bcrypt algorithm), language preferences (Platform interface language), branding settings (logo, company colours, email footer). For Clients (end persons browsing galleries): first and last name, email address, telephone number (if provided), print order information (delivery address, preferred delivery option). (b) Data collected automatically (technical and analytical data): IP address of the device from which connection to the Platform occurs, browser type and version, operating system, screen resolution, device information (desktop/mobile/tablet), Platform activity data (login date and time, viewed subpages, session duration), server logs containing HTTP request information (method, URL, response code, size of transmitted data), cookies and similar technologies (details in the cookies section). (c) Data uploaded as part of Platform services (photos and content): reference photos uploaded by the Photographer (may contain images of natural persons, which constitute personal data within the meaning of GDPR), photo metadata (EXIF: capture date, camera settings, location - if not removed by Photographer), photos generated by artificial intelligence based on reference photos, comments and notes added by Photographer or Client within galleries. (d) Financial and transactional data: history of Credit package purchases (date, amount, selected payment method), Stripe transaction identifier (we do not store payment card data - it is processed directly by Stripe), Credit spending history (date, number of Credits, session identifier), VAT invoices and accounting documents in accordance with tax law requirements.
3. Purpose of Data Processing
The Controller processes personal data for the following purposes, in each case based on a specific legal basis: (1) Provision of Platform services - processing necessary for performance of a contract for electronic service provision to which the data subject is party (Art. 6(1)(b) GDPR). This includes: registration and management of User account, uploading and storing reference photos on AWS S3 servers, generating AI content using Google Gemini API, creating and sharing galleries for Clients, enabling placement of print orders by Clients, managing the Credits system. (2) Payment processing - processing necessary for performance of contract (Art. 6(1)(b) GDPR) and fulfilment of legal obligation incumbent on the Controller (Art. 6(1)(c) GDPR), including: processing payments for Credits through Stripe, issuing VAT invoices in accordance with tax regulations, storing accounting and financial documentation for the legally required period (5 years). (3) Communication with User - pursuit of Controller's legitimate interests (Art. 6(1)(f) GDPR), consisting of: sending email notifications regarding service changes, security warnings, order confirmations, responding to enquiries directed through contact form or email, providing technical support and assistance. (4) Analysis and service improvement - pursuit of Controller's legitimate interests (Art. 6(1)(f) GDPR), consisting of: analysing Platform usage statistics to optimise service operation, identifying and fixing technical errors, studying User behaviour to improve interface (UX/UI), planning development of new functionalities based on User needs.
(5) Fulfilment of legal obligations - processing necessary to fulfil legal obligation incumbent on the Controller (Art. 6(1)(c) GDPR), including: storing accounting documentation in accordance with Accounting Act, storing transactional data in accordance with tax regulations, cooperation with law enforcement authorities to the extent required by law, fulfilment of obligations arising from GDPR (e.g. responding to data access requests). (6) Direct marketing of own services - pursuit of Controller's legitimate interests (Art. 6(1)(f) GDPR) in relation to Users who are Platform customers or consent (Art. 6(1)(a) GDPR) in case of persons who are not customers, comprising: sending newsletter with information about new functionalities, promotions, tips on Platform use, informing about changes in pricing or service provision conditions. The User has the right at any time to withdraw consent to receive marketing communications by clicking the unsubscribe link in the email message or changing settings in the Platform panel.
4. Third-Party Data Sharing
The Controller uses external processing entities (sub-processors) to provide Platform services. Personal data may be shared with the following categories of recipients: (1) Amazon Web Services, Inc. (AWS) - Purpose: hosting reference and AI-generated photos on S3 servers, hosting MySQL database, server infrastructure. Location: eu-west-2 region (London, United Kingdom - third country with adequacy decision based on European Commission decision). Legal basis: Data Processing Addendum (DPA) available on AWS website. AWS meets PCI DSS, ISO 27001, SOC 2 Type II requirements. More information: https://aws.amazon.com/compliance/gdpr-center/. (2) Google LLC (Google Cloud, Gemini API) - Purpose: processing reference photos by Gemini artificial intelligence model to generate AI content. Location: data may be processed in Google Cloud data centres outside the European Economic Area (EEA), including in the United States. Legal basis: Standard Contractual Clauses (SCC) approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021. Google meets ISO 27001, SOC 2 Type II requirements. Important information: Photos uploaded to Gemini API are not used by Google to train AI models according to Google Cloud Data Processing Addendum. More information: https://cloud.google.com/terms/data-processing-addendum. (3) Stripe, Inc. - Purpose: processing payments for Credits, handling payment card and BLIK transactions, managing subscriptions and invoices. Location: United States (third country - transfer occurs based on SCC and adequacy decision under EU-US Data Privacy Framework). Legal basis: Stripe is a certified payment operator compliant with PCI DSS Level 1 (highest security level for processing payment card data). Stripe does not provide the Controller with Users' payment card data - the Controller receives only transaction identifier and payment status information. More information: https://stripe.com/privacy. 
(4) Amazon Simple Email Service (AWS SES) - Purpose: sending email notifications, transactional emails (registration confirmations, password reset, order notifications), newsletters. Location: eu-west-2 region (London). Legal basis: Data Processing Addendum within AWS. (5) Nginx, Plesk, server infrastructure - Purpose: application hosting, server logs, WAF (Web Application Firewall) security. Location: servers located in the European Union. Statement on non-disclosure of data: The Controller declares that it does not sell, rent, or share Users' personal data with third parties for marketing purposes. Personal data may be shared only with processing entities acting on behalf of the Controller based on data processing agreements and public authorities to the extent required by legal provisions (e.g. tax authorities, law enforcement authorities based on valid court order).
5. Data Retention Period
The Controller processes personal data for no longer than is necessary to achieve processing purposes, taking into account legal obligations requiring longer retention periods. Detailed retention periods for individual data categories: (1) User account data (first name, last name, email, telephone, preferences) - retained for the period of Platform service use and for 30 calendar days from account deletion date. After this period expires, data is permanently and irreversibly deleted from the database. The User may within 30 days of account deletion request its restoration by contacting the Controller. (2) Financial and transactional data (VAT invoices, Credit purchase history, Stripe transaction identifiers) - retained for 5 years from the end of the tax year in which the transaction was conducted, in accordance with Art. 112 of the Act of 11 March 2004 on tax on goods and services and Art. 74(2) of the Act of 29 September 1994 on accounting. After this period expires, data is archived or deleted. (3) Reference photos and AI-generated photos - stored on AWS S3 servers for the period of Platform service use and for 30 calendar days from the Photographer's account deletion date. After this period expires, all photo files are permanently deleted from AWS servers. The Photographer has the right to delete selected photos or entire galleries at any time from the Platform panel. Photos deleted by the Photographer are permanently erased from AWS S3 within 24 hours. (4) Server logs (IP addresses, HTTP requests, error logs) - retained for 90 calendar days from their creation date. After this period expires, logs are automatically deleted. Server logs may be retained for a longer period if necessary to establish, pursue, or defend legal claims. 
(5) Data concerning email correspondence, complaint submissions, enquiries directed to the Controller - retained for the period necessary to resolve the matter and for 3 years from the date of matter closure to safeguard against potential claims. (6) Data concerning marketing consents - retained until consent is withdrawn by the User. After consent withdrawal, data is processed solely to document the fact of consent being granted and withdrawn (accountability requirement under Art. 7(1) GDPR). (7) End Client data (persons browsing galleries) - retained for the period determined by the Photographer (controller of this data) and for 30 days from Photographer's account deletion. The Platform Controller processes this data as a processor in accordance with Photographer's instructions.
6. User Rights
Under GDPR provisions, the data subject has the following rights: (1) Right of access to data (Art. 15 GDPR) - right to obtain from the Controller confirmation as to whether personal data concerning the person is being processed and, where that is the case, right of access to that data and information about processing purposes, data categories, data recipients, planned retention period, rights of the data subject. The User may at any time request a copy of their data by sending a request to: kontakt@fotosesja.ai. The Controller will respond within 30 days of receiving the request. (2) Right to rectification (Art. 16 GDPR) - right to request from the Controller immediate rectification of inaccurate personal data and to supplement incomplete personal data. The User may at any time update their data in the account settings panel or send a data rectification request to: kontakt@fotosesja.ai. (3) Right to erasure - 'right to be forgotten' (Art. 17 GDPR) - right to request immediate erasure of personal data in cases specified in Art. 17 GDPR, including when: data is no longer necessary for purposes for which it was collected, the person has withdrawn consent and there is no other legal basis for processing, data was unlawfully processed, data must be erased to comply with legal obligation. Note: the right to erasure does not apply if processing is necessary to fulfil legal obligation (e.g. retention of accounting data for 5 years). The User may delete their account at any time from the settings panel. (4) Right to restriction of processing (Art. 18 GDPR) - right to request restriction of data processing in cases specified in Art. 18 GDPR, including when: the person contests data accuracy, processing is unlawful and the person opposes data erasure, the Controller no longer needs the data but the person needs it to establish, pursue, or defend claims. A request for processing restriction can be sent to: kontakt@fotosesja.ai.
(5) Right to data portability (Art. 20 GDPR) - right to receive one's personal data in a structured, commonly used machine-readable format (e.g. JSON, CSV) and right to transmit that data to another controller without hindrance from the Controller. This right applies to data processed on the basis of consent or contract and processed in an automated manner. The User may request export of their data by contacting: kontakt@fotosesja.ai. (6) Right to object to processing (Art. 21 GDPR) - right to object to processing of personal data where processing is based on the Controller's legitimate interests (Art. 6(1)(f) GDPR). In such case, the Controller may no longer process that data unless it demonstrates compelling legitimate grounds for processing that override interests, rights, and freedoms of the data subject. An objection may be raised particularly to data processing for marketing purposes. (7) Right to withdraw consent (Art. 7(3) GDPR) - where data processing is based on consent (Art. 6(1)(a) GDPR), the data subject has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The User may withdraw consent to data processing for marketing purposes by clicking the unsubscribe link in the email message or by changing settings in the account panel. Method of exercising rights: To exercise the above rights, a request should be sent to: kontakt@fotosesja.ai, providing first name, last name, email address associated with the account, and indicating which right the person wishes to exercise. The Controller will examine the request within 30 days of receipt and provide a response by email. In justified cases (complex request, large number of requests), the deadline may be extended by an additional 60 days, about which the Controller will inform the person submitting the request.
7. Cookies
The Platform uses cookies and similar tracking technologies (localStorage, sessionStorage, web beacons) to ensure proper website functioning and for analytical purposes. In accordance with Art. 173 of the Act of 16 July 2004 - Telecommunications Law, use of certain types of cookies requires obtaining User consent. Cookie categories: (1) Strictly necessary cookies - these are cookies absolutely essential for proper Platform operation. Without these cookies, the Platform cannot function correctly. These cookies do not require User consent based on Art. 173(3) of Telecommunications Law. Examples: Laravel session cookie (laravel_session) - stores information about logged-in User's session, CSRF token (XSRF-TOKEN) - protects against Cross-Site Request Forgery attacks, language preference cookie (locale) - remembers selected interface language. Retention period: until browser closure (session cookies) or up to 1 year (persistent cookies). (2) Functional cookies - serve to remember choices made by the User (e.g. display preferences, font size, interface colours) and to provide advanced Platform functionalities. These cookies require User consent. Examples: cookie remembering preferred gallery display method (grid/list), cookie remembering recently viewed galleries, cookie remembering sidebar panel expand/collapse state. Retention period: up to 12 months. (3) Analytical/performance cookies - serve to analyse website traffic, study User behaviour, identify most popular features, and detect technical errors. These cookies require User consent. The Platform does not currently use external analytical tools (such as Google Analytics). If implemented in the future, the User will be informed and asked for consent. Retention period: up to 24 months. (4) Advertising cookies - The Platform does not currently use cookies for marketing purposes or to track the User on third-party websites. Managing cookies: The User may at any time change cookie settings in their web browser. 
Most browsers accept cookies by default, but the User can change settings so that the browser blocks all cookies or notifies about their sending. Instructions for managing cookies in popular browsers: Chrome: https://support.google.com/chrome/answer/95647, Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer, Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac, Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09. Important note: Blocking strictly necessary cookies will prevent use of the Platform (inability to log in). Blocking functional cookies may limit Platform functionality (e.g. settings will not be remembered between sessions).
8. Data Security
The Controller applies appropriate technical and organisational measures to ensure security of personal data processing in accordance with Art. 32 GDPR, including in particular to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data transmitted, stored, or otherwise processed. Technical measures: (1) Data encryption in transit - all connections to the Platform are encrypted using TLS 1.2 or higher (Transport Layer Security) protocol. SSL certificate is issued by Let's Encrypt and is automatically renewable. All HTTP requests are automatically redirected to HTTPS. (2) Data encryption at rest - all photos stored on AWS S3 servers are encrypted at rest using AES-256 encryption. Data in MySQL database is stored on volumes encrypted by AWS EBS. (3) Password hashing - Users' passwords are hashed using bcrypt algorithm with cost of 10 iterations, ensuring resistance to brute-force attacks. Passwords are never stored in plain text. (4) Regular backups - automatic database backups are created daily and stored in a separate location for 30 days. Backups are encrypted and accessible only to authorised administrators. (5) Access control - access to server infrastructure and database is restricted to minimum number of persons and requires multi-factor authentication (MFA). Access to Users' personal data is logged and monitored. Super Admin panel is protected by dedicated authentication system and is accessible only to Platform administrators. (6) Attack protection - Platform is protected by Web Application Firewall (WAF) configured by Plesk and Nginx, which blocks popular attacks (SQL Injection, XSS, CSRF, RCE). Rate limiting system is implemented, which limits number of requests from one IP address to protect against brute-force and DDoS attacks. All forms are protected against CSRF attacks by Laravel tokens. 
User inputs are validated and sanitised to protect against XSS and SQL Injection attacks. (7) Security updates - Laravel framework, PHP libraries, Node.js, and operating systems are regularly updated to patch known security vulnerabilities. The Controller monitors vulnerability reports (CVE) and implements fixes urgently. Organisational measures: (1) Information security policy - The Controller has implemented internal information security policy defining rules for processing personal data, access management, backups, and incident response. (2) Employee training - Persons with access to personal data are trained in GDPR provisions and secure data processing principles. (3) Data processing agreements - All entities processing data on behalf of the Controller (AWS, Google, Stripe) are bound by Data Processing Agreements (DPAs) meeting Art. 28 GDPR requirements. (4) Breach notification procedure - The Controller has implemented personal data breach notification procedure in accordance with Arts. 33 and 34 GDPR. In case of breach, the Controller will conduct risk assessment and, if necessary, notify the supervisory authority within 72 hours and inform affected data subjects.
9. Data Transfer Outside EEA
The Controller processes personal data primarily on the territory of the European Union. Nevertheless, in connection with use of processing entity services located outside the European Economic Area (EEA), personal data may be transferred to third countries. Data transfer outside EEA occurs solely on the basis of appropriate legal safeguards ensuring compliance with Arts. 44-49 GDPR. Details of data transfers outside EEA: (1) Amazon Web Services (AWS) - photo and database hosting - Location: eu-west-2 region (London, United Kingdom). The United Kingdom is a third country (outside EEA after Brexit), but the European Commission issued an adequacy decision on 28 June 2021 (Commission Implementing Decision (EU) 2021/1772), under which the United Kingdom was recognised as providing appropriate level of personal data protection. Data transfer to the United Kingdom is therefore compliant with Art. 45 GDPR and does not require additional safeguards. (2) Google LLC (Google Cloud, Gemini API) - AI photo processing - Location: photos uploaded to Gemini API may be processed in Google data centres located in the United States and other countries outside EEA. Safeguard: transfer occurs on the basis of Standard Contractual Clauses (SCC) approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. Google Cloud is covered by EU-US Data Privacy Framework (DPF), which provides additional guarantees for protection of personal data of EU citizens processed in the United States. More information: https://cloud.google.com/privacy/gdpr. Important information: According to Google Cloud Data Processing Addendum, photos uploaded to Gemini API are not used by Google to train AI models or for purposes other than generating content as commissioned by the User. Data is deleted from Google servers after the generation process is completed. (3) Stripe, Inc. - payment processing - Location: United States. 
Safeguard: Stripe is a certified participant in EU-US Data Privacy Framework (DPF). Transfer also occurs on the basis of Standard Contractual Clauses (SCC). More information: https://stripe.com/privacy. User rights in connection with data transfer: The User has the right to obtain a copy of safeguards concerning data transfer outside EEA (e.g. copy of Standard Contractual Clauses) by contacting the Controller at: kontakt@fotosesja.ai. Controller's declaration: The Controller declares that it does not transfer personal data to third countries in respect of which the European Commission has not issued an adequacy decision and which are not covered by appropriate safeguards (such as SCC or Binding Corporate Rules). The Controller monitors changes in regulations and case law (including CJEU judgments such as Schrems II) and adjusts data protection measures as necessary.
10. Contact and Complaints
For any questions, doubts, or requests concerning processing of personal data by the Controller, please contact: email address: kontakt@fotosesja.ai, contact form available on the Platform website at /contact. The Controller will make every effort to respond to the enquiry within 30 days of receipt. In justified cases (complex enquiry, large number of requests), the deadline may be extended by an additional 60 days, about which the Controller will inform the person submitting the enquiry. Right to lodge a complaint with supervisory authority: The data subject has the right to lodge a complaint with a supervisory authority dealing with personal data protection if they consider that processing of their personal data infringes GDPR provisions. The competent supervisory authority in Poland is: President of the Personal Data Protection Office (UODO), address: ul. Stawki 2, 00-193 Warsaw, Poland, telephone: +48 22 531 03 00, email: kancelaria@uodo.gov.pl, website: www.uodo.gov.pl. A complaint may be lodged using the form available on the UODO website, by post, by email, or in person at the Office headquarters. Lodging a complaint with the supervisory authority is free of charge. Procedure for examining complaints concerning data protection: Before lodging a complaint with UODO, we encourage direct contact with the Controller for amicable resolution of the matter. The Controller makes every effort to process personal data in accordance with GDPR provisions and to fully respect rights of data subjects. Complaints concerning data protection may be sent to: kontakt@fotosesja.ai with note 'Personal data protection - complaint'. The Controller will examine the complaint within 14 business days of receipt and provide a response by email. In case of complaint rejection, the Controller will indicate reasons for rejection and inform about the right to lodge a complaint with UODO. 
Out-of-court dispute resolution methods: A User who is a consumer (natural person using services for purposes unrelated to business activity) has the right to use out-of-court methods of examining complaints and pursuing claims, including: using ODR (Online Dispute Resolution) platform available at: https://ec.europa.eu/consumers/odr/, contacting permanent consumer arbitration court operating at Trade Inspection, contacting voivodeship inspector of Trade Inspection with request to initiate mediation proceedings, using free assistance of district (municipal) consumer advocate. Changes to Privacy Policy: The Controller reserves the right to introduce changes to this Privacy Policy in case of changes in legal provisions, changes in data processing methods, introduction of new Platform functionalities, or changes in structure of processing entities. Users will be informed of material changes to Privacy Policy by email with at least 14 days' notice. The current version of the Privacy Policy together with date of last update is always available at /privacy-policy.