GDPR & Your Rights

Last updated: January 1, 2025

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to individuals in the European Economic Area (EEA) and the United Kingdom. This page explains your rights under GDPR and how ShutterLove complies with these regulations.

Quick Summary

  • We only collect data necessary to provide our service
  • Your photos are encrypted and automatically deleted
  • We never sell your personal data
  • You can request your data or deletion at any time
  • Contact: privacy@shutterlove.ai

1. Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights regarding your personal data:

1.1 Right to Access (Article 15)

You have the right to request a copy of the personal data we hold about you. This includes:

  • What data we have collected
  • How we use your data
  • Who we share your data with
  • How long we retain your data

1.2 Right to Rectification (Article 16)

You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

1.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed

1.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.

1.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

1.6 Right to Object (Article 21)

You have the right to object to processing of your personal data:

  • For direct marketing purposes (absolute right)
  • Based on legitimate interests (we must demonstrate compelling grounds)

1.7 Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. Our photo animation process uses AI, but does not make decisions that produce legal or similarly significant effects.

2. Legal Basis for Processing

We process your personal data under the following legal bases:

Data Type           | Legal Basis          | Purpose
Photos              | Contract Performance | Creating your animated video order
Email Address       | Contract Performance | Delivering your order and order updates
Payment Information | Contract Performance | Processing your payment
Marketing Emails    | Consent              | Sending promotional content (opt-in only)
Analytics Data      | Legitimate Interest  | Improving our Service
Order Records       | Legal Obligation     | Tax and accounting compliance

3. Data Protection Measures

We implement robust technical and organizational measures to protect your data:

Technical Measures

  • Encryption in Transit: All data is transmitted using TLS 1.3 encryption
  • Encryption at Rest: All stored data is encrypted using AES-256
  • Access Controls: Strict role-based access to personal data
  • Security Monitoring: Continuous monitoring for security threats
  • Regular Audits: Periodic security assessments and penetration testing

Organizational Measures

  • Data Minimization: We only collect data necessary for our service
  • Staff Training: All employees receive data protection training
  • Vendor Assessment: Third-party vendors are evaluated for GDPR compliance
  • Incident Response: Documented procedures for data breach response

4. International Data Transfers

ShutterLove is based in the United States. When you use our Service, your data may be transferred to and processed in the US.

We ensure adequate protection for international transfers through:

  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards with our processors
  • Supplementary Measures: Additional technical and organizational protections as needed

5. Data Retention

We retain your data only as long as necessary:

Data Type           | Retention Period
Uploaded Photos     | 30 days after order completion (auto-deleted)
Order Records       | 7 years (legal requirement)
Account Information | Until account deletion request
Analytics Data      | 26 months (anonymized thereafter)

6. Third-Party Processors

We work with carefully selected third-party processors who are GDPR compliant:

  • Stripe (Payment Processing): US-based, certified under the EU-US Data Privacy Framework
  • SendGrid (Email Delivery): US-based, uses SCCs for data transfers
  • Google Analytics: Analytics with IP anonymization enabled
  • Cloud Infrastructure: Enterprise-grade providers with SOC 2 and ISO 27001 certifications

7. Exercising Your Rights

To exercise any of your GDPR rights, you can:

Contact Our Privacy Team

Email: privacy@shutterlove.ai

We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

What to Include in Your Request

  • Your full name
  • Email address associated with your orders
  • The specific right you wish to exercise
  • Any additional details that may help us locate your data

8. Right to Lodge a Complaint

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with your local data protection authority.

We encourage you to contact us first at privacy@shutterlove.ai so we can address your concerns directly.

9. Updates to This Page

We may update this GDPR information page from time to time to reflect changes in our practices or legal requirements. We will post updates on this page with a revised "Last updated" date.