What is the General Data Protection Regulation (GDPR)?

GDPR

The General Data Protection Regulation is a privacy legislation that replaced the 95/46/EC Directive on Data Protection of 24 October 1995 on May 25, 2018. GDPR lays out specific requirements for businesses and organizations who are established in Europe or who serve users in Europe. The GDPR:

  • Regulates how businesses can collect, use, and store personal data
  • Builds upon current documentation and reporting requirements to increase accountability
  • Authorizes fines on businesses who fail to meet its requirements

Our Commitment to the GDPR

Our team at PhotoPrism UG ("PhotoPrism", "we" or "us") supports initiatives that prioritize and improve the security and privacy of our customers' personal data. We want you to feel secure as a customer when using our services in light of GDPR requirements. When you partner with us, we support your GDPR compliance efforts by:

  • Committing in our contracts to comply with the GDPR with respect to the processing of customer personal data in all of our apps and services
  • Offering additional security features that can help you better protect the most sensitive personal data
  • Provide documentation and resources to help you evaluate our services in terms of data privacy
  • Continually evolve our capabilities as the regulatory environment changes

We have created this GDPR Compliance Statement to explain our approach to implementing our GDPR compliance program. It describes how we implement our data protection tasks, policies, procedures, controls and measures to ensure ongoing compliance with the GDPR.

GDPR Principles

PhotoPrism takes the privacy and security of individuals and their personal information very seriously. Our principles for processing personal information are:

  • We will process all personal information fairly and lawfully
  • We will only process personal information for specified and lawful purposes
  • Where practical, we will keep personal information up to date
  • We will not keep personal information for longer than is necessary

Your personal data may only be used and disclosed when necessary to:

  • Respond to your requests, validate and verify service requests, and provide the requested services
  • Let you know about upcoming changes or improvements to our services
  • Notify you of suspicious activity, quota limits, or other issues related to your account
  • Protect our rights, property or safety, our users and the public
  • Comply with applicable laws, regulations, legal process, or governmental requests
  • Enforce our Privacy Policy and Terms of Service, including investigating potential violations
  • Detect, prevent, or otherwise address fraud, security, or technical issues, including prevention of spam/malware

Data Subjects Rights under GDPR

If you are a resident of the European Economic Area (includes the EU, Iceland, Liechtenstein, and Norway), you have the following data protection rights:

(a) If you wish to access, correct, update or request deletion of your personal information, you may do so at any time by sending an email to privacy@photoprism.app with the necessary information to identify your personal records, such as the email address you registered with.

(b) You may also contact us by email to object to the processing of your personal data, to request the restriction of the processing of your personal data or to request the portability of your personal data.

(c) If you have signed up to receive newsletters and/or general product notifications, you can unsubscribe at any time. To do so, click the "unsubscribe" or "opt-out" link in the emails you receive. Even if you opt out, we may continue to contact you if there are problems with your customer account, such as failed transactions, and to provide the services you have requested, help you resolve problems, answer questions, comply with applicable laws and regulations, and for similar purposes.

(d) Even if we have collected and processed your personal data with your consent, you may withdraw your consent at any time. Withdrawal of your consent will not affect the lawfulness of the processing carried out by us prior to your withdrawal, nor will it affect the processing of your personal data carried out on the basis of lawful grounds for processing other than consent. Data required for billing, tax or other legal purposes will be retained for as long as required by law.

(e) When personal data is deleted from our systems, the data may still be present in backup copies. This is to better serve our customers in case someone has accidentally deleted their account, or for disaster recovery purposes. The backup copies are kept secure and isolated from any further processing. They are completely deleted when the retention period has expired.

(f) You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority.

Requests for a copy, update and/or deletion of data will be honored within 14 days after we have received the information necessary to identify your personal data, with the exceptions noted above.

GDPR Compliance Plan

Here's an overview of our steps that we are taking to ensure compliance with GDPR at PhotoPrism:

  • We conducted a data mapping inventory and analysis of collected personal information in our systems and records
  • We have established procedures and policies to restrict processing of personal information
  • We have updated our procedures for data breaches and incident responses
  • We have updated our company’s Privacy Policy, Terms of Service, and Security Policy
  • We have reviewed all processing activities to identify the legal basis for processing personal information and to ensure that each basis is appropriate for the activity it relates to

Questions?

You may contact us at privacy@photoprism.app if you have any questions about this GDPR Compliance Statement, our Privacy Policy, our practices, or other privacy-related topics. Visit photoprism.app/contact to view our full contact information as required by law. We do our best to respond within five business days or less.