Privacy Policy

1. Introduction

This Privacy Policy explains how ShootMySurf.com (“ShootMySurf”, “we”, “us”, “our”) collects, uses and protects personal data of users (“you”, “Users”) in connection with the use of the ShootMySurf platform (the “Platform”).

ShootMySurf operates an online marketplace where independent surf photographers (“Photographers”) can upload and sell digital photos to customers (“Customers”). We are committed to processing your personal data in accordance with applicable data protection laws, in particular the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

By using the Platform, you agree to this Privacy Policy. If you do not agree, you should not use the Platform.

2. Data Controller

The operator of the website www.shootmysurf.com (the “Platform”) and the controller of personal data is:

3. Information We Collect

3.1 Account Information (Photographers and Customers)

• Name and surname
• Email address
• Country of residence
• Username (if applicable)
• Password (stored in hashed form only)

3.2 Purchase Information (Customers)

• Email address used for the purchase
• Purchased Content details (album, date, time)
• Transaction amount and currency
• Partial payment information (e.g., last 4 digits of the card) provided by Stripe
• Date and time of purchase

We do not store full card numbers or CVV codes. These are processed directly by our payment provider (Stripe).

3.3 Payout and Banking Information (Photographers)

To process royalty payouts to Photographers, we may collect:

• IBAN (or equivalent bank account identifier)
• Account holder name
• Account holder address (registered address of the account owner)
• Bank name (if required for transfers)
• Payout history (amounts, dates, currencies)

These data are used solely to send payouts and to comply with legal obligations.

3.4 Content and Metadata

• Photos and other Content uploaded by Photographers
• Associated metadata (location, date, time, description)
• Internal IDs and links to cloud storage

3.5 Technical Data

• IP address
• Device type, operating system, browser
• Logs of access, login and basic usage of the Platform
• Cookie identifiers and similar technologies

3.6 Analytics Data

• Aggregated data about page views, clicks, time on page, conversion events
• Referrer (where you came from – social media, search, etc.)

4. How We Use Your Information

4.1 Operating the Platform

• To allow you to register an account and log in
• To enable Photographers to upload, manage and sell Content
• To allow Customers to browse, purchase, download and access Content

4.2 Processing Purchases (Customers)

• To process payments via Stripe
• To issue purchase confirmations and receipts
• To provide access to purchased Content (download links, emails)

4.3 Processing Royalty Payouts (Photographers)

We use payout and banking information (IBAN, account holder name and account holder address) to:

• send royalty payments to Photographers in accordance with the Terms of Use,
• verify that payout details belong to the correct person,
• comply with accounting, tax and financial regulations,
• keep internal records of payouts.

When Photographers request a payout, they confirm via the Platform that the payout details provided are true and belong to them.

4.4 Security and Fraud Prevention

• To monitor suspicious activity and prevent fraud or abuse
• To protect the Platform, our Users and our infrastructure
• To investigate misuse or violations of the Terms of Use

4.5 Legal and Accounting Obligations

• To comply with accounting, tax, anti-fraud and record-keeping laws
• To keep transaction and payout records for the legally required periods

4.6 Communication

• To respond to support requests and questions
• To send important notifications related to your account, security or changes to Terms/Policies

We do not send aggressive marketing spam; any optional marketing communication will be based on your consent and can be withdrawn at any time.

4.7 Analytics and Improvement

• To understand how the Platform is used
• To improve usability, performance and features
• To analyse which types of Content and campaigns perform best

5. Legal Bases for Processing (GDPR)

• Performance of a contract (Art. 6(1)(b) GDPR)
  For example, to create and manage your account, process purchases, deliver Content, and execute royalty payouts.
• Compliance with legal obligations (Art. 6(1)(c) GDPR)
  For example, to comply with accounting, tax and record-keeping laws and to cooperate with lawful requests by authorities.
• Legitimate interests (Art. 6(1)(f) GDPR)
  For example, to ensure security of the Platform, prevent fraud, maintain service quality and improve our products.
• Consent (Art. 6(1)(a) GDPR)
  For certain optional features (e.g. some cookies or marketing emails), we may rely on your consent which you can withdraw at any time.

6. Cookies and Similar Technologies

• enable basic Platform functionality (session cookies, login)
• remember your preferences (language, cookie choices)
• measure traffic and usage (analytics)

Where required by law, we will request your consent to non-essential cookies (such as analytics). You can manage your cookie preferences in your browser or via our cookie banner (if implemented).

7. Sharing of Personal Data

We do not sell your personal data. We may share personal data only with:

7.1 Payment Provider (Stripe)

We share limited information with Stripe to process payments and payouts. Stripe acts as an independent controller or processor, depending on the context. Stripe’s own privacy terms apply in addition to ours.

7.2 Banks and Payment Service Providers

For photographer payouts, we may share necessary data (such as IBAN and account holder name) with our bank or payment providers to execute SEPA or other transfers.

7.3 Cloud and Hosting Providers

We use third-party providers to host the Platform and store Content, backups and logs.

7.4 Analytics Providers

We use analytics tools (e.g. Google Analytics or similar) to understand how users interact with the Platform. These tools may place cookies and collect usage data in an anonymised or pseudonymised way.

7.5 Legal Compliance and Protection

We may disclose personal data if required to do so by law, court order or at the request of authorities, or to protect our rights, assets, Users or the public.

In all cases, we share only the minimum data necessary for the given purpose.

8. International Transfers

Some of our service providers (e.g. cloud or analytics) may be located outside the EU/EEA. In such cases, we ensure that appropriate safeguards are in place, such as:

• adequacy decisions by the European Commission, or
• standard contractual clauses (SCCs) approved by the European Commission.

9. Data Retention

We retain personal data only as long as necessary to fulfil the purposes described above or as required by law.

For example:

• Account data – for the duration of your account and for a reasonable period after closure (e.g. to resolve disputes).
• Purchase and payout records – up to 10 years, in line with accounting and tax obligations.
• Technical and analytics logs – for a shorter period, typically from several months up to 2 years, unless longer retention is required for security reasons.

After the retention period expires, data will be deleted or anonymised.

10. Your Rights (GDPR)

As a data subject, you have the following rights:

• Right of access – to know whether we process your data and to obtain a copy.
• Right to rectification – to correct inaccurate or incomplete data.
• Right to erasure – to request deletion of your data in certain cases.
• Right to restriction of processing – to limit how we use your data in specific situations.
• Right to data portability – to receive your data in a structured, commonly used format and to transmit it to another controller.
• Right to object – to object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent – where processing is based on consent, you can withdraw it at any time.

You can exercise your rights by contacting us at hello@shootmysurf.com. We may need to verify your identity before fulfilling your request.

You also have the right to lodge a complaint with your local supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of alleged infringement.

12. Third-Party Links

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any external sites you visit.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology or our services. The up-to-date version will always be available on the Platform, together with its effective date.

If changes are material, we will notify you via the Platform or by email where appropriate.