Privacy Policy

Last updated: 16 April 2026

This English version is provided for information only. Only the French version is legally binding.

Data controller: Charles d'Anthouard de Vraincourt, sole trader

SIRET: 942 207 580 00013

GDPR contact: snapspotparis@gmail.com

1. Introduction

This privacy policy describes how SnapSpot Paris (hereinafter "we", "our" or "the Platform") collects, uses, stores and protects your personal data when you use our service connecting clients and photographers.

We are committed to respecting your privacy in accordance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and the French Data Protection Act of 6 January 1978 as amended.

2. Data collected

2.1 Data you provide to us

Category	Data	Purpose
User account	First name, last name, email address, password (bcrypt-hashed)	Creation and management of your account
Profile picture	Uploaded image (optional)	Profile personalisation, display in the app
Bookings	Date, time, location, chosen pack, price	Performance of the service contract, history
Messages	Content of conversations between client and photographer	Communication between parties, moderation in case of dispute
Reviews	Rating (1-5), text comment	Service improvement, trust between users
Payment	Card details are processed directly by Stripe (we never store your card numbers)	Secure payment of services

2.2 Additional data for photographers

Category	Data	Purpose
Professional profile	Bio, specialties, languages, availability	Presentation to clients, search
Portfolio	Photographs, captions	Professional showcase
Posts (Snappies)	Photos, captions, tags, locations	Community feed, visibility

2.3 Data collected automatically

Session data: IP address, browser (User-Agent), date and time of connection — for account security and abuse prevention.
Session cookies: authentication cookie strictly necessary for the service to function (exempt from consent under CNIL guidelines).

We do not collect any geolocation data, and we do not use any advertising cookies or third-party analytics tools (no Google Analytics, no Meta Pixel).

3. Legal bases for processing

Processing	Legal basis (GDPR Art. 6)
Account creation, bookings, payment, communication	Performance of the contract (Art. 6.1.b)
Moderation of messages in case of dispute	Legitimate interest (Art. 6.1.f) — user safety and dispute resolution
Retention of invoices and accounting data	Legal obligation (Art. 6.1.c) — Art. L123-22 French Commercial Code (10 years)
Sending transactional emails (confirmation, reminder)	Performance of the contract (Art. 6.1.b)
Account security (IP, rate-limit, abuse detection)	Legitimate interest (Art. 6.1.f)

4. Moderation of conversations

In the event of a dispute, report or abusive behaviour, the SnapSpot Paris moderation team may access the messages exchanged between a client and a photographer in order to resolve the matter fairly.

This access is:

Limited to authorised administrators;
Strictly necessary to resolve the dispute;
Logged in our internal records (who accessed, when, why);
Based on our legitimate interest in ensuring safety and trust on the platform.

By registering, you accept this moderation possibility, which is essential for the proper functioning of the service.

5. Data recipients

Your personal data is accessible only to:

Charles d'Anthouard de Vraincourt (platform administrator);
Your counterparty in a booking (the client sees the photographer's name/profile and vice versa);

It is processed by the following sub-processors, acting on our behalf:

Sub-processor	Function	Location	DPA
Supabase Inc.	PostgreSQL database	EU-West-3 (Paris, France)	DPA
Stripe Inc.	Online payments	USA (SCC signed)	DPA
Cloudflare Inc.	File storage (R2), backups	USA / EU (SCC signed)	DPA
Hostinger International Ltd	Server hosting (VPS)	EU (Lithuania / France)	DPA
Google (Gmail SMTP)	Sending transactional emails	USA (SCC signed)	DPA

Sub-processors based in the United States have signed the European Commission's Standard Contractual Clauses (SCC), in accordance with article 46 of the GDPR, ensuring an adequate level of protection of your data.

6. Transfers outside the EU

Some data may be transferred outside the European Economic Area (EEA), exclusively to the sub-processors listed above. These transfers are governed by:

The Standard Contractual Clauses (SCC) approved by the European Commission;
The EU-US Data Privacy Framework for certified sub-processors.

7. Retention period

Data	Retention period	Justification
Active user account	As long as the account is active	Performance of the contract
Account after deletion	Anonymised immediately, accounting data kept 10 years	Art. L123-22 French Commercial Code
Messages	Deleted when the account is deleted	Right to erasure
Session data (IP, user-agent)	Until session expiry	Security
Invoices / bookings	10 years (anonymised if account deleted)	Legal accounting obligation
Encrypted backups (R2)	30-day rolling window	Disaster recovery

8. Your rights

In accordance with the GDPR, you have the following rights over your personal data:

Right of access (Art. 15): obtain a copy of all the data we hold about you. Available directly from your profile > "Download my data".
Right to rectification (Art. 16): correct inaccurate or incomplete data. Editable in your profile settings.
Right to erasure (Art. 17): request the deletion of your account and personal data. Available directly from your profile > "Delete my account".
Right to portability (Art. 20): receive your data in a structured, machine-readable format (JSON). Same button as the right of access.
Right to object (Art. 21): object to processing based on legitimate interest.
Right to restriction (Art. 18): request the suspension of the processing of your data in certain cases.

To exercise your rights, contact us at: snapspotparis@gmail.com

We will respond within a maximum of 30 days of receiving your request.

9. Data security

We implement the following technical and organisational measures to protect your data:

Encryption in transit (HTTPS/TLS on all communications);
Encryption at rest (Supabase database, Cloudflare R2 backups);
Password hashing (bcrypt, irreversible);
Rate-limiting against brute-force attacks;
HTTP security headers (Helmet.js: X-Frame-Options, X-Content-Type-Options, etc.);
Row Level Security (RLS) enabled on all database tables;
Administrator access restricted by role and authentication;
Automatic daily backups with 30-day retention.

10. Data breach

In the event of a personal data breach likely to create a risk to your rights and freedoms, we undertake to:

Notify the CNIL within 72 hours (Art. 33 GDPR);
Inform you as soon as possible if the risk is high (Art. 34 GDPR);
Take all necessary corrective measures.

11. Complaint

If you believe that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the CNIL:

Commission Nationale de l'Informatique et des Libertes (CNIL)

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

Website: www.cnil.fr

12. Changes

We may update this privacy policy at any time. In the event of a substantial change, we will inform you by email or in-app notification. The date of the last update appears at the top of this document.