Privacy Policy & Cookie Policy
Last updated: 11 June 2026
1. Data Controller
The data controller for headshotqueue.com is:
TimmiStudio di VD
Trading as PortraitDesk / Headshot Queue
Italy
Email: info@headshotqueue.com
For any questions relating to this policy or to exercise your rights, contact us at the email above.
2. Data We Collect
2.1 Data you provide directly
- Account registration: name, email address, password (hashed), studio name.
- Payment: billing name and email. Card details are processed directly by Stripe and never stored on our servers.
- Support enquiries: any information you include when contacting us by email.
2.2 Data collected automatically
- Usage data: pages visited, time on page, referring URL, browser type, operating system, screen resolution, approximate geographic location (country/city level) — collected via Google Analytics 4.
- Cookies and similar technologies: see the Cookie Policy section below.
- Server logs: IP address, request timestamp, HTTP status code. Retained for 30 days for security purposes.
2.3 Data about your clients (photographers only)
If you are a photographer using the platform, you may upload or collect data about your own clients (names, email addresses, photographs, booking details). In this context you are the data controller for your clients' data and we act as a data processor on your behalf. We process this data solely to provide the platform service and never use it for our own purposes.
If you use the Sales Console feature, we also store client purchase records (product type, quantity, price, Stripe session ID, payment status) on your behalf. These records are visible to you in the Sales Console and are deleted when the associated job data is deleted.
3. Legal Basis for Processing
- Contract performance (Art. 6(1)(b) GDPR): processing your account and payment data to provide the service you subscribed to.
- Legitimate interests (Art. 6(1)(f) GDPR): server log retention for security and fraud prevention.
- Consent (Art. 6(1)(a) GDPR): analytics and non-essential cookies, collected only after you accept via the cookie consent banner.
- Legal obligation (Art. 6(1)(c) GDPR): retaining transaction records as required by Italian fiscal law.
4. How We Use Your Data
- To create and manage your account.
- To process payments and send transaction receipts.
- To operate, maintain and improve the platform.
- To send transactional emails (gallery notifications, password resets). We do not send marketing emails without explicit opt-in.
- To measure and analyse platform usage (only with your consent).
- To detect, investigate and prevent security incidents and abuse.
- To comply with legal obligations.
5. Third-Party Services
We share data with the following third parties to operate the platform. We do not sell your data to any third party.
5.1 Stripe
Payment processing. When you subscribe, you are redirected to Stripe's secure payment form. Stripe collects and processes your card data under their own privacy policy. We receive a payment confirmation and customer reference only. Stripe is certified to PCI DSS Level 1.
Privacy policy: stripe.com/privacy
5.2 Stripe Connect
If you use the Sales Console, you connect your own Stripe account via Stripe Connect. When your clients make purchases, their payment data is processed directly by Stripe under Stripe's own privacy policy. We receive only payment confirmation metadata (session ID, status) — we never receive card details or funds. Stripe acts as an independent data controller for payment processing.
Privacy policy: stripe.com/privacy
5.3 Google Analytics 4 (via Google Tag Manager)
Used to analyse website traffic and user behaviour — only when you have given consent. Google may process data in the United States. We have enabled IP anonymisation and do not use Google Analytics advertising features.
Privacy policy: policies.google.com/privacy
Opt out: Google Analytics Opt-out Browser Add-on
5.4 Google Tag Manager
A tag management system that loads analytics scripts on our pages — only after consent is given. GTM itself does not collect personal data independently.
Privacy policy: policies.google.com/privacy
5.5 Google Fonts
We load the DM Sans typeface from Google Fonts. When your browser requests the font file, your IP address is transmitted to Google's servers. We use the standard Google Fonts API with display=swap.
Privacy policy: policies.google.com/privacy
5.6 Hosting provider
The platform is hosted on a server based in the European Union. The hosting provider processes server access logs containing IP addresses for security purposes.
6. Data Retention
- Account data: retained for the duration of your account and for 2 years after account deletion, to comply with legal obligations.
- Payment records: retained for 10 years as required by Italian fiscal law.
- Client data uploaded by photographers: deleted within 30 days of account deletion or on written request.
- Analytics data: retained for 14 months in Google Analytics, then automatically deleted.
- Server logs: retained for 30 days.
- Consent records: retained for 3 years as evidence of consent.
7. Your Rights Under GDPR
As a data subject in the EU you have the following rights. To exercise any of them, contact us at info@headshotqueue.com. We will respond within 30 days.
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate data.
- Right to erasure (Art. 17): request deletion of your data where there is no legal obligation to retain it.
- Right to restriction (Art. 18): request that we limit how we use your data.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests.
- Right to withdraw consent: withdraw consent for analytics cookies at any time via the cookie settings link in the footer.
- Right to lodge a complaint: you may lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at garanteprivacy.it.
8. International Data Transfers
Google Analytics and Google Tag Manager may transfer data to the United States. These transfers are made under the EU-US Data Privacy Framework and Google's Standard Contractual Clauses, which provide appropriate safeguards under Art. 46 GDPR. Stripe operates under Standard Contractual Clauses for any transfers outside the EEA.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- HTTPS encryption on all pages (TLS 1.2+).
- Passwords stored as bcrypt hashes — never in plain text.
- Payment card data never stored on our servers — handled entirely by Stripe.
- Access to production systems limited to authorised personnel only.
- Regular security reviews and dependency updates.
No method of transmission over the internet is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.
10. Cookie Policy
Cookies are small text files stored on your device by your browser. Below is a full list of cookies used on headshotqueue.com.
10.1 Strictly necessary cookies
These cookies are required for the platform to function. They do not require consent under GDPR.
| Cookie name | Provider | Purpose | Duration |
|---|---|---|---|
| PHPSESSID | Headshot Queue | Maintains your login session. Without this cookie the platform cannot identify you between page loads. | Session (deleted when browser closes) |
10.2 Analytics cookies (require consent)
These cookies are only set after you accept analytics cookies via the consent banner.
| Cookie name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique users by assigning a randomly generated number as a client identifier. | 2 years |
| _ga_* | Google Analytics 4 | Used to persist session state for GA4. | 2 years |
| _gid | Google Analytics | Distinguishes users. Used to throttle request rate. | 24 hours |
10.3 Managing and withdrawing consent
You can change your cookie preferences at any time by clicking "Cookie settings" in the footer of any page. You can also refuse or delete cookies through your browser settings — note that refusing strictly necessary cookies will prevent you from using the platform.
11. Changes to This Policy
We may update this policy from time to time to reflect changes in our practices or applicable law. When we make material changes we will update the effective date at the top of this page. We encourage you to review this policy periodically. Continued use of the platform after changes constitutes acceptance of the updated policy.
12. Contact
For any questions about this policy or to exercise your rights:
TimmiStudio di VD (trading as Headshot Queue / PortraitDesk)
Italy
info@headshotqueue.com
We aim to respond to all requests within 30 days. For complex requests we may extend this by a further two months, in which case we will inform you of the extension within the first 30 days.