Zenfolio Privacy Notice
Last updated: November 17, 2020
SOME USEFUL DATA PRIVACY FACTS FROM YOUR FRIENDS AT ZENFOLIO
We’ve provided this Privacy Notice to help you understand how Zenfolio, Inc. (“Zenfolio,” “we,” “us,” or “our”) collects and uses personally-identifiable data and, for California residents, to inform them of the categories of personal information we collect and the purposes for which the categories of personal information will be used, as required under the California Consumer Privacy Act of 2018 (“CCPA”).
What does Zenfolio do?
Zenfolio offers two online platforms, one at www.zenfolio.com that allows photographers to exhibit, organize, print, sell, exchange, and share digital images, videos and related products, and the other at www.photobooker.com that allows photographers and their prospective customers to arrange photoshoots (such websites referred to collectively as the “Site” and the Site, together with the corresponding services, referred to as the “Services”).
Why does Zenfolio need personal information?
Operation of our Services necessarily requires the collection of “personal information,” which is defined in the CCPA broadly to include data that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household or device. The categories of personal information that we collect are listed below, but here are a few examples of why we need to collect personal information:
For example, in order to establish accounts for photographers at www.zenfolio.com, we need basic information about them, such as their names, addresses, phone numbers, email addresses, payment information and payout information. And in order to process orders, we collect similar information from the photographers’ customers, such as name, shipping address, email address, phone number and payment information.
As another example, when photographers and customers book photoshoots through photobooker.com, we collect their contact information, including names, email addresses, and phone numbers, in order to maintain the scheduling information for the photoshoot and to enable communications between the photographer and the customer.
We only collect personal information from you when you use our Services or interact with our customer support personnel. We don’t collect any personal information from any other source.
Also, we don’t sell your personal information. We use it only to enable the Services. Please note that we cannot provide the Services if you don’t allow us to use your personal information, so if you don’t like that your personal information will be used for that purpose, we can’t provide Services to you. By using our Services, you are expressly consenting to our use of your personal information for that purpose.
What categories of personal information does Zenfolio collect?
Below is a summary of the categories of personal information we may have collected from consumers within the last twelve (12) months and the main purpose for its collection. Please note that not all of the information identified below is collected from every end user.
|Category||Examples||General Business Purpose|
|To provide our Services and communicate with subscribers|
|Photographer financial information||Credit Card number|
|To provide our Services, to process transactions for our Services and for our photographer subscribers|
|Customer transaction information||Name|
|To provide our Services, to enable ecommerce transactions, to fulfill orders, and to communicate with customers|
|Photoshoot information||IP address|
|To provide our Services and to enable our photoshoot scheduling|
|Technical information||IP Address|
Social media contact info.
|To provide our Services, to enable logon sessions, to learn more about our visitors, and to improve our Services|
|To provide our Services and to provide support to our photographer subscribers and to customers|
|Sensitive personal information||Information about images uploaded by photographers, which may include facial recognition data. Photographers, not Zenfolio, control the use of facial recognition tools and the identification of facial recognition data to a name or identity of an individual.||For sorting or organizing photographs in a gallery.|
We will not collect additional categories of personal information from you or use it differently than as described unless we provide you with advance notice and obtain your consent.
What are other uses of personal information?
In addition to the uses described above, we may use or disclose the personal information we collect for one or more of the following business purposes:
- To fulfill or meet the reason for which the information is provided. For example, if you contact our customer support, we may use your email address to communicate with you about your support issue.
- To provide you with information, products or services that you request from us.
- To provide you with alerts and other notices concerning our products or services.
- To carry out our obligations and enforce our rights under the Zenfolio Terms of Service and/or Photobooker Terms of Service.
- For testing, research, analysis and product development to improve our Services.
- To protect the rights, property or safety of us, our subscribers or others and to respond to legal requests.
- As described to you when collecting your personal information or as otherwise set forth in the CCPA.
Is Zenfolio a “controller” or a “processor”?
How does Zenfolio work with third parties?
Zenfolio engages third parties to provide hosting, printing, transactional and other services. Those third parties, under contract with Zenfolio, provide (i) the backend, hosting, technology, and communications systems necessary for the Services to function (“Back End Providers”), (ii) print and order fulfillment providers that fulfill print orders for the Zenfolio Service and enable financial transactions (“Fulfillment Providers”); and (iii) analytics services and customer support platforms (“Service Providers”). We have contractual agreements with those third parties that require them to adhere to applicable data privacy and confidentiality requirements, including GDPR-specific addendums where applicable.
Where is the data held?
Zenfolio utilizes data centers in the United States, where all of our necessary systems are located. Some of our support programs leverage affiliated companies in the European Union (EU) to provide customer support, and those European-based customer support teams may have remote access to account information, but they do not store that information. Transfers of personal data to and among our affiliates are subject to terms of intercompany agreements governing the transfer of data to the United States and protection of that data under applicable law. Also, we require that you acknowledge and agree to allow us to transfer data to the United States, so if you’re not willing to provide that consent, you shouldn’t use our products and services.
What safeguards does Zenfolio utilize to protect data?
We take appropriate technical and organizational measures for our systems to comply with data privacy to ensure a level of data protection appropriate to the risk resulting from the processing of personal data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the severity and likelihood of realization of risks for the rights and freedoms of folks who’ve provided the data.
What are my rights as a California resident?
The CCPA provides California residents with specific rights regarding their personal information, as described below.
Opt Out of the Sale of Personal Information
The CCPA requires that we notify you of your right to opt out of the sale of your personal information. However, we don’t sell your personal information as contemplated under the CCPA, so there’s no need for you to opt out of the sale of your personal information.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Note that under the CCPA you may only make a verifiable consumer request for access or data portability twice within a 12-month period. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we sold or disclosed your personal information for a business purpose:
  - The categories of personal information that we’ve sold about you and the categories of third parties to whom the personal information was sold.
  - The categories of personal information that we disclosed for a business purpose.
For more information about the specific personal information we may have collected about you in the past 12 months, please send us an email request to do so at [email protected] or a written request at our office address set forth at the end of this notice.
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.
As discussed above, we can’t provide any Services to you without your personal information, so if you ask us to delete your personal information, we will have to terminate your accounts on our system and you will no longer be able to use the Services for their intended purpose.
If you still want us to delete your personal information, you have to send us a verifiable request for us to do so. To send a deletion request to us, please send us an email request to do so at [email protected] or a written request at our office address set forth at the end of this notice.
Please note that the CCPA includes a number of exceptions that allow us to retain your personal data despite your deletion request, so we may retain your personal data under those exceptions.
A note on verification
If you’ve sent us a request as noted above, we will need to verify who you are. We may be able to verify you via email or through your account with the Services if you’re a subscriber. However, if you’re not a subscriber or a customer, or if we don’t have sufficient data about you, we may not be able to verify who you are.
Also, where we act as a service provider to a photographer, we will pass on your verified request to the applicable photographer and will treat your personal information in compliance with our legal obligations to our photographers and under the CCPA.
What do I do if I have concerns about use of my data?
Attn: Legal Department – Privacy
3515-A Edison Way
Menlo Park, California 94025
Information We Collect: When you interact with us through the Services, we may collect Personal Data and other information from you, as further described below:
Personal Data That You Provide Through the Services: We collect Personal Data from you when you voluntarily provide such information, such as when you contact us with inquiries, register for access to the Services, purchase products, or use certain Services where Personal Data is required. Personal Data may include your name, address, email address, telephone number, and billing information, such as credit card numbers and billing address. We ask that in using our Services, you keep your information as up-to-date as possible, so please go to your Account to make any necessary changes.
You have a right to access the personal information held about you. You can obtain a copy of your personal information and request changes or deletion of your personal information and/or account by emailing us at [email protected]. For your protection, you may be required to provide proof of your identity before obtaining a copy of your personal information.
Individuals may have the right to limit the use and disclosure of their personal information as required by the Privacy Shield’s Principles, such as whether your personal information is disclosed to a third party or used for purposes materially different from the purpose for which the personal information was originally collected or subsequently authorized by you. If you wish to limit the use and disclosure of personal information in accordance with the Privacy Shield Principles, please contact us at [email protected].
Personal Data We Receive as a Processor: We may receive Personal Data about you from photographers who upload that data to our platform for use with certain features of our Services (“Processor Data”). Management of Processor Data is solely in the control of the applicable photographer, and our only use of Processor Data is to store it and to make it available to the applicable photographers as part of the Services provided to them. We require photographers to obtain your consent in order for us to use Processor Data as described above, and we comply with applicable laws as a processor in that regard. To exercise rights or choices with respect to Processor Data, please make your request directly to the applicable photographer for whom we process that data.
Non-Identifiable Data: When you interact with us through the Services, we receive and store certain personally non-identifiable information. Such information, which is collected passively using various technologies, cannot presently be used to specifically identify you. We may store such information itself or such information may be included in databases owned and maintained by our affiliates, agents or service providers, and is used as provided in our Terms of Service. The Services may use such information and pool it with other information to track, for example, the total number of visitors to our Site, the number of visitors to each page of our Site, and the domain names of our visitors’ Internet service providers. It is important to note that no Personal Data is available or used in this process.
Aggregated and Anonymized Personal Data: In an ongoing effort to better understand and serve the users of the Services, we often conduct research on our customer demographics, interests and behavior based on the Personal Data and other information provided to us. This research may be compiled and analyzed on an aggregate basis, and we may share this aggregate data with our affiliates, agents, business partners and customers. This aggregate information does not identify you personally. We may also disclose aggregated user statistics in order to describe our services to current and prospective business partners, and to other third parties for other lawful purposes.
Our Disclosure of Your Personal Data and Other Information: We are not in the business of selling your information. We consider this information to be a vital part of our relationship with you. There are, however, certain circumstances in which we may share your Personal Data with certain third parties without further notice to you, as set forth below:
Business Transfers: As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Data may be part of the transferred assets.
Agents, Photographers, Consultants and Related Third Parties: We, like many businesses, sometimes hire other companies to perform certain business-related functions. Examples of such functions include mailing information, order processing and fulfillment, maintaining databases and processing payments. When we employ another entity to perform a function of this nature, we only provide them with the information that they need to perform their specific function. And when we fulfill orders, we may share that order information with the applicable photographer.
Legal Requirements: We may disclose your Personal Data if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend our rights or property, (iii) act in urgent circumstances to protect the personal safety of users of the Services or the public, or (iv) protect against legal liability.
You can visit the Site without providing any Personal Data. If you choose not to provide any Personal Data, you may not be able to use certain Services.
Integrating Social Networking Services: You may wish to share information and activities from the Services with social media platforms. To utilize social media sharing features, you will be prompted to grant permissions within those platforms, as you choose. For Facebook updates, you will need to allow account login and publishing permissions. This enables you to: post questions and content to a feed, upload photos/videos, add likes and comments, create notes and post to events and groups. However, please remember that the manner in which social networking services use, store and disclose your information is governed by the policies of such third parties, and we shall have no liability or responsibility for the privacy practices or other actions of any social networking services that may be enabled within the Services.
Security: Zenfolio uses standard industry security practices to protect your personal information including Secure Sockets Layer (SSL) transmission technology for all sensitive information exchanges. This technology encrypts information you send us to avoid it being intercepted before reaching our secure HTTPS servers. We follow generally accepted industry standards, including physical, electronic and managerial safeguards to protect the Personal Data submitted to us from unauthorized access or disclosure. These safeguards are regularly reviewed to protect against unauthorized access, disclosure and improper use of your information, and to maintain the accuracy and integrity of that data. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. We assume no liability for any disclosure of data due to errors in transmission, unauthorized third-party access, or other acts of third parties.
In compliance with the Privacy Shield Principles, we commit to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact us at: [email protected]. As noted above, for issues regarding Processor Data, you should contact the applicable photographer. However, if the photographer does not timely address your concerns, please contact us at: [email protected] with details about your issue.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact JAMS, our U.S.-based third party dispute resolution provider (free of charge), at https://www.jamsadr.com/eu-us-privacy-shield.
If you have a Privacy Shield complaint that cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
Last updated: March 30, 2020