In addition to non-persistent cookies strictly necessary for the delivery of the service provided by this website (e.g. basket, authenticated login, ...), this website may also use "tracking cookies" through third-party services.
Such third parties include embedded content providers such as YouTube, and tracking cookies might be required for the delivery of some content on this website.
This website sets tracking cookies unless you decline them.
Data related to PhotoDeck members and visitors
PhotoDeck is Data Controller for data concerning our members (subscribers) and visitors.
Subscriber's personal data
We further distinguish data that we must legally keep for at least 10 years: account creation date (contract acceptance), first and last names, e-mail addresses, language, security information linked to logins (date and IP address, login failures), orders (including IP address), subscriptions, invoices and financial transactions. We also keep e-mail correspondence with our members and other contacts.
Other data is automatically deleted from the operational database when the grace period (up to 2 months) following the last subscription expires (contract termination): password (encrypted and salted), address book, payment details and preferences, carts, referral URLs and campaigns, affiliate links ...
These pieces of data are stored on servers located in OVH datacentres, in France, and are partially accessible by the contractor(s) we employ to provide technical support to our members.
We also occasionally send an email newsletter to our current and former members to keep them informed about our product's developments. For that, we require and record explicit consent, which is kept without time limit but is revocable (unsubscription) at any time.
Unidentifiable aggregate data
Aggregate data about the service (e.g. number of subscribers, usage rate of certain features, etc.) are produced and kept without duration limitation, but are neither linked nor linkable to identifiable individuals.
We also use Google Analytics for a global traffic analysis of our websites, without using features that would allow that data to be linked to identifiable individuals.
Members' websites' and clients' data
A PhotoDeck member is responsible (Data Controller) for his own (PhotoDeck-powered) website's data and for that website's clients' data.
PhotoDeck is then a subcontractor (Data Processor) in the GDPR sense: we process data on behalf of and under instruction from the member, and we don't use that data outside of the scope of the service contracted by that member.
In other words, the data of a member's website and customers belong exclusively to that member, who controls them fully.
This data includes, besides the member's images/video clips, website customization and configuration settings, any other personal data stored via the tools provided by PhotoDeck: for example, the customers' login credentials, carts, selections (lightboxes), orders, comments left on the website, IP address, physical addresses, etc.
This data is mainly stored on servers located in OVH datacentres, in France. The files imported by our members, as well as websites' static code parts, are stored on the Amazon cloud. The data is partly accessible by the contractor(s) we use to provide technical support to our members.
The data are transmitted to third parties, other than the subcontractors we use (and within the GDPR requirements), only upon instruction from the member (for example, order details transmitted to a lab for fulfillment).
The data is automatically deleted from our operational database at the end of the grace period (up to 2 months) following the last subscription (contract termination). The uploaded images, video clips and documents may be kept for an additional 2 months.
Our commitment to our members
we don't use their customers' data to our own benefit, nor collect data from their customers for any other purpose than serving our members
we maintain high data security standards and inform without undue delay of any identified data breach
we inform them of any new subcontractor that might process their data
we help them, via features in the PhotoDeck service, to conform with the applicable regulations, including the GDPR
A general database backup (excluding files uploaded by our members) is maintained at all times. This general backup is a contingency for a potential disastrous technical failure concerning the whole database, and is also meant to help analyse and repair a potential issue occurring progressively over time in the database. As it is a "low-level" backup, data in this backup file are not directly accessible or usable.
Each backup file is encrypted before being stored on the Amazon S3 Cloud (Ireland), and is kept for two years.
Subcontractors and data location
The main data is stored with OVH (France).
Static files (uploaded by our members, general backups, order delivery files...) are stored on the Amazon Cloud, in Ireland or in the USA, within the GDPR requirements, and/or with OVH.
Technical support to our members may be provided by a contractor, located in Europe or in the USA.
The security of physical access to the data, and to the servers and datacentres in which it is located, is guaranteed by OVH and Amazon, respectively.
PhotoDeck ensures remote access security by limiting access at several software layers, on a "prohibited if not explicitly allowed" basis. Administrative access to the servers and the overall database is limited to the strict minimum.
Members' and administrators' connections to the web service, from outside the datacentres, are secured (SSL encryption). Connections to the members' websites are also secured with SSL when personal data is transmitted (e.g. checkout pages, login, ...).
The general backups are encrypted before being stored with the cloud provider who ensures the physical security of the encrypted files. The decryption key is stored separately, offline.
The contractor(s) providing support to members have limited remote access, via a web interface secured with individual credentials.
Computer system security updates are performed as soon as possible following their release, thanks to the monitoring of specialized communication channels.