Table of contents
- Overview
- Where is GotPhoto data stored?
- How does GotPhoto comply with privacy regulations?
- What security measures protect customer data?
- What personal data does GotPhoto process?
- Who is the Controller and who is the Processor?
- Does GotPhoto own your photos?
- What happens in case of a data breach?
- How long does GotPhoto retain data?
- What privacy rights do you have?
- Where can I find GotPhoto’s data processing agreement (DPA)?
- Where can I access additional GotPhoto privacy documentation?
- FAQs
- The takeaway
Overview
Use this article when a school, league, or organization asks you for official information about GotPhoto’s data protection, data storage, or legal compliance. You can copy and share the links below directly with your contacts. This information explains where GotPhoto stores data, which regulations apply, and how customer data is protected.
For any privacy-related questions, contact privacy@gotphoto.com.
For a comprehensive overview of GotPhoto's privacy commitments, data storage practices, and security standards, share this link directly with schools or organizations: https://www.gotphoto.com/privacy-data-handling. This page includes details on where data is stored, who has access, SOC 2 compliance, and a full Privacy & Data Processing FAQ.
Where is GotPhoto data stored?
Understand where GotPhoto hosts data and under which jurisdiction it falls.
- Server location: GotPhoto securely stores all data on Amazon Web Services (AWS) servers located in Frankfurt, Germany, within the European Union (EU). The specific services used include AWS Aurora and DynamoDB for secure database storage.
- Data warehouse: GotPhoto uses Snowflake as an encrypted data warehouse, also based in the European Union (Frankfurt, Germany).
- Jurisdiction: Because the servers are located in the EU, all stored data is subject to EU jurisdiction.
- Encryption and data separation: GotPhoto applies encryption, access controls, and logical data separation to all stored data.
- International data transfers: Data may also be processed in the United States, Germany, the EU/EEA, and other jurisdictions with appropriate legal safeguards in place.
This ensures consistent handling of data under EU legal and regulatory standards.
How does GotPhoto comply with privacy regulations?
Review the legal frameworks that govern GotPhoto’s data processing practices.
- GDPR compliance: GotPhoto fully complies with the EU’s General Data Protection Regulation (GDPR), one of the world’s strictest data protection laws.
- Market-specific policies: Compliance details differ by region and are documented in dedicated GotPhoto privacy policies.
- No sale of personal data: GotPhoto does not sell personal data for money. Where certain analytics or advertising technologies may legally qualify as “sharing” under U.S. state laws, GotPhoto provides opt-out mechanisms via its preference management system.
- No automated decision-making: GotPhoto does not use automated decision-making that produces legal or similarly significant effects (e.g., credit, employment, or insurance decisions).
Access official GotPhoto privacy policies here:
These documents are also available:
- In the footer of your GotPhoto admin area
- On the GotPhoto Trust Center
What security measures protect customer data?
Learn how GotPhoto safeguards sensitive information.
- SOC 2 compliance: GotPhoto is SOC 2 compliant. GotPhoto aligns its infrastructure and internal controls with the SOC 2 framework, a widely recognized standard for data security, availability, and confidentiality. This means GotPhoto implements robust safeguards, strict access controls, and structured security processes designed to protect the personal data processed within the platform.
- Technical and organizational measures (TOMs): GotPhoto applies comprehensive Technical and Organizational Measures (TOMs) to protect confidentiality, integrity, and availability of data.
- Access controls: Access to data is strictly limited to authorized GotPhoto personnel and carefully selected subprocessors — only where necessary to operate, support, and secure the platform. All parties are bound by confidentiality and data protection obligations.
Specific security measures include:
- Secure cloud infrastructure
- Logical separation of customer data
- Access controls and authentication
- Encryption
- Confidentiality obligations for staff
- Ongoing security monitoring
- Vulnerability detection
- Secure deletion procedures
- Cloud security monitoring systems to detect vulnerabilities and prevent data exposure
Review detailed documentation here:
- GotPhoto Privacy & Data Handling page (US & Canada overview)
- GotPhoto Technical and Organizational Measures (TOMs) USA
The GotPhoto Trust Center provides additional details on product security, data security, network security, app security, endpoint security, and corporate security.
What personal data does GotPhoto process?
Understand the types of personal data that GotPhoto may process depending on your use of the platform.
A) Studio Account Data
- Name, email, phone
- Studio/shop details
- Billing and payment information
- Account activity
B) Job & Customer Data (processed on your behalf)
- Photos of individuals
- First and last names
- Class/group/teacher information
- Contact details
- Order and shipping details
- Payment information
- Online shop usage data
This data is uploaded by you or entered by your customers.
C) Technical & Website Data
When you use the GotPhoto website or admin system, the following may be collected:
- IP address (anonymized where applicable)
- Browser/device information
- Operating system
- Session and usage data
- Interaction events (clicks, visits)
GotPhoto processes personal data to operate and secure the platform, host password-protected galleries, process and fulfill orders, enable automatic photo sorting, send important notifications, provide support, improve system performance, and offer product updates and training resources. GotPhoto does not process data for unrelated purposes.
Who is the Controller and who is the Processor?
Your role depends on how you collect the data:
If you collect data directly from parents or individuals:
- You are the Controller (you determine the purpose and means of processing).
- GotPhoto acts as your Processor.
If you receive data from a school/nursery under their agreement:
- The school is the Controller.
- You are the Processor.
- GotPhoto acts as your Subprocessor.
In all cases, GotPhoto processes personal data strictly under the Principal Contract with you. GotPhoto processes personal data only as contractually agreed, only based on your documented instructions, or where legally required. If GotPhoto believes an instruction violates the law, it will notify you.
Your responsibilities as the Studio: You are responsible for determining whether processing is lawful, obtaining valid consent (especially for minors), providing required notices to individuals, ensuring you have authority to share data with GotPhoto, and (if acting as a processor) ensuring authorization to engage subprocessors.
Does GotPhoto own your photos?
No. GotPhoto does not claim ownership of the photos you upload to the platform and does not acquire any ownership rights in them.
As the photographer, you control the photos and the related customer data you upload. GotPhoto processes that data solely on your behalf in order to provide the services you signed up for.
To operate the platform, you grant GotPhoto a worldwide, non-exclusive, royalty-free license to use your photos only as necessary to provide services. This includes:
- Securely storing your photos
- Creating thumbnails and previews
- Reproducing images for prints and photo products
- Adjusting or formatting files for production
- Displaying images in online galleries (including password-protected galleries)
- Processing and fulfilling customer orders
This license is strictly limited to operating and delivering the GotPhoto services. GotPhoto does not use your photos for unrelated purposes and does not sell or commercialize your photos outside of fulfilling orders and providing the platform.
What happens in case of a data breach?
If a data security breach occurs involving personal data, GotPhoto will:
- Inform you without undue delay
- Provide the relevant details available
- Assist you with regulatory reporting obligations (to the extent required by law)
How long does GotPhoto retain data?
GotPhoto retains personal data:
- For the duration of the Principal Contract
- As required for legal, accounting, tax, or contractual obligations
- Typically between 3 and 7 years, depending on legal requirements
Upon termination or request:
- GotPhoto deletes personal data processed on your behalf
- Subprocessors are required to delete or return data
- Residual copies are destroyed in a non-recoverable manner
GotPhoto may retain limited documentation where legally required.
What privacy rights do you have?
Depending on your jurisdiction, you may have rights to:
- Access your data
- Correct inaccuracies
- Request deletion (subject to legal exceptions)
- Request portability
- Opt out of sale/sharing (where applicable)
- Appeal denied requests
To exercise your rights, contact: privacy@gotphoto.com
If a parent, student, or customer contacts GotPhoto directly about access, correction, deletion, “Do Not Sell” requests, or unsubscribe requests, GotPhoto will direct them back to you (the Studio), notify you of the request, and act only based on your instructions. GotPhoto does not independently decide how to respond to individual rights requests unless legally required.
Where can I find GotPhoto’s data processing agreement (DPA)?
Access the applicable GotPhoto Data Processing Agreement (DPA) for your region and share it with schools or organizations if requested.
- GotPhoto Data Processing Agreement (US)
- GotPhoto Data Processing Agreement (Canada)
- GotPhoto Data Processing Agreement (UK)
When you create an account and accept GotPhoto’s Terms & Conditions, you also enter into a Data Processing Agreement (DPA). Together with the Privacy Notice, this governs how GotPhoto handles personal data in connection with the platform.
Where can I access additional GotPhoto privacy documentation?
Use these official GotPhoto resources for complete transparency and compliance reference:
- GotPhoto Trust Center
- Privacy Policy (UK version); Privacy Policy (US & Canada version)
- GotPhoto Privacy & Data Handling overview
- GotPhoto Technical and Organizational Measures (TOMs)
These pages provide detailed explanations of compliance standards, infrastructure, and data protection practices.
FAQs
Can I share this information directly with schools?
Yes. You can copy the links in this article and send them directly to schools, leagues, or organizations that request official compliance documentation.
Is GotPhoto GDPR compliant?
Yes. GotPhoto fully complies with the EU General Data Protection Regulation (GDPR). All data is handled in accordance with EU data protection standards.
Where are GotPhoto servers located?
All data is securely stored on Amazon Web Services (AWS) servers located in Frankfurt, Germany, within the European Union.
Is GotPhoto SOC 2 compliant?
Yes. GotPhoto is SOC 2 compliant and applies strict technical and organizational security controls.
Does GotPhoto sell personal data?
No. GotPhoto does not sell personal data for money. Where certain analytics or advertising technologies may legally qualify as “sharing” under U.S. state laws, GotPhoto provides opt-out mechanisms via its preference management system.
Does GotPhoto own the photos I upload?
No. GotPhoto does not claim ownership of the photos you upload. You retain control of your photos and customer data. GotPhoto only uses your photos as necessary to provide the platform services.
How long does GotPhoto retain my data?
GotPhoto retains personal data for the duration of the contract and as required by legal, accounting, or tax obligations — typically between 3–7 years. Upon termination or request, data is deleted in a non-recoverable manner.
What happens if a parent contacts GotPhoto directly about their data?
GotPhoto will redirect them to you (the Studio), notify you of the request, and act only based on your instructions.
Where can I download GotPhoto’s Data Processing Agreement (DPA)?
You can download the region-specific GotPhoto DPA here:
How can I contact GotPhoto about privacy?
For any privacy-related questions, contact privacy@gotphoto.com.
The takeaway
If a school or organization requests data protection documentation, share the relevant GotPhoto links from this article. Additionally, ensure you publish your own Privacy Notice in your shop. Confirm it accurately reflects your services and data collection practices. Always follow applicable local data privacy regulations and consult legal counsel if you are unsure about your obligations.