(as of 21.02.2023)
We take the protection of personal data very seriously and comply with the relevant legal regulations. The following declaration informs you about what type of personal data is collected by us as the responsible body on this website and for what purpose, and to what extent this data is made accessible to third parties.
Portraitbox GmbH
Am Steinhof 4a
33106 Paderborn, Germany
David Wendt (CEO)
Email: office@heyphoto.com (No support requests)
Phone: +49 5254 9478080
2.1. This privacy policy explains the nature, scope and purpose of the processing of personal data within our online offering and the associated websites, functions and content (hereinafter collectively referred to as "online offering" or "website"). The privacy policy applies regardless of the domains, systems, platforms and devices (e.g. desktop or mobile) on which the online offer is executed.
2.2. We refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR) for the terms used, such as "personal data" or their "processing".
2.3. The personal data of users processed within the scope of this online offering includes inventory data (e.g., names and addresses of customers), contract data (e.g., services used, names of contact persons, payment information), usage data (e.g., the websites visited within our online offering, interest in our products) and content data (e.g., entries in the contact form).
2.4. The term "user" encompasses all categories of persons affected by data processing. These include our business partners, customers, interested parties, and other visitors to our online offering. The terms used, such as "user," are to be understood as gender-neutral.
2.5. We process users' personal data only in compliance with the relevant data protection regulations. This means that user data will only be processed if we have legal permission to do so. This applies in particular if data processing is necessary for the performance of our contractual services (e.g., processing orders) and online services, or if it is required by law, if we have obtained the user's consent, or if it is necessary for our legitimate interests (i.e., interest in the analysis, optimization, and economic operation and security of our online offering within the meaning of Art. 6 para. 1 lit. f. GDPR, in particular for the measurement of reach, the creation of profiles for advertising and marketing purposes, and the collection of access data and the use of third-party services).
2.6. We would like to point out that the legal basis for consent is Art. 6 para. 1 lit. a. and Art. 7 GDPR, the legal basis for processing for the fulfillment of our services and the implementation of contractual measures is Art. 6 para. 1 lit. b. GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c. GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 para. 1 lit. f. GDPR.
3.1. We take organizational, contractual, and technical security measures in accordance with the state of the art to ensure that the provisions of data protection laws are observed and to protect the data processed by us against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons.
3.2. Security measures include, in particular, the encrypted transmission of data between your browser and our server. Customers with a white label function, i.e., who use their own domain, can order an SSL certificate to encrypt their websites. If customers with a white label function do not order an SSL certificate, data transmission on these pages will be unencrypted.
4.1. Data will only be passed on to third parties within the scope of legal requirements. We only pass on user data to third parties if this is necessary, for example, on the basis of Art. 6 (1) lit. b) GDPR for contractual purposes or on the basis of legitimate interests pursuant to Art. 6 (1) lit. f) GDPR for the economic and effective operation of our business.
4.2. If we use subcontractors to provide our services, we will take appropriate legal precautions and implement appropriate technical and organizational measures to ensure that personal data is protected in accordance with the relevant legal provisions.
4.3. If content, tools, or other resources from other providers (hereinafter collectively referred to as "third-party providers") are used within the scope of this privacy policy and their registered office is located in a third country, it must be assumed that data will be transferred to the third-party providers' countries of residence. Third countries are countries in which the GDPR is not directly applicable, i.e. countries outside the EU or the European Economic Area. Data is transferred to third countries either if an adequate level of data protection is ensured, if the user has given their consent or if there is other legal permission to do so.
5.1. We process inventory data (e.g., names and addresses as well as contact details of users), contract data (e.g., services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 para. 1 lit. b. GDPR.
5.2. Users may optionally create a user account, which allows them to view their orders in particular. The required mandatory information will be communicated to users during registration. If users have terminated their user account, their data will be deleted with regard to the user account, subject to retention for commercial or tax reasons in accordance with Art. 6 (1) lit. c GDPR. It is the responsibility of users to back up their data before the end of the contract upon termination. We are entitled to irretrievably delete all user data stored during the term of the contract.
5.3. When you register, log in again, or use our online services, we store your IP address and the time of the respective user action. This data is stored on the basis of our legitimate interests and the user's interests in protection against misuse and other unauthorized use. This data will not be passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 para. 1 lit. c GDPR.
5.4. We process usage data (e.g., the websites visited on our online offering, interest in our products) and content data (e.g., entries in the contact form or user profile) for advertising purposes in a user profile in order to display product information to the user based on the services they have used in the past.
6.1. When contacting us (via contact form or email), the user's details will be processed for the purpose of processing the contact request and its handling in accordance with Art. 6 para. 1 lit. b) GDPR.
6.2. The user's information may be stored in our CRM system or a comparable inquiry organization system.
6.3. Contact inquiries will be deleted after 12 months at the latest.
7.1. When users leave comments or other contributions, their IP addresses are stored for seven days based on our legitimate interests within the meaning of Art. 6 (1) lit. f. GDPR.
7.2. This is done for our security in case someone leaves illegal content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we ourselves may be prosecuted for the comment or post and are therefore interested in the identity of the author.
8.1. Based on our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR, we collect data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, the file accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider.
8.2. Log file information is stored for security reasons (e.g., to investigate misuse or fraud) for a maximum period of seven days and then deleted. Data that must be retained for further storage for evidence purposes is excluded from deletion until the respective incident has been finally clarified.
9.1. Cookies are pieces of information that are transferred from our web server or third-party web servers to users' web browsers and stored there for later retrieval. Cookies can be small files or other types of information storage.
9.2. We use "session cookies," which are only stored for the duration of your visit to our website (e.g., to store your login status or shopping cart function and thus enable you to use our online offering). A randomly generated unique identification number, known as a session ID, is stored in a session cookie. A cookie also contains information about its origin and storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offering and, for example, log out or close your browser.
9.3. Users are informed about the use of cookies for pseudonymous reach measurement in this privacy policy.
9.4. If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in their browser settings. Stored cookies can be deleted in the browser settings. The exclusion of cookies may lead to functional restrictions of this online offer.
9.5. You can opt out of cookies used for reach measurement and advertising purposes via the deactivation page of the Network Advertising Initiative (https://optout.networkadvertising.org/?c=1) and additionally the US website (https://optout.aboutads.info/?c=2&lang=EN) or the European website (https://www.youronlinechoices.com/uk/your-ad-choices).
10.1. Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 para. 1 lit. f. GDPR), we use Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google uses cookies. The information generated by the cookie about the use of the online offer by the users is usually transferred to a Google server in the USA and stored there.
10.2. Google is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
10.3. Google will use this information on our behalf to evaluate the use of our online offering by users, to compile reports on activities within this online offering, and to provide us with further services related to the use of this online offering and the Internet. Pseudonymous user profiles may be created from the processed data.
10.4. We use Google Analytics to display ads placed within Google's advertising services and those of its partners only to users who have shown an interest in our online offering or who have certain characteristics (e.g. interest in certain topics or products determined on the basis of the websites visited) that we transmit to Google (so-called "remarketing" or "Google Analytics audiences"). With the help of remarketing audiences, we also want to ensure that our ads correspond to the potential interests of users and do not appear annoying.
10.5. We only use Google Analytics with IP anonymization enabled. This means that the IP address of users is shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the US and shortened there.
10.6. The IP address transmitted by the user's browser is not merged with other data from Google. Users can prevent the storage of cookies by adjusting their browser software settings accordingly; users can also prevent Google from collecting the data generated by the cookie and relating to their use of the online offer and from processing this data by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
10.7. Further information on data use by Google, settings and options for objection can be found on Google's websites: https://policies.google.com/technologies/partner-sites?hl=de ("Google's use of data when you use our partners' websites or apps"), https://policies.google.com/technologies/ads ("Data use for advertising purposes"), https://adssettings.google.de/authenticated ("Manage information that Google uses to show you ads").
11.1. Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 para. 1 lit. f. GDPR), we use the marketing and remarketing services (hereinafter referred to as "Google Marketing Services") of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
11.2. Google is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
11.3. Google Marketing Services allow us to display advertisements for and on our website in a more targeted manner in order to present users only with advertisements that are potentially relevant to their interests. If, for example, a user is shown advertisements for products that they have previously viewed on other websites, this is referred to as “remarketing.” For these purposes, when you visit our website and other websites on which Google Marketing Services are active, a code from Google is executed directly by Google and so-called (re)marketing tags (invisible graphics or code, also known as “web beacons”) are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies may also be used instead of cookies). The cookies may be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. This file records which websites the user has visited, which content they are interested in and which offers they have clicked on, as well as technical information about the browser and operating system, referring websites, visit time and other information about the use of the online offer. The IP address of the user is also recorded, whereby we declare within the framework of Google Analytics that the IP address will be truncated within member states of the European Union or in other signatory states to the Agreement on the European Economic Area and only in exceptional cases will it be transferred in full to a Google server in the USA and truncated there. The IP address is not merged with user data within other Google services. The above information may also be linked by Google to information from other sources. If the user subsequently visits other websites, advertisements tailored to their interests may be displayed.
11.4. User data is processed pseudonymously within the scope of Google Marketing Services. This means that Google does not store or process the name or email address of users, but processes the relevant data in a cookie-related manner within pseudonymous user profiles. This means that, from Google's perspective, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who that cookie holder is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymization. The information collected by Google Marketing Services about users is transmitted to Google and stored on Google's servers in the US.
11.5. The Google marketing services we use include the online advertising program "Google Ads." In the case of Google Ads, each AdWords customer receives a different "conversion cookie." Cookies cannot therefore be tracked across the websites of AdWords customers. The information collected using the cookie is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers are informed of the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.
11.6. We may also use the "Google Optimizer" service. Google Optimizer allows us to use "A/B testing" to understand how various changes to a website affect its performance (e.g., changes to input fields, design, etc.). Cookies are stored on users' devices for these testing purposes. Only pseudonymous user data is processed.
11.7. Furthermore, we may use "Google Tag Manager" to integrate and manage Google's analytics and marketing services on our website.
11.8. For more information about Google's use of data for marketing purposes, please visit the overview page: https://policies.google.com/technologies/ads. Google's privacy policy is available at https://policies.google.com/privacy.
11.9. If you wish to object to interest-based advertising by Google Marketing Services, you can use the settings and opt-out options provided by Google: https://adssettings.google.com/anonymous?hl=de.
12.1. The following information explains the content of our newsletter, the registration, dispatch and statistical evaluation procedures, and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the procedures described.
12.2. Content of the newsletter: We send newsletters, emails, and other electronic notifications with promotional information (hereinafter referred to as "newsletters") only with the consent of the recipient or with legal permission. If the content of the newsletter is specifically described during the registration process, this description is decisive for the consent of the user. Our newsletters also contain information about our products, offers, promotions, and our company.
12.3. Double opt-in and logging: Registration for our newsletter takes place in a so-called double opt-in procedure. This means that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary to prevent anyone from registering with someone else's email address. Newsletter registrations are logged in order to be able to verify the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation, as well as the IP address. Any changes to your data stored by the shipping service provider are also logged.
12.4. Mailing service provider: Sendinblue is used as the mailing service provider for newsletters. Your data will be transmitted to Sendinblue GmbH. Sendinblue is not permitted to sell your data or use it for any purpose other than sending newsletters. Sendinblue is a German provider that has been selected in accordance with the requirements of the General Data Protection Regulation and the Federal Data Protection Act. Further information can be found here.
If you do not want Sendinblue to analyze your data, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message. You can also unsubscribe from the newsletter directly on the website.
12.5. Furthermore, according to its own information, the shipping service provider may use this data in pseudonymous form, i.e. without assignment to a user, for the optimization or improvement of its own services, e.g. for the technical optimization of the shipping and presentation of the newsletter or for statistical purposes to determine from which countries the recipients come. However, the mailing service provider does not use the data of our newsletter recipients to write to them itself or pass it on to third parties.
12.6. Registration data: To subscribe to the newsletter, it is sufficient to provide your email address.
12.7. Statistical surveys and analyses. The newsletters contain a so-called "web beacon," i.e., a pixel-sized file that is retrieved from the server of the mailing service provider when the newsletter is opened. During this retrieval, technical information, such as information about your browser and your system, as well as your IP address and the time of retrieval, is collected. This information is used to improve the services based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or the access times. The statistical surveys also include determining whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor that of the mailing service provider to monitor individual users. Rather, the evaluations help us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
12.8. The use of the mailing service provider, the performance of statistical surveys and analyses, and the logging of the registration process are based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. Our interest is in using a user-friendly and secure newsletter system that serves both our business interests and meets the expectations of users.
12.9. Termination/revocation - You can unsubscribe from our newsletter at any time, i.e., revoke your consent. This will also revoke your consent to its dispatch by the dispatch service provider and to statistical analysis. Unfortunately, it is not possible to separately revoke the dispatch by the dispatch service provider or the statistical analysis. A link to unsubscribe from the newsletter can be found at the end of each newsletter. If users have only subscribed to the newsletter and have unsubscribed, their personal data will be deleted.
13.1. We use third-party content and services within our online offering on the basis of our legitimate interests (i.e. interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 para. 1 lit. f. GDPR) to integrate content or services from third-party providers, such as videos or fonts (hereinafter referred to uniformly as "content"). This always requires that the third-party providers of this content are aware of the IP address of the users, as they would not be able to send the content to their browsers without the IP address. The IP address is therefore necessary for the display of this content. We endeavor to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, time of visit, and other information about the use of our online offering, and may be linked to such information from other sources.
13.2. The following list provides an overview of third-party providers and their content, along with links to their privacy policies, which contain further information on data processing and, in some cases, already mentioned here, options for objection (so-called opt-out):
14.1. Users have the right to request information free of charge about the personal data we have stored about them.
14.2. In addition, users have the right to correct inaccurate data, restrict the processing and deletion of their personal data, if applicable, to assert their rights to data portability and, in the event of unlawful data processing, to lodge a complaint with the competent supervisory authority.
14.3. Users may also revoke their consent, in principle with effect for the future.
15.1. The data stored by us will be deleted as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. If the user's data is not deleted because it is required for other, legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to user data that must be retained for commercial or tax reasons.
15.2. In accordance with legal requirements, data will be retained for 6 years in accordance with Section 257 (1) 1 HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years in accordance with § 147 para. 1 AO (books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.).
Users may object to the future processing of their personal data at any time in accordance with the statutory provisions. The objection may be raised in particular against processing for direct marketing purposes.
If you have any questions about the collection, processing, or use of personal data, or if you require information or wish to correct, block, or delete data, or revoke your consent, please contact:
Portraitbox GmbH
Am Steinhof 4a
33106 Paderborn, Germany
David Wendt (CEO)
Email: office@heyphoto.com (No support requests)
Phone: +49 5254 9478080
19.1. We reserve the right to change the privacy policy to adapt it to changed legal situations or in the event of changes to the service or data processing. However, this only applies to statements regarding data processing. If user consent is required or if provisions of the contractual relationship with users are included in the privacy policy, changes will only be made with the consent of the users.
19.2. Users are requested to regularly review the content of the privacy policy.