Shotfolio
Sign inStart free

Privacy Policy

Last updated July 1, 2026

This Privacy Policy explains how Shotfolio (“we,” “us”) handles personal information in connection with the Shotfolio website and service (the “Service”). Shotfolio is an independent project operated by an individual, not a company. The Service is a toolkit for student, emerging, and independent photographers: hosting client photo galleries, taking session bookings, and collecting client intake questionnaires.

In short: we collect the minimum we need to run the Service. We don't sell your personal information or use it for advertising. Photographers control the client and guest data they put into Shotfolio; for that data we act on the photographer's behalf.

1. Who this policy covers, and our two roles

Shotfolio serves three kinds of people, and our responsibilities differ for each:

  • Photographers — the account holders who sign in and use the dashboard. For their account data, Shotfolio is the “controller” (GDPR) / “business” (US state privacy laws).
  • Clients — the people a photographer books, invoices, or sends intake questionnaires to.
  • Guests — people who open a shared gallery link to browse or download event photos, with no account.

For client and guest information that a photographer collects or uploads through Shotfolio (for example, a client's booking details, questionnaire answers, or photos of guests), the photographer decides why and how that data is used. Shotfolio acts as a “processor” / “service provider” on the photographer's behalf and only handles that data to operate the Service. If you are a client or guest, the photographer is your first point of contact for privacy questions — see “Clients and guests” below.

2. Information we collect

Account information (photographers)

Shotfolio uses Google or Microsoft sign-in only — there are no passwords. When you sign in, your provider shares your name, email address, and (for Google) profile picture with us. We use your email address as your account identifier. We never receive your Google or Microsoft password.

Content you create in the Service

  • Studio settings — your studio name and default watermark text.
  • Bookings — your bookable session details and availability, plus each client's name, email, and chosen date/time.
  • Questionnaires — client intake answers about an event, such as the couple's or client's names, event date, venue, expected attendance, key moments, and free-text notes.
  • Galleries and photos — images you upload, along with titles, event dates, and per-gallery settings (watermark text, accent color, link expiry).

Photos may show identifiable people, and event photos may incidentally include children. You are responsible for having the rights and consents needed to upload and share this content — see the Terms of Service.

Information collected automatically

  • IP address — read transiently from your request to enforce rate limits and protect the Service from abuse. We do not build advertising profiles from it.
  • Usage and performance analytics — we use Vercel Web Analytics and Speed Insights, which are privacy-friendly and do not use cookies or track you across other websites. They give us aggregate, non-identifying measurements of page views and performance.
  • Gallery counters — when a guest opens a shared gallery or downloads a photo, we increment an aggregate count for that gallery (e.g. “142 views”). These are running totals only; we do not automatically store a guest-by-guest log, name, or profile.
  • Photo selections — if a guest chooses to send the photographer their photo picks, we store the name and optional note the guest types in, along with the chosen photos, and show them to that gallery's photographer. Guests are never required to do this to view a gallery.
  • Server logs — standard diagnostic logs that may include IP address, timestamps, and error details.

3. How we use information

  • Provide and operate the Service — authenticate sign-in, store your content, generate booking slots, and serve gallery links.
  • Send transactional emails — such as booking confirmations and calendar links, cancellation notices, and questionnaire notifications. We do not send marketing email without your consent.
  • Secure the Service — detect and prevent abuse, fraud, and technical issues, including rate limiting.
  • Maintain and improve the Service — using aggregate analytics and diagnostics.
  • Comply with law — meet legal obligations and respond to lawful requests.

5. Cookies and similar technologies

Shotfolio uses a single essential cookie: a signed, HttpOnly session cookie that keeps you logged in after sign-in. It is required for the dashboard to work and is not used for tracking or advertising. Our analytics are cookieless. Public gallery, booking, invoice, and questionnaire pages do not require sign-in and do not set tracking cookies.

6. How we share information (service providers)

We do not sell your personal information and we do not share it for cross-context behavioral advertising. We share information only with the service providers we use to run Shotfolio, under contracts that limit them to processing it on our behalf:

  • Google — sign-in / authentication.
  • Microsoft — sign-in / authentication.
  • Amazon Web Services (AWS) — photo storage (S3) and database (DynamoDB), hosted in the United States (us-east-1).
  • Vercel — application hosting plus cookieless usage and performance analytics.
  • Upstash — Redis used for rate limiting (processes IP-derived identifiers).
  • Resend — delivery of transactional emails.

We may also disclose information if required by law, to enforce our Terms, or in connection with a merger, acquisition, or sale of assets (with notice where required).

8. Data retention

  • Account and the content you create are kept while your account is active and until you delete the content or your account.
  • Photos are kept until you delete the gallery; deleting a gallery removes its photos from storage.
  • Rate-limit data is short-lived (minutes), and server logs are retained for a limited period for security and diagnostics.

9. How we protect information

We use encryption in transit (HTTPS), a private storage bucket with short-lived signed URLs, signed HttpOnly session cookies, server-side input validation, and rate limiting. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

10. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, and to object to or restrict certain processing.

California residents (CCPA/CPRA) have the right to know, delete, and correct personal information, to opt out of “sale” or “sharing” (we do neither), and not to be discriminated against for exercising these rights. EEA/UK residents (GDPR) additionally have the right to data portability, to withdraw consent, and to lodge a complaint with a supervisory authority. To exercise any right, contact us at hello@shotfolio.app. We will verify your request before acting on it.

11. Clients and guests

If you are a client or guest of a photographer who uses Shotfolio, the photographer (not Shotfolio) decides what data to collect about you and why, so they are your first point of contact for access or deletion requests. We will help the photographer respond to your request as required by law. If you are unsure who the photographer is, you can still contact us and we will route your request.

12. Children

The Service is intended for photographers and is not directed to children, and we do not knowingly create accounts for anyone under the age required in their jurisdiction. Event photos uploaded by photographers may include minors; photographers are responsible for obtaining any consents required to photograph and share images of children. If you believe a child's information has been provided to us improperly, contact us so we can address it.

13. International data transfers

Shotfolio is operated from, and stores data in, the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your country. Where required, we rely on appropriate safeguards (such as standard contractual clauses) with our service providers.

14. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the date at the top and, where appropriate, provide additional notice.

15. Contact us

Questions about this policy or your personal information — including a request to access or delete your data? Email us at hello@shotfolio.app.