Legal
Privacy Policy
Globally applicable notice, drafted in accordance with: EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended (Italy/EU), UK GDPR + Data Protection Act 2018 (United Kingdom), California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA, USA), Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, LGPD (Brazil), PIPEDA (Canada), Privacy Act 1988 (Australia).
Last updated: June 16, 2026
1. Data Controller
The data controller is Palumbo Schiavone Giulio, a sole proprietorship (artisan business) based in Portici (NA), Italy, Italian tax code PLMGLI87L29A509H, VAT ID 09223291213, registered with the Naples Business Registry under REA NA‑1020907 (the “Controller” or “Galerist”).
For any request relating to your personal data you can email privacy@galerist.photo or write to the certified email giulio.palumboschiavone@pec.it. The complete street address is provided on written request to the same contacts, pursuant to art. 7 of Italian Legislative Decree 70/2003.
Galerist is not required to appoint a Data Protection Officer (DPO) under art. 37 GDPR because it does not fall within the listed cases (public authority, large‑scale systematic monitoring, large‑scale special‑category data). The situation will be reassessed if the business evolves.
2. Our dual role (important)
Galerist is a tool used by professional photographers and videographers (“Users”) to share galleries with their end clients and with the persons depicted (“End Data Subjects”). We therefore play two distinct roles:
- We act as Data Controller for personal data collected directly from professional Users (account, email, billing, access logs). This policy describes that processing.
- We act as Data Processor under art. 28 GDPR for data of the persons photographed and uploaded by professionals into their galleries. In this case the Controller is the photographer who uploaded the photos; their obligations toward End Data Subjects (notice, consent/release, request handling) remain entirely with them. Galerist acts only on the photographer's instructions within the limits of the DPA accepted at registration.
3. Categories of data processed
3.1 Data of the professional User
- Identification and contact data: name, email, studio name, optional phone
- Credentials: Supabase Auth password hash, session data
- Payment data: we do NOT store card data; it is handled by the third‑party payment provider (Stripe Payments Europe Ltd., DPA in place). We receive only transaction identifiers and subscription status
- Usage data: galleries created, chosen subdomain, administrative access log
- Billing data: VAT ID, tax code, address (only for Users who request an invoice)
3.2 Data collected automatically during use
- IP address and User‑Agent at the time of upload (anti‑abuse audit, retained for 6 months)
- Sentry technical logs: error stack traces, pseudonymised IP
- Technical session cookies (see Cookie Policy)
3.3 Data of End Data Subjects (handled as Processor)
- Photos and videos uploaded by professionals, including images of identifiable persons
- EXIF metadata possibly present in the files
- For authenticated galleries: email of the end client (if entered by the photographer to send the link), download logs
- For proofing galleries: annotations, selections, client IP and User‑Agent at the time of review (anti‑abuse)
Except for the optional Face Recognition feature described below, we do not intentionally process special categories of data (art. 9 GDPR) nor personal data of children under 16 as autonomous data subjects. The professional is responsible for obtaining the necessary releases from depicted persons (including minors), under image rights legislation (arts. 96 and 97 of Italian Law 633/1941, art. 10 Italian Civil Code, and equivalent provisions in other jurisdictions).
Face Recognition (biometric data, art. 9 GDPR). If — and only if — the professional enables the optional Face Recognition feature on a gallery, we generate, on the professional's instructions and as data processor (art. 28 GDPR), numeric facial‑feature vectors (“embeddings”) of the persons depicted in that gallery's photos, to group and search the photos by person. These embeddings are biometric data (special category, art. 9 GDPR). The professional acts as data controller and is responsible for the art. 9 legal basis (typically the explicit consent of the data subjects); the feature is off by default and requires the professional to affirm this basis before it can be activated. Embeddings are stored only for the lifetime of the gallery and are deleted when the photo or gallery is deleted or expires (see Retention). When a visitor uses the optional “find my photos” selfie search, the selfie and its embedding are processed transiently in memory only to run that search and are never stored.
4. Legal bases for processing
Under art. 6 GDPR, the legal bases we rely on are:
- Performance of contract (art. 6.1.b): service delivery, authentication, gallery hosting, billing
- Legitimate interests (art. 6.1.f): fraud prevention, upload audit logs, information security, handling of abuse reports
- Legal obligation (art. 6.1.c): invoicing, retention of accounting records (10 years under art. 2220 Italian Civil Code), response to authority requests (including CSAM enforcement under Italian Law 38/2006)
- Consent (art. 6.1.a): only for any future promotional communications (none sent today)
5. Recipients and sub‑processors
Your data may be processed by the following vendors, all bound by DPAs and adequate security measures. We do not sell your data to any third party and we do not use it for advertising profiling.
| Vendor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, auth, edge functions | EU (Frankfurt) |
| Cloudflare, Inc. | R2 storage, Stream video, CDN, CSAM scanning, Email Routing | EU + Global edge |
| Vercel Inc. | Application hosting | USA (with EU SCC 2021/914) |
| Railway Corp. | Face‑recognition inference (biometric embeddings) — optional feature, stateless | USA (with EU SCC 2021/914) |
| Resend Inc. | Transactional email | EU (Ireland) |
| Sentry / Functional Software Inc. | Error monitoring | EU |
| Stripe Payments Europe Ltd. | Payment processing | EU (Ireland) |
Transfers to third countries (in particular Vercel in the USA) take place under Standard Contractual Clauses (SCC) approved by the European Commission in Implementing Decision 2021/914. The updated list of sub‑processors is communicated with 30 days' advance notice in case of change.
6. Retention periods
| Data category | Retention |
|---|---|
| Active User account | For the duration of the contractual relationship |
| Account after deletion | 30 days (grace period), then deletion |
| Galleries and photos/videos | According to the chosen plan (gallery TTL) |
| Face‑recognition data (biometric embeddings), if the feature is enabled | Same as the gallery (gallery TTL); deleted immediately when the photo/gallery is deleted or expires. Visitor selfies are never stored. |
| Gallery view statistics (hashed IP) | According to the chosen plan: 30–90 days, then automatic deletion |
| Upload logs (IP, User‑Agent) | 6 months, then automatic nullification |
| Tax records (invoices) | 10 years (art. 2220 Italian Civil Code) |
| Abuse reports | 5 years (legitimate interest in legal defense) |
| Content removed for unlawful conduct | 6 months in a restricted bucket (for authority investigations) |
7. Your rights
As a data subject you may exercise, at any time and free of charge, the rights provided by arts. 15‑22 GDPR:
- Access to your data and a copy of it
- Rectification of inaccurate or incomplete data
- Erasure (“right to be forgotten”)
- Restriction of processing
- Portability in a structured, machine‑readable format
- Objection to processing based on legitimate interest
- Withdrawal of consent where processing is based on consent
To exercise them email privacy@galerist.photo or use the report form selecting “Right to erasure (GDPR art. 17)”. We will respond within 30 days (art. 12.3 GDPR).
If you believe the processing breaches the GDPR you may lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) or with the supervisory authority of the EU Member State where you reside.
7.1 U.S. residents (CCPA/CPRA + other State Privacy Laws)
If you reside in California, Virginia, Colorado, Connecticut, Utah, or in other U.S. states that have adopted consumer privacy laws, you have additional rights: access (right to know), deletion, correction, portability, opt‑out of the sale or sharing of personal data, opt‑out of profiling for significant automated decisions, non‑discrimination for exercising your rights. Galerist does not sell and does not share personal data within the meaning of CCPA/CPRA. To exercise your rights email privacy@galerist.photo indicating your state of residence; we will respond within 45 days (CCPA) or 30 days (Virginia/Colorado/Connecticut/Utah), extendable once. California residents may also authorize a delegated agent.
7.2 UK residents (UK GDPR)
UK GDPR and the Data Protection Act 2018 apply. Rights are substantially equivalent to EU GDPR. Complaints to the Information Commissioner's Office (ico.org.uk).
7.3 Brazil residents (LGPD)
The Lei Geral de Proteção de Dados (Law no. 13.709/2018) applies. Rights are substantially equivalent to the GDPR. Supervisory authority: ANPD (gov.br/anpd).
7.4 Other countries (Canada, Australia, etc.)
For residents in Canada, federal PIPEDA applies, and in Quebec, Loi 25. For residents in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles apply. In every case we adopt the GDPR as our reference standard and apply to data subjects the equivalent rights provided by their local law.
7.5 DMCA copyright notices (USA)
For copyright infringement notices under the Digital Millennium Copyright Act (17 U.S.C. § 512) you may use the report form selecting “Copyright”. The designated agent is registered with the US Copyright Office DMCA Directory; complete physical contact details are available in the public directory. Counter‑notices follow the same procedure.
If you are an End Data Subject (e.g. a person depicted) and wish to exercise your rights regarding photos/videos in a gallery, please first contact the photographer who owns the gallery, who is the Controller of that data. Galerist will act as Processor on their instruction. If you receive no response within 30 days you may contact us directly.
8. Security measures
We adopt appropriate technical and organisational measures (art. 32 GDPR): HTTPS/TLS encryption in transit, encryption at rest on storage buckets, RLS (Row Level Security) access control at the database level, bcrypt‑hashed passwords, gallery authentication via generated password, upload audit logs, error monitoring. We notify any personal data breach to the competent authority within 72 hours of becoming aware of it (art. 33 GDPR) and to affected data subjects without undue delay if the conditions of art. 34 apply.
9. Automated decisions and profiling
We do not carry out automated decision‑making, including profiling, that produces legal effects on you. Any automated systems detecting illegal content (e.g. CSAM matching via the PhotoDNA database provided by Cloudflare) perform a general security function and do not replace the human assessment of follow‑up actions.
10. Changes to this policy
We update this notice when purposes or recipients change. Material changes will be communicated by email at least 30 days in advance; minor updates will be reflected here in the “Last updated” date.
References: EU Regulation 2016/679 (GDPR), Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, Italian Data Protection Authority Provision of June 10, 2021 on cookies, Italian Law 38/2006 on online CSAM enforcement, EU Regulation 2022/2065 (Digital Services Act).