Holdstill legal

Privacy.

Holdstill is engineered in Europe with privacy as a design constraint, not a press release afterthought. This policy explains what personal data we process when you use holdstill.app and published galleries, why we process it, where it lives, how long we keep it, who we share it with, and what rights you have under the GDPR and related law. It also clarifies how responsibilities split between Holdstill and photographers when clients interact with your deliveries. If anything here conflicts with an executed enterprise agreement, the agreement wins for that customer.

Last updated: 13 May 2026
Email: hello@holdstill.app

01 Who this policy covers

This policy applies to visitors of holdstill.app, photographers and studio staff who create accounts, and individuals who interact with published galleries (for example when they open a link, enter a passphrase you set, download an image, or use favourites). Some provisions apply only to account holders; others describe processing we perform on behalf of galleries where the photographer is typically the data controller for client-side personal data. We describe both roles in plain language so you can map responsibilities to your own privacy notices, wedding contracts, and vendor assessments. If you are a gallery visitor and have questions, the fastest path is usually to contact the photographer who sent you the link; we still honour direct requests that concern data for which we are controller.

02 Who we are and how to reach us

Holdstill operates the service described on this site. For personal data related to your account, authentication, billing, security telemetry, and our own product analytics, we act as a data controller. You can contact our privacy team at privacy@holdstill.app for access, rectification, erasure, restriction, objection, portability, and questions about international transfers. We respond within thirty calendar days unless the request is unusually voluminous or requires clarifying identity information. For regulatory correspondence we maintain records of processing activities internally and can provide a high-level summary for vendor reviews when you represent a studio or corporate client.

03 Categories of personal data we process

Account and identity data include name, email address, locale preferences, and authentication events when you use passwordless sign-in. Content data includes photographs, videos where applicable, filenames, technical metadata generated by cameras or uploads, gallery titles, event dates, and publication settings you choose. Delivery and engagement data includes access logs you enable, download events, favourites, and optional notifications you configure. Support and communications include messages you send us, crash diagnostics you approve, and invoices or tax identifiers required for payments. We do not require sensitive categories under Article 9 GDPR to use the core product; if you voluntarily place special-category imagery in a gallery, you remain responsible for lawful grounds as controller.

04 Purposes and legal bases

We process account and content data to perform our contract with you: hosting galleries, generating previews, applying access controls, and delivering features you enable. We process usage and diagnostics under legitimate interests to keep the service secure, debug failures, and understand aggregate feature adoption — where those interests could be overridden by your rights we offer opt-outs where practical. We process billing data to meet legal obligations. Where we rely on consent, for example optional marketing communications not tied to the core service, you may withdraw consent without affecting lawfulness of earlier processing. When you publish a gallery, additional processing on behalf of your clients is described in our Data Processing Agreement.

05 Cookies, similar technologies, and analytics

We use strictly necessary cookies and tokens for session continuity, CSRF protection, and resilience. Preference storage may remember language or UI choices. We use privacy-respecting, EU-hosted analytics without third-party advertising identifiers. We do not sell personal data or build cross-site profiles. You can control many cookies through your browser; disabling essential cookies may prevent sign-in. For a granular list see our Cookies page, which should be read together with this policy.

06 Location of processing and international transfers

Primary storage, compute, and backups for the product are located in the European Union. We maintain a named subprocessor list with categories of processing and locations. If we introduce a subprocessor outside the EU/EEA, we will rely on adequacy decisions, Standard Contractual Clauses, or other mechanisms recognised by EU law, supplemented by technical measures such as encryption in transit and at rest where appropriate. We do not move your gallery originals to opportunistic global caches for convenience.

07 Retention and deletion

We retain account data while your account remains active. Gallery content is retained for the duration of your subscription and any grace period described in your plan, unless you delete earlier. Backups roll off on documented schedules designed to balance recovery objectives with minimisation. When you delete a gallery or asset, we remove it from active systems promptly and from backups within the window stated in our DPA. Some billing and accounting records may be retained longer where tax or commercial law requires. If you close your account, we provide export paths before deletion where feasible.

08 Security and incident response

We implement administrative, technical, and organisational measures including least-privilege access, encryption in transit and at rest where appropriate, logging, vulnerability management, and periodic testing proportionate to risk. If we become aware of a breach likely to result in risk to individuals, we will notify supervisory authorities and affected controllers without undue delay as required by law, and we will coordinate communications to end users when we process as processor on documented instructions.

09 Photographers, clients, and independent controllers

When your clients interact with a gallery, you typically determine the purposes and means of processing their personal data and we process on your instructions as processor. That relationship is governed by our DPA. We do not use your clients' data to market other services to them, and we do not combine visitor activity across unrelated photographers. You remain responsible for notices, consents, and contracts with your clients under applicable law.

10 Your rights and how to exercise them

Depending on context, you may have rights of access, rectification, erasure, restriction, objection, and data portability, and the right to lodge a complaint with a supervisory authority. To exercise rights against Holdstill as controller, email privacy@holdstill.app from your account address or provide information we can use to verify your request safely. Where we act as processor, we will forward or action requests in line with your instructions when technically feasible. We do not charge a fee for reasonable requests unless they are manifestly unfounded or excessive.

11 Children and prohibited uses

Holdstill is not directed at children and we do not knowingly collect personal data from children for marketing purposes. If you believe we hold information about a child inappropriately, contact us and we will investigate and delete where required. You may not use the service to stalk, harass, or distribute unlawful content; accounts engaged in abuse may be suspended or terminated consistent with our Terms.

12 Automated decision-making and AI

Optional AI features assist with sequencing and drafting inside the product; they do not make legally significant decisions about you without human review. When enabled, AI processing is governed additionally by our AI Terms, including limitations on training uses and regional constraints. You may disable AI features per gallery or account-wide as described there.

13 Changes to this policy

We may update this policy to reflect product, legal, or organisational changes. Material changes will be communicated by email or in-product notice before they take effect where required. Continued use after the effective date constitutes acceptance of the updated policy except where stricter consent rules apply. The date at the top of this page indicates the latest revision.

14 Contact and supervisory authority

Questions about this policy: privacy@holdstill.app. General support: hello@holdstill.app. If you reside in the EEA and believe we have infringed applicable privacy law, you may contact your local supervisory authority in addition to contacting us. We welcome good-faith dialogue and will work with you to resolve concerns where we have legal room to do so.