Privacy Policy - Serena Morandi Photography

Privacy Policy – Serena Morandi Photography

Last updated: January 28, 2025

Introduction

We respect your privacy and are committed to protecting it through our compliance with this privacy policy (“Policy”). This Policy describes the types of information we may collect from you or that you may provide (“Personal Information”) on the serenamorandi.com website (“Website”), and any of their related products and services (collectively, “Services”), and our practices for collecting, using, maintaining, protecting, and disclosing that Personal Information. It also describes the choices available to you regarding our use of your Personal Information and how you can access and update it.

This Policy is a legally binding agreement between you (“User”, “you” or “your”) and Serena Morandi Photography (“Operator”, “we”, “us” or “our”). If you are entering into this agreement on behalf of a business or other legal entity, you represent that you have the authority to bind such entity to this agreement, in which case the terms “User”, “you” or “your” shall refer to such entity. If you do not have such authority, or if you do not agree with the terms of this agreement, you must not accept this agreement and may not access and use the Services. By accessing and using the Services, you acknowledge that you have read, understood, and agree to be bound by the terms of this Policy. This Policy does not apply to the practices of companies that we do not own or control, or to individuals that we do not employ or manage.

Legal Framework

This privacy policy is governed by and complies with:

Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
Italian Legislative Decree No. 196/2003 (Personal Data Protection Code), as amended by Legislative Decree No. 101/2018
ePrivacy Directive 2002/58/EC as implemented in Italian law
Italian Data Protection Authority (Garante) guidelines on cookies and tracking technologies (updated 2025)

Collection of Information

Our top priority is customer data security and, as such, we exercise a data minimization policy. We may process only minimal user data, only as much as it is absolutely necessary to maintain the Services and conduct our photography business. Information collected automatically is used only to identify potential cases of abuse and establish statistical information regarding the usage and traffic of the Services.

Types of Personal Information We May Collect:

Information you provide directly:

Name and contact information (email address, phone number, postal address)
Photography session details and preferences
Payment information (processed through secure third-party payment processors)
Communication records (emails, messages, consultation notes)
Event dates and locations for photography services
Images and videos you provide for editing or consultation purposes

Information collected automatically:

IP address (anonymized in compliance with Italian DPA guidelines)
Browser type and version
Device information
Pages visited and time spent on our website
Referring website
General location information (city/country level only)

Privacy of Children

Photography services often involve minors, and we take special care to protect children’s privacy in accordance with GDPR requirements.

For children under 16 years of age:

We obtain explicit consent from parents or legal guardians before collecting any personal information
We do not process children’s personal data for marketing purposes
Parents/guardians have the right to access, rectify, or delete their child’s personal information at any time
We implement enhanced security measures for any data involving minors

For photography sessions involving children:

Written consent is obtained from parents/guardians before the session
Image usage rights are clearly defined and limited to agreed purposes
Parents/guardians can withdraw consent and request image deletion at any time

If you have reason to believe that a child under the age of 16 has provided Personal Information to us without proper parental consent, please contact us immediately to request deletion of that information.

Use and Processing of Collected Information

We act as a data controller when handling your Personal Information. Any information we collect from you may be used for the following purposes:

Photography Business Operations:

Scheduling and managing photography sessions
Providing photography services and delivering final products
Processing payments and managing contracts
Communicating about your photography needs and services
Improving our photography services and customer experience

Website and Digital Services:

Operating and maintaining our website
Providing customer support
Sending administrative information and updates
Analyzing website usage to improve user experience
Ensuring website security and preventing fraud

Marketing (with your explicit consent):

Sending promotional emails about our photography services
Sharing portfolio updates and special offers
Following up on inquiries and consultations

Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

Contract Performance: Processing necessary for providing photography services you’ve requested
Consent: For marketing communications and non-essential cookies (freely given, specific, and withdrawable)
Legitimate Interest: For website security, fraud prevention, and improving our services (balanced against your privacy rights)
Legal Obligation: For tax records, financial reporting, and compliance with Italian law

Disclosure of Information

We may share your information with trusted third parties in the following circumstances:

Service Providers:

Payment processors (for secure transaction handling)
Cloud storage providers (for image backup and delivery)
Email service providers (for communication and marketing)
Website hosting and security services
Professional labs for printing services (when requested)

Legal Requirements:

When required by Italian or EU law
To protect our legal rights or comply with legal proceedings
To prevent fraud or ensure website security

We will never:

Sell your personal information to third parties
Share your images without explicit permission
Disclose personally identifiable information for marketing purposes to unaffiliated third parties

All service providers are required to maintain GDPR-compliant data protection standards and are bound by strict confidentiality agreements.

International Data Transfers

As an Italian-based photography business, we primarily process data within the European Union. When transfers outside the EU are necessary (e.g., for certain cloud services), we ensure:

Adequate protection through European Commission adequacy decisions
Appropriate safeguards via Standard Contractual Clauses
Your explicit consent for specific transfers when required
Regular monitoring of international service providers’ compliance

Retention of Information

We retain your Personal Information only as long as necessary for the purposes outlined in this policy:

Photography Services:

Client information and contracts: 7 years (as required by Italian tax law)
Session images (edited): As agreed in our photography contract (typically 1-2 years unless extended storage is requested)
Raw/unedited images: 90 days after final delivery
Payment records: 10 years for tax and accounting purposes

Website Data:

Website analytics: 26 months maximum
Marketing consents: Until consent is withdrawn
Technical cookies: Session-based or as specified in cookie policy

After the retention period expires, Personal Information is securely deleted. The right to access, erasure, rectification, and data portability cannot be enforced after the expiration of the retention period.

Cookies and Tracking Technologies

Updated for 2025 Italian DPA Guidelines

Our website uses cookies and similar tracking technologies in compliance with the latest Italian Data Protection Authority guidelines and GDPR requirements.

Cookie Categories:

Technical/Strictly Necessary Cookies (no consent required):

Session management and website functionality
Security and fraud prevention
Load balancing and performance optimization

Analytics Cookies (consent required):

Website usage statistics (anonymized)
Performance monitoring
User experience improvements

Marketing Cookies (consent required):

Social media integration
Advertising and remarketing
Conversion tracking

Your Cookie Choices:

Prior Consent: Non-essential cookies are blocked until you provide explicit consent
Granular Control: You can choose which cookie categories to accept
Easy Withdrawal: Change your preferences at any time via our cookie preference center
Reject All: Close the cookie banner without accepting non-essential cookies

Cookie Consent Requirements:

Consent is required before setting non-technical cookies
Scrolling or browsing does not constitute consent
Consent is valid for 12 months (if accepted) or 6 months (if rejected)
We maintain detailed logs of all consent decisions as required by Italian DPA

You can manage your cookie preferences through your browser settings or our cookie preference center accessible from any page footer.

Data Analytics

We use privacy-compliant analytics tools to understand how visitors use our website and improve our services:

Google Analytics with IP anonymization enabled
Privacy-first configuration to minimize data collection
No cross-site tracking or user profiling
Aggregated data only – no individual user identification

Analytics data is used solely for:

Understanding website performance
Improving user experience
Identifying technical issues
Generating anonymous usage statistics

We do not use analytics data for advertising or share it with third parties for marketing purposes.

Do Not Track Signals

We respect Do Not Track (DNT) browser signals. When DNT is enabled:

We do not track your browsing across other websites
Third-party analytics are disabled
Marketing cookies are automatically blocked
Only essential technical cookies are used

Our website does not track visitors across different websites over time for advertising purposes.

Social Media Features

Our website may include social media features such as Facebook, Instagram, and Pinterest sharing buttons. These features:

Are provided by the respective social media platforms
May collect your IP address and page visit information
Use cookies to function properly
Are governed by the privacy policies of their respective providers

Your interactions with social media features are subject to the privacy policies of those platforms, not this policy.

Email Marketing

GDPR-Compliant Email Communications

We offer email newsletters and marketing communications with your explicit consent:

Subscription Process:

Double opt-in confirmation required
Clear purpose explanation at signup
Easy unsubscribe in every email
Separate consent for different types of communications

What We Send:

Photography portfolio updates
Special offers and promotions
Photography tips and behind-the-scenes content
Session availability and booking reminders

Your Rights:

Withdraw consent at any time
Update your email preferences
Request data about your email interactions
Complete deletion of your email data

We maintain email records in accordance with Italian law and GDPR requirements. Your email address is never shared with third parties for their marketing purposes.

Links to Other Resources

Our website contains links to other websites and social media platforms that are not owned or controlled by us. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy statements of each website you visit that may collect Personal Information.

Information Security

We implement comprehensive security measures to protect your Personal Information:

Technical Safeguards:

SSL/TLS encryption for all data transmission
Regular security updates and vulnerability patches
Secure hosting with EU-based servers
Access controls limiting data access to authorized personnel only
Regular backups with encryption at rest

Administrative Safeguards:

Staff training on data protection and privacy
Incident response procedures for potential breaches
Regular security audits and compliance reviews
Data minimization practices to reduce exposure

Physical Safeguards:

Secure facilities for equipment and data storage
Environmental controls protecting against physical threats
Disposal procedures for secure deletion of hardware

Despite our best efforts, no data transmission over the Internet can be guaranteed to be 100% secure. We strive to protect your Personal Information but cannot guarantee absolute security.

Data Breach

In the event of a data breach that may affect your Personal Information:

Our Response:

Immediate containment and investigation
Risk assessment of potential harm to individuals
Notification to Italian DPA within 72 hours (when required)
Individual notification when high risk to your rights and freedoms exists

What We’ll Tell You:

Nature of the breach and affected data
Likely consequences and potential risks
Measures taken to address the breach
Steps you can take to protect yourself
Contact information for further inquiries

We maintain detailed incident response procedures and work with cybersecurity experts to minimize the impact of any potential breaches.

Your Rights Under GDPR

As a data subject, you have the following rights regarding your Personal Information:

Right of Access (Article 15)

Request confirmation of data processing
Obtain a copy of your personal data
Information about processing purposes and recipients

Right to Rectification (Article 16)

Correct inaccurate personal data
Complete incomplete information

Right to Erasure/”Right to be Forgotten” (Article 17)

Request deletion of personal data when:
- No longer necessary for original purpose
- Consent is withdrawn
- Data processed unlawfully
- Required for legal compliance

Right to Restrict Processing (Article 18)

Limit how we use your data in certain circumstances
Maintain storage but suspend processing

Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format
Transfer data to another service provider

Right to Object (Article 21)

Object to processing based on legitimate interests
Opt-out of direct marketing at any time

Rights Related to Automated Decision-Making (Article 22)

Protection against solely automated decision-making
Right to human intervention and explanation

How to Exercise Your Rights:

Email us at: privacy@serenamorandi.com
Use our online rights request form
Contact us via phone during business hours
Send written requests to our postal address

We will respond to your requests within one month and provide assistance in your preferred language when possible.

Data Protection Officer

While not legally required for our size of business, we have designated a Data Protection Officer (DPO) to ensure GDPR compliance:

DPO Contact Information:

Email: dpo@serenamorandi.com
Phone: [Phone number]
Address: [Physical address]

The DPO is responsible for:

Monitoring GDPR compliance
Conducting privacy impact assessments
Serving as contact point for data protection authorities
Providing data protection guidance and training
Handling data subject requests and complaints

Changes and Amendments

We reserve the right to modify this Policy at any time to reflect:

Changes in applicable law or regulations
Updates to our business practices
New technologies or services
Feedback from users or authorities

How We Notify You of Changes:

Email notification to registered users
Prominent website notice for 30 days
Updated date at the top of this policy
Version history available upon request

Continued use of our Services after changes take effect constitutes acceptance of the revised policy. For material changes affecting your rights, we may require fresh consent.

Acceptance of This Policy

You acknowledge that you have read this Policy and agree to all its terms and conditions. By accessing and using the Services and submitting your information, you agree to be bound by this Policy. If you do not agree to abide by the terms of this Policy, you are not authorized to access or use the Services.

This privacy policy complies with Italian and EU data protection law as of January 2025 and incorporates the latest guidelines from the Italian Data Protection Authority (Garante per la protezione dei dati personali).

Contacting Us

If you have any questions, concerns, or complaints regarding this Policy, wish to exercise your rights, or need assistance with data protection matters, please contact us:

Primary Contact:

Serena Morandi Photography

Email: info@serenamorandi.com
Privacy Email: privacy@serenamorandi.com
Phone: [Your phone number]
Address: [Your business address]
Website: https://www.serenamorandi.com

Data Protection Officer:

Email: dpo@serenamorandi.com

Italian Data Protection Authority:

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Garante per la protezione dei dati personali

Address: Piazza Venezia 11, 00187 Roma, Italy
Website: https://www.garanteprivacy.it
Email: garante@gpdp.it
Certified Email: protocollo@pec.gpdp.it

We will attempt to resolve complaints and disputes and make every reasonable effort to honor your requests as quickly as possible and in any event, within the timescales provided by applicable data protection laws.

Document Information:

Last Updated: January 28, 2025
Version: 2.0
Language: English
Applicable Law: Italian and EU Data Protection Law
Jurisdiction: Italy

This privacy policy was created in compliance with GDPR, Italian Legislative Decree No. 196/2003 (as amended), and the latest Italian Data Protection Authority guidelines on cookies and data protection.