Privacy Policy

1. Controller

The controller responsible for the processing of your personal data under this Privacy Policy is:

LARUM.photography
Bonner Strasse 327
50825 Cologne, Germany
Email: [email protected]
Phone: +49 151 23046283

2. Data We Collect

We collect and process the following categories of personal data:

• Account Data: first name, last name, email address, encrypted password, account creation date.
• Contact & Billing Data: postal address, country, VAT number (where applicable) — collected at checkout.
• Payment Data: processed exclusively by Stripe or PayPal. We do not store full card numbers or PayPal credentials. We retain transaction identifiers and invoice amounts for tax and legal purposes.
• Usage Data: IP address, browser type, pages visited, albums viewed, access timestamps, referring URLs. IP addresses are anonymized after 30 days. Access logs are deleted after 365 days.
• Consent Records: which consents you gave, the version of the policy text at the time, your IP address at the time of consent, and the timestamp.
• Communications Data: email correspondence and support tickets you send us.
• Push Notification Subscriptions: browser endpoint URI, stored only for the duration of your active subscription.

3. Legal Bases for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

• Performance of a contract (Art. 6(1)(b) GDPR): account management, subscription fulfillment, delivering content you have paid for, billing, and customer support.
• Compliance with a legal obligation (Art. 6(1)(c) GDPR): retention of invoices and payment records for 10 years under § 147 AO (German Tax Code) and § 257 HGB (German Commercial Code).
• Consent (Art. 6(1)(a) GDPR): sending marketing newsletters (you may withdraw at any time); web push notifications (you may disable at any time in your account settings).
• Legitimate interests (Art. 6(1)(f) GDPR): fraud prevention, abuse detection, security monitoring, and improving our Services. Our legitimate interests are balanced against your rights.

4. How We Use Your Data

• Creating and managing your account
• Processing payments and issuing invoices
• Delivering the content and Services you have purchased
• Sending transactional emails (registration confirmation, purchase receipts, withdrawal confirmation)
• Sending newsletters and promotional emails (with your consent)
• Sending push notifications about new content (with your consent)
• Preventing fraud, detecting abuse, and enforcing our Terms of Use
• Complying with tax, accounting, and legal obligations
• Improving our website and Services through anonymized analytics

5. Sharing Your Data

We do not sell your personal data. We share it only with:

• Stripe Inc. (USA): payment processing. Data transfer is based on the EU Standard Contractual Clauses (SCCs). See Stripe Privacy Policy.
• PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg): payment processing. See PayPal Privacy Policy.
• Brevo SAS (France): transactional email and newsletters. Data is processed on EU servers. See Brevo Privacy Policy.
• vatstack.com: EU VAT rate synchronization — only the country code of a transaction is shared to look up the applicable VAT rate; no personal data.
• Law enforcement or public authorities: if required by applicable law, court order, or governmental authority.

6. International Data Transfers

Stripe Inc. is headquartered in the United States. We transfer data to Stripe on the basis of Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR), as reflected in Stripe's Data Processing Agreement. All other third-party processors listed above are established in the EU/EEA or process data on EU servers.

7. Retention Periods

• Invoice and payment records: 10 years from the date of issuance, pursuant to § 147 AO and § 257 HGB.
• Access logs (media access): automatically deleted after 365 days.
• IP addresses: anonymized after 30 days.
• Account data: retained for the duration of your account. Upon deletion request, your account is anonymized (email address replaced with a hash, name cleared) within 30 days, provided no active subscription exists and the 10-year invoice retention period has expired for all associated invoices.
• Consent records: retained for as long as the account exists (required as evidence of lawful processing).
• Push notification endpoints: deleted when you disable notifications or your subscription ends.

8. Cookies & Similar Technologies

We use only strictly necessary cookies. We do not use advertising, tracking, or analytics cookies.

• Session cookie (NextAuth.js): keeps you logged in during your browser session. Expires when you close your browser or log out.
• Theme preference cookie (le-theme): remembers your light/dark mode choice for 1 year.
• Language preference cookie (le-locale): remembers your chosen language for 1 year.

None of these cookies are shared with third parties or used for profiling. Because they are strictly necessary for site functionality, we do not require a separate consent banner under Art. 5(3) ePrivacy Directive / § 25 TTDSG.

9. Web Push Notifications

If you enable web push notifications, we store your browser's push endpoint URI. This is used solely to send you notifications about new content. You can withdraw consent and delete the endpoint at any time in your account settings. Endpoints are automatically deleted when your subscription ends.

10. Security

We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures include:

• TLS encryption for all data in transit
• Bcrypt hashing for passwords
• Signed, short-lived URLs for protected media content
• Rate limiting and bot detection on all API endpoints
• Access controls limiting staff access to personal data on a need-to-know basis

11. Your Rights

Under the GDPR, you have the following rights:

• Right of access (Art. 15 GDPR): obtain a copy of the personal data we hold about you.
• Right to rectification (Art. 16 GDPR): request correction of inaccurate data.
• Right to erasure (Art. 17 GDPR): request deletion of your data, subject to our legal retention obligations.
• Right to restriction of processing (Art. 18 GDPR): request that we limit processing of your data in certain circumstances.
• Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format.
• Right to object (Art. 21 GDPR): object to processing based on legitimate interests.
• Right to withdraw consent: where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at [email protected]. We will respond within one month (extendable by two further months for complex requests). Account deletion is also available in your account settings once no active subscription exists.

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. The supervisory authority for the State of North Rhine-Westphalia, where LARUM.photography is based, is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf
www.ldi.nrw.de

13. Newsletter

If you subscribe to our newsletter, we will use your email address to send you periodic updates about new content and offers. We use the double opt-in procedure: you will receive a confirmation email and must click the link to activate your subscription. You may unsubscribe at any time via the link in every newsletter or by contacting us. The legal basis is your consent (Art. 6(1)(a) GDPR).

14. Automated Decision-Making & Profiling

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

15. Children's Privacy

Our Services are not directed to children under the age of 14. We do not knowingly collect personal data from anyone under 14. If you believe a child under 14 has registered, please contact us immediately and we will delete the account.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated by posting the revised policy on the Site with an updated "Last revised" date, and, where required by law, by notifying you by email. Your continued use of the Services after the effective date constitutes acceptance of the revised policy.

17. Contact

For any questions about this Privacy Policy or to exercise your rights, please contact:

LARUM.photography
Bonner Strasse 327, 50825 Cologne, Germany
Email: [email protected]
Phone: +49 151 23046283