Privacy Policy

1. Data Controller

The data controller is VanSkyStudio di Nathan Cohen, with registered address at Via Teatro Greco 5, Taormina ME 98039, Italy.

Email: hello@vanskystudio.com | Data Protection Officer: privacy@vanskystudio.com

VAT: IT03452780831. We are registered with the Registro delle Imprese di Messina.

2. Data We Collect

Inquiry data: name, email address, phone number, event date, event type, venue, and any message you submit via our inquiry form. Retained for 3 years from last contact.

Client session data: name, email, event details, delivery preferences, and access credentials for the client portal. Retained for the duration of our contract plus 7 years for accounting purposes.

Photographic works: finished images and edits stored in our MinIO object storage instance. Retained for 7 years after delivery unless a longer retention is agreed in writing.

Analytics data: anonymised browsing behaviour collected via Google Analytics 4 (GA4). IP addresses are anonymised before storage. Retained per Google's default retention settings (14 months).

Marketing data: ad-interaction signals collected via Facebook Pixel and Google Ads conversion tracking, used to measure campaign effectiveness.

Payment data: transactions are processed entirely by SumUp Europe S.à r.l. We do not store card numbers, CVVs, or full bank details on our systems.

3. Legal Basis for Processing

Contract performance (Art. 6(1)(b) GDPR): processing inquiry and client data to fulfil our photography services contract.

Legitimate interests (Art. 6(1)(f) GDPR): analytics to improve our website and services, provided these interests are not overridden by your rights.

Consent (Art. 6(1)(a) GDPR): analytics and marketing cookies, which you can grant or withdraw at any time via our cookie banner.

Legal obligation (Art. 6(1)(c) GDPR): retaining financial records for 7 years as required by Italian fiscal law (DPR 633/72).

4. Third-Party Sub-Processors

Google LLC (GA4, Google Ads) — analytics and conversion tracking. Data may be transferred to the USA under Standard Contractual Clauses. See Google's Privacy Policy at policies.google.com.

Meta Platforms Ireland Ltd (Facebook Pixel) — advertising audience measurement. See Meta's Data Policy at facebook.com/privacy/policy.

SumUp Europe S.à r.l. — payment processing under PCI DSS. See sumup.com/en/privacy.

MinIO / self-hosted object storage — photographic files stored on European servers operated by VanSkyStudio. No transfer outside the EEA.

Vercel Inc — website hosting and edge delivery. Data processed in the EEA region. See vercel.com/legal/privacy-policy.

5. Cookies and Tracking

We use essential cookies required for the site to function (session management, CSRF protection), analytics cookies (GA4: _ga, _gid, _ga_*), and marketing cookies (Facebook Pixel: _fbp, _fbc; Google Ads: _gcl_au).

Non-essential cookies are only placed after you grant consent via our cookie banner. You can change your preferences at any time.

See our full Cookie Policy for a detailed list of cookies, their purposes, and retention periods.

6. Your GDPR Rights

Right of access (Art. 15): you may request a copy of all personal data we hold about you.

Right to rectification (Art. 16): you may ask us to correct inaccurate or incomplete data.

Right to erasure (Art. 17): you may ask us to delete your data, subject to our legal retention obligations.

Right to restriction of processing (Art. 18): you may ask us to limit how we use your data while a dispute is resolved.

Right to data portability (Art. 20): you may request your data in a structured, machine-readable format.

Right to object (Art. 21): you may object to processing based on legitimate interests, including direct marketing.

Rights related to automated decision-making (Art. 22): we do not use fully automated decision-making that produces legal effects.

To exercise any right, email privacy@vanskystudio.com. We will respond within 30 days. You also have the right to lodge a complaint with the Garante per la protezione dei dati personali (www.garanteprivacy.it).

7. Data Security

We implement appropriate technical and organisational measures including TLS 1.3 in transit, AES-256 encryption at rest for stored images, role-based access controls, and regular security reviews.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Garante within 72 hours and inform affected individuals without undue delay.

8. International Transfers

Where personal data is transferred outside the EEA (e.g., to Google or Meta servers), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on adequacy decisions where applicable.

9. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email to active clients and via a notice on our website. The 'Last updated' date at the top of this page reflects the most recent revision.

10. Contact

VanSkyStudio di Nathan Cohen, Via Teatro Greco 5, Taormina ME 98039, Italy.

Email: privacy@vanskystudio.com | Phone: +39 0942 000000