Privacy Policy

    Last updated: 16th April 2026

    This privacy policy outlines how Mea Fabula Studio ("I", "me", "my") collects, uses, protects, and erases any information that you provide when you use this website or my photography services, including the client portal for viewing and purchasing photographs.

    Data Controller

    Mea Fabula Studio is the data controller responsible for your personal data under UK GDPR and the Data Protection Act 2018.

    Information I Collect

    I may collect the following information:

    • Your name and contact information, including email address and telephone number.
    • Event details, such as dates, venues, and timings, relevant to the photography services requested.
    • Information you provide through the contact form on my website.
    • Photographs and images captured during a photoshoot, which may be considered personal data.
    • Client portal accounts: if you are invited to the private client portal, I store your name and email address to provide you with secure access to your gallery and to process any digital download purchases.
    • Purchase records: if you purchase digital downloads through the portal, I retain a transaction record containing the order total, Stripe session reference, date, and a non-personal customer reference number. No payment card data is stored by me.

    How I Use Your Information

    I use this information to understand your needs and provide you with a better service, and in particular for the following reasons:

    • To respond to your enquiries and communicate with you about your booking.
    • To provide photography services as agreed in our contract.
    • For internal record keeping and administrative purposes.
    • To deliver your photographs to you.
    • To operate the client portal, provide access to your private gallery, and fulfil digital download purchases.
    • To retain financial transaction records as required by HMRC under UK tax law.
    • With your explicit consent, I may use your images for promotional purposes, such as on my website portfolio, social media, or in print.

    Data Security & Encryption

    I am committed to ensuring that your information is secure. For client portal accounts, your personal data (name and email address) is encrypted at rest using industry-standard authenticated encryption. This means that even in the unlikely event of a database-level breach, your personal details are exposed only as unreadable ciphertext.

    Access to the client portal is protected by a one-time passcode delivered to your registered email address. No passwords are stored.

    Data Retention

    I retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including any legal or accounting obligations.

    • Client portal accounts: your name and email address are retained for the duration of our working relationship and your active gallery access. You may request deletion at any time (see "Your Rights" below).
    • Transaction records: under HMRC regulations, financial records must be retained for a minimum of six years from the end of the relevant tax year. After your account is deleted, any purchase records are retained solely for this purpose. They contain no personal data — they are identified only by a non-personal customer reference number (e.g. CN0042), the order total, the Stripe session reference, and the transaction date.

    Payment Processing

    Digital download purchases are processed by Stripe, a third-party payment processor. When you make a purchase, you are directed to Stripe's secure checkout. I do not see or store your payment card details at any point.

    Stripe retains your payment and transaction data under their own privacy policy and Data Processing Agreement in accordance with applicable law. You can review Stripe's privacy policy at stripe.com/gb/privacy.

    Image Rights & Usage

    All images are copyrighted by Mea Fabula Studio. As the photographer, I retain the copyright to all images taken.

    You, the client, are granted a licence to use the images for personal, non-commercial use. This includes printing, sharing with friends and family, and on your personal social media profiles.

    Use of images for commercial purposes, sale, or any use that benefits a third party is not permitted without my prior written consent.

    I will not use your images for my own promotional purposes without your explicit consent, which will be sought separately from our main contract.

    Data Sharing & Third Parties

    I will not sell, distribute, or lease your personal information to third parties unless I have your permission or am required by law to do so.

    I may share your information with the following trusted third-party providers only to the extent necessary for my business operations:

    • Stripe — payment processing for digital download purchases (see "Payment Processing" above).
    • Supabase — secure cloud database and authentication infrastructure, hosted in the EU. Your personal data is encrypted at rest before storage.
    • Print labs or album suppliers, solely for the purpose of fulfilling physical print orders.

    Your Rights

    Under UK data protection law (UK GDPR), you have the following rights:

    • Right of access — you have the right to ask for copies of your personal information.
    • Right to rectification — you have the right to ask to rectify information you think is inaccurate. You can update your name and email address directly from your profile page in the client portal.
    • Right to erasure — you have the right to request deletion of your personal data. Client portal users can exercise this right immediately and without contacting me by using the Delete My Account option on the Profile page of the portal. Deletion is permanent and instantaneous: your name, email address, and login credentials are erased from all systems. Transaction records are retained in anonymised form only, as required by HMRC (see "Data Retention" above).
    • Right to restriction of processing — you have the right to ask to restrict the processing of your information in certain circumstances.
    • Right to object to processing — you have the right to object to the processing of your personal data in certain circumstances.
    • Right to data portability — you have the right to ask that I transfer the information you gave me to another organisation, or to you, in certain circumstances.

    To exercise any of these rights, or if you have any questions about this privacy policy or my privacy practices, please contact me via the Contact Page.

    Cookies

    This website uses only functional cookies required for authentication and session management. No tracking or advertising cookies are used.

    Changes to This Policy

    I may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date.