# Privacy Policy

## 1. Data We Collect
- **Gallery Access**: QR token (hashed), optional display name
- **Photos**: Your child's photos (preview and original)
- **Favorites**: Photos you mark as favorites
- **Orders**: Billing name, address, email, order details
- **Payments**: Transaction data (processed by SimplePay)

## 2. How We Use Your Data
- To provide gallery access and ordering functionality
- To process and fulfill your orders
- To send order confirmations (if enabled by institution)
- To comply with legal obligations (invoicing, accounting)

## 3. Data Retention
- **Gallery photos and access**: Deleted 30 days after ordering deadline
- **Orders and invoices**: Retained as required by law (typically several years)
- **Favorites and cart**: Deleted with gallery data

## 4. Data Security
- QR tokens are hashed (not stored in plain text)
- Secure HTTPS connections
- Access restricted to authorized personnel

## 5. Your Rights
- Access your data through your QR code
- Request deletion (subject to legal retention requirements)
- Contact us for data-related questions

## 6. Third-Party Services
- **SimplePay**: Payment processing (see SimplePay privacy policy)
- **Email**: Mailtrap SMTP (if notifications enabled)

## 7. Contact
For privacy questions, contact your photographer.

Last updated: January 2026
Version: 1.0 | Published: 1/27/2026