Legal
Privacy Policy
Last updated: March 2026
1. Who We Are
ViewFinder is a photography booking marketplace connecting clients with professional photographers across the UK. We are the data controller responsible for personal data processed through this platform.
2. What Data We Collect
Account data
Name, email address, and an encrypted password, managed via Supabase Auth. We never see your raw password.
Photographer profiles
Bio, location, pricing, availability, and portfolio images you upload. Images are stored via UploadThing.
Booking data
Session details, dates, locations, and messages exchanged between photographers and clients in connection with a booking.
Payment data
Payments are processed entirely by Stripe. ViewFinder never stores card numbers or full payment details — these go directly to Stripe's secure servers and are subject to their privacy policy.
Communications
Transactional emails — such as booking confirmations and notifications — sent via Resend. We do not send marketing emails without your explicit consent.
Usage data
Browser type, device information, approximate location, and pages visited. Used solely to maintain and improve the service.
3. How We Use Your Data
Under UK GDPR Article 6, we rely on the following legal bases:
Contract performance
To operate bookings, process payments, and deliver the services you request. This is necessary to fulfil our contract with you.
Legitimate interests
To prevent fraud, ensure platform security, resolve disputes, and improve the service — where these interests are not overridden by your rights.
Consent
For any optional marketing emails. You may withdraw consent at any time by clicking "Unsubscribe" in any email or contacting us directly.
4. Third-Party Processors
We use the following sub-processors. Each is contractually bound to protect your data and may only use it for the stated purpose.
| Processor | Location |
|---|---|
| Supabase | EU / USSCCs apply |
| Stripe | UK / EUAdequacy decision |
| UploadThing | USSCCs apply |
| Resend | USSCCs apply |
Where processors are based outside the UK/EEA, transfers are protected by Standard Contractual Clauses (SCCs) or an adequacy decision.
5. Data Retention
- Account data — retained until you delete your account
- Booking & transaction records — 7 years, as required by UK tax and financial legislation
- Payment records — per Stripe's data retention policies
- Uploaded photos — retained until you delete them or close your account
6. Your Rights
As a UK resident, you have the following rights under UK GDPR:
7. Cookies
We use essential cookies only — specifically to maintain your login session via Supabase Auth. These are strictly necessary for the service to function and do not require your consent under PECR.
We do not currently use third-party tracking, advertising, or analytics cookies. If we introduce these in future, this policy will be updated and consent will be obtained where required under PECR.
8. Children
ViewFinder is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this privacy policy from time to time. For material changes, we will notify you by email or by displaying a prominent notice on the platform before the change takes effect. The "last updated" date at the top of this page reflects the most recent revision.
10. Contact & Complaints
If you have any questions about this policy or how we handle your data, please get in touch:
© 2026 ViewFinder · Privacy Policy