1. Introduction
ShotLace LLC ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use the ShotLace platform at shotlace.com (the "Service").
This policy applies to all users of the Service:
- Photographers and studio owners ("Photographers") who create accounts and manage events
- Couples ("Couples") who complete wedding questionnaires via links provided by their Photographer
- Crew members ("Crew") who access shared checklists on the wedding day via PIN-protected links
Wedding data is inherently personal and sensitive. We recognize that names, relationships, and event details shared through ShotLace carry personal significance, and we treat all wedding-related data with the care it deserves.
2. Data Controller and Data Processor Roles
Understanding who controls your data is important:
- For Photographer account data: ShotLace LLC is the data controller. We determine why and how your account information is processed.
- For Couple and Crew data: The Photographer is the data controller. They decide to collect your wedding party details via our questionnaire. ShotLace acts as a data processor on the Photographer's behalf, processing your data only as necessary to provide the Service.
If you are a Couple or Crew member and have questions about how your data is used, please contact your Photographer directly. If your Photographer is unable to help, you may also contact us at support@shotlace.com.
3. Information We Collect
3.1 Information You Provide Directly
| Data Type | Examples | Who Provides It | Legal Basis (GDPR) |
|---|---|---|---|
| Account information | Email address, studio name, password (hashed) | Photographers | Contract performance |
| Event details | Couple names, wedding date, venue, locations | Photographers | Contract performance |
| Wedding party information | Names, roles (bride, groom, bridesmaid, etc.) | Photographers, Couples | Legitimate interest / Photographer's consent |
| Questionnaire responses | Wedding party details, special requests, location preferences | Couples | Legitimate interest (Photographer's contract with Couple) |
| Studio branding | Logos, studio settings, email signature logos | Photographers | Contract performance |
| Payment information | Processed directly by Stripe; we never receive or store card numbers | Photographers | Contract performance |
3.2 Information Collected Automatically
| Data Type | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Usage data (pages visited, features used, timestamps) | Service improvement, bug detection | Legitimate interest |
| Device information (browser type, operating system, screen size) | Responsive design, compatibility | Legitimate interest |
| IP address | Security, rate limiting, fraud prevention | Legitimate interest |
| Authentication cookie (auth_token) | Keeping you logged in (see Section 8) | Contract performance (essential) |
3.3 Information from Third Parties
- Stripe: After a payment, Stripe sends us confirmation details (payment status, amount, subscription status). We do not receive your full card number.
4. How We Use Your Information
We use your information for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide the Service (generate shot lists, manage events, process questionnaires, share crew checklists) | Account info, event details, wedding party data, questionnaire responses | Contract performance |
| Process payments and manage subscriptions | Email, payment details (via Stripe) | Contract performance |
| Send transactional emails (account creation, password resets, questionnaire notifications, plan confirmations) | Email addresses | Contract performance |
| Improve the Service (analyze usage patterns, fix bugs, develop new features) | Usage data, device information | Legitimate interest |
| Provide customer support | Email, account info, event details as needed | Legitimate interest |
| Ensure security (detect and prevent fraud, abuse, unauthorized access) | IP addresses, usage patterns, authentication data | Legitimate interest |
| Comply with legal obligations (tax records, law enforcement requests) | Payment records, account info | Legal obligation |
We do not:
- Sell, rent, or trade your personal data to any third party
- Use your data for third-party advertising or marketing
- Share wedding party information with anyone other than the Photographer who owns the event
- Train artificial intelligence or machine learning models on your data
- Profile you for automated decision-making
5. How We Share Your Information
We share your information only in the following limited circumstances:
| Recipient | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Email, payment details (processed directly by Stripe; we never see full card numbers) | United States |
| Resend | Transactional email delivery | Recipient email addresses, email content | United States |
| Hostinger (VPS hosting) | Infrastructure — hosting the Service | All data stored on the Service (encrypted at rest) | United States |
We may also disclose information if required to do so by law, court order, subpoena, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
6. Questionnaire and Crew Data
6.1 For Couples
When you complete a questionnaire, your Photographer has invited you to provide wedding party details and preferences. Your responses are stored in the Photographer's ShotLace account. The Photographer is the data controller for this information and is responsible for:
- Informing you about how your data will be used
- Obtaining any necessary consent from wedding party members whose names are provided
- Responding to requests from wedding party members about their data
We act as a data processor on the Photographer's behalf and process your questionnaire data only to provide the Service.
Your rights as a Couple: You may contact your Photographer to request access to, correction of, or deletion of your questionnaire data. If your Photographer is unresponsive, contact us at support@shotlace.com and we will assist in facilitating your request.
6.2 For Crew Members
Crew checklists are accessed via a PIN-protected link shared by the Photographer. No account creation is required. We do not collect personal data from Crew members beyond standard automatically collected data (IP address, browser information) necessary for delivering the page and maintaining security.
6.3 Wedding Party Members
If your name has been included in a wedding questionnaire or event by a Photographer or Couple, you may contact us at support@shotlace.com to request information about what data is stored, or to request its correction or deletion. We will coordinate with the relevant Photographer to fulfill your request.
7. Data Storage and Security
- Storage: Your data is stored in a SQLite database on a secured virtual private server hosted by Hostinger in the United States.
- Passwords: Hashed using bcrypt with a cost factor of 10. We never store or log plaintext passwords.
- Authentication: JWT tokens stored in httpOnly, Secure, SameSite cookies. Tokens expire after 7 days.
- Transmission: All data transmitted over HTTPS with TLS encryption. HTTP requests are redirected to HTTPS.
- Backups: Daily automated database backups retained for 30 days, then permanently deleted.
- Access control: Production server access is restricted to authorized personnel via SSH key authentication only.
- File uploads: Studio logos and signature images are stored on the server filesystem. Only the uploading Photographer's account can access their uploads.
While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any vulnerabilities discovered.
8. Cookies
We use a single, strictly essential cookie:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| auth_token | Keeps you logged in after authentication | 7 days | Essential (httpOnly, Secure, SameSite=Strict) |
We do not use:
- Tracking or analytics cookies
- Advertising or marketing cookies
- Third-party tracking scripts or pixels
- Cookie consent banners (because we only use one essential cookie that does not require consent)
Note: The Service also uses localStorage in your browser to store your authentication token and user display information for the client-side interface. This data is cleared when you log out.
9. Data Retention
| Data Type | Retention Period | What Happens After |
|---|---|---|
| Active Photographer accounts | For the life of the account | Deleted within 30 days of account deletion request |
| Archived Photographer accounts | Until the Photographer requests deletion or the primary admin removes the account | Deleted within 30 days |
| Event data (including questionnaire responses) | Until the Photographer deletes the event or closes their account | Deleted with the event or account |
| Server access logs (IP addresses) | 90 days | Automatically purged |
| Database backups | 30 days (rolling) | Automatically overwritten |
| Payment and billing records | 7 years (legal requirement for tax records under U.S. law) | Deleted after retention period |
| Support correspondence | 2 years after resolution | Deleted |
| Usage analytics (aggregated) | Indefinitely (no personal data) | N/A (anonymized) |
When data is deleted, we remove it from our active database. Residual copies may persist in encrypted backups for up to 30 days before being permanently overwritten.
10. Your Rights
10.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated data
- Data portability: Request an export of your data in JSON or CSV format
- Objection: Object to processing based on legitimate interest
- Restriction: Request that we restrict processing of your data while a dispute is resolved
How to exercise your rights: Email support@shotlace.com with the subject line "Privacy Request" and describe your request. We will verify your identity and respond within 30 days. Data export requests will be fulfilled in JSON or CSV format within 30 days.
10.2 Rights for EEA/UK Residents (GDPR)
If you are located in the European Economic Area or United Kingdom, you also have the right to:
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Lodge a complaint: File a complaint with your local data protection authority (supervisory authority) if you believe your rights have been violated
- Data portability: Receive your data in a structured, commonly used, machine-readable format
The legal basis for each type of processing is specified in the tables in Sections 3 and 4 above.
10.3 Rights for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations).
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share (as defined by CCPA/CPRA) your personal information. We have not sold or shared personal information in the preceding 12 months.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of personal information collected (per CCPA categories): Identifiers (email, name, IP address); commercial information (payment history, subscription plan); internet or electronic network activity (usage data, browser information); professional information (studio name).
To exercise your California rights, email support@shotlace.com with the subject line "California Privacy Request." We will verify your identity and respond within 45 days.
11. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach, as required by applicable law (including New Jersey's data breach notification law, N.J.S.A. 56:8-163, and GDPR Article 33 for EEA/UK residents)
- Describe the nature of the breach, the types of data affected, and the steps we are taking to address it
- Provide guidance on steps you can take to protect yourself (e.g., changing your password)
- Notify relevant authorities as required by applicable law, including the relevant supervisory authority for GDPR purposes
12. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.
For EEA/UK residents: The United States does not have an adequacy decision from the European Commission for all data transfers. Where we transfer personal data from the EEA/UK to the United States, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
- The necessity of the transfer for the performance of our contract with you (Article 49(1)(b) GDPR)
You may request a copy of the safeguards we use for international transfers by contacting support@shotlace.com.
For all international users: By creating an account or using the Service, you acknowledge that your data will be processed in the United States, where data protection laws may differ from those in your jurisdiction.
13. Children's Privacy
The Service is designed for professional photographers and is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected data from a child under 18, we will delete it promptly and notify the relevant account holder.
Note: Wedding questionnaires may include the names of minors who are part of the wedding party (e.g., flower girl, ring bearer). These names are provided by the Photographer or Couple, who are responsible for obtaining appropriate consent from the minor's parent or guardian.
14. Third-Party Services
The Service integrates with or links to the following third-party services, each with their own privacy policies:
- Stripe (payment processing): stripe.com/privacy
- Resend (email delivery): resend.com/legal/privacy-policy
We encourage you to review the privacy policies of these third-party services. We are not responsible for the privacy practices of third parties.
15. Do Not Track
Some browsers send a "Do Not Track" (DNT) signal. Because we do not engage in cross-site tracking and do not use tracking cookies or third-party analytics, our Service inherently respects DNT signals. Your experience with ShotLace is the same regardless of your DNT setting.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- Material changes: We will notify registered Photographers via email at least 30 days before the changes take effect
- Minor changes: We will update the "Last updated" date at the top of this page
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with a change, you may delete your account.
17. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, contact us at:
ShotLace LLC
Email: support@shotlace.com
Website: shotlace.com
We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you may lodge a complaint with your local data protection authority.