Visuals by VS — Wedding Photography

01 Who We Are

This Privacy Policy applies to https://visualsbyvs.com/, operated by Visuals by VS ("we", "us", "our"), a videography business based in 77270, France.

Data Controller
Visuals by VS
Villeparisis, — 77270
SIRET : 92465139100014
Email : visualbyvs@gmail.com
Phone : +33767131339

We take your privacy seriously. This policy explains what personal data we collect when you visit our website, create an account, submit an enquiry, or receive communications from us — and how we handle it in compliance with the EU GDPR 2016/679 and French data protection law enforced by the CNIL.

02 Data We Collect

Account & Login Data

Email address — primary login identifier and transactional communications
Phone number — used for SMS one-time passcode (OTP) login, and with your explicit consent, marketing SMS
Hashed password (where applicable)
Account creation date and last login timestamp

Enquiry & Contact Data

Name, email address, phone number, event date, and message submitted via contact forms

Push Notification Data

Push subscription token (generated by your browser, managed by OneSignal)
Device type, browser, and operating system
Notification delivery and interaction events

Client Gallery & Delivery Data

Email and/or phone used to verify access to your private client gallery
Viewing activity on delivered films and photos

Technical & Usage Data

IP address (anonymised after session ends where possible)
Browser type, version, and operating system
Pages visited, referring URL, and session duration
Cookie identifiers (see Section 10)

We do not store payment card data. Payments are processed directly by Stripe on their PCI-DSS compliant infrastructure. We never see or store your card number, CVV, or banking credentials.

03 How We Use Your Data

Purpose	Data used	Legal basis
Account login & authentication	Email, phone (OTP)	Contract / Legitimate interest
Responding to enquiries	Name, email, phone, message	Pre-contractual steps
Delivering your private gallery	Email, phone	Contract performance
Push notifications	Push token, device info	Consent
Marketing emails	Email address	Consent
Marketing SMS	Phone number	Consent
Payment processing	Passed directly to Stripe	Contract performance
Website analytics & security	IP, usage data	Legitimate interest
Legal compliance	All categories as required	Legal obligation

04 Legal Basis (GDPR Art. 6)

Art. 6(1)(a) — Consent: Push notifications, marketing emails, and marketing SMS. You may withdraw consent at any time.
Art. 6(1)(b) — Contract: Delivering your gallery, responding to booking enquiries, and managing your account.
Art. 6(1)(c) — Legal obligation: Retention of invoices and financial records (Art. L.123-22 Code de commerce — 10 years).
Art. 6(1)(f) — Legitimate interests: Website security, fraud prevention, and service improvement.

Where processing is based on consent, you may withdraw it at any time via the unsubscribe link in any email, by replying STOP to any SMS, or by revoking push notification permission in your browser settings.

05 Third-Party Services

Each processor below is bound by a GDPR-compliant DPA or Standard Contractual Clauses (SCCs) where data leaves the EU:

Service	Purpose	Data shared	Location
Hostinger UAB	Web hosting & database	All server-side data	EU — Lithuania ✓
OneSignal	Push notifications	Push token, device, IP	USA (SCCs)
Stripe, Inc.	Payment processing	Payment details (direct)	USA/EU (SCCs)
Google LLC (Drive / APIs)	Media delivery & embeds	IP, access logs	USA/EU (SCCs)
SMS provider	OTP & marketing SMS	Phone number, message	EU / varies (SCCs)
Email / SMTP provider	Transactional & marketing email	Email address, name	EU / varies (SCCs)
Google Fonts CDN	Typography	IP (on page load)	USA (SCCs)
Cloudflare CDN	Bootstrap CSS delivery	IP (on page load)	USA/EU (SCCs)

✓ = data remains within the EU. SCCs = Standard Contractual Clauses, Commission Decision 2021/914.

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

06 Push Notifications — OneSignal

We use OneSignal, Inc. to send browser and mobile push notifications about your client gallery, new films, and promotions. Push notifications are only sent with your explicit opt-in consent.

What OneSignal collects on subscription

A unique push token generated by your browser or device
Device type, browser name and version, operating system
IP address at time of subscription
Notification delivery and interaction events (delivered / opened / dismissed)

How to withdraw & opt out

Chrome: Settings → Privacy & Security → Site Settings → Notifications → find visualsbyvs.com → Block
Firefox: Preferences → Privacy & Security → Permissions → Notifications → Settings
Safari: Preferences → Websites → Notifications → remove this site
Via email: visualbyvs@gmail.com

OneSignal privacy policy: onesignal.com/privacy_policy. Transfers to the USA are covered by SCCs and the EU–US Data Privacy Framework.

07 SMS & Email Communications

Transactional messages

We send transactional SMS and emails necessary to operate our service — OTP login codes, booking confirmations, and gallery delivery notifications. These are sent on the basis of contract performance and do not require separate marketing consent.

Marketing messages

Promotional SMS and email communications are only sent with your explicit prior consent, collected at account registration or via a dedicated opt-in form. Each marketing message includes a clear opt-out:

Email: Unsubscribe link in every marketing email footer
SMS: Reply STOP to any marketing SMS to unsubscribe immediately

OTP authentication via SMS

When you log in with your phone number, a one-time passcode (OTP) is sent via SMS to verify your identity. This code expires after a short period and is never stored in plaintext. Your phone number is not shared with third parties beyond the SMS delivery provider.

Opting out of marketing does not affect login. You will still receive OTP and transactional messages required to use the service.

08 Data Retention

Data type	Retention period	Basis
Account data (email, phone)	Until deletion + 30-day backup purge	Contract
Enquiry / contact messages	3 years from last communication	Legitimate interest
OTP SMS logs	30 days	Security / fraud prevention
Push notification tokens	Until revoked or 12 months inactivity	Consent
Marketing consent records	Until withdrawn + 5 years	Legal obligation (proof)
Server access logs	90 days (Hostinger default)	Legitimate interest
Invoices & financial records	10 years	Art. L.123-22 Code de commerce

After the applicable period, data is securely deleted or irreversibly anonymised.

09 Your Rights

Under GDPR, you have the following rights. We respond to all verified requests within 30 days:

Art. 15 — Access: Request a copy of all personal data we hold about you.
Art. 16 — Rectification: Ask us to correct inaccurate or incomplete data.
Art. 17 — Erasure: Request deletion of your data, subject to legal retention obligations.
Art. 18 — Restriction: Ask us to pause processing while a dispute is resolved.
Art. 20 — Portability: Receive your data in a machine-readable format (JSON/CSV).
Art. 21 — Object: Object to processing based on legitimate interests or for direct marketing.
Art. 7(3) — Withdraw consent: Withdraw consent for push, marketing emails, or marketing SMS at any time.

Email visualbyvs@gmail.com with subject line "GDPR Request". We may ask you to verify your identity. No fee for standard requests.

Right to complain — CNIL

You may lodge a complaint with France's data protection authority:

Website: www.cnil.fr
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Phone: +33 1 53 73 22 22

10 Cookies

Cookie	Category	Purpose	Expires
PHPSESSID	Strictly necessary	Maintains your login session	7 days / browser close
onesignal-notification-prompt	Functional	Stores your push permission choice	1 year
onesignal-pageview-count	Functional	Times the push opt-in prompt	1 year
os_pageViews	Functional	OneSignal session tracking	Session
Google Fonts cache	Technical	Browser font caching — no user tracking	Browser cache

Strictly necessary cookies cannot be disabled — they are essential for login to work. You can manage all others via your browser's cookie settings.

11 International Transfers

Our website is hosted by Hostinger UAB in the EU (Lithuania). Your data stays within the EU for primary hosting and database storage.

Certain services (OneSignal, Google, Stripe, Cloudflare) transfer data to the USA or other countries outside the EEA. These transfers are protected by:

EU Standard Contractual Clauses (SCCs) — Commission Decision 2021/914
EU–US Data Privacy Framework (DPF) — where the processor is certified
Adequacy decision — where applicable

You may request a copy of relevant safeguards by contacting us.

12 Children's Privacy

Our website is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has submitted data, please contact visualbyvs@gmail.com and we will delete it promptly.

13 Changes to This Policy

We may update this policy to reflect changes in our services or legal requirements. For material changes we will update the date at the top of this page, post a notice on our homepage, and where required by law notify you by email or in-app notification.

14 Contact & Data Controller

For any questions about this policy or to exercise your rights:

Visuals by VS

Villeparisis, — 77270, France

SIRET : 92465139100014

Email : visualbyvs@gmail.com

Phone : +33767131339

Use subject line "GDPR Request" for data rights enquiries. Response within 5 business days.

↑ Back to top