Privacy Policy

The data controller within the meaning of the GDPR is the operator of FindAShoot.

Contact: privacy@findashoot.com

At registration: email address, password (hashed), display name, role (Model / Photographer / MUA).

In your profile (optional): stage name, bio, city, country, categories, photos, Instagram URL.

During use: messages (stored encrypted), booking inquiries, favorites, activity logs (login, logout, profile changes).

Identity verification (temporary): when verification is requested, a selfie and a photo of a valid identity document — retained solely for the duration of the verification process, then permanently deleted.

Support requests: subject, message, category, email address, name (for non-logged-in users), IP address and browser type.

Technical: IP address, browser type (for security and abuse prevention), session cookie.

Providing platform features (profile, search, messaging, booking inquiries).

Platform moderation and safety.

Showing recent activity status (last sign-in) to administrative staff for moderation and support purposes.

Communication for account requests, password reset, and notifications.

Legal obligations (e.g. upon request from authorities).

Art. 6(1)(b) GDPR — Contract performance: for all features necessary to use the platform.

Art. 6(1)(a) GDPR — Consent: for newsletter (if subscribed) and optional profile data.

Art. 6(1)(f) GDPR — Legitimate interests: for security monitoring and abuse prevention.

Art. 6(1)(c) GDPR — Legal obligation: upon request from authorities.

Uploaded photos are stored on our servers and are visible as part of your public profile.

By uploading, you confirm that you own all necessary rights to the images.

Photos can be deleted at any time from your dashboard. Changes to publicly visible photos are subject to admin review.

For identity verification, users may be asked to upload a selfie and a photo of a valid identity document.

This data is processed solely for verification purposes and is accessible only to authorised administrative staff.

The identity document images and selfie are permanently deleted as soon as the verification process is concluded (approved or rejected) — in any case within 7 business days of receipt.

No copy of this data is retained after the verification process is complete.

Private messages are stored encrypted (AES-256).

Messages are not actively monitored. The operator accesses messages only in the case of a user report, reasonable suspicion of abuse, or legal order.

Reported messages are stored in plaintext for moderation review.

We do not share personal data with third parties, except:

• email service provider (MailerSend Ltd, Cyprus) for transactional emails — solely for delivery,

• fallback email provider (Resend, Inc., USA) — only used when the primary MailerSend transport is unavailable; transactional emails only (no marketing). Transfers covered by the EU-US Data Privacy Framework,

• object storage (Cloudflare R2, Cloudflare, Inc.) for all photos uploaded to the platform and identity-verification documents during the verification window — stored in EU regions, encrypted at rest. Transfers covered by Standard Contractual Clauses,

• hosting provider (Hetzner Online GmbH, Germany) for infrastructure — data physically stored in the EU,

• DNS + inbound email routing (Cloudflare, Inc.) for DNS resolution and routing of emails sent to @findashoot.com addresses,

• when required by law.

We do not sell data.

Account data is retained for as long as the account is active.

After account deletion, personal data is deleted or anonymised within 30 days, unless a legal retention obligation applies. A minimal deletion record (userId, deletion date, reason) is kept for up to 5 years to document compliance with GDPR Art. 17.

Identity documents and selfies uploaded for verification are permanently deleted upon completion of the verification process (approval or rejection), within 7 business days.

Activity logs (logins, profile edits, consent, etc.) are automatically deleted after 24 months.

Admin moderation actions and message reports are retained for up to 60 months (5 years) to support abuse investigations and comply with the Digital Services Act.

Consent receipts (T&C, newsletter, photo consent) are retained for 60 months after withdrawal to demonstrate lawful processing (GDPR Art. 7(1)).

Financial records (invoices, subscription transactions) are retained for 10 years as required by tax law.

Messages are stored encrypted while the conversation is active. On account deletion, sender messages are replaced with a placeholder and personal identifiers removed; the conversation remains visible to the other participant.

Reported content may be retained longer if legal proceedings are initiated.

You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21 GDPR).

To exercise your rights, contact: privacy@findashoot.com

You have the right to lodge a complaint with the Austrian Data Protection Authority (dsb.gv.at).

You can submit inquiries via the contact form on our support page. We store the subject, message, category, your email address, as well as IP address and browser type.

If you are not logged in, your name and email address are additionally required.

This data is used solely to process your request and is not shared with third parties after the ticket is resolved.

Replies to your ticket are sent via email to the address on file.

We use only technically necessary cookies (session cookie for authentication).

No tracking, advertising, or analytics cookies are set.

We use Umami — a privacy-friendly, self-hosted analytics tool. Umami is cookieless, anonymizes IP addresses, does not track users across sites, and all analytics data is stored on our own servers (Hetzner, EU). No Google Analytics, Facebook Pixel, or similar third-party trackers are used.

By keeping your profile public on FindAShoot, you agree that we may display your published profile photos, display name, role and city in promotional contexts that further the platform's discoverability:

• partner-studio kiosk monitors (the in-app /display/* pages mounted on screens at studios that partner with us);

• the platform's own social media accounts (Instagram, TikTok, etc.) — never tagged with your private contact details;

• screenshots in articles, presentations and press material about FindAShoot;

• in-platform 'Spotlight' features and editorial selections.

You can revoke this consent at any time by setting your profile to private, removing the photos in question, or writing to privacy@findashoot.com. Photos you delete are removed from these uses with the same lag as the rest of the public site (typically <24h).

If the photos you upload contain other identifiable people (e.g. you are a photographer publishing a model's image), by uploading you also confirm that you have obtained the subject's consent for the same promotional uses described above. The platform is not the controller of that side-consent and bears no liability for absent or invalid consent — that responsibility stays with the uploader.