Privacy Policy

Effective Date: January 3, 2026
Last Updated: January 3, 2026
Version: v1.0-2026-01-03

1. Introduction

Vela Photo ("we," "our," "us") operates the Vela Photo wedding photography timeline management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service in compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

2. Data Controller Information

For purposes of the GDPR and other data protection laws, Vela Photo is the data controller for personal information collected through our Service.

Company: Rocket Creative LLC d/b/a UXUI Design Corp

Privacy Contact: privacy@velaphoto.com

Address: [Business Address]

For GDPR-specific inquiries or to exercise your rights under EU law, please contact us at the email above.

3. Information We Collect

3.1 Information You Provide

Photographer Account Data:

Name, email address, phone number
Business name, website, address
Password (stored as a secure hash, never in plain text)
Billing information (processed securely through Stripe; we only store the last 4 digits of cards)

Couple/Client Data (provided by photographers or directly by couples via intake forms):

Names, email addresses, phone numbers, pronouns
Wedding date, ceremony and reception locations
Family member names and relationships
Cultural, religious, or faith-based ceremony preferences
Wedding party member details

3.2 Automatically Collected Information

IP address and approximate location
Device type, operating system, and browser information
Pages visited, features used, and timestamps
Referring website and exit pages

3.3 Information from Third Parties

Stripe: Transaction confirmation, payment status (we do not receive or store full credit card numbers)
Google Maps: Location and travel time calculations (anonymized)

4. How We Use Your Information

Service Delivery: Create wedding timelines, generate shot lists, send notifications
Account Management: Authenticate users, manage subscriptions, process payments
Communication: Send service updates, respond to support inquiries, renewal reminders
Security: Prevent fraud, detect abuse, protect against unauthorized access
Analytics: Understand usage patterns, improve features (using aggregated/anonymized data)
Legal Compliance: Comply with laws, respond to legal requests, enforce our terms

5. Legal Basis for Processing (GDPR)

Under the GDPR, we process personal data based on the following legal grounds:

Contract Performance (Article 6(1)(b)): Processing necessary to deliver the services you signed up for—creating timelines, managing your account, processing payments.
Legal Obligation (Article 6(1)(c)): Processing required by law—tax records (7 years), fraud prevention, responding to valid legal requests.
Legitimate Interest (Article 6(1)(f)): Security monitoring, service improvement, analytics (balanced against your rights). You may object to processing based on legitimate interest.
Consent (Article 6(1)(a)): Marketing communications, optional analytics cookies. You may withdraw consent at any time.

6. Data Sharing and Disclosure

We NEVER sell your personal data.

We share data only with the following categories of recipients:

6.1 Service Providers (Subprocessors)

Provider	Purpose	Data Shared	Location
Supabase	Database hosting	All application data	USA (AWS)
Stripe	Payment processing	Billing info, email	USA
Vercel	Website hosting	IP addresses, logs	Global CDN
Resend	Email delivery	Email addresses, names	USA
Sentry	Error monitoring	Error logs (no PII)	USA
Google Maps	Location/travel time	Addresses only	USA

6.2 Other Disclosures

Legal Requirements: Law enforcement requests, court orders, legal proceedings
Business Transfers: In case of merger, acquisition, or asset sale (with prior notice to you)
Protection: To protect our rights, safety, or property, or that of our users

7. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

Data Type	Retention Period	Reason
Account information	Account lifetime + 7 years	Tax compliance
Wedding data	Until deleted or 2 years post-wedding	Service delivery
Payment records	7 years	Tax law requirement
Security logs	90 days	Security monitoring
Analytics data	2 years (aggregated)	Service improvement
Support communications	3 years	Customer service

8. Your Rights Under GDPR (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you have the following rights:

Right of Access (Art. 15): Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON, CSV).
Right to Object (Art. 21): Object to processing based on legitimate interest.
Right to Restrict Processing (Art. 18): Request limitation of processing in certain circumstances.
Right to Withdraw Consent (Art. 7): Withdraw consent for processing based on consent (e.g., marketing emails) at any time.
Right to Lodge a Complaint: File a complaint with your local Data Protection Authority.

To exercise your rights: Email privacy@velaphoto.com with your request. We will respond within 30 days (extendable by 60 days for complex requests).

9. Your Rights Under CCPA (California Residents)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: Request disclosure of what personal information we collect, use, disclose, and sell.
Right to Delete: Request deletion of your personal information (subject to legal exceptions).
Right to Opt-Out of Sale: We do NOT sell personal information, so this right does not apply.
Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
Right to Correct: Request correction of inaccurate personal information.
Right to Limit Use of Sensitive Personal Information: We collect minimal sensitive information and use it only for providing the Service.

To exercise your rights: Email privacy@velaphoto.com or call [Phone Number]. We will verify your identity and respond within 45 days.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

EU Residents (GDPR): We will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay if the breach poses high risk.
California Residents (CCPA): We will notify affected individuals and the California Attorney General within required timeframes.
All Users: We will provide details of the breach, data affected, and recommended protective steps via email and website notice.

11. International Data Transfers

Your data is primarily processed in the United States. For transfers from the EU/EEA to the US, we rely on:

Standard Contractual Clauses (SCCs): We have executed SCCs with our subprocessors (Supabase, Stripe, etc.) as approved by the European Commission.
Adequacy Decisions: Where applicable, we transfer data to countries with adequacy decisions.
Your Consent: By using our Service, you consent to the transfer of your data to the US for processing.

12. Data Security

We implement industry-standard security measures to protect your data:

Encryption in Transit: All data transmitted using TLS 1.3
Encryption at Rest: Database encryption via Supabase
Secure Authentication: Passwords hashed using bcrypt with salt
Access Controls: Role-based access, least-privilege principles
Security Headers: HSTS, CSP, X-Frame-Options, and other protections
Regular Audits: Periodic security assessments and monitoring

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

13. Cookies and Tracking Technologies

We use cookies and similar technologies for:

Essential Cookies: Authentication, security, session management (required for Service)
Functional Cookies: Remember your preferences and settings
Analytics Cookies: Understand usage patterns (opt-in, can be disabled)

You can manage cookie preferences through our cookie banner or your browser settings. See our Cookie Policy for details.

14. Children's Privacy

Vela Photo is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we discover that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@velaphoto.com.

15. Do Not Track Signals

Our Service does not currently respond to "Do Not Track" (DNT) browser signals because there is no consistent industry standard for compliance. However, you can manage tracking through our cookie preferences and browser settings.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Email notification to your registered account
Prominent notice on our website
Requiring re-acceptance for material changes affecting your rights

The "Last Updated" date at the top of this policy indicates when it was last revised.

17. Text Message (SMS) Privacy

17.1 Information Collected for SMS

When you opt in to receive text messages from Vela, we collect and process:

The mobile phone number you provided
The timestamp, IP address, and browser user agent at the moment you opted in (audit trail required by US TCPA and carrier rules)
Delivery status, error codes, and message body for each outbound message we send
The keyword content of any reply you send to us (STOP, HELP, START, etc.)

17.2 SMS Sub Processor

Vela uses Twilio Inc. as a sub processor to transmit text messages. Your phone number, message content, and delivery metadata are shared with Twilio solely for the purpose of delivering the message you opted in to receive. Twilio is contractually bound to use this data only for the service it provides to Vela.

17.3 No Sale or Sharing for Marketing

Phone numbers and SMS opt in information are never sold, rented, leased, or shared with third parties for their marketing purposes. SMS consent is collected and used solely for transactional messaging from Vela. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes.

17.4 Retention

SMS audit data (opt in timestamp, IP, user agent, message logs) is retained for the life of your account plus 4 years, in line with US TCPA recordkeeping requirements. Phone numbers belonging to users who opt out via STOP are flagged as opted out and retained on a suppression list to prevent future messaging. You may request full deletion via privacy@velaphoto.com, subject to legal hold requirements.

17.5 How to Revoke SMS Consent

You can revoke SMS consent at any time. Options:

Reply STOP to any message from Vela
Remove or blank your phone number in your Vela account or couple dashboard
Email privacy@velaphoto.com with the phone number to suppress

Opt out is honored within 24 hours and applies to all future SMS from Vela on that number. Revoking SMS consent does not affect email notifications or the rest of your account.

17.6 Third Party Numbers

When a couple adds a family member or wedding party contact to Vela and selects SMS as a contact method, the couple is required to attest in the dashboard form that they have permission from that person to share their number with Vela for transactional wedding texts. The recipient may opt out at any time by replying STOP, after which Vela will suppress the number on its end regardless of the couple's settings.

For the full SMS program description (message types, frequency, rates, HELP/STOP instructions), see Section 16 of our Terms of Service.

18. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights:

Privacy Inquiries: privacy@velaphoto.com

General Support: support@velaphoto.com

Mailing Address: [Business Address]

We aim to respond to all privacy-related inquiries within 30 days.