GDPR Compliance

ShootMuse is fully committed to compliance with the General Data Protection Regulation (GDPR). We believe that data privacy is a fundamental right, and we have designed our platform with privacy by design and privacy by default at its core.

Whether you are based in the European Economic Area (EEA) or elsewhere, we apply the same high standards of data protection to all of our users.

ShootMuse acts as the data controllerfor the personal data of its users (photographers and studio owners). When you use ShootMuse to manage your clients' data, you act as the data controller for your clients' information, and ShootMuse acts as the data processor on your behalf.

We process personal data under the following legal bases as defined by GDPR:

• Contractual necessity: Processing required to provide the services you have subscribed to.
• Legitimate interest: Processing for improving our services, security monitoring, and fraud prevention.
• Consent: Processing based on your explicit consent, such as marketing communications. You can withdraw consent at any time.
• Legal obligation: Processing required to comply with applicable laws and regulations.

As a data subject, you have the following rights under the GDPR:

• Right of Access: You have the right to request a copy of the personal data we hold about you.
• Right to Rectification: You can request correction of any inaccurate or incomplete personal data.
• Right to Erasure: You can request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected.
• Right to Data Portability: You can request your data in a structured, commonly used, and machine-readable format.
• Right to Restriction: You can request that we limit the processing of your personal data in certain circumstances.
• Right to Object: You can object to the processing of your personal data for direct marketing or processing based on legitimate interest.

We maintain Data Processing Agreements (DPAs) with all third-party service providers who process personal data on our behalf. These agreements ensure that our sub-processors adhere to the same high standards of data protection required by the GDPR.

If you require a DPA for your use of ShootMuse, please contact our Data Protection Officer.

When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Transfers to countries with an adequacy decision from the European Commission.
• Additional technical and organizational measures, including encryption and access controls.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with the GDPR. You can reach our DPO at:

dpo@shootmuse.com

We use the following categories of sub-processors to deliver our services:

• Cloud infrastructure: Hosting and storage of application data.
• Payment processing: Secure handling of billing and subscription transactions.
• Email delivery: Transactional and notification emails.
• Analytics: Anonymized usage analytics to improve our product.

A detailed list of our current sub-processors is available upon request. We will notify you of any changes to our sub-processor list with at least 30 days' notice.

To exercise any of your rights under the GDPR, you can:

• Use the data management tools in your account settings to access, export, or delete your data.
• Contact our Data Protection Officer at dpo@shootmuse.com.

We will respond to all legitimate requests within 30 days. In exceptional circumstances, we may take up to 60 days but will inform you of any delay.