Last updated: February 2026
This privacy policy explains how Cambridge Photographers Ltd collects, uses, stores, and protects your personal data when you use our website, enquire about our services, or book a photography session with us. We are committed to being transparent about what we do with your information and to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We have written this policy in plain language so that it is genuinely useful to you. If anything is unclear, please contact us and we will be happy to explain.
Who we are
Data controller: Cambridge Photographers Ltd, a company registered in England and Wales (company number 09040225).
Contact email: ca*********************@***il.com
Telephone: +44 (0)1223 927055
Website: https://www.cambridgephotographers.co.uk
As the data controller, we decide how and why your personal data is processed. We are responsible for ensuring that processing is lawful, fair, and transparent.
What personal data we collect
We collect different types of personal data depending on how you interact with us:
When you enquire or contact us
When you submit an enquiry form on our website, email us, call us, or message us on WhatsApp, we collect the information you provide. This typically includes your name, email address, telephone number, event date, venue or location details, and the content of your message. Our contact forms also record your IP address and browser information for security and spam-prevention purposes.
When you book a photography session
When you become a client, we may additionally collect your postal address (for contracts or invoices), event details (venue, schedule, names of key people), and payment information. Payment information is processed by our payment provider and is not stored on our systems.
When you are photographed
Photographs of identifiable individuals are personal data under UK GDPR. During a photography session, we capture images of you and, depending on the service, your family members, guests, and other attendees. These images may reveal physical appearance, clothing, expressions, and the location and context of the event.
When you visit our website
When you browse our website, we automatically collect certain technical data through cookies and similar technologies. This includes your IP address, browser type and version, operating system, referring website, pages visited, time spent on each page, and the date and time of your visit. Details of the specific cookies we use are set out in the Cookies section below.
Why we collect your data and our lawful basis
UK GDPR requires us to have a lawful basis for each type of data processing. The table below sets out what we use your data for and the legal basis we rely on in each case.
| Purpose | Data used | Lawful basis |
| Responding to your enquiry | Name, email, phone, event details, message content | Legitimate interest (to respond to potential clients who contact us) |
| Providing our photography services (the session itself, editing, and delivery) | Name, contact details, event details, photographs | Performance of a contract (you have booked and paid for our services) |
| Delivering your images via an online gallery | Name, email, photographs | Performance of a contract |
| Issuing invoices and processing payments | Name, address, payment details | Performance of a contract and legal obligation (tax and accounting records) |
| Displaying images in our portfolio, website, or social media | Photographs | Legitimate interest (promoting our business), subject to your right to object — see below |
| Sending you information about your booking (confirmations, logistics, delivery notifications) | Name, email, phone | Performance of a contract |
| Preventing spam and abuse on our website | IP address, browser data, reCAPTCHA tokens | Legitimate interest (website security) |
| Analysing website traffic and improving our site | Anonymised/pseudonymised browsing data via cookies | Consent (you choose whether to accept analytics cookies) |
| Complying with legal obligations (tax records, legal disputes) | Name, address, invoices, correspondence | Legal obligation |
We will never use your personal data for automated decision-making or profiling. We do not sell, rent, or trade your personal data to any third party for marketing purposes.
Photographs and your right to object
We may use photographs from sessions in our portfolio, on our website, on social media, and in marketing materials. This helps prospective clients see examples of our work and is a standard practice in professional photography.
We rely on legitimate interest as the lawful basis for this use. However, you have the right to object at any time. If you tell us you do not want your images used for portfolio or marketing purposes, we will respect that decision and remove them. You can exercise this right before, during, or after your session by contacting us at the email address above.
For wedding, nikah, and event photography where multiple people are photographed, we ask the primary client (the person who booked the session) to inform their guests that a photographer will be present. If a guest contacts us to request removal of an image in which they are identifiable, we will comply.
Who we share your data with
We do not sell your personal data. We share it only with the following categories of third parties, each of whom processes data on our behalf or as required for our services:
| Third party | What they process | Why | Location |
| Google (Gmail) | Enquiry form contents (name, email, phone, message) | Enquiries are delivered to our Gmail inbox | USA (EU–US Data Privacy Framework) |
| Google (Analytics / GA4) | Anonymised browsing data (pages visited, session duration, device type) | Website analytics to improve our site | USA (EU–US Data Privacy Framework) |
| Google (reCAPTCHA) | IP address, browser/device data, interaction patterns | Spam prevention on contact forms | USA (EU–US Data Privacy Framework) |
| Hostinger | All website data (pages served, form submissions if stored) | Website hosting and server infrastructure | Global (Uk) Limited, c/o Cogency, 6 Lloyd’s Ave, London EC3N 3AX |
| WPForms (or equivalent form plugin) | Form submissions stored in WordPress database | Backup record of enquiries | Stored on our web server |
| Smugmug | Client name, email, photographs | Delivering edited images via a private online gallery | 67 E Evelyn Ave Ste 200, Mountain View, CA 94041, USA |
| Payment provider (bank transfer / PayPal / Stripe) | Name, payment amount, transaction reference | Processing payments | UK / EEA |
| WhatsApp (Meta) | Name, phone number, message content | When you choose to contact us via WhatsApp | USA (EU–US Data Privacy Framework) |
We require all third-party processors to handle your data in accordance with UK GDPR. Where data is transferred outside the UK, we ensure that appropriate safeguards are in place, such as the EU–US Data Privacy Framework, Standard Contractual Clauses, or an adequacy decision by the UK Government.
How long we keep your data
We retain your personal data only for as long as necessary for the purpose it was collected, or as required by law. Our standard retention periods are:
| Data type | Retention period | Reason |
| Enquiry form submissions (non-clients) | 12 months from submission | To follow up if needed, then deleted |
| Client records (name, contact details, booking details) | 6 years from completion of the booking | HMRC requires financial records to be kept for 6 years |
| Invoices and payment records | 6 years from the date of the transaction | Legal obligation (tax and accounting) |
| Photographs (client’s personal gallery) | 12 months from delivery (online gallery link) | After 12 months, the gallery link expires; we may retain archive copies for up to 3 years in case you need re-delivery |
| Photographs used in our portfolio / website | Indefinitely, unless you request removal | Legitimate interest; subject to your right to object |
| Website analytics data | 26 months (Google Analytics default) | Anonymised; used for trend analysis only |
| Cookie consent records | 12 months | To remember your cookie preferences |
When data reaches the end of its retention period, we delete or anonymise it securely.
Your rights under UK GDPR
You have the following rights in relation to your personal data. You can exercise any of them by contacting us at ca*********************@***il.com.
- Right of access: You can ask us to confirm whether we hold personal data about you, and if so, to provide you with a copy of it. We will respond within one calendar month.
- Right to rectification: If any personal data we hold about you is inaccurate or incomplete, you can ask us to correct it.
- Right to erasure (“right to be forgotten”): You can ask us to delete your personal data where there is no compelling reason for us to continue processing it. This does not apply where we need to keep the data for legal obligations (such as tax records).
- Right to restriction of processing: You can ask us to restrict (pause) processing of your personal data in certain circumstances, for example while we verify its accuracy.
- Right to data portability: Where our processing is based on your consent or on a contract, you can ask us to provide your data in a structured, commonly used, machine-readable format.
- Right to object: Where we process your data based on legitimate interest, you can object at any time. We will stop processing unless we can demonstrate compelling legitimate grounds. This is particularly relevant to our use of your photographs in our portfolio — if you object, we will remove them.
- Right to withdraw consent: You have the right to withdraw consent at any time where we rely on consent as the lawful basis (for example, analytics cookies). Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
We will not charge you a fee for exercising your rights unless your request is clearly unfounded or excessive. We will respond to all legitimate requests within one calendar month.
Cookies
Cookies are small text files placed on your device when you visit our website. We use them for the following purposes:
Strictly necessary cookies
These are essential for the website to function and cannot be switched off. They include cookies that manage your cookie consent preferences and session cookies required for form submissions and security.
Analytics cookies (require your consent)
We use Google Analytics (GA4) to understand how visitors use our website. These cookies collect anonymised information about which pages are visited, how long visitors spend on the site, and how they arrived. This data helps us improve the website. No personally identifiable information is collected through analytics cookies. You can opt in or out of analytics cookies through the cookie banner displayed when you first visit our site, and you can change your preferences at any time through the cookie settings link in our website footer.
Third-party cookies
Google reCAPTCHA, which we use to prevent spam on our contact forms, may set cookies and process data as described in Google’s privacy policy. If you interact with embedded content (such as Google Maps on our contact page), additional third-party cookies may be set by those services.
You can also control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, if you block strictly necessary cookies, some parts of the website may not function correctly.
Children’s data
We photograph children as part of family sessions, graduation events, and other bookings. In these cases, the session is booked and consented to by a parent or legal guardian, and the photographs are delivered to that adult.
We do not knowingly collect personal data directly from children under the age of 13 through our website. If you believe a child under 13 has submitted personal data through our contact form without parental consent, please contact us and we will delete it promptly.
How we protect your data
We take the security of your personal data seriously. Our website is served over HTTPS (encrypted connection). Form submissions are protected by CSRF tokens, rate limiting, and reCAPTCHA. Access to client data is restricted to authorised personnel within Cambridge Photographers Ltd. Online galleries are protected by private, unique links that are not publicly indexed.
While we take all reasonable precautions, no method of transmission over the internet is completely secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.
International data transfers
Some of the third-party services we use (Google, Meta/WhatsApp) are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place. Google and Meta are certified under the EU–US Data Privacy Framework, which has been recognised as providing adequate protection. Where the Data Privacy Framework does not apply, we rely on Standard Contractual Clauses approved by the UK Government.
Links to other websites
Our website contains links to external websites (such as venue websites, social media platforms, and other resources). We are not responsible for the privacy practices of these external sites. We encourage you to read the privacy policy of any website you visit.
Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically. We will not make material changes that reduce your rights without giving you reasonable notice.
How to complain
If you are unhappy with how we have handled your personal data, we would like the chance to put it right. Please contact us at ca*********************@***il.com and we will do our best to resolve the issue.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for data protection.
Information Commissioner’s Office
Website: https://ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF