Privacy Policy

Heston Photo Photography ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your personal information when you visit hestonphoto.com or engage our photography services. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Heston Photo Photography is the data controller responsible for any personal information you provide. For privacy-related queries, contact us via the form on our Contact page.

2. Information We Collect

We collect personal information in the following ways:

Information you provide

• Name, partner's name, email address, and phone number.
• Wedding or event date, venue/location, and service of interest.
• Any message, brief, or attachments you send us.
• Booking, contract, and payment details (where applicable).

Information collected automatically

• IP address, browser type, device information, and approximate location.
• Pages visited, time on page, referring website, and similar analytics data.
• Cookies and similar technologies — see our Cookie Policy.

3. How We Use Your Information

We use your personal information to:

• Respond to enquiries, prepare quotes, and discuss your event.
• Manage bookings, contracts, deliverables, and payments.
• Provide and improve our services and Website.
• Send service-related communications (e.g. booking confirmations, gallery delivery).
• Send marketing emails or newsletters — only with your consent (you can unsubscribe at any time).
• Comply with legal and regulatory obligations.
• Prevent fraud, abuse, and security incidents (including reCAPTCHA verification).

4. Legal Basis for Processing

Under UK GDPR, we process your data on the following legal bases:

• Contract — to provide the photography services you have booked.
• Legitimate interests — to respond to enquiries, run our business, and secure our Website.
• Consent — for marketing communications and non-essential cookies.
• Legal obligation — to keep accounting and tax records.

5. Sharing Your Information

We do not sell your personal information. We may share it with trusted third parties only as needed:

• Email and hosting providers (e.g. Zoho Mail) for sending and storing communications.
• Cloud storage and image-delivery providers (e.g. AWS S3) for delivering galleries.
• Analytics and security services (e.g. Google reCAPTCHA, Google Analytics where used).
• Professional advisors (accountants, legal advisors) where required.
• Authorities, where required by law.

All third-party providers are contractually required to protect your data and use it only for agreed purposes.

6. International Transfers

Some of our service providers (such as Google and AWS) may process data outside the UK/EEA. Where this happens, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement or Standard Contractual Clauses.

7. How Long We Keep Your Information

We keep enquiry data for up to 24 months from your last interaction with us, unless you request earlier deletion. Booking, contract, and financial records are kept for at least 6 years to meet UK accounting and tax requirements.

8. Your Rights

Under UK GDPR, you have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate or incomplete data.
• Request deletion of your data ("right to be forgotten"), where applicable.
• Restrict or object to certain processing.
• Request data portability.
• Withdraw consent at any time (e.g. for marketing).
• Lodge a complaint with the UK Information Commissioner's Office (ICO).

To exercise any of these rights, please contact us via the Contact page.

9. Security

We implement reasonable technical and organisational measures (encryption in transit, access controls, hardened hosting) to protect your data. However, no internet transmission is 100% secure, and we cannot guarantee absolute security.

10. Children's Privacy

Our Website is not directed at children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the latest revision.

12. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us via the form on our Contact page.