Privacy Policy
Version 2026-04-v1
1. Who we are
Studio OS Cloud is operated by White Photo Studios. This policy explains what information we collect when you use the service and how we handle it. If you’re a parent using a gallery, we handle your data on behalf of the photographer who invited you — see “Role 2” below.
2. Role 1 — when you are the photographer
When you sign up as a photographer, we collect: your name, business name, email, a hashed password, billing information (processed by our payment provider — we never see your full card number), the photos and rosters you upload, student and parent information you import or create, order data, and usage logs (IP address, browser user-agent, event timestamps). We use this information to run your account, process payments, send service emails, and improve the product.
3. Role 2 — when you are a parent or client
If you received an invitation to view a gallery, the photographer who invited you is the data controller of that gallery’s content. Studio OS Cloud acts as a data processor on their behalf. We collect your email (to email-gate access), your gallery PIN (if used), and logs of your visits, favorites, and orders. Contact the photographer directly for deletion or access requests involving their gallery.
4. Where we store data
Account data, rosters, and order metadata are stored in Supabase (hosted on AWS). Photos and derived thumbnails are stored in Cloudflare R2. Backups are retained for up to 30 days after a photo or record is deleted by the photographer.
5. Who we share data with
We share data only with the service providers we need to run Studio OS Cloud: Supabase (auth + database), Cloudflare (storage + CDN), Vercel (web hosting), Stripe (payments), and transactional email providers. We do not sell your data, and we do not share it with advertisers. We will disclose data if required by valid legal process.
6. Security
We use industry-standard protections: TLS in transit, encryption at rest for stored objects, row-level security in our database so one photographer cannot read another’s data, and optional two-factor authentication on your account. No system is perfectly secure — if you suspect unauthorized access, email us at harout@me.com so we can investigate.
7. Your rights
You can request a copy of the data we hold about you, correct it, or ask us to delete it. Email harout@me.com. For parent/client data in a gallery, contact the photographer who invited you — they control that gallery.
8. Cookies
We use only functional cookies necessary for the service (keeping you signed in, remembering your UI preferences). We do not use third-party advertising or tracking cookies.
9. Changes to this policy
If we materially change this policy, we’ll bump the version at the top of this page and require you to re-accept via the in-app agreement prompt.
10. Contact
Privacy questions or deletion requests: harout@me.com.