
Privacy & Security Policy

Version July 2025. This policy describes how Fotostudio protects your data and ensures the confidentiality of your information.

1. Purpose

This policy describes how Fotosoft SA (publisher of the Fotostudio platform) protects data, ensures service continuity and guarantees the confidentiality of information entrusted by its users.

It applies to all services provided by Fotostudio.

2. Hosting and Infrastructure

Fotostudio is hosted on:

  • Heroku by Salesforce (Europe) for the web application and databases
  • Amazon Web Services S3 (Europe) for secure file storage (images, documents, etc.)

This infrastructure is certified to ISO 27001 and SOC 1/2/3 and complies with European security standards. All data is hosted exclusively in Europe.

3. Data Security

  • All connections to Fotostudio use HTTPS/TLS encryption
  • Passwords are hashed and salted before storage
  • Files (images, documents, contracts, etc.) are protected by secure non-public links
  • Internal server access is strictly limited to authorized personnel and protected by two-factor authentication

4. Backups and Business Continuity

  • Automatic database backups every day
  • Retention of multiple versions to enable rapid data restoration in case of an incident
  • Regular testing of restoration procedures
  • Geographic redundancy of critical data via Heroku Postgres and AWS S3 services
  • Automated service monitoring 24/7

5. Service Availability (SLA)

Fotostudio guarantees an annual availability rate above 99.9%.

In case of a planned interruption (maintenance or update), users are notified in advance by email or notification.

In case of a major incident:

  • A status update is published promptly on Fotostudio's official status channel
  • Technical teams intervene immediately to restore service as quickly as possible

6. Security Incident Management

In case of a suspected or detected security incident (leak, unauthorized access, accidental deletion, etc.):

  • The incident is logged and analyzed immediately
  • Corrective measures are applied without delay
  • Affected users are informed within 72 hours in accordance with GDPR if personal data is involved

7. Confidentiality

⚠️ Fotosoft does not sell or commercially exploit its users' data.

  • Employees and service providers with data access are bound by a strict confidentiality clause
  • Photographers retain full ownership of their images and data
  • Data is used solely for the technical operation of the platform

8. Data Retention and Deletion

Data is retained as long as your account is active.

Upon account deletion:

  • All data (clients, galleries, documents, etc.) is permanently deleted from servers within 30 days
  • Encrypted backups are purged after the retention period expires

9. Sub-processors

To ensure proper service operation, Fotostudio may use GDPR-compliant service providers:

  • Heroku (Salesforce Inc., Europe) – hosting and databases
  • Amazon Web Services (Europe) – file storage
  • SMTP2GO – transactional email delivery (notifications, reminders, etc.)
  • Stripe, Mollie and PayPal – payment processing

Each of these providers has contractual security and confidentiality commitments compliant with GDPR.

10. Access Rights and GDPR Assistance

Each user can:

  • Access their data
  • Correct or delete their information
  • Download their data
  • Request complete deletion

For any data protection request: support@fotostudio.io

11. Policy Updates

  • This policy may be updated to reflect service evolution or legal requirements
  • The most recent version is always available on the Fotostudio website

Last updated: July 2025

For any questions regarding this policy, contact us at support@fotostudio.io
