Skip to content

Privacy Policy

Last updated 5 July 2026

This Privacy Policy explains how Newborn Photography Art collects, uses, stores and protects personal data through the website, customer portal, iOS customer app, admin dashboard, booking process, galleries, messages, emails and related studio services.

Newborn Photography Art is the data controller for the personal data described here. We are based in Flitwick, Central Bedfordshire, MK45. The full home-studio address is shared privately with booked clients, not published publicly. You can contact us through the Contact Us page.

We process personal data under UK data protection law, including the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).

Who This Policy Covers

This policy applies to:

  • clients and prospective clients;
  • parents, guardians and family members attending a session;
  • children whose details or images are provided by a parent or guardian;
  • gift voucher buyers and recipients;
  • people who send enquiries, messages, reviews, testimonials or referrals;
  • visitors using the website, booking flow, client portal or iOS app.

Staff/admin users have additional internal access controls, audit logs and employment or contractor arrangements. Social sign-in is for customer accounts only and is not used to create staff/admin accounts.

Personal Data We Collect

We only ask for information that is useful for running the studio safely, securely and professionally. Depending on how you use the website, app or services, we may collect:

  • Enquiry data: name, email address, phone number, service interest, preferred dates, message content, due date or baby age if you choose to share it, referrer/campaign details and anti-spam information.
  • Booking data: selected service, package, add-ons, session date/time, booking reference, manual or online booking source, voucher/discount code, questionnaire answers, child/family details, session notes, reschedule/cancellation requests and booking status.
  • Contract and agreement data: service-contract acceptance, session agreement acceptance, typed signature name, date/time, IP address, user agent, contract snapshot, downloaded PDFs and related audit records.
  • Account and authentication data: login details, email verification, password reset activity, passkeys, social-login identifiers, Apple private relay email addresses, API tokens, trusted devices, login records and account security events.
  • Customer-app data: app login state, customer API tokens, device type, push-notification token if enabled, app activity needed to show sessions, payments, documents, messages and galleries.
  • Communication data: portal messages, email conversations, replies, support requests, saved admin replies/templates and status changes such as "handled" or "needs reply".
  • Photography and gallery data: proof images, edited images, unedited galleries, watermarked files, file names, gallery paths, image selections, thumbs up/down/maybe choices, committed selections, reset selections, download records and uploaded inspiration images.
  • Payment and commercial data: invoices, receipts, Stripe references, manual cash/bank-transfer records, payment status, instalments, refunds, discounts, gift vouchers, store credit, referral rewards, testimonial rewards and upsell purchases such as extra edited images or unedited galleries.
  • Delivery and fulfilment data: delivery address, product choices, postage/delivery status, fulfilment notes and supplier records where needed.
  • Consent and preference data: cookie choices, marketing preferences, portfolio/social-media image consent, testimonial approval, privacy requests and consent withdrawal history.
  • Website and security data: cookies, session data, device/browser details, IP address, referrer, campaign parameters, Google reCAPTCHA checks where enabled, analytics, heatmaps and session replay where you have allowed them.
  • Location and travel data: postcode, approximate distance/drive-time checks, browser or iOS location if you choose to use it, and map handoff details. These are used to help you plan your journey and are not a guarantee of travel time.
  • Admin operations data: staff actions, audit logs, release history, search/filter activity, security flags, blocked IP records and data-retention actions.

Children And Family Data

Newborn, baby and family photography naturally involves children. We handle children's information with extra care. A parent or guardian must provide booking details, give any public image consent, sign required documents and be present where the session requires it.

Please only share health, allergy, feeding, developmental, accessibility or family information if it is relevant to the safety, comfort or planning of the session. Where this information is needed, we use it only to provide the service safely and respectfully.

We do not use photographs of you, your child or your family in our portfolio, awards, advertising, social media, seasonal campaigns, printed samples or testimonials unless we have clear separate permission from a parent/guardian or the relevant adult.

Why We Use Personal Data

Purpose Examples Lawful basis
Responding to enquiries replying to forms, calls and emails legitimate interests; steps before a contract
Managing bookings online bookings, manual studio reservations, contracts, agreements, questionnaires, session planning and client portal/app access contract
Providing the customer account and app login, passkeys, Apple/Facebook/Google sign-in, API tokens, app sync, documents, messages and notifications contract; legitimate interests
Delivering images and products proof galleries, selections, editing, edited galleries, unedited galleries, downloads, prints, postage and archive links contract; legitimate interests
Taking payment booking fees, balances, instalments, vouchers, discounts, refunds, invoices and receipts contract; legal obligation; legitimate interests
Customer support and communication portal messages, email replies, reschedules, cancellations, complaint handling, reminders and status updates contract; legitimate interests; legal obligation
Safety and security passkeys, login logs, trusted devices, fraud prevention, rate limiting, spam checks, reCAPTCHA, audit logs and blocked IPs legitimate interests; legal obligation
Marketing messages newsletters, offers, seasonal campaigns and follow-up marketing messages consent, or the soft opt-in where lawful and appropriate
Portfolio, social media and testimonials public use of images, words, first name, rating, session type or approved testimonial images consent
Referrals and rewards referral links, reward tracking, store credit and testimonial thank-you codes contract; legitimate interests
Website improvement analytics, heatmaps and session replay where enabled consent, with privacy safeguards
AI-assisted admin drafting internal summaries, writing assistance or client briefings where configured legitimate interests, with staff review
Legal and accounting records invoices, payment records, tax records, contract records, audit logs and dispute evidence legal obligation; legitimate interests

Social Sign-In And Passkeys

If you choose social sign-in, the provider may share your name, email address, provider subject ID and profile image if available. Apple may provide a private relay email address and may only share your name/email the first time you authorise the app. Facebook and Google may not provide an email address in every case; if no usable email is provided, we cannot create a new customer account through that provider.

Social sign-in is customer-only. If a social provider email belongs to a staff/admin account, the sign-in is rejected. We do not create staff/admin users from Apple, Facebook or Google login.

Passkeys are stored through the authentication system so you can sign in without a password where supported. We store the credential data needed to verify the passkey, not your device biometric data.

Photos, Galleries And Selections

Proof galleries, watermarked images and image choices are private client-service records. The selection process may store thumbs up, thumbs down, maybe/question-mark choices, committed selections, purchased extra edits, unedited image requests and admin resets.

If the studio resets a selection, we keep the audit history needed to understand what happened, but the customer can be prompted to choose again. We use selection records to decide what goes to editing and what is delivered.

Cookies, Analytics And Marketing Tracking

We use strictly necessary cookies to keep the website secure, remember privacy choices, support bookings and keep accounts signed in. Optional analytics, heatmaps, replay and advertising pixels only run according to your privacy choices. Full details are in the Cookie Policy.

Campaign and referral parameters in a website URL, such as UTM tags, click IDs or referral codes, may be stored in the server session and attached to the enquiry, booking or payment that results. This helps us understand where a client came from without recording private form content.

Who We Share Data With

We do not sell personal data. We share data only where needed to provide the service, run the business, protect the website/app or comply with the law. This may include:

  • website hosting, database, storage, backup and deployment providers;
  • email delivery, inbound email and customer communication providers;
  • payment providers such as Stripe and banking/payment reconciliation services;
  • Dropbox or other gallery/file-delivery providers where configured for client folders and gallery links;
  • Apple services for iOS app operation, Sign in with Apple and push notifications where enabled;
  • Google services where configured, such as Calendar, reCAPTCHA, Maps, social login or advertising conversion tracking;
  • Meta/Facebook services for Facebook login or Meta Pixel where configured and permitted by your choices;
  • third-party map apps if you choose to open directions;
  • AI service providers if an admin feature is configured to help draft or summarise, with staff review before client communication;
  • accountants, bookkeepers, insurers, professional advisers and legal advisers;
  • legacy/import tools such as StudioNinja while records are being migrated or checked;
  • law enforcement, regulators, courts or public authorities where legally required.

Service providers must only use personal data for the purposes we instruct, except where they act as an independent controller for their own legal obligations.

International Transfers

Some providers may process data outside the UK. Where that happens, we rely on UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, Standard Contractual Clauses with the UK Addendum, or another lawful transfer mechanism.

How Long We Keep Data

We keep data only for as long as needed for the reason it was collected, unless a longer period is required for tax, accounting, insurance, legal or dispute purposes.

Data type Typical retention
Visitor analytics up to 14 months
Heatmap interactions up to 6 months
Session replay recordings up to 30 days
Website sessions normally cleared after 7 days once expired
One-time login/setup/password links until used or expired
Customer app/API tokens until revoked, replaced or expired
Passkeys and social-login links until removed, account closed or no longer needed
Customer account activity up to 24 months
Security and login logs up to 12 months
Audit logs and email logs up to 24 months
Booking, payment, contract and invoice records normally up to 7 years for accounting/legal purposes
Selection galleries normally 1 month live, then archived or purgeable after about 6 months
Edited and unedited delivered galleries available for the stated delivery/archive period, then may be archived or deleted
Portfolio/social images used with consent until consent is withdrawn or the image is no longer needed

If you withdraw image marketing consent, we will stop future use and remove the image from channels we control where practical. We may not be able to recall printed materials already produced, copies already shared by others, or content already indexed, cached or reposted by third-party platforms.

Your Rights

Subject to legal exceptions, you can ask to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • erase data;
  • restrict how we use data;
  • receive a portable copy of data you provided;
  • object to processing based on legitimate interests;
  • withdraw consent at any time where processing is based on consent;
  • complain to the Information Commissioner's Office.

To exercise your rights, use the Contact Us page and mention that your message is a privacy or data request. We usually respond within one month. If a request is complex, we may need longer and will tell you why. We may need to verify your identity before acting on a request.

You can also complain to the ICO at https://ico.org.uk/make-a-complaint/.

Deletion, Anonymisation And Legal Records

Where you request deletion, we may anonymise client/account data while keeping limited booking, payment, contract, invoice, audit and consent records required for accounting, legal claims, insurance, child safeguarding, fraud prevention or dispute handling. We also keep a record of consent withdrawal where needed to prove that your choice has been respected.

Security

We use role-based staff/admin access, secure authentication, passkeys where available, customer-only API tokens, audit logs, private storage for client uploads, signed/private image access where appropriate, limited public studio-address sharing and payment providers that keep full card details away from our servers. No internet system is completely risk-free, but we take proportionate steps to protect family and client data.

Automated Checks And AI

We do not make solely automated decisions that have legal or similarly significant effects on you. Some forms may use spam scoring, rate limits or Google reCAPTCHA where configured. Admin tools may use automation to surface messages, tasks, payment states, gallery states or recommended next actions, but staff remain responsible for client decisions and communication.

If AI assistance is configured for internal drafting or briefing, it is used to support staff work. It should not be treated as a final decision, legal advice, medical advice or a substitute for human review.

Updates

We review this policy as the website, app and studio tools change. If we make a material change, we will update this page and, where appropriate, bring the change to affected clients' attention.