Privacy Policy
Last updated: 28 April 2026
Your data matters to us. This document explains in plain language what data we collect, why, with whom we share it, how long we keep it, and what your rights are. This policy complies with the GDPR (EU 2016/679) and the Dutch AVG.
Who is the data controller
Little Stars Studio
Zoutlaan 90, 4731 MK Oudenbosch, the Netherlands
E-mail: littlestarsstudionl@gmail.com
Phone: +31 622 382 401
The studio is registered as an eenmanszaak (Dutch sole proprietorship), run together by Łukasz and Agnieszka. For any questions about your personal data you can write to our e-mail or call the number above.
What data we collect and why
1. Photo session clients
When you book a session we collect:
- name, e-mail and phone number - to schedule the session, confirm the booking and deliver your gallery
- photos from the session - the natural result of our work together
- billing details (if you request an invoice) - address, VAT/BTW number
Legal basis: contract performance (Article 6(1)(b) GDPR). Without your contact details we cannot reach you, schedule a session or deliver your finished photos.
2. Messages and chat with Agusia
The website features a chat assistant that helps answer your questions about sessions. We store the content of that conversation along with an anonymous session ID (a random string in your browser, with no name or e-mail attached). Chat data is stored in Supabase (Frankfurt, Germany) and processed by Anthropic (Claude API) to generate responses. We also read conversations to improve our service.
Legal basis: legitimate interest (Article 6(1)(f) GDPR) - we want to answer your questions better. If you share your e-mail or phone in chat, we will only use them to follow up about a session.
3. Website analytics
We count page visits in a privacy-respecting way. We log: URL path, language, country (only the 2-letter code), device type and browser name. We do not log your IP address, we do not use tracking cookies, and we do not use Google Analytics. Each session has a random ID that expires after 30 minutes of inactivity.
Legal basis: legitimate interest (Article 6(1)(f) GDPR) - to know which pages help our clients.
4. Client gallery and photo delivery
After your session we share a PIN-protected gallery with you. We store: gallery ID, hashed PIN, your selections (starred photos, comments), and your e-mail (if you provide it during selection). Galleries automatically expire after a defined period and are deleted afterwards.
Legal basis: contract performance (Article 6(1)(b) GDPR).
Who we share your data with
We use a small number of trusted service providers (processors). Each of them processes data only on our behalf, under a data processing agreement:
- Cloudinary (USA, EU servers) - photo storage and delivery
- Supabase (Frankfurt, Germany) - database for chat, galleries and admin panel
- Resend (USA) - sending e-mails (booking confirmations, gallery notifications)
- Anthropic (USA) - Claude API for generating chat responses
- Netlify (USA) - website hosting and serverless functions
- Google Fonts - website typography
Some of these providers are located outside the European Economic Area. We rely on the European Commission's Standard Contractual Clauses (SCC) as the legal basis for transfer, in line with Article 46 GDPR.
We do not sell your data. We share it externally only when required by law (tax authorities, courts) or with your explicit consent.
How long we keep data
- Session photos - 12 months in our archive, longer if requested by the client
- Online client galleries - automatically expire after the period stated in the e-mail (typically 7-30 days), then deleted
- Invoices and accounting documents - 7 years (Dutch tax law requirement)
- Conversations with Agusia - up to 12 months, then deleted
- Visit analytics - kept with no time limit; we count all visits together, with no link to any individual person
- E-mails and other communication - as long as needed for client service plus 2 years after session end
Your rights
Under GDPR you have the right to:
- access - ask what data we have about you
- rectification - correct inaccurate data
- erasure ("right to be forgotten") - request deletion when there is no longer a basis to keep your data
- restrict processing - ask us to temporarily suspend processing
- data portability - receive your data in a portable format
- object - object to processing based on legitimate interest
- withdraw consent - if processing is based on consent, you can withdraw it at any time
To exercise any of these rights, write to littlestarsstudionl@gmail.com. We respond within 30 days.
If you believe we are processing your data unlawfully, you have the right to file a complaint with a supervisory authority:
- in the Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
- in your home country: the equivalent Data Protection Authority
Cookies and localStorage
This website does not use tracking cookies. We only use the localStorage mechanism in your browser to remember:
- your chosen language (pl/en/nl)
- a random session ID for anonymous analytics (expires after 30 minutes)
- a conversation ID with Agusia (if you use the chat)
This data stays in your browser and you can clear it at any time in your browser settings (typically: History → Clear browsing data → Cookies and other site data).
When logging into the admin panel we additionally use localStorage to store a session token (valid for 14 days). This applies only to the studio owners.
Publishing photos and children
With every client we agree in the contract whether session photos may be published. The client decides whether to consent to publication in our portfolio, on our website and on social media (including reels, videos, posts).
If you agree, we can publish the photos with no time limit. This lets us showcase our work and attract new clients. If you decline, the photos are yours only and we will not publish them anywhere.
Many of our sessions are newborn and family sessions, so we often photograph children. In those cases the agreement is signed by the parents or legal guardians of the child.
You can withdraw your consent to publication at any time. Just send us an e-mail at littlestarsstudionl@gmail.com and we will remove your photos from our website, social media and other marketing materials within a reasonable time. Photos already shared externally (press, partners) may take longer to fully remove.
Security
We protect your data with care. The site runs on full HTTPS. Admin panel passwords are hashed. Client galleries are PIN-protected. Server functions require a JWT authorization token. Database access is limited to the studio owners after logging in with two-factor authentication (e-mail code).
Changes to this policy
If we change anything material about how we process your data, we will update this document and post a new "Last updated" date at the top. We will also announce major changes on our social media.
Questions?
Have any questions or doubts? Write to littlestarsstudionl@gmail.com or give us a call. We respond quickly and without legal jargon.
This document is written in plain language so anyone can read it. For full legal certainty we recommend consulting a lawyer if you have specific questions about your rights.