Privacy Policy
Last updated: 15 April 2026
1. Who I am
This website is owned and operated by Andrea Whelan, a sole trader trading as Andrea Whelan Photography (referred to below as “I”, “me” or “my”). I am a London-based family photographer and the data controller responsible for the personal information collected and processed through this website and in the course of providing photography services.
You can contact me about anything in this policy at contact@andreawhelan.com.
2. What this policy covers
This policy explains what personal information I collect, why I collect it, how I use it, who I share it with, how long I keep it, and what rights you have over your data. It applies to information I collect through my website (andreawhelan.com), through my client portal, through email, and in the course of delivering photography sessions.
3. What information I collect
Depending on how you interact with me, I may collect:
Contact information — your name, email address, telephone number, and postal or session address, provided when you enquire, book, or correspond with me.
Family details — the names and ages of the children and adults attending a session, provided during booking so I can tailor the experience.
Session preferences — information you share via my booking form about the style of session you want, locations, clothing, and anything else relevant to planning the shoot.
Photographs — images of you and your family captured during the session.
Payment information — your payment is processed by Stripe; I do not see or store your full card details, only a record that payment was made and the associated transaction reference.
Marketing preferences — if you subscribe to my newsletter, your email address and any preferences you provide.
Website usage data — technical information such as your IP address, browser type, device, pages viewed, and time on site, collected via Google Analytics (see the Cookies section below).
Correspondence — the content of emails, messages, and form submissions you send me.
4. How I use your information and my lawful basis
Under UK GDPR I must have a lawful basis for processing your personal data. The bases I rely on are:
Contract — to provide the photography services you have booked, including scheduling, delivering your gallery, taking payment, and communicating with you about your session.
Legitimate interests — to run and improve my business, respond to enquiries, maintain records, protect against fraud, and use a limited portfolio of my work to demonstrate my style to prospective clients (where I have separate written consent for any image that identifies you — see section 7).
Consent — for email marketing, for non-essential cookies, and for the use of any photograph that identifies you or your family in my marketing or portfolio.
Legal obligation — to keep financial records for tax and accounting purposes (typically for six years following the end of the tax year).
You can withdraw consent at any time by emailing me.
5. Who I share your information with
I use a small number of trusted third-party service providers to run my business. These providers act as data processors on my behalf and are contractually required to protect your data:
Pic-Time — hosts your online gallery and enables slideshow viewing, downloads, and print shop orders.
Dubsado — my client portal and customer relationship management tool, used for booking forms, contracts, invoices, and secure client communication. (If I use a secondary CRM for any part of this, I will update this policy accordingly.)
Stripe — processes card payments for session fees, collections, and print shop orders.
Flodesk — sends my email newsletter to subscribers who have opted in.
Google Analytics — provides anonymised information about how visitors use my website.
My email and hosting providers — store correspondence and the technical infrastructure of the website.
I do not sell your personal data to anyone, and I do not share it with third parties for their own marketing purposes.
Some of these providers (including Stripe, Google, and Flodesk) are based outside the UK, predominantly in the United States. Where personal data is transferred outside the UK, it is protected by appropriate safeguards such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, in line with UK GDPR requirements.
6. How long I keep your information
Enquiry information (from people who enquire but don’t book) — up to 12 months, then deleted.
Booking and contract information — for the duration of our working relationship and for six years afterwards, to comply with UK tax and accounting requirements.
Financial records — six years from the end of the relevant tax year.
Client photographs — retained indefinitely as part of my professional archive, so that re-orders and replacement files remain possible and so that I can demonstrate my body of work. You can request that I remove identifiable images of you and your family from any public-facing use at any time (see section 8).
Newsletter subscribers — until you unsubscribe. Every email I send includes an unsubscribe link.
Website analytics — standard Google Analytics retention settings apply (currently up to 14 months from your last visit).
7. Using photographs in my marketing
I love being able to share recent work to help prospective clients see how I shoot. I only ever use photographs that identify you, your children, or your home in my marketing — including my website, portfolio, blog, Instagram and other social channels, and occasional print or advertising use — where you have given me separate, specific, written consent as part of your booking agreement.
You can withdraw that consent at any time by emailing me. I will remove the relevant images from my active marketing channels as soon as reasonably possible; note that where an image has been shared publicly (for example, on social media), I may not be able to recover copies that have already been reshared by others.
8. Your rights
Under UK GDPR you have the following rights in relation to your personal data:
The right to be informed about what I do with your data (that’s what this policy is for).
The right of access to the personal data I hold about you.
The right to rectification if any of your data is inaccurate or incomplete.
The right to erasure in certain circumstances (the “right to be forgotten”).
The right to restrict processing in certain circumstances.
The right to data portability — to receive your data in a structured, commonly used format.
The right to object to processing based on legitimate interests or to direct marketing.
Rights in relation to automated decision making — I do not make any decisions about you using automated processing.
To exercise any of these rights, email me at contact@andreawhelan.com. I will respond within one month.
9. Children’s data
I routinely photograph children during family sessions. I do so only on the basis of the instruction and consent of the child’s parent or legal guardian, who makes the booking. Where children’s images would be used in my marketing, that consent is obtained in writing from the parent or guardian, and it can be withdrawn at any time.
If you are under 18, please ask a parent or guardian to contact me on your behalf about any data-related questions.
10. Cookies and analytics
My website uses cookies and similar technologies. These fall into two categories:
Essential cookies — required for the site to function (for example, remembering your place on a page or keeping a form session alive). These are always set.
Analytics cookies — set by Google Analytics to help me understand how the site is being used. These are only set with your consent, which you can give or withdraw via the cookie banner on the site.
You can also control cookies through your browser settings; blocking cookies may affect how some parts of the site work.
11. How I keep your information safe
I take the security of your data seriously. Measures include using reputable third-party providers with their own security programmes, keeping software up to date, using strong unique passwords and two-factor authentication where available, and limiting access to client data to me alone. No method of transmission over the internet is 100% secure, but I take reasonable steps to protect the information I hold.
12. Changes to this policy
I may update this policy from time to time to reflect changes in how I work, new services I use, or changes in the law. The “last updated” date at the top of the page will always show when the current version was published. If changes are significant, I will let existing clients know directly.
13. How to complain
If you’re unhappy with how I’ve handled your personal data, please contact me first at contact@andreawhelan.com and I’ll do my best to put things right.
You also have the right to complain to the Information Commissioner’s Office (ICO), the UK’s data protection regulator:
Website: ico.org.uk
Helpline: 0303 123 1113
