Privacy Policy

StudioFlow ("StudioFlow", "we", "us") is a client-management platform for photographers, built by 1Labs. This policy explains what personal data we collect, why we collect it, and the choices you have. It applies to studioflow.1labs.app, the StudioFlow application, and related services.

One principle above all: the client and booking data a photographer enters into StudioFlow belongs to the photographer. We process it on their behalf and on their instructions — we do not sell it, mine it for advertising, or use it to contact their clients for our own purposes. See our Data Processing Addendum for the formal terms.

1. Data we collect

Account data (you, the photographer)

• Name, email address, studio name, and password credentials.
• Plan, billing status, and payment events. Payment details (card numbers) are collected and processed by Polar, our merchant of record — we never see or store full card numbers.
• Support correspondence you send us.

Client and booking data (entered by the photographer)

• Client contact details, household records, inquiry form submissions, shoot details, proposals, contracts, invoices, gallery files, and communication history.
• For this data, the photographer is the controller and StudioFlow is the processor — we act only on the photographer's instructions.

Usage data

• Log data (IP address, browser type, pages viewed, timestamps) and product analytics events (e.g. "proposal sent"), used to keep the service secure and improve it.
• Essential cookies for authentication and session state. We do not use advertising cookies — see the Cookie Policy.

2. Purposes and legal bases

• Providing the service (contract performance): operating your account, pipelines, galleries, invoicing, and notifications.
• Billing (contract performance / legal obligation): subscription management via Polar, tax and accounting records.
• Security and abuse prevention (legitimate interest): log analysis, rate limiting, fraud detection.
• Product improvement (legitimate interest): aggregate, de-identified usage analytics.
• Communications (legitimate interest / consent): transactional email always; product news only with your consent, and you can opt out anytime.

3. AI features

Some features (for example, drafting an inquiry reply) use the Google Gemini API. Content is sent to the provider only when you invoke the feature, is used solely to generate your result, and is not used by us to train models. See Subprocessors.

4. Sharing

We share personal data only with the subprocessors needed to run StudioFlow (hosting, database, file storage, email, billing, AI — listed at /legal/subprocessors), with authorities when legally required, and in a merger or acquisition with notice to you. We never sell personal data.

5. Retention

• Account data: for the life of your account, then deleted or anonymized within 90 days of account deletion.
• Client and booking data: retained while your account is active; deleted within 90 days after account deletion, or sooner on your instruction.
• Billing records: retained as long as tax and accounting law requires.
• Backups: rotate out on a schedule of up to 35 days.

6. Your rights (GDPR)

If you are in the EEA, UK, or Switzerland, you may request access, rectification, erasure, restriction, portability, and may object to processing based on legitimate interest. Write to support@studioflow.1labs.app; we respond within 30 days. You may also lodge a complaint with your supervisory authority. If you are a client of a photographer who uses StudioFlow, please contact the photographer first — they control your data, and we will assist them in fulfilling your request.

7. Your rights (CCPA/CPRA)

California residents have the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. StudioFlow does not sell or share personal information as defined by the CCPA/CPRA, and does not use sensitive personal information beyond what is necessary to provide the service. To exercise rights, email support@studioflow.1labs.app. We do not discriminate against you for exercising your rights.

8. International transfers

Our infrastructure is primarily in the United States. Where data is transferred from the EEA/UK, we rely on Standard Contractual Clauses with our subprocessors.

9. Security

Data is encrypted in transit and at rest, access is role-scoped and logged, and databases are continuously backed up. Details on our Security page.

10. Children

StudioFlow is a business tool and is not directed at children under 16. Photographers may store images of minors (e.g. family sessions) as controllers of that data, with the consents they are responsible for obtaining.

11. Changes and contact

We will notify account owners by email of material changes to this policy at least 14 days before they take effect. Questions: support@studioflow.1labs.app. StudioFlow is built by 1Labs (1labs.ai).