John Coveney Photography Privacy Policy
Welcome to the Privacy Policy of John Coveney Photography at www.johncoveney.ie (Business number 470723) and its associated blog at www.johncoveney.ie/blog. Please read the Policy before using my website or submitting information to John Coveney Photography by any means.
To run its business, John Coveney Photography (JCP, “I” or “my”) needs to legitimately collect, store, process and archive necessary personal and business data about its clients, contacts, and visitors to my website and my social media accounts. Client and contact image data is similarly retained. As required by the General Data Protection Regulation (GDPR) as detailed by the Irish Data Protection Commission (DPC), I do not collect or store more data than I need to run and promote my photography business. I never sell client, contact or visitor data to any third party, but client, contact and visitor data may be legitimately shared or disclosed as detailed in this Privacy Policy – or as required by Irish law. For image data, such disclosure typically involves the promotion of my business by display of high-quality client and contact imagery on my website and my social media feeds, including my Blog, and my Instagram, Facebook, Twitter and Flickr accounts. Contact data about clients and contacts may be legitimately shared or disclosed to my service providers as detailed on page 4. Except in accordance with legal requirements, image or other data is only disclosed with the consent of clients & contacts. Images of children are only taken with the permission of their parents or guardians, or other organizations responsible for them such as schools. These images of children are only given to those who commission them. If I have personal data about you, I will provide it to you if you ask for it. If requested, I will remove your personal information and images from my records unless I am required by law to keep it. You can read guidance about your rights under GDPR from the DPC here. The Citizens Information Board also provides a non-technical overview of GDPR in Ireland.
Data is managed and or hosted for John Coveney Photography by five suppliers, who have their own GDPR compliant data and privacy policies - see the Data Service Providers section on page 7. Access to my data service provider accounts is via unique passwords and, where available, two factor authentication.
The rest of this Privacy Policy details my practices on the collection, use, processing, archival and disclosure of information that you may provide, or that I may collect via this site or in other communications such as on the phone, via email or via messaging applications.
When you use the John Coveney Photography website at www.johncoveney.ie or by contacting me by any means including email, phone or via messaging apps, you agree to the collection, storage, processing, archival and disclosure of data and imagery connected to my business in accordance with this Privacy Policy.
If you have queries about this Privacy Policy or any other aspect of John Coveney Photography, or wish to have your information or imagery corrected or removed, contact me at [email protected].
This version of this Privacy Policy was prepared on 2 July 2019. Updates will be logged here. A PDF of this Policy can be downloaded here www.johncoveney.ie/privacy-policy.pdf.
1.2 Contact for Queries, Corrections or Removal of Your Data. 2
3 Information Collection & Management. 3
3.1 About John Coveney Photography. 3
3.2.1 Website & Social Media Visitors. 3
3.2.2 Direct Contacts with John Coveney Photography. 3
3.2.3 Clients & Suppliers of John Coveney Photography. 3
3.2.4 Collection and Management of Client & Contact Image Data. 4
3.3 Privacy and Security of Payment Methods and Details. 4
3.4 Use, Disclosure & Retention of Information. 4
4 Data Security & GDPR Compliance. 4
4.1 Data Security – John Coveney Photography’s Responsibilities & Your Responsibilities. 4
4.1.1 Management of Client & Contact Image Data. 5
4.1.2 Management of Images of Guests at Client Events. 5
4.3 Links to other Websites. 7
5 Data Treatment by Data Service Providers for John Coveney Photography. 7
5.1 Website Provision by Zenfolio. 7
5.1.1 How Zenfolio Manages & Secures My Client Account & Payment Data. 7
5.1.2 How Zenfolio Track Visitors to John Coveney Photography. 8
5.1.3 How Zenfolio Manages Cookie’s for John Coveney Photography. 8
5.1.4 Advertising and my Zenfolio Website. 9
5.2 Domain & Email Hosting by LetsHost.ie. 9
5.3 Offsite Secure Backups by Backblaze. 10
5.4 Broadband Service and Mobile Email Service. 10
5.4.1 Broadband Internet Access from Virgin Media Ireland. 10
5.4.2 Mobile Email Access from Gmail 10
John Coveney has been photographing people place and wildlife in Dublin, all over Ireland and occasionally abroad since 2001 when he got his first digital camera. He has been running John Coveney Photography since 2013. He got his initial licentiate from the Irish Photography Federation in 2011 and he earned a high level Associateship qualification from them in 2017. In 2014, he won their National Nature photographic competition. His landscape and fashion work has been published in the national media.
John Coveney Photography collects, stores, processes and archives information on its clients, contacts and website visitors, as detailed in this section of this Privacy Policy and elsewhere as referred to from this section. All information is collected in a lawful manner based on legitimate interest as detailed in the GDPR section on page 4.
If you visit my website at www.johncoveney.ie or my blog at www.johncoveney.ie/blog but otherwise do not interact with me, your contact is managed by cookies. These are small text files that websites generate and store on your computer to “remember” your actions and preferences when you visit them. They do this to improve how the website performs for your current and future visits. Read the Data Protection Commission’s guidance on cookies for more information about them. John Coveney Photography uses cookies operated by Zenfolio. Their use is detailed in the Zenfolio section of this Privacy Policy on page 7. I have recently (June 2019) registered www.johncoveney.ie with Google Analytics and I will update this Privacy Policy as I develop my use and understanding of this website visitor analysis tool.
The use of cookies by on social media accounts at Instagram, Facebook, Twitter and Flickr is in accordance with their privacy policies that can be viewed on their websites. My access to all of these accounts is secured by unique passwords from my phone, my desktop and my laptop. These devices are also protected by unique passwords.
If you make direct contact with me, or if I approach you, you may provide me with information such as your name, email and phone number. Additional job specific information could include your postal address and details of an event, such as where it is on, who will be there, and what kind photographs you want. In the case of an event with a religious or legal component such as a Weddings or First Communions, information on your religious or sexual orientation may be implicitly or explicitly provided.
Any direct contacts to John Coveney Photography in person, by phone, text, WhatsApp, or using Instagram, Facebook, Twitter or Flickr messaging are secured and managed by those applications on my phone and on my laptop and desktop. These accounts and devices are uniquely password protected and, where available, by touch ID and two-factor authentication. Email contacts are principally managed in my office using Microsoft Outlook on my desktop – they are also forwarded to a gmail address for mobile access – see page 10. Occasionally notes about these contacts are made in my paper diary which is stored in my locked office or is in my possession when I’m away from the office.
In addition to contact and website visit data, additional information is stored about clients. This includes digital images, occasional sample prints, details of forthcoming and past jobs for clients, and financial information on payments from clients. Information is also stored on payments to suppliers. This information is stored in emails and client accounts on the John Coveney Photography website at www.johncoveney.ie – and also in Microsoft Excel spreadsheets. Client accounts and the client information in them are also stored and processed by Zenfolio in accordance with the GDPR compliance subsection of the Photographers Terms section their terms of use policy. However, it is John Coveney Photography who is responsible for the content of the client information in these client accounts on its website and their maintenance and, if requested, deletion – subject to any retention requirements necessary under e.g. Irish tax law.
See Data Security on page 5.
Clients may pay online for photography services and products provided by John Coveney Photography. They may do this by bank transfer, with PayPal, or with debit or credit cards. The security and privacy of online payments you make to John Coveney Photography from your bank or PayPal account are covered by those organizations’ data protection and privacy policies. Credit & debit card payments to John Coveney Photography are handled by Zenfolio and I only receive details of who made the payment, what it is for, and how much is involved. John Coveney Photography does not receive any credit or debit card details from customers. Here is how Zenfolio handles credit card payments on behalf of its photographer clients as detailed to me by Zenfolio Support: - [except for the addition of text in square brackets to enhance readability as well as active links]
[Zenfolio] take[s] security of transactions extremely seriously. We process tens of thousands of orders and all of the information collected during the check-out is processed via our secured servers. These servers are certified by VeriSign, a market leader in online security.
Because we must process transactions in a secure environment, we are also PCI compliant, which a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
The information you disclose to John Coveney Photography is used to improve the content of this site, to customize the site to your preferences, to communicate information to you (if you have requested it), for marketing and research purposes, and for the purposes specified in this Privacy Policy.
Your data is never sold to any third parties but it may be legitimately shared or disclosed in accordance with the GDPR Compliance section of this Privacy Policy at detailed on page 6.
If you become aware of any errors in your personal data, please contact me in writing by email at [email protected] or by post to John Coveney Photography, 56 Castle Farm, Shankill, Dublin D18 AD83. I will take all reasonable steps to correct errors notified to me once I have contacted you to verify the correction that you submitted.
I take all reasonable steps to responsibly manage information about clients, suppliers, contacts and website visitors to protect this information from loss, misuse, unauthorized access, unauthorized disclosure, alteration, or its destruction except as specified by a contact or client in accordance with law. However, no computer or internet system is 100% reliable, secure or error. In particular, email sent to or from John Coveney Photography is not secure. Additionally, it is your responsibility to secure any passwords linked to any account on my site that you may have, and also any passwords or direct links that you may have to private galleries on my site.
All John Coveney Photography’s business and image data is principally managed on a password protected desktop in my home office with its own separate locked and alarmed entrance. Only I and my co-director (my wife – who is not operationally involved in the business) has access to this office. On-site backups are to local hard drives held in this office and in a locked cabinet in my house. Secure offsite backups are done using Backblaze - see page 10. When I am working away from base, I use a password protected laptop and password protected mobile hard drives. On return to base, client and contact imagery and information is copied to the desktop system and, once backed up, it is deleted from the laptop and the mobile drives.
Most of my client imagery is taken with a high specification digital camera (DSLR) with removable dual memory cards that allows duplication of the imagery as it is being captured. As a shoot is completed or as memory cards fill up, they are removed from my cameras and stored on my person until I can copy the images to my desktop or laptop – normally within a few hours. Memory cards with client and contact images are never left in unattended in cameras or cars. Once the imagery is backed up, it is deleted from the cameras’ memory cards. Client & contact imagery is catalogued and processed using Adobe’s Lightroom and is typically tagged with the clients’ and contacts’ names and the location of the shoot. Client & contact imagery may be further manipulated with Photoshop. Client and contact image data is backed up locally to secured hard drives. Offsite backups to “the cloud” are done using Backblaze - see page 10
Images are typically supplied to clients & contacts via private galleries on my website – or, where the client or contact has requested it, via public galleries or social media accounts. Access to private galleries is usually via a supplied direct link. In some cases, a password may also be required. Private galleries are not visible to or searchable by search engines. In some cases images are sent by email, or where large numbers of images are sent, I use the free Netherlands based WeTransfer service. WeTransfer encrypts files when it is transferring them between senders and recipients and while it temporarily stores them. WeTransfer’s GDPR compliant privacy policy is here.
No client or contact imagery is ever sold to third parties without explicit written client/contact permission and, where relevant e.g. for advertising purposes, a model release is obtained. With client/contact permission, I may share high quality client image data on my website and my social media accounts to promote my business. I may also for submit them for photographic qualifications and awards. Clients/contacts may withdraw permission for the display of images on my website, my blog and on my social media accounts. This should be done in writing by emailing me at [email protected] . However, if a client or contacts gives permission for an image to be used in connection with a submission for an award or qualification and if that submission is successful and goes into to the public domain, the image cannot be removed from public circulation. Additionally clients and contacts should to be aware that if they consent to me publicly displaying their photograph(s) on my website, blog or social media accounts, it may pass irretrievably into the public domain beyond my control even if I take it down from my website and accounts.
I may photograph adult guests of clients or other third parties at their events and may wish to display these images on my website, my blog or my social media accounts to legitimately promote my business. It may not be possible (nor is it required by GDPR) for me to seek consent of guests to take their photographs. In order to balance the rights of guests who appear in my public photographs I apply the following three tests:
If in spite of the application of these tests, I am approached by the person in question and asked to take down the photograph I will do so, except in the case of award winning images in the public domain as detailed above in section 4.1.1.
Any images of children on my website are only published with the explicit written permission of their parents or guardians or relevant organizations such as schools or sports clubs. Full names of children are not published, nor are any other contact details.
In preparing this section on the photography at client events of adult and child guests, and also third parties, I read and took account of the only guidance on photography from the Irish Data Protection Commission (DPC) here. This mainly deals with photography at school events and by implication at other events involving children. More generally, however, the DPC advocates a “common sense” approach and states unambiguously that that GDPR does not prevent anyone taking photographs of people at public events providing they are not “harassing” them. However, GDPR arises when considering what to do with these photographs especially if they are put on public display. It then advises that that same GDPR considerations that apply to other personal data are also applied to the storage and display of these photographs – especially consent, compliance by me with withdrawal of consent requests, and legitimate interest.
I believe it’s worth quoting their closing statement on the issue of school photography here and taking account of it more generally in this Privacy policy.
“We live in a world where every owner of a smartphone is a potential photographer. The GDPR does not provide an exact roadmap on when it’s permissible to take and publish photographs in the context of school events. However, a balanced, common sense approach will go a long way towards ensuring that individuals’ rights are respected, while also ensuring that data protection doesn’t become an obstacle to capturing and celebrating significant school events.”
This site contains links or reference to other websites other than my data service providers. If you follow these links or references to these other websites, you will leave John Coveney Photography and your interactions with those other websites are not covered by this Privacy Policy. Instead you should read to the privacy policies of those other websites as you visit them. Mention of any other website by John Coveney Photography on its website or in this Privacy Policy is not an endorsement of their services.
Data is managed, transmitted, processed and hosted for John Coveney Photography by five data service providers as detailed below. These five suppliers have their own GDPR compliant service, data and privacy policies. Access to my data service provider accounts is via unique passwords and, where available, two factor authentication.
The John Coveney Photography website at www.johncoveney.ie and its associated blog at www.johncoveney.ie/blog are based on templates provided and operated by Zenfolio – an American ecommerce platform that provides websites to photographers to display and sell their photography. Their privacy policy can be viewed here and their terms of use policy is here. These policies primarily deal with the interactions between Zenfolio and my business, but they also hold and process some personal data and financial information clients, contacts and website visitors as detailed below.
Details of how Zenfolio handles client and contact account information is in the Client & Supplier subsection of the Information Collection section on page 3.
Information of how Zenfolio secures payment Information is covered in the section on Privacy and Security of Payment Methods and Details on page 4.
Zenfolio anonymously track visitors to galleries, including private galleries as per the following text in italics [with slight modifications in square brackets to enhance readability] – as received from Zenfolio Support on 6 May 2019.
While [Zenfolio] offer[s] some basic visitor tracking numbers for your galleries, the visitor counter will only show a visit to [a JCP] site or a gallery if a Photo page or a Quick Shop page is viewed. If someone simply clicks into [a JCP] gallery, but does not click a photo within the gallery, their visit will not count in the visitor counter. Same if they visit [the JCP] homepage but do not go into any galleries to view an image.
Only unique visitors are recorded, so if a visitor views the same photos from the same computer, the system will not record the additional visits because the visitor's IP address is what constitutes a new visitor. Depending on the ISP (Internet Service Provider) settings, multiple computers can be on the same IP address which can skew the visitor count.
When you visit John Coveney Photography at www.johncoveney.ie and its associated blog at www.johncoveney.ie/blog your notified by Zenfolio that “This site uses cookies. By continuing to use the site you are agreeing to our use of cookies.” You can choose to hide this notification or to click on the Learn More link. If you click on the Learn More link it will generate a pop-up showing the Zenfolio Cookie Policy that is used by John Coveney Photography. This policy is quoted below in italics as it is in the Zenfolio pop-up except that a few active links have been added and a few words have been inserted in [square brackets] to improve readability.
[Zenfolio] Cookie Policy
Our Privacy Policy explains how we collect and use information. This policy explains more about how we use cookies and choices you can make about cookies. By accessing and using our website or other services, you are agreeing to the terms of this policy.
What are cookies?
A cookie is a simple text file that is stored on your computer or mobile device by a website's server. Only that server will be able to retrieve or read the contents of that cookie. Each cookie is unique to your web browser. It contains some anonymous information such as a unique identifier, the site name, and random digits and numbers. Cookies allow a website to remember things like your preferences, or what's in your shopping basket.
For more details about cookies and details of how to delete and disable cookies you can visit www.aboutcookies.org. For more information, including how to turn off cookies, see below.
If you don't want to receive cookies, you can modify your browser so that it notifies you when cookies are sent to it or you can refuse cookies altogether. You can also delete cookies that have already been set. Please refer to the help function within your browser for specific instructions.
How does this website use cookies?
We use cookies on our website for a variety of reasons which you can learn about below. The cookies we use do not store personally identifiable information, nor can they harm your computer. Unless you have adjusted your browser settings (where possible) to refuse cookies, our systems will issue cookies as soon you visit our website. If you have switched off cookies then some of the functionality of our services may not be available to you.
The cookies set by our website fall into the following categories.
Strictly Necessary [Cookies]
These cookies are essential to ensure that you can navigate and use all features of the site. This includes browsing pages, remembering your preferences, saving favorite images, secure registration, placing orders, and other essential features. These cookies don't gather any information about you that could be used for marketing or remembering where you've been on the Internet.
Performance [Cookies]
These cookies allow the website to deliver a better browsing experience. They collect information about your website usage, such as the pages you visit, or if you experience any errors. These cookies don't collect any information that could identify you - all the information collected is anonymous and is only used to help us improve how the website works.
Functionality [Cookies]
Functionality cookies are used to provide services, or to remember settings to improve your visit. We use them for remembering settings you've applied, showing you when you're logged in to the website, saving your favorite images, and so on.
Targeting [Cookies]
Targeting cookies are linked to services provided by third parties. These include 'Like' buttons and 'Share' buttons used by services like Facebook, Google+, Twitter, Pinterest, and others. The third party provides these services in return for recognising that you have visited our website.
Additionally, the website may use Google Analytics or StatCounter services to analyse the use of this website. These services generate statistical and other information about website use by means of cookies, which are stored on users' computers. The information generated relating to our website is used to create reports about the use of the website. You can view privacy policies for Google Analytics or StatCounter on their respective websites.
There is no advertising on my website from anyone other than John Coveney Photography and I do not use any of the information gathered on website in connection with advertising.
Your visits to my website at www.johncoveney.ie may result in you seeing advertising for related services in your subsequent internet browsing. This is because your search provider may be recording your search choices especially if you are logged in with that search provider. You may be able to prevent this by deleting cookies or blocking them. If you do this, however, you may find that my website does not work well or at all. Here’s another source providing information about your online choices and cookies. You could also try using search providers that claim not to record your searches such DuckDuckGo or Startpage. As previously stated, any mention of other services in this Privacy Policy should not be taken as an endorsement of that service.
The domain name for the John Coveney Photography website at www.johncoveney.ie is provided by Digital Media Internet Services – an Irish company trading as LetsHost.ie. However, the website itself and all its contents are located on Zenfolio’s servers (see section 5.1) and so are not visible to Letshost.ie. Therefore, LetsHost.ie does not process my website data.
Emails to and from John Coveney Photography email addresses at [email protected] and [email protected] pass through LetsHost.ie’s email servers but they are automatically deleted from those servers once I download them to Microsoft Outlook on my desktop. LetsHost’s terms of service are here and their GDPR compliance statement is here.
All of John Coveney Photography’s business and image data is encrypted before transfer and securely backed up remotely by Backblaze – an American company. Their security policy can be viewed here. All data transfers between JCP and Backblaze are encrypted and done securely via HTTPS. Backblaze is unable to access this encrypted JCP data. I can only access remotely backed up JCP data via a unique password that is also subject to two-factor authentication. In the event of the total loss of part of all of my on-site data and backups, Backblaze will restore data over the internet (up to 500GB) or on shipped encrypted drives for larger amounts of data. This approach to offsite backups and restores “in the cloud” complies with the guidance of the Data Protection Commission.
Data flows between John Coveney Photography and my Zenfolio operated website at www.johncoveney.ie and its hosting domain at LetsHost.ie are done via a broadband connection that is supplied by Virgin Media Ireland. The principal conncetion between my broadband service and my computer is via an ethernet cable to a router supplied by Virgin Media. Occasional access from my mobile phone or laptop is via my secured home wifi connection or my phone data package from Vodafone Ireland. No unsecured public WiFi connections are used. Virgin media details how it provides its broadband service in compliance with GDPR here. Its privacy policy is here, and its cookie policy is here.
Emails to John Coveney Photography are automatically forwarded to the business’s gmail address, [email protected] so that I have mobile access to my emails on my phone and laptop. When a reply is needed before I return to base, I occasionally reply to emails from this address also. Google’s terms of use for its services including gmail are here and its privacy policy is here. Access to this gmail account is via a unique password.