{{REPLACE: legal review by solicitor, operational draft}}
Privacy policy
Last updated: {{REPLACE: date of last review}}
This privacy policy explains how Calum McCarron ("I", "me", "my"), a sole trader based in Dorset, United Kingdom, collects and uses personal data via this website and during commissioned event work. It is written to comply with the UK GDPR and the Data Protection Act 2018.
Who I am: controller
Calum McCarron, sole trader, Dorset, United Kingdom. Contact: hello@calummccarron.com.
I am the data controller for the personal data described below. I do not have a Data Protection Officer; for any privacy question or request, email hello@calummccarron.com and I will respond within one working day.
Personal data I collect
- Enquiry form data: name, company, role, email, phone (optional), event type, event date, location, expected attendee band, services required, brief, consent record. Submitted voluntarily via the contact form.
- Direct correspondence: anything you send me by email, WhatsApp, phone, or in-person conversation about your event.
- Booking and invoice data: company billing address, contact name and email, purchase order references where applicable.
- Server-side technical data: a salted SHA-256 hash of your IP address, the referring page, and your user-agent string at the moment of submission. The raw IP is not stored.
- Analytics data: anonymous, aggregated traffic data via Plausible Analytics (no cookies, no cross-site tracking, no personal data). Vercel Web Analytics may collect Core Web Vitals samples; these are anonymised.
- Event imagery: photographs and video of attendees captured at events I cover, under the model and venue release arrangements agreed with the booking client.
I do not collect special category data via this site.
Lawful bases for processing
- Article 6(1)(b), performance of a contract: to discuss, agree, and deliver booked photography or videography work.
- Article 6(1)(f), legitimate interests: to operate this website securely, prevent spam, monitor performance, and process technical logs. I balance this against your rights and use the minimum necessary data.
- Article 6(1)(c), legal obligation: to retain invoices and accounting records for the period required by HMRC.
- Article 6(1)(a), consent: only where explicitly requested (for example, a marketing email opt-in).
For event imagery, the booking client is the primary data controller for attendee imagery. I act as a processor for the duration of the shoot and edit, and as a controller only for the limited subset retained for portfolio use under the licence terms agreed in the booking contract.
Processors and where data is held
- Supabase (Postgres database and storage), hosted in the EU/UK region. Used to store enquiries, project records, and event imagery.
- Resend (transactional email), hosted in the EU/US. Used to deliver enquiry confirmations and notifications.
- Vercel (hosting and edge network). The site and its server-side functions run on Vercel infrastructure.
- Plausible Analytics (privacy-friendly traffic analytics, EU-hosted). No cookies, no personal data.
- Mux or Cloudflare Stream (video hosting), used for showreels and case study clips.
Each processor is bound by a data processing agreement and provides appropriate transfer safeguards where data leaves the UK.
Retention
- Unconverted enquiries are retained for 12 months from receipt and then deleted.
- Booked-job records (correspondence, invoices, signed contracts) are retained for 6 years from the end of the tax year in which the invoice was raised, in line with HMRC requirements.
- Event imagery is retained indefinitely under the licence agreed in the booking contract; you may request portfolio-use removal under the rights below.
- Server logs and IP hashes are retained for 90 days.
Your rights
You have the right to: access your data, correct inaccurate data, request erasure (subject to retention obligations), restrict processing, object to processing, and request data portability. Email hello@calummccarron.com to exercise any of these rights. I aim to respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk, though I would prefer the chance to resolve any concern with you directly first.
Cookies
This site uses essential cookies only (for example, to remember a closed UI preference). It does not use advertising or tracking cookies. Analytics is performed by Plausible without cookies.
Children's data
This site is not directed at children under 13 and I do not knowingly collect personal data from children.
Security
Data is transmitted over HTTPS. Stored data is access-controlled at processor level. The service-role key for Supabase is held only on the server and never sent to the browser. Database row-level security policies are used wherever possible.
Changes
I may update this policy. The "Last updated" date above will reflect any change. Material changes affecting your rights will be communicated to active clients by email.
Contact
hello@calummccarron.com for privacy questions, access requests, and complaints.