1. Scope
The General Data Protection Regulation (GDPR) applies when we process personal data of individuals located in the EU/EEA. Photo247 applies these standards globally where practical.
Photo247 · Legal
GDPR Information
Last updated: 2026-05-23
This page provides GDPR-specific information for users in the European Union and European Economic Area. It supplements our Privacy Policy.
2. Categories of personal data
Identity & contact: name, email, username. Profile: bio, location, homepage, avatar, photographer interests. Content: uploaded images and metadata, comments, reviews, messages. Usage & technical: session identifiers, security logs, cookie preferences.
3. Lawful bases
Contract: account creation, uploads, messaging, and core platform features. Legitimate interests: fraud prevention, service reliability, aggregated analytics without profiling. Consent: non-essential cookies and optional marketing if introduced later. Legal obligation: responding to valid legal requests.
4. Cookies & consent
Essential cookies (login session, CSRF protection) are necessary for the site to function and do not require consent. Other cookies are only set after you accept them in the cookie banner. You can change your choice by clearing site data in your browser or contacting privacy@photo247.com.
5. Retention periods
Account data is retained while your account exists. After deletion, backups may persist for up to 90 days. Security logs are typically kept for 12 months. Cookie consent records are stored locally in your browser.
6. Your GDPR rights
You have the right of access, rectification, erasure (“right to be forgotten”), restriction, data portability, and to object to processing based on legitimate interests. Where processing relies on consent, you may withdraw it at any time without affecting prior lawful processing. Email privacy@photo247.com with your request; we respond within one month.
7. Data processors & transfers
We use infrastructure providers for hosting, email, and backups under data processing agreements where required. If personal data is transferred outside the EEA, we implement appropriate safeguards.
8. Supervisory authority
If you believe your data protection rights have been violated, you may contact Datatilsynet (Norway) or your local EU/EEA data protection authority.