Privacy Policy

Last updated: 22 February 2026

1. Data Controller

The data controller is VanSkyStudio di Joanna Levit, with registered address at Via Teatro Greco 5, Taormina ME 98039, Italy.

Email: hello@vanskystudio.com | Data Protection Officer: privacy@vanskystudio.com

VAT: IT03452780831. We are registered with the Registro delle Imprese di Messina.

2. Our Privacy Commitment

At VanSkyStudio, we believe that your privacy is a fundamental right — not a privilege. We hold ourselves to the strictest privacy and data-protection standards in the industry, exceeding the requirements of the GDPR and Italian data-protection legislation.

We operate on the principle of data minimisation: we collect only what is strictly necessary to deliver our services and never monetise, sell, or share your personal data with third parties for marketing purposes.

All personal data is processed within the European Economic Area (EEA) wherever technically possible, and we apply end-to-end encryption, strict access controls, and regular third-party security audits to safeguard your information.

3. Data We Collect

Inquiry data: name, email address, phone number, event date, event type, venue, and any message you submit via our inquiry form. Retained for 3 years from last contact.

Client session data: name, email, event details, delivery preferences, and access credentials for the client portal. Retained for the duration of our contract plus 7 years for accounting purposes.

Photographic works: finished images and edits stored in our MinIO object storage instance. Retained for 7 years after delivery unless a longer retention is agreed in writing.

Analytics data: anonymised browsing behaviour collected via Google Analytics 4 (GA4). IP addresses are anonymised before storage. Retained per Google's default retention settings (14 months).

Marketing data: ad-interaction signals collected via Facebook Pixel and Google Ads conversion tracking, used to measure campaign effectiveness.

Payment data: transactions are processed entirely by SumUp Europe S.à r.l. We do not store card numbers, CVVs, or full bank details on our systems.

4. Legal Basis for Processing

Contract performance (Art. 6(1)(b) GDPR): processing inquiry and client data to fulfil our photography services contract.

Legitimate interests (Art. 6(1)(f) GDPR): analytics to improve our website and services, provided these interests are not overridden by your rights.

Consent (Art. 6(1)(a) GDPR): analytics and marketing cookies, which you can grant or withdraw at any time via our cookie banner.

Legal obligation (Art. 6(1)(c) GDPR): retaining financial records for 7 years as required by Italian fiscal law (DPR 633/72).

5. Third-Party Sub-Processors

We carefully vet every sub-processor we engage to ensure they meet our strict privacy and security requirements. Each sub-processor is bound by a Data Processing Agreement (DPA) that mandates GDPR-level protections regardless of jurisdiction.

Google LLC (GA4, Google Ads) — analytics and conversion tracking. Data may be transferred to the USA under Standard Contractual Clauses. See Google's Privacy Policy at policies.google.com.

Meta Platforms Ireland Ltd (Facebook Pixel) — advertising audience measurement. See Meta's Data Policy at facebook.com/privacy/policy.

SumUp Europe S.à r.l. — payment processing under PCI DSS. See sumup.com/en/privacy.

MinIO / self-hosted object storage — photographic files stored on European servers operated by VanSkyStudio. No transfer outside the EEA.

Vercel Inc — website hosting and edge delivery. Data processed in the EEA region. See vercel.com/legal/privacy-policy.

6. Cookies and Tracking

We use essential cookies required for the site to function (session management, CSRF protection), analytics cookies (GA4: _ga, _gid, _ga_*), and marketing cookies (Facebook Pixel: _fbp, _fbc; Google Ads: _gcl_au).

Non-essential cookies are only placed after you grant consent via our cookie banner. You can change your preferences at any time.

See our full Cookie Policy for a detailed list of cookies, their purposes, and retention periods.

7. Your GDPR Rights

Right of access (Art. 15): you may request a copy of all personal data we hold about you.

Right to rectification (Art. 16): you may ask us to correct inaccurate or incomplete data.

Right to erasure (Art. 17): you may ask us to delete your data, subject to our legal retention obligations.

Right to restriction of processing (Art. 18): you may ask us to limit how we use your data while a dispute is resolved.

Right to data portability (Art. 20): you may request your data in a structured, machine-readable format.

Right to object (Art. 21): you may object to processing based on legitimate interests, including direct marketing.

Rights related to automated decision-making (Art. 22): we do not use fully automated decision-making that produces legal effects.

To exercise any right, email privacy@vanskystudio.com. We will respond within 30 days. You also have the right to lodge a complaint with the Garante per la protezione dei dati personali (www.garanteprivacy.it).

8. Data Security

We implement industry-leading technical and organisational measures to protect your data, including TLS 1.3 for all data in transit, AES-256 encryption at rest for all stored images and personal data, role-based access controls with the principle of least privilege, regular penetration testing and security audits, and automated intrusion-detection systems.

All staff and contractors with access to personal data are bound by strict confidentiality agreements and receive annual data-protection training.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Garante within 72 hours and inform affected individuals without undue delay, providing clear guidance on steps you can take to protect yourself.

9. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfil the purposes described in this policy or as required by law. When data is no longer needed, it is securely deleted or anonymised using industry-standard methods.

You may request deletion of your data at any time by contacting privacy@vanskystudio.com. We will process your request within 30 days, subject only to mandatory legal retention periods.

10. International Transfers

Where personal data is transferred outside the EEA (e.g., to Google or Meta servers), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on adequacy decisions where applicable.

We continuously monitor the legal landscape regarding international data transfers and will promptly adopt any additional safeguards recommended by the European Data Protection Board (EDPB).

11. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it immediately.

12. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email to active clients and via a notice on our website. The 'Last updated' date at the top of this page reflects the most recent revision.

13. Contact

VanSkyStudio di Joanna Levit, Via Teatro Greco 5, Taormina ME 98039, Italy.

Email: privacy@vanskystudio.com | Phone: +39 333 144 8982

Privacy Policy | VanSkyStudio