Privacy Policy

Last updated: 11 July 2026

1. Introduction

This privacy policy explains how Chris Kendrick Photography collects, uses, stores and protects personal information.

In this policy, “I”, “me” and “my” refer to Chris Kendrick, trading as Chris Kendrick Photography.

I am the data controller responsible for personal information collected through:

  • the website chriskendrickphoto.co.uk;

  • enquiries and correspondence;

  • photography bookings and commissions;

  • photography workshops and tuition;

  • print, product and digital-product purchases;

  • mailing-list subscriptions;

  • client galleries and image delivery;

  • competitions, promotions or surveys; and

  • my professional social-media accounts where I determine how personal information is used.

My contact details are:

Chris Kendrick Photography
Website: chriskendrickphoto.co.uk
Email: chris@chriskendrickphoto.co.uk
Business correspondence address: [INSERT BUSINESS POSTAL ADDRESS]

[OPTIONAL: ICO registration number: INSERT NUMBER]

Please contact me using the details above if you have any questions about this policy or how I handle your personal information.

2. The personal information I collect

The information I collect depends on how you interact with me and which services you use.

Identity and contact information

This may include:

  • your name;

  • email address;

  • postal address;

  • telephone number;

  • business or organisation name;

  • job title;

  • social-media username; and

  • the contact details of a parent, guardian, school or organisation where relevant.

Enquiry and correspondence information

This may include:

  • information submitted through website contact forms;

  • emails, messages and telephone enquiries;

  • details of the photography service, workshop, tuition or product in which you are interested;

  • quotations, proposals and booking discussions;

  • feedback, reviews and complaints; and

  • records of my correspondence with you.

Booking and project information

When you book a service, I may collect:

  • booking dates, locations and times;

  • details of participants or attendees;

  • photography briefs and project requirements;

  • contracts, model releases and image-consent forms;

  • venue and access information;

  • delivery requirements;

  • licensing arrangements;

  • information about planned image usage;

  • emergency contact information where reasonably necessary; and

  • accessibility, dietary, medical or support information that you voluntarily provide and that is necessary for a workshop, tuition session or other service.

Please do not provide sensitive personal information unless it is genuinely necessary for the service being arranged.

Transaction and payment information

When you make a purchase or booking, I may collect:

  • billing and delivery addresses;

  • the products or services purchased;

  • payment status;

  • transaction references;

  • invoice details;

  • refund information; and

  • relevant accounting and tax records.

Payments may be processed by a third-party payment provider. I do not normally receive or store your complete payment-card number, security code or online banking credentials.

Photographs, video and audio

As part of my photography work, I may create or receive:

  • photographs in which an individual can be identified;

  • video or audio recordings;

  • image metadata;

  • image-selection information;

  • retouching instructions;

  • contact sheets;

  • commissioned image files; and

  • photographs supplied to me by clients for editing, assessment, tuition or other agreed services.

Some photographs may constitute personal information where an individual can be identified from the image or accompanying information.

Website and technical information

When you use the website, information may be collected automatically, including:

  • your IP address;

  • browser type and version;

  • device type;

  • operating system;

  • approximate location derived from your IP address;

  • pages visited;

  • referral source;

  • date, time and duration of visits;

  • interactions with website features;

  • cookie identifiers; and

  • information used to identify errors, abuse or security incidents.

Non-essential analytics or advertising technologies will only be used where permitted by law and in accordance with the choices available through the website’s cookie controls.

Marketing preferences

This may include:

  • whether you have agreed to receive marketing;

  • the services or subjects in which you have expressed an interest;

  • records of marketing messages sent;

  • email engagement information, where permitted; and

  • any unsubscribe or objection request.

I may retain a minimal suppression record after you unsubscribe so that I do not accidentally add you to marketing communications again.

3. How I collect personal information

I may collect personal information:

  • directly from you when you contact me, complete a form, make a booking or purchase something;

  • from a parent, guardian, school, employer, agency or commissioning organisation acting on your behalf;

  • from another participant in a group booking;

  • through contracts, booking documents and model-release forms;

  • automatically through the website and its cookies or similar technologies;

  • through payment, booking, gallery and email service providers;

  • from publicly accessible sources, such as a business website or professional social-media profile;

  • from event organisers, venues, agencies or clients commissioning photography; and

  • when you interact with my professional social-media accounts.

Where information is supplied by someone else, I expect them to have the authority to provide it and to make this privacy policy available to the person concerned where appropriate.

4. How and why I use personal information

UK data-protection law requires me to have a lawful basis for each purpose for which I use personal information.

Responding to enquiries

I use contact details and enquiry information to:

  • respond to messages;

  • discuss requirements;

  • prepare quotations or proposals;

  • arrange consultations; and

  • take steps towards a possible booking or purchase.

The lawful basis is normally taking steps at your request before entering into a contract. I may also rely on my legitimate interests in managing and developing my business.

Providing photography services, workshops and tuition

I use personal information to:

  • administer bookings;

  • deliver the agreed service;

  • communicate about arrangements;

  • manage attendance;

  • create, edit and deliver photographs;

  • provide tuition or feedback;

  • manage image licences;

  • provide customer support; and

  • handle changes, cancellations or refunds.

The lawful basis is normally that the processing is necessary to perform a contract with you or to take steps before entering into that contract.

Where a school, business, agency or other organisation commissions me, I may rely on my legitimate interests and those of the commissioning organisation in administering the assignment and communicating with relevant participants.

Processing purchases and payments

I use transaction information to:

  • process and fulfil orders;

  • deliver prints, products or digital downloads;

  • issue invoices and receipts;

  • administer licences;

  • process refunds;

  • prevent fraudulent transactions; and

  • maintain financial records.

The lawful bases are performance of a contract, compliance with legal obligations and my legitimate interests in protecting the business against fraud and non-payment.

Accounting, taxation and legal compliance

I use and retain appropriate records to:

  • maintain business accounts;

  • complete tax returns;

  • comply with HMRC requirements;

  • respond to lawful requests;

  • establish, exercise or defend legal claims; and

  • meet insurance and regulatory requirements.

The lawful bases are compliance with legal obligations and my legitimate interests in maintaining appropriate business and legal records.

Website operation and security

I use technical information to:

  • operate and maintain the website;

  • display content correctly;

  • keep the website secure;

  • identify technical problems;

  • prevent spam, fraud and malicious activity;

  • investigate suspected misuse; and

  • understand the basic performance of the website.

Strictly necessary technologies are used because they are required to provide and secure the website. Where personal information is involved, I rely on my legitimate interests in operating a secure and functional website.

Website analytics

Where you have given the required permission through the website’s cookie controls, analytics information may be used to:

  • measure website traffic;

  • understand which pages are useful;

  • see how visitors find the website;

  • identify website-performance issues; and

  • improve content, navigation and services.

Where consent is required, the lawful basis is consent. You can withdraw your consent through the website’s cookie settings.

Marketing

I may use your contact details to send information about:

  • photography services;

  • workshops and tuition;

  • prints and products;

  • digital tools;

  • new articles or resources;

  • special offers; and

  • relevant business updates.

I will send electronic marketing where:

  • you have given consent;

  • the law permits me to contact an existing customer about similar services and I provided an opportunity to opt out; or

  • another applicable legal basis and PECR permission applies.

You can unsubscribe at any time by using the unsubscribe link in a marketing email or by contacting me.

I do not sell personal information to third parties for marketing.

Reviews, testimonials and case studies

I may publish a review, testimonial or case study with your permission. The agreed information may include your name, business name, role, comments and photographs.

The lawful basis will normally be consent. You may withdraw consent for future use by contacting me, although withdrawal does not make earlier lawful use unlawful and may not always require the recall of material already printed or distributed.

Portfolio, editorial and promotional photography

Selected photographs may be used in my:

  • website portfolio;

  • printed portfolio;

  • social-media accounts;

  • exhibitions;

  • competition entries;

  • editorial features;

  • teaching materials;

  • advertising; and

  • other promotional material.

The lawful basis will depend on the circumstances and may include:

  • consent;

  • the terms of a photography or model-release agreement;

  • performance of a contract; or

  • my legitimate interests in demonstrating and promoting my professional work, where those interests are not overridden by the rights and interests of the people shown.

I will take additional care where an image concerns a child, a private event, a sensitive situation or information that could create a significant privacy risk.

You may contact me if you have concerns about an identifiable photograph. Requests will be considered individually, taking account of data-protection law, contractual arrangements, copyright, freedom of expression and any applicable exemptions.

Professional networking and business-to-business communication

I may contact relevant businesses, organisations or professional contacts where I have a legitimate interest in:

  • responding to a professional opportunity;

  • maintaining an existing business relationship;

  • discussing a relevant service;

  • networking within the photography, creative or education sectors; or

  • communicating with someone in their professional capacity.

Any objection to direct marketing will be respected.

5. Special-category information

Special-category information includes information about health, disability, ethnicity, religion, political opinions, trade-union membership, genetics, biometrics used for identification, sex life or sexual orientation.

I do not routinely ask for special-category information.

In limited circumstances, you may voluntarily provide relevant health, disability, accessibility, dietary or support information when arranging a workshop, tuition session or photography service.

Where I need to use special-category information, I will identify both:

  • an appropriate lawful basis under Article 6 of the UK GDPR; and

  • an additional condition under Article 9.

This will usually be explicit consent. In a genuine emergency, vital interests or another applicable legal condition may apply.

I will only use this information for the purpose for which it was provided, restrict access to it and delete it when it is no longer required.

6. Information about children

Some photography, school, workshop or tuition services may involve people under 18.

Where appropriate:

  • booking and contact information should be provided by a parent, guardian, school or other responsible organisation;

  • parental or guardian authority will be obtained where required;

  • information will be limited to what is reasonably necessary;

  • children’s information will not be used for unrelated marketing;

  • image use will be governed by appropriate booking terms and consent arrangements; and

  • information will be presented in clear and age-appropriate language where it is provided directly to a child.

Parents and guardians should avoid submitting unnecessary personal or sensitive information about a child.

The website is not designed to encourage children to create accounts or submit personal information independently.

7. Cookies and similar technologies

The website may use cookies and similar technologies to:

  • provide essential website functions;

  • remember privacy and cookie preferences;

  • maintain security;

  • enable shopping or booking functions;

  • measure website usage;

  • display embedded media; and

  • measure affiliate or advertising activity.

Strictly necessary technologies may operate without consent where the law allows.

Where consent is required, non-essential analytics, advertising, affiliate-tracking or embedded-content technologies should not be activated until you have made an appropriate choice through the cookie banner or settings panel.

You can change your choices through the website’s cookie settings. You may also be able to control cookies through your browser, although blocking essential cookies may affect website functionality.

Further information about individual cookies, their providers, purposes and durations should be provided in the website’s separate Cookie Policy or cookie settings panel.

8. Affiliate links and external websites

Some pages may contain affiliate links, including links to retailers such as Amazon.

When you follow an affiliate link:

  • you leave my website;

  • the third-party website may collect information through its own cookies and tracking technologies;

  • that third party will process information under its own privacy policy; and

  • I may receive a commission if you make a qualifying purchase.

I may receive aggregated reporting about affiliate-link performance, but I do not normally receive the complete payment details that you provide to the retailer.

The website may also link to external websites, social-media platforms, video platforms, booking systems or online galleries. I am not responsible for the privacy practices of independently operated third-party websites.

9. Who I share personal information with

I only share personal information where it is reasonably necessary, lawful and proportionate.

Recipients may include:

  • website hosting and website-management providers, including Squarespace;

  • payment processors and banks;

  • email and mailing-list providers;

  • booking and calendar providers;

  • client-gallery and image-delivery providers;

  • cloud-storage and file-transfer providers;

  • printers, framers, laboratories and fulfilment services;

  • delivery and courier companies;

  • accountants, bookkeepers, insurers and professional advisers;

  • IT support, security and fraud-prevention providers;

  • analytics providers, where permitted by your cookie choices;

  • schools, employers, agencies, venues or commissioning organisations involved in a booking;

  • assistants, second photographers, retouchers or other subcontractors involved in delivering an assignment;

  • law-enforcement bodies, courts, regulators or public authorities where disclosure is required or permitted by law; and

  • a prospective buyer, adviser or successor if the business is restructured, sold or transferred.

Service providers are only given the information reasonably necessary for their role. Where they process personal information on my behalf, I expect appropriate contractual, confidentiality and security safeguards to be in place.

I do not sell or rent personal information.

10. Payment processing

Payments made through the website may be processed by the payment provider presented at checkout.

Payment providers may act as independent data controllers for some of their activities, such as:

  • processing payments;

  • fraud prevention;

  • identity verification;

  • regulatory compliance; and

  • managing disputes or chargebacks.

Their handling of your information is governed by their own privacy notices.

I normally receive confirmation of payment, transaction references, contact details and order information rather than your complete card details.

11. International transfers

Some service providers may store or access personal information outside the United Kingdom.

Where this results in a restricted international transfer, I will take reasonable steps to ensure that an appropriate transfer mechanism is in place. Depending on the destination and provider, this may include:

  • UK adequacy regulations;

  • the UK International Data Transfer Agreement;

  • the UK Addendum to approved standard contractual clauses; or

  • another safeguard or exception permitted by UK data-protection law.

Further information about relevant safeguards may be requested using the contact details in this policy.

12. How long I keep personal information

I do not keep personal information for longer than reasonably necessary.

Retention depends on the purpose for which the information was collected, legal requirements, contractual limitation periods, insurance requirements and whether information is needed to establish or defend a legal claim.

My usual retention periods or criteria are:

General enquiries

Enquiries that do not lead to a booking will normally be deleted or anonymised within 24 months of the last meaningful contact, unless there is a reason to retain them for longer.

Client, booking and contractual records

Contracts, booking records, project correspondence, image licences and related records may normally be retained for up to six years after the completion or termination of the service.

Information may be retained longer where necessary to deal with an active dispute, claim, ongoing licence or legal requirement.

Financial and tax records

Invoices, payment records and other accounting information will be retained for the period required by tax and accounting law. For self-employment records, this will generally be at least five years after the relevant Self Assessment submission deadline.

Client photographs and project files

Working files, client galleries and delivered images will be retained in accordance with the applicable contract or service information.

Unless a different period has been agreed:

  • temporary upload and transfer files may be removed after delivery;

  • online client galleries may be removed after the period communicated to the client;

  • working files may be deleted once the project has been delivered and any reasonable correction period has passed; and

  • selected final images may be retained for archive, portfolio, licensing, copyright, evidential or professional purposes, subject to periodic review.

Clients are responsible for securely downloading and backing up delivered images unless a separate archival service has been agreed.

Workshop and tuition information

Routine booking and attendance information may be retained with the relevant contractual records.

Emergency, health, accessibility and support information will normally be deleted when it is no longer needed for the relevant service, unless retention is required for safeguarding, insurance or legal reasons.

Marketing information

Marketing contact information will be retained until you unsubscribe, withdraw consent or object, or until I determine that the information is no longer accurate or useful.

A minimal suppression record may be retained after you unsubscribe to ensure that your preference continues to be respected.

Website analytics

Identifiable analytics data will be retained according to the settings applied within the analytics platform and should be periodically reviewed. Aggregated or effectively anonymised statistical information may be retained for longer because it no longer identifies individual visitors.

Consent and release records

Evidence of consent, model releases and records of withdrawals or objections may be retained for as long as the relevant image or material is used and for an appropriate period afterwards to demonstrate compliance and manage legal claims.

Backups

Information deleted from active systems may remain temporarily within secure backups until those backups are overwritten or expire under the relevant backup schedule.

At the end of the applicable retention period, information will be securely deleted, anonymised or put beyond normal use.

13. How I protect personal information

I use reasonable technical and organisational measures designed to protect personal information against:

  • unauthorised access;

  • accidental loss;

  • misuse;

  • alteration;

  • disclosure; and

  • destruction.

Measures may include:

  • password-protected systems;

  • multi-factor authentication where available;

  • access restrictions;

  • encrypted connections and services;

  • secure backup arrangements;

  • software and device updates;

  • confidentiality obligations;

  • careful selection of service providers; and

  • procedures for responding to suspected data breaches.

No online or electronic-storage system is completely secure. You should therefore take appropriate care when sending sensitive information electronically.

Where a personal-data breach creates a risk to people’s rights and freedoms, I will assess and report it to the Information Commissioner’s Office where required. Where a breach is likely to create a high risk, affected individuals will also be informed where required.

14. Your data-protection rights

Depending on the circumstances and the lawful basis being used, you may have the right to:

  • ask whether I hold personal information about you;

  • request a copy of your personal information;

  • ask for inaccurate information to be corrected;

  • ask for incomplete information to be completed;

  • request deletion of personal information;

  • ask me to restrict how personal information is used;

  • object to processing based on legitimate interests;

  • object to direct marketing at any time;

  • withdraw consent where processing is based on consent;

  • request the transfer of information you provided in a structured, commonly used and machine-readable format; and

  • complain to the Information Commissioner’s Office.

These rights are not absolute. An exemption or another legal reason may mean that I cannot fully comply with a particular request.

Withdrawing consent does not affect the lawfulness of processing carried out before consent was withdrawn.

To exercise a right, contact:

Email: chris@chriskendrickphoto.co.uk

Please describe your request clearly. I may ask for information reasonably necessary to verify your identity and prevent personal information being disclosed to the wrong person.

I will normally respond without undue delay and within one month of receiving a valid request. A longer period may be permitted for particularly complex requests, in which case I will explain the reason for the extension.

There is normally no charge for exercising your rights. A reasonable fee may be charged, or a request may be refused, where the law permits this because a request is manifestly unfounded or excessive.

15. Complaints

Please contact me first if you have a concern about how I have used your personal information:

Chris Kendrick Photography
Email: chris@chriskendrickphoto.co.uk

You also have the right to complain to the UK supervisory authority:

Information Commissioner’s Office

You can find current complaint procedures and contact details on the Information Commissioner’s Office website.

Making a complaint to me first does not affect your right to contact the Information Commissioner’s Office.

16. Automated decision-making

I do not currently use personal information to make solely automated decisions that produce legal effects or similarly significant effects for individuals.

If this changes, this policy will be updated and any additional information required by law will be provided.

17. Changes to this privacy policy

I may update this privacy policy when:

  • services or website features change;

  • a new service provider is introduced;

  • data-protection law or regulatory guidance changes; or

  • my information-handling practices change.

The latest version will be published on the website and the “last updated” date will be amended.

Where a change materially affects how existing personal information is used, I will take reasonable steps to provide additional notice where required.

18. Contact details

For questions, requests or concerns relating to this privacy policy or your personal information, contact:

Chris Kendrick
Trading as: Chris Kendrick Photography
Email: chris@chriskendrickphoto.co.uk
Website: chriskendrickphoto.co.uk
Address: [INSERT BUSINESS POSTAL ADDRESS]