Legal
Privacy Policy
Last updated 11 April 2026
SessionFlow respects your privacy and is committed to protecting the personal information of all users and session participants. This policy explains what we collect, how we use it, and your rights.
Information We Collect
Account Information: name, email address, and login credentials.
Session Information: participant names, contact information, scheduling details, and model release and consent confirmations.
Image Data: photographs uploaded by photographers, edited or retouched image versions, and gallery metadata.
Technical Information: device information, system logs, and platform usage data.
Data Controller and Processor Roles
For the purposes of applicable privacy law, photographers who use SessionFlow to conduct sessions and collect participant information act as independent data controllers — they determine the purpose and means of processing participant personal data. SessionFlow acts as a data processor, providing technical infrastructure and processing participant data only as directed by the photographer and as necessary to operate the platform. This distinction means that photographers bear primary responsibility for lawful data collection, participant consent, and compliance with applicable privacy regulations. SessionFlow's obligations as a data processor are governed by these Terms and the Photographer Responsibility and Participant Consent Terms.
Information is used solely to operate the SessionFlow platform and deliver its functionality, organize sessions and manage participant records, deliver galleries and images to participants, improve system performance and platform reliability, and provide customer support. SessionFlow does not sell personal information as defined under applicable privacy laws, including the California Consumer Privacy Act. SessionFlow does not share personal information with third parties for their independent commercial purposes.
Data Storage and Security
Data is stored using secure cloud infrastructure with encrypted connections in transit and at rest. SessionFlow applies industry-standard security practices to protect user information from unauthorized access, disclosure, alteration, or misuse.
Security Incidents
In the event of a data breach affecting your personal information, SessionFlow will notify affected users as required by applicable law and take prompt action to investigate and mitigate unauthorized access. Notifications will be delivered via the email address associated with the affected account.
Third-Party Services
SessionFlow relies on third-party service providers including cloud hosting providers, payment processors (Stripe), and messaging and communication services. These providers are authorized to process data solely to enable platform functionality and are contractually bound to protect user information. SessionFlow does not authorize third-party providers to use participant data for their own purposes.
Data Retention
Participant session data and images are retained for up to 180 days following session completion, after which data is deleted from active systems unless extended access has been requested. Photographer account data is retained for the duration of the active subscription plus 30 days following account termination. Backup copies may persist for up to 30 days following deletion from active systems, after which they are permanently purged.
Your Rights and Requests
You may request deletion of your personal data or removal of your images from promotional use at any time. Requests will be acknowledged within 5 business days and completed within 30 days of receipt. Contact: privacy@sessionflow.com
US State Privacy Rights
Depending on your state of residence, you may have additional rights under applicable state privacy law.
California Residents (CCPA): You have the right to know what personal information we collect and how it is used, request deletion of your personal information, opt out of the sale of your personal information (SessionFlow does not sell personal information as defined under applicable privacy laws), and non-discrimination for exercising your privacy rights. To submit a request, contact privacy@sessionflow.com. We will respond within 45 days.
Virginia Residents (VCDPA): You have the right to access, correct, delete, and obtain a copy of your personal data, and to opt out of the processing of your personal data for targeted advertising or profiling. To submit a request, contact privacy@sessionflow.com. We will respond within 45 days. If we decline your request and you wish to appeal, email privacy@sessionflow.com with "Appeal" in the subject line. We will respond to appeals within 60 days.
Other US states: Residents of Colorado, Connecticut, Utah, and other states with enacted consumer privacy laws may also have rights similar to those described above. Contact privacy@sessionflow.com for jurisdiction-specific inquiries.
International Users
SessionFlow is operated from the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. For users in the UK or European Economic Area, additional rights may apply under UK GDPR or EU GDPR. Contact privacy@sessionflow.com for jurisdiction-specific inquiries.
Do Not Track
SessionFlow does not currently respond to Do Not Track browser signals as no uniform standard for recognizing such signals has been finalized. If a standard is adopted that applies to SessionFlow, this policy will be updated accordingly.
Policy Updates
SessionFlow may update this Privacy Policy from time to time. Material changes will be communicated at least 14 days before taking effect. Continued use after that date constitutes acceptance.
Contact
Privacy requests: privacy@sessionflow.com | General: support@sessionflow.com
Governing Law
This Privacy Policy is governed by the laws of the State of Wyoming.
Data Retention & Deletion Policy
Effective Date: April 28, 2026
Account Data
Photographer account information is retained for the duration of the active account plus 30 days following termination. After the 30-day window, account data is permanently deleted from active systems. Backup copies are purged within 60 days of deletion request or account closure.
Session and Participant Data
Session records, participant names, contact information, model release confirmations, and related metadata are retained for up to 180 days following session completion. After 180 days, session and participant data is automatically removed from active systems unless extended access has been requested in writing.
Image Data
Uploaded images, retouched versions, and gallery files are retained for up to 180 days following session completion. Photographers may delete individual galleries at any time. Participant-requested gallery deletion will be processed within 30 days of the request.
Backup Retention
Backup copies are maintained for a maximum of 30 days following deletion from active systems, then permanently purged. Backup data is not accessible to users during the retention window and will not be restored in response to deletion requests.
Account Deletion Timeline
When a photographer deletes their account: active session and participant data is deleted within 30 days; image galleries are removed from active systems within 30 days; backup copies are purged within 60 days; records required for legal compliance or financial recordkeeping may be retained longer as required by law.
Requesting Deletion
Email privacy@sessionflow.com. Include your name, account email, and description of the data you wish deleted. Requests acknowledged within 5 business days. Active system deletion completed within 30 days. Backup purge within 60 days.