Photo9We take your privacy seriously. This notice explains what personal data we collect, how we use it, and the rights you have over your information.
Photo9 ("we", "us", "our") is committed to protecting your personal data. This Privacy Notice explains what personal data we collect, why we collect it, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) 2016/679 and the UK GDPR.
Please read this notice carefully. By creating an account or placing an order, you confirm that you have read and understood how we use your personal data.
The data controller is:
Media Rex Alliance BV Barbara Strozzilaan 201, 1083 HN Amsterdam, The Netherlands
Data Protection contact: customer.service@photonine.ai
| Category | Examples | Why we collect it |
|---|---|---|
| Identity | Name, username | Account creation, order fulfillment |
| Contact | Email address, delivery address | Fulfilling orders, customer support, optional marketing |
| Credentials | Email address, hashed password | Secure authentication |
| Order data | Products purchased, purchase amount, date | Order fulfillment, customer service, fraud prevention |
| User-generated content | Photos and videos you upload | Creating and printing your personalised products |
| Usage data | Pages visited, features used, session duration | Improving our service (with your consent for analytics) |
| AI interaction data | Messages sent to our AI assistant (where applicable) | Providing AI-powered design assistance and pre-sale support |
| Device & technical data | IP address (anonymised), browser type, region | Security, fraud prevention, service operation |
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Fulfilling your order (manufacturing, shipping, payment) | Art. 6(1)(b) — Performance of a contract |
| Maintaining a secure account session | Art. 6(1)(b) — Performance of a contract |
| AI-assisted design and pre-sale support | Art. 6(1)(b) — Performance of a contract / pre-contractual steps |
| Automated content moderation of uploaded photos | Art. 6(1)(f) — Legitimate interests (ensuring platform safety and legal compliance) |
| Analytics and service improvement | Art. 6(1)(a) — Consent |
| Marketing emails and personalised advertising | Art. 6(1)(a) — Consent |
| Fraud prevention and security | Art. 6(1)(f) — Legitimate interests |
| Legal compliance (e.g. responding to court orders) | Art. 6(1)(c) — Legal obligation |
We use cookies and similar technologies to operate the site and, with your consent, to analyse usage and serve targeted advertising. Please refer to our Cookie Notice for a full list of cookies, their purposes, and how to manage your preferences.
Our website includes an AI-powered assistant (the "Assistant") to help you design your photo book and answer pre-sale questions.
In accordance with Article 50 of the EU AI Act (Regulation (EU) 2024/1689), we inform you that the Assistant is an automated AI system, not a human agent. This will always be made clear in the interface.
When you send a message to the Assistant, your message is transmitted to our AI service providers (Anthropic, Inc. and/or OpenAI, Inc.) to generate a response. The content of your conversation is processed solely to produce that response. We do not use your conversation content to train, fine-tune, or improve AI models.
The Assistant processes only the following data:
The text of your messages during the session.
Anonymous session metadata (a session identifier, timestamp, and request count) used for rate-limiting and abuse prevention.
We do not pass your name, email address, order history, uploaded photos, or any other personal identifiers to the Assistant unless you explicitly include that information in your message.
If a future feature requires the Assistant to access your personal account data (such as your order history or uploaded designs), we will ask for your explicit, separate consent before enabling that access. You will always be clearly informed of what data will be shared and for what purpose, and you may withdraw that consent at any time.
Your conversation content, photos, or personal data are never used to train AI models — neither our own systems nor those of our AI service providers. Our agreements with Anthropic and OpenAI include contractual prohibitions on using API data for model training.
To ensure fair access and to prevent misuse, the Assistant operates within session-based usage limits. If you reach your limit, the Assistant will be temporarily unavailable until your next session. This is an automated process based solely on usage volume, not on the content of your messages. If you believe your access has been restricted in error, contact us at customer.service@photonine.ai to request human review.
Our AI service providers are based in the United States. Sending conversation data to these providers constitutes a transfer of personal data outside the UK/EEA. This transfer is protected by:
Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914/EU).
Data Processing Agreements (DPAs) with each provider, which prohibit training on API data.
| Provider | Role | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic, Inc. | AI model provider (sub-processor) | USA | SCCs (EU Commission 2021/914) |
| OpenAI, Inc. | AI model provider (sub-processor) | USA | SCCs (EU Commission 2021/914) |
Session metadata (anonymised usage counts, timestamps) is retained for up to 90 days for service quality, fraud prevention, and abuse monitoring, after which it is automatically deleted. Conversation message content is not stored by us beyond the duration of your session. Retention practices at our AI providers are governed by their respective DPAs.
Because our platform allows you to upload photos and videos, we use AI-based tools to detect and filter content that is illegal or violates our Terms & Conditions (including explicit nudity, violence, and hate symbols). This processing is based on our legitimate interests in maintaining a lawful and safe platform (GDPR Art. 6(1)(f)).
If your content is flagged by automated moderation, you have the right to request human review of that decision by contacting us at customer.service@photonine.ai. We will review your request and inform you of the outcome.
We reserve the right to suspend accounts and report to relevant authorities where uploaded content is unlawful.
If you upload photos that include other people, or provide a delivery address for a third party, that information is treated with the same protections as your own data. Please ensure you have the consent of any individuals whose images you upload, where required.
We do not sell your personal data. We share it only in the following circumstances:
Print and fulfillment partners — to manufacture and ship your order.
Payment processors — to securely process your payment. We do not store your card details; these are handled directly by our payment provider under their own PCI-DSS compliance.
AI service providers — Anthropic and OpenAI, as described in Section 5.
Analytics providers — Google Analytics, PostHog, Meta, and Vercel (subject to your consent preferences).
Legal requirements — where required by law, court order, or a supervisory authority.
Business transfers — in the event of a merger, acquisition, or sale of assets, user data may be transferred to the new controller. We will notify you and, where required, seek fresh consent.
Our website is not directed at children under the age of 16. If we become aware that a user under 16 has submitted personal data, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at customer.service@photonine.ai.
| Data type | Retention period |
|---|---|
| Account and order data | Duration of your account + 7 years (legal/tax obligations) |
| Uploaded photos and designs | Until you delete them or close your account |
| AI session metadata | 90 days |
| Analytics data | Up to 26 months (Google Analytics default) |
| Marketing consent records | Duration of consent + 3 years |
We implement industry-standard technical and organisational measures to protect your personal data, including:
HTTPS/TLS encryption for all data in transit.
Encryption at rest for stored photos and personal data on EU/UK-based servers.
Access controls: your account is protected by a unique email/password combination; production data is accessible only to authorised personnel.
Regular security reviews and vulnerability assessments.
Payment details are encrypted using SSL/TLS and processed directly by our payment provider. We do not store card numbers.
If you suspect unauthorised access to your data, please notify us immediately at customer.service@photonine.ai.
You have the following rights regarding your personal data. To exercise any of them, contact us at customer.service@photonine.ai.
| Right | What it means |
|---|---|
| Right to access (Art. 15) | Request a copy of the personal data we hold about you. |
| Right to rectification (Art. 16) | Ask us to correct inaccurate or incomplete data. |
| Right to erasure (Art. 17) | Ask us to delete your data ("right to be forgotten"), subject to legal retention obligations. |
| Right to restriction (Art. 18) | Ask us to pause processing of your data in certain circumstances. |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Right to object (Art. 21) | Object to processing based on legitimate interests, including profiling for direct marketing. |
| Rights related to automated decision-making (Art. 22) | Request human review of any automated decision that significantly affects you. |
| Right to withdraw consent (Art. 7(3)) | Withdraw consent at any time for processing based on consent (e.g. analytics, marketing). Withdrawal does not affect prior lawful processing. |
We will respond to requests within 30 days (extendable to 90 days for complex requests, with notice).
If you are not satisfied with how we handle your personal data or a complaint, you have the right to contact the relevant supervisory authority:
UK: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
Netherlands: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
Germany: Der Bundesbeauftragte für den Datenschutz (BfDI) — bfdi.bund.de
Supervisory Authorities may also reach our Art. 27 GDPR representative at: customer.service@photonine.ai
We will update this notice when our data practices change or when legal requirements require it. The "Effective Date" at the top of this page indicates the date of the most recent update. We encourage you to review this notice periodically.