Privacy Policy — De Nicolais Photography
Last Updated: March 2026
This Privacy Policy applies to the website www.denicolais.com and governs the privacy of its visitors and clients worldwide. It explains how De Nicolais Photography collects, processes, manages and stores personal data, and how your rights under applicable data protection law are protected — regardless of where you are located.
Our Commitment to Your Privacy
De Nicolais Photography is built on trust. The relationships we form with our clients are personal, intimate and long-lasting — and the same care we give to preserving your most important moments is applied to protecting your personal data. We collect only what is necessary, retain it only for as long as required, and never use it for purposes beyond delivering the photography services you have engaged us for.
This policy has been written to be read — not to obscure. If you have any questions about how your data is handled, you are always welcome to contact us directly at [email protected].
1. Data Controller
De Nicolais Photography
Represented by: Mimmo De Nicolais
Contact: [email protected]
Website: www.denicolais.com
De Nicolais Photography operates internationally — primarily across Italy, Europe and worldwide — and is subject to multiple data protection frameworks depending on the location of the visitor or client:
- UK GDPR and the Data Protection Act 2018 — governed by the UK Information Commissioner’s Office (ICO)
- EU GDPR (Regulation 2016/679) — applicable by virtue of offering services to individuals located in the European Union and processing personal data of EU residents (Article 3, territorial scope)
- US State Privacy Laws — including CCPA/CPRA (California), CDPA (Virginia), CPA (Colorado), and CTDPA (Connecticut)
- Other applicable international privacy laws — including PDPA (Singapore), PDPO (Hong Kong), PIPL (China), APPI (Japan), PIPA (South Korea), DPDP Act (India), PDPL (UAE), PDPL (Saudi Arabia), PDPPL (Qatar), PDPL (Bahrain), Privacy Protection Law (Israel), LGPD (Brazil), Ley 25.326 (Argentina), POPIA (South Africa), PIPEDA (Canada), the Australian Privacy Act, and equivalent legislation in all other jurisdictions from which clients engage our services
EU Representative (Article 27 EU GDPR): EU residents may direct data protection enquiries to [email protected]. A formal EU Representative will be designated and this policy updated accordingly. In the interim, all requests are processed directly by the Data Controller within statutory timeframes.
2. Personal Data We Collect
Contact and Enquiry Data
When you submit an enquiry through our contact form, we collect your name, email address, phone number, and any information you choose to include regarding your event — such as wedding date, venue, and location. This data is necessary to respond to your enquiry and assess whether our services are suitable for your needs.
Client Data
For contracted clients, we hold names, email addresses, phone numbers, event details (dates, venues, locations), billing information where applicable, and communication records. This data is processed to fulfil our contractual obligations and deliver photography services.
Gallery Access Data
Client galleries are hosted via wfolio. To access a private gallery, your email address may be required by the platform. This data is held within wfolio’s systems and governed by their privacy policy. Only Mimmo De Nicolais has access to gallery data on your behalf. Gallery access links are password-protected and shared exclusively with contracted clients.
Website Usage Data
We collect technical data automatically when you visit this website, including IP addresses, browser type, device information, pages visited, session duration and navigation patterns. This data is collected via Google Analytics and is used solely for website performance analysis and improvement. It is never used to identify individual visitors.
Image and Copyright Data
All photographic works created by Mimmo De Nicolais are the intellectual property of De Nicolais Photography. When images featuring identifiable individuals are used for portfolio, marketing or editorial purposes, this is done exclusively with the prior consent of the contracted client.
Data We Will Never Collect
We do not collect and will never request: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation. If you believe any such data is being requested, contact us immediately at [email protected].
3. Legal Basis for Processing
We process personal data only where a valid legal basis exists under UK GDPR and EU GDPR Article 6:
- Contract performance — processing necessary to deliver contracted photography services and client galleries
- Legitimate interests — website analytics, business communications, and the photographic documentation of events (see Section 5 for full detail on guest photography)
- Consent — use of images for marketing purposes on social media and website portfolio, where consent has been explicitly obtained from the client
- Legal obligation — retention of records required by applicable law
4. How We Use Your Data
- To respond to enquiries and communicate about potential bookings
- To deliver photography services and provide access to client galleries
- To share images on Instagram, Facebook, YouTube and the portfolio website where client consent has been obtained
- To analyse website performance via Google Analytics
- To comply with legal and contractual obligations
- To transfer files securely using Vimeo or equivalent platforms
We do not use your data for unsolicited marketing, automated profiling, or any purpose not disclosed above. We do not sell, rent or trade personal data to third parties under any circumstances.
5. Photography of Guests and Event Attendees
At weddings and events, Mimmo De Nicolais photographs not only the contracted clients but also guests and attendees as an integral part of documenting the event.
Under UK GDPR and EU GDPR, photographs may constitute personal data where they enable the identification of a natural person. Guest photography at events is processed on the legal basis of legitimate interests (Article 6(1) (f)), on the following grounds:
The photographic documentation of a wedding or event is a core and expected function of a professional wedding photographer. Guests attend events with a reasonable expectation that photography will take place. The legitimate interest of providing complete and authentic event documentation — which is the primary service contracted by clients — necessarily involves capturing the presence and participation of all attendees. The disproportionate effort involved in obtaining individual consent from every guest present, and the degree to which it would impair delivery of the contracted service, renders such an approach infeasible. This assessment reflects established guidance from the UK ICO and the European Data Protection Board on legitimate interest balancing tests in the context of professional event photography.
Clients are requested to inform their guests of this Privacy Policy in advance of the event and to direct any guest with concerns to contact us at [email protected] prior to the event date. We will make reasonable accommodations where a guest has a legitimate and specific objection to being photographed.
Guest images shared publicly — on social media or the portfolio website — are selected with care and editorial judgment. Any guest wishing to request the removal of an image in which they appear may contact us at [email protected] and we will process the request promptly and without prejudice.
6. Third-Party Services and Data Processors
We use the following third-party services in the operation of this website and our photography business. Each operates under its own privacy policy and applicable data protection framework. These providers have been selected on the basis of their compliance standards and their relevance to the delivery of our services:
- wfolio — website hosting and private client gallery platform. Privacy Policy
- Google Analytics — website usage analytics. Data processed by Google LLC (USA). Privacy Policy
- Google Ads — advertising and promotion. Data processed by Google LLC (USA). Privacy Policy
- YouTube (Google LLC) — video hosting for portfolio and client content. Data processed by Google LLC (USA). Privacy Policy
- Meta — Facebook and Instagram — social media platforms where portfolio content and event images may be shared with client consent. Privacy Policy
- Vimeo — video hosting for client slideshows and editorial content. Privacy Policy
No personal data is shared with any third party not listed above. None of the above parties are authorised to use your data for purposes beyond those disclosed in this policy or in their respective privacy policies.
7. International Data Transfers
De Nicolais Photography operates across multiple jurisdictions. Data transfers are managed as follows:
UK and EU transfers are lawful under the UK Adequacy Regulations 2021, which recognise the EU as providing an adequate level of data protection equivalent to UK GDPR standards.
Transfers to the United States and other countries occur via the third-party providers listed in Section 6 — including Google LLC and Meta Platforms Inc. These transfers are carried out under appropriate safeguards, including Standard Contractual Clauses (SCCs) adopted by the respective providers, as permitted under UK GDPR Article 46 and EU GDPR Article 46.
Transfers involving other international jurisdictions — including clients located in the Middle East, Asia, South America, Africa and all other destinations where De Nicolais Photography operates — are handled with the same standards of care applied to UK and EU data, ensuring personal data is never transferred to environments without adequate protection.
8. Cookies
This website uses cookies — small data files placed on your device — to enable essential website functionality and to analyse website traffic via Google Analytics.
Essential cookies are required for the website to function correctly and cannot be disabled. They do not collect personal information.
Analytics and advertising cookies — including those set by Google Analytics and Google Ads — are only activated following your explicit consent via the cookie notice displayed on your first visit. You may withdraw consent at any time by clearing your browser cookies and revisiting the site.
We do not use cookies to build personal profiles, serve targeted advertising based on your identity, or share cookie data with third parties beyond those listed in Section 6.
9. Data Retention
Personal data is retained only for as long as necessary for the purposes for which it was collected:
- Enquiry data — retained for 12 months from last contact, unless a booking is made
- Client data — retained for the duration of the contract and for a period of 6 years thereafter, in compliance with applicable legal requirements for business records
- Gallery and video data — governed by the respective platform retention policies (wfolio, Vimeo, YouTube); clients may request deletion at any time
- Website analytics data — retained in aggregate, anonymised form per Google Analytics standard data retention settings
Upon expiry of the applicable retention period, personal data is securely deleted. Requests for early deletion may be submitted at any time to [email protected].
10. Your Rights — UK and EU Residents
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data. All requests are responded to within one calendar month, free of charge:
- Right of access — to obtain a copy of the personal data we hold about you
- Right to rectification — to request correction of inaccurate or incomplete data
- Right to erasure — to request deletion of your personal data where there is no lawful basis for continued processing
- Right to restriction — to request that we limit how we use your data
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format
- Right to object — to object to processing based on legitimate interests, including direct marketing
Where processing of your personal data is based on your consent, you have the right to withdraw that consent at any time by contacting [email protected], without affecting the lawfulness of processing carried out prior to withdrawal (UK GDPR Article 7(3) / EU GDPR Article 7(3)).
To exercise any of these rights, contact us at [email protected]. We will confirm receipt within 72 hours and provide a full response within one month as required by law.
11. Your Rights — US Residents
De Nicolais Photography respects the privacy rights of clients and visitors from all US states. Residents of states with applicable privacy legislation have the following rights:
California residents (CCPA/CPRA) have the right to know what personal data is collected, to request deletion, to correct inaccurate data, to opt out of the sale or sharing of personal data, and to non-discriminatory treatment when exercising these rights. We do not sell, share or trade personal data with any third party for commercial purposes. Requests may be submitted to [email protected] and will receive a response within 45 days as required by law.
Residents of Virginia, Colorado, Connecticut and other US states with applicable state privacy laws have equivalent rights to access, correct, delete and obtain a copy of their personal data. All requests are handled with the same care and within the same timeframes applied to UK and EU data subjects.
De Nicolais Photography is a creative photography business — not a data broker, advertising network or technology company. The data we collect is limited exclusively to what is necessary to deliver photography services and respond to enquiries. No data is monetised, profiled for advertising, or shared beyond the service providers listed in Section 6.
12. Your Rights — International Clients
Clients and visitors located outside the UK, EU and USA are entitled to the same standard of data protection applied to all De Nicolais Photography clients. We process personal data of international clients with the same care, transparency and legal compliance applied across all jurisdictions — regardless of nationality, location or the country in which the photography services are delivered.
Asia
Residents of Singapore are protected under the Personal Data Protection Act 2012 (PDPA). De Nicolais Photography respects the rights of Singapore residents including access, correction and withdrawal of consent. The relevant authority is the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
Residents of Hong Kong are protected under the Personal Data (Privacy) Ordinance (PDPO, Cap. 486). De Nicolais Photography respects the six Data Protection Principles established under the PDPO. The relevant authority is the Office of the Privacy Commissioner for Personal Data (PCPD) at pcpd.org.hk.
Residents of India are protected under the Digital Personal Data Protection Act 2023 (DPDP Act). De Nicolais Photography processes personal data of Indian residents lawfully and transparently, respecting the rights of data principals including access, correction, erasure and grievance redressal. Enquiries may be directed to [email protected].
Residents of China are protected under the Personal Information Protection Law 2021 (PIPL). De Nicolais Photography processes personal data of Chinese residents on the basis of consent and contractual necessity, in accordance with PIPL requirements. The relevant authority is the Cyberspace Administration of China (CAC) at cac.gov.cn.
Residents of Japan are protected under the Act on the Protection of Personal Information (APPI). De Nicolais Photography handles personal data of Japanese residents in accordance with APPI principles. The relevant authority is the Personal Information Protection Commission (PPC) at ppc.go.jp.
Residents of South Korea are protected under the Personal Information Protection Act (PIPA). De Nicolais Photography processes personal data of Korean residents lawfully and with appropriate safeguards. The relevant authority is the Personal Information Protection Commission (PIPC) at pipc.go.kr.
Middle East
Residents of the UAE are protected under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). De Nicolais Photography respects the data protection rights of UAE residents. The relevant authority is the UAE Data Office at uaedataoffice.gov.ae.
Residents of Saudi Arabia are protected under the Personal Data Protection Law 2021 (PDPL, Royal Decree M/19). De Nicolais Photography processes personal data of Saudi residents on the basis of consent and contractual necessity. The relevant authority is the Saudi Data and Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa.
Residents of Qatar are protected under the Personal Data Privacy Protection Law No. 13 of 2016 (PDPPL). De Nicolais Photography handles personal data of Qatari residents with full respect for their rights under applicable law. The relevant authority is the National Cyber Security Agency (NCSA) at ncsa.gov.qa.
Residents of Bahrain are protected under the Personal Data Protection Law 2018 (PDPL). De Nicolais Photography processes personal data of Bahraini residents lawfully and transparently. The relevant authority is the Information and eGovernment Authority (iGA) at iga.gov.bh.
Residents of Israel are protected under the Privacy Protection Law 1981 and its regulations, aligned with international data protection standards. The relevant authority is the Privacy Protection Authority (PPA) at gov.il.
South America
Residents of Brazil are protected under the Lei Geral de Proteção de Dados 2020 (LGPD). De Nicolais Photography processes personal data of Brazilian residents with full respect for LGPD rights. The relevant authority is the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
Residents of Argentina are protected under Ley 25.326 de Protección de Datos Personales. De Nicolais Photography handles personal data of Argentine residents in accordance with applicable law. The relevant authority is the Agencia de Acceso a la Información Pública (AAIP) at argentina.gob.ar/aaip.
Africa
Residents of South Africa are protected under the Protection of Personal Information Act 2013 (POPIA). De Nicolais Photography processes personal data of South African residents in accordance with POPIA conditions for lawful processing. The relevant authority is the Information Regulator at inforegulator.org.za.
Canada and Australia
Residents of Canada are protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation. The relevant authority is the Office of the Privacy Commissioner of Canada at priv.gc.ca.
Residents of Australia are protected under the Privacy Act 1988 and the Australian Privacy Principles (APPs). The relevant authority is the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
All Other Countries
Clients and visitors from all other countries are entitled to the same standard of data protection applied to all De Nicolais Photography clients. De Nicolais Photography applies the highest applicable standard of data protection to every individual, regardless of where their local legislation may stand. All requests may be directed to [email protected] and will be acknowledged within 72 hours and resolved promptly.
13. Supervisory Authorities
If you have concerns about how your personal data is being handled and are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority for your jurisdiction:
UK residents:
Information Commissioner’s Office (ICO)
ico.org.uk
Telephone: 0303 123 1113
EU residents:
The competent supervisory authority is that of the EU member state in which you reside or work, or where the alleged infringement occurred. For matters relating to photography services delivered in Italy:
Garante per la Protezione dei Dati Personali
garanteprivacy.it
US residents — California:
California Privacy Protection Agency (CPPA)
cppa.ca.gov
Canadian residents:
Office of the Privacy Commissioner of Canada
priv.gc.ca
Australian residents:
Office of the Australian Information Commissioner (OAIC)
oaic.gov.au
Singapore residents:
Personal Data Protection Commission (PDPC)
pdpc.gov.sg
Hong Kong residents:
Office of the Privacy Commissioner for Personal Data (PCPD)
pcpd.org.hk
Japan residents:
Personal Information Protection Commission (PPC)
ppc.go.jp
South Korea residents:
Personal Information Protection Commission (PIPC)
pipc.go.kr
UAE residents:
UAE Data Office
uaedataoffice.gov.ae
Saudi Arabia residents:
Saudi Data and Artificial Intelligence Authority (SDAIA)
sdaia.gov.sa
Qatar residents:
National Cyber Security Agency (NCSA)
ncsa.gov.qa
Bahrain residents:
Information and eGovernment Authority (iGA)
iga.gov.bh
Israel residents:
Privacy Protection Authority (PPA)
gov.il
Brazil residents:
Autoridade Nacional de Proteção de Dados (ANPD)
gov.br/anpd
Argentina residents:
Agencia de Acceso a la Información Pública (AAIP)
argentina.gob.ar/aaip
South Africa residents:
Information Regulator
inforegulator.org.za
14. Security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction. Client files and data are stored on encrypted, password-protected systems. Private client galleries are accessible only via secure, password-protected links. Access to personal data is limited to Mimmo De Nicolais and, where strictly necessary for service delivery, to contracted technical providers under confidentiality obligations.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33 and EU GDPR Article 33. Affected individuals will be notified directly where required by law.
Limitation of liability regarding third-party services: De Nicolais Photography implements all reasonable and proportionate security measures within its direct control. However, we cannot assume responsibility for the security, availability or data protection practices of independent third-party platforms listed in Section 6 — including wfolio, Google, Meta, Vimeo and YouTube — which operate their own independent systems and security infrastructure. Users are encouraged to review the privacy policies of these providers directly. De Nicolais Photography shall not be held liable for any unauthorised access, data breach or loss of personal data that occurs within systems operated and controlled solely by third-party providers, provided that De Nicolais Photography has fulfilled its own obligations under applicable data protection law.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we use, or applicable law. The date of the most recent update is always displayed at the top of this document. Where changes are material, we will notify contracted clients directly via the email address held on file. Continued use of this website following an update constitutes acceptance of the revised policy.
De Nicolais Photography
Contact: [email protected]
Website: www.denicolais.com
