Privacy Policy

Last updated: 01.05.2026

This Privacy Policy explains how personal data is collected and processed when you visit alenagurenchuk.com, including the subdomains cs.alenagurenchuk.com and ru.alenagurenchuk.com, book a photoshoot, purchase a digital product, order a photo-related product, or otherwise communicate with us.

This Privacy Policy is prepared in accordance with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and Czech Act No. 110/2019 Coll., on the processing of personal data.

Contents

1. Who we are

The controller of your personal data is:

Alena Surova, self-employed person / OSVČ, doing business in photography and also known publicly as Alena Gurenchuk.

  • IČO: 01147773
  • Registered office: Laponská 1185/3, 198 00 Praha 9 — Hloubětín, Czech Republic
  • Email: [email protected]
  • Phone / Telegram, WhatsApp, Viber: +420 608 916 324

We are not required by law to appoint a Data Protection Officer / DPO and have not done so. For any questions related to personal data, please contact us at the email address above.

2. What personal data we process

Depending on how you interact with us, we may process the following categories of personal data.

Contact and identification data

This may include:

  • First name and last name
  • Email address
  • Phone number
  • Billing details, such as billing address, company name, IČO or DIČ, only where needed for invoicing, accounting, tax purposes, delivery of products or formal orders

Booking and service data

This may include:

  • Type of photoshoot
  • Selected package
  • Date, time and location of the photoshoot
  • Number of people taking part in the session
  • Planning details, preferences and special requests shared by you
  • Information needed to organise the photoshoot or provide the service

Payment and order data

This may include:

  • Payment amount, date and method
  • Invoice details
  • Information about ordered digital products, gift cards, prints, photo books or other photo-related products

We do not store full payment card numbers. Card payments are processed by payment providers.

Photographs, videos and visual materials

This may include:

  • Photographs created during a photoshoot
  • Short videos created during a photoshoot, where included in the service
  • Preview images made available for selection
  • Final edited photographs
  • Unedited photographs, where they are delivered as part of the package
  • RAW and working files used internally for editing and technical processing

Standard photographs of identifiable persons are personal data under the GDPR. However, in our normal workflow, photographs are not processed as biometric data because we do not use facial recognition or technical means to uniquely identify a person.

Communication data

This may include:

  • Emails
  • Messages sent through WhatsApp, Telegram, Viber, Instagram, Facebook, contact forms or other communication channels
  • Information you voluntarily share with us while discussing or planning a service
  • Reviews and public feedback

Website and technical data

This may include:

  • IP address
  • Browser and device information
  • Pages visited
  • Referring URL
  • Approximate time spent on the website
  • Cookie identifiers and similar technologies

More information about cookies is provided in Section 9.

3. Where we obtain your data

In most cases, we collect personal data directly from you, for example when you:

  • Contact us by email, message or contact form
  • Book a photoshoot
  • Purchase a digital product, gift card, print, photo book or other product
  • Take part in a photoshoot
  • Communicate with us before, during or after the service

We may also receive limited personal data from third parties, for example:

  • From another person organising a group, family, event or corporate photoshoot
  • From booking or partner platforms, if your session is arranged through them
  • From public reviews or public comments on platforms such as Google, Facebook, Instagram or photographer directories

We do not buy mailing lists and do not obtain personal data from data brokers.

We process personal data only when we have a legal basis under the GDPR.

The main legal bases we rely on are consent — Art. 6(1)(a), performance of a contract or pre-contractual measures — Art. 6(1)(b), legal obligation — Art. 6(1)(c), and legitimate interest — Art. 6(1)(f).

We may process your personal data for the following purposes:

  • To respond to enquiries, prepare a booking and communicate with you before the service — based on pre-contractual measures or our legitimate interest.
  • To book, organise and provide photography services, digital products, gift cards, prints, photo books or other photo-related products — based on the performance of a contract.
  • To deliver preview images, final photographs and related files — based on the performance of a contract.
  • To issue invoices, keep accounting records and comply with tax obligations — based on legal obligations.
  • To handle complaints, technical issues, additional editing requests or possible legal claims — based on the performance of a contract or our legitimate interest.
  • To publish photographs in our portfolio, website, blog, social media or marketing materials — based on your consent, unless another written agreement applies.
  • To send newsletters, offers or updates — based on your consent, or on our legitimate interest where legally permitted.
  • To use website analytics, marketing cookies or remarketing tools — based on your consent where required.

We do not use your data for automated decision-making that produces legal effects concerning you within the meaning of Article 22 GDPR.

5. Photographs and publication

Private photoshoots

Private photoshoots are treated as private by default.

The photographs we deliver to you are intended for your personal use, unless we agree otherwise in writing.

We do not publish photographs from private sessions on our website, portfolio, blog, social media, advertising materials or photographer directories without your separate consent or another written agreement.

You can book a photoshoot and refuse all portfolio or marketing use. Your decision does not affect the price or the quality of the service.

Portfolio and marketing use

If you give consent, photographs may be used for portfolio, website, blog, social media, advertising or promotional purposes.

This may include publication on:

  • alenagurenchuk.com
  • cs.alenagurenchuk.com
  • ru.alenagurenchuk.com
  • Instagram
  • Facebook
  • Pinterest
  • LinkedIn
  • Google Business Profile
  • Photographer directories or portfolio platforms
  • Printed or digital promotional materials

When photographs are published on third-party platforms, such as Instagram, Facebook, Pinterest, LinkedIn or Google, your data may also be processed by those platforms according to their own privacy policies and terms.

For photographs showing more than one clearly identifiable person, publication may require consent from all clearly identifiable persons shown in the photograph, unless another appropriate legal basis applies.

Confidential sessions

Surprise proposals, dating profile photoshoots, private relationship sessions, family sessions and other sensitive or confidential sessions are treated with additional care.

Where the nature of the booking requires confidentiality, we will not use the photographs publicly unless you clearly and separately agree to this.

You may also request enhanced confidentiality at any time by contacting us by email.

Group sessions and events

If your session includes other people, such as a partner, family members, friends, colleagues or event guests, the person organising the session is responsible for informing them that photography will take place and for sharing this Privacy Policy with them on request.

If photographs are to be used publicly, for example in our portfolio, website, social media, advertising or other promotional materials, we may require consent from all clearly identifiable persons shown in the photographs, unless another appropriate legal basis applies.

For children, consent must be given by a parent or legal guardian.

Stock photography and third-party licensing

Photographs showing identifiable clients or other identifiable persons are not sold as stock photography and are not provided to third parties for commercial use without a separate written agreement, model release or another appropriate legal basis.

This does not apply to photographs that do not identify a person and do not contain personal data, such as certain photographs of food, decorations, accessories, interiors, products, city details or other non-identifiable objects, provided that their use is not restricted by contract, confidentiality, intellectual property rights, venue rules or other legal limitations.

If a photograph contains identifiable people, private information, visible names, personal data, confidential details or other sensitive context, we do not use it for stock photography or third-party licensing without appropriate permission.

Withdrawal of consent

If you have given consent for the publication of your photographs, you may withdraw it at any time by emailing: [email protected].

After withdrawal, we will remove the relevant photographs from our own website, portfolio and social media accounts as soon as reasonably possible.

Please note that it may not always be possible to remove photographs from:

  • Printed materials already produced
  • Third-party websites or platforms outside our control
  • Reposts, screenshots or shares made by other users
  • Cached versions of web pages
  • Independent press or media publications

6. How long we keep your data

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law or necessary for the protection of our rights.

Booking, contract and communication data

Booking data, client communication and contract-related information are usually kept for up to 4 years from completion of the service, unless a longer period is necessary for legal claims or another legitimate reason.

Accounting and tax records

Invoices, payment records and accounting documents are kept for up to 10 years, where required by Czech law.

Preview galleries and delivered photographs

Preview galleries are usually available to clients for 30 days for the purpose of selecting images for editing.

Unedited photographs delivered through the photo delivery system are usually available for 2–3 months after delivery. Clients are advised to download them to their private archive during this period.

Final edited photographs are archived by us for 1 year after delivery, mainly in case the client loses access to the files or needs them to be re-sent.

RAW files and working files are not delivered to clients and are kept only for the time necessary to complete the order, handle additional editing requests or resolve technical issues. After that, they may be deleted.

Photographs published with consent

Photographs published with your consent may remain published until you withdraw your consent or until we remove or update the relevant portfolio, post, page or material.

After the relevant retention period expires, personal data is deleted or anonymised where possible.

7. Recipients and service providers

We share personal data only where necessary for providing our services, running the website, communicating with clients, delivering photographs, processing payments, fulfilling legal obligations or protecting our rights.

We may use the following categories of service providers:

  • Website hosting and website tools, including Forpsi, WordPress and related plugins
  • Email, communication and cloud services, including Google services such as Gmail, Google Drive and Google Photos, where used for communication, business administration, cloud storage or backups
  • Photo and video editing tools, including Adobe Lightroom, Adobe Photoshop, DaVinci Resolve and retouching tools
  • Payment providers, including SumUp, PayPal and payment gateways used for photo-related orders, where applicable
  • Social media and public platforms, including Instagram, Facebook, Pinterest, LinkedIn, Google Business Profile and photographer directories
  • Analytics and cookie tools, including Google Analytics, where used and where consent is required
  • AI-assisted productivity tools, such as ChatGPT, Claude or Gemini, used only for drafting, translating, proofreading or organising general business texts
  • Public authorities, where required by law

Some providers act as processors on our behalf. Others, such as payment providers or social media platforms, may act as independent controllers for their own purposes.

AI-assisted tools

AI-assisted tools may be used to help with drafting, translating, proofreading, planning or organising general business texts.

We do not submit identifiable client photographs, contact details, contracts, private messages or confidential client information to AI tools.

Where AI tools are used for drafting business communications, the input is anonymised before submission.

AI tools are not used to process client photographs for identification purposes and are not used to make automated decisions about clients.

8. Transfers outside the European Economic Area

Some providers we use may process personal data outside the European Economic Area, especially in the United States. This may include providers of email, cloud storage, website analytics, payment, social media, advertising, editing or AI-assisted productivity tools.

For transfers to the United States, we rely where applicable on the EU–US Data Privacy Framework for providers certified under it, or on Standard Contractual Clauses or other appropriate safeguards where the DPF does not apply.

For transfers to other third countries, we rely on adequacy decisions where available, or on appropriate safeguards such as Standard Contractual Clauses where required.

You may request more information about the relevant safeguards by contacting us at: [email protected].

We do not intentionally store client photographs, contracts or confidential business correspondence on services located in countries that do not provide an adequate level of data protection and are not covered by an appropriate transfer mechanism.

9. Cookies

Our website uses cookies and similar technologies.

Cookies may be used for:

  • Essential website functionality
  • Security
  • Contact forms
  • Website performance
  • Analytics
  • Embedded content
  • Marketing and advertising, where applicable

Strictly necessary cookies may be used without your consent because they are required for the website to function properly.

Analytics, preference and marketing cookies are used only where legally permitted and, where required, based on your prior consent through the cookie banner.

You can manage or withdraw your cookie consent through the cookie banner or cookie settings available on the website, where this option is provided. You can also control cookies through your browser settings.

More detailed information may be provided in a separate Cookie Policy.

10. Your rights under the GDPR

In relation to your personal data, you have the following rights:

  • Right of access — to ask whether we process your data and to receive a copy of the data
  • Right to rectification — to have inaccurate or incomplete data corrected
  • Right to erasure — to request deletion of your data where the legal conditions are met
  • Right to restriction of processing — to ask us to limit the use of your data in certain situations
  • Right to data portability — to receive your data in a structured, commonly used and machine-readable format where applicable
  • Right to object — to object to processing based on legitimate interest, including direct marketing
  • Right to withdraw consent — to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal
  • Right not to be subject to automated decision-making — we do not carry out automated decision-making producing legal effects concerning you
  • Right to lodge a complaint with a supervisory authority

To exercise your rights, please contact us at: [email protected] or by post at the address listed in Section 1.

We will usually respond within 1 month from receipt of your request. This period may be extended by two further months for complex requests, in which case we will inform you.

The exercise of these rights is free of charge, unless your request is manifestly unfounded, excessive or repetitive.

For security reasons, we may ask you to verify your identity before processing your request.

11. Supervisory authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Czech supervisory authority:

Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27
170 00 Praha 7
Czech Republic
Phone: +420 234 665 111 Website: www.uoou.cz

12. Children

Our services are not directed at children under 16.

We process personal data of children only where this is necessary for family photoshoots, events or similar services, and where the session is booked or approved by a parent or legal guardian.

For family photoshoots, the parent or legal guardian is responsible for providing the necessary consent or permission on behalf of the child where required.

If you believe that a child has provided personal data to us without parental consent, please contact us and we will take appropriate steps.

13. Security

We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or destruction.

These measures may include:

  • HTTPS encryption on the website
  • Password-protected devices and accounts
  • Two-factor authentication where available
  • Limited access to client data
  • Regular software updates
  • Malware protection
  • Secure storage and backup procedures
  • Selection of service providers that provide appropriate data protection safeguards
  • Anonymisation or minimisation of personal data before using external productivity tools, where applicable

However, no method of transmission over the internet or electronic storage is completely secure. Therefore, we cannot guarantee absolute security.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, tools, processing activities or legal requirements.

The current version is always available on this page, with the date of the last update shown at the top.

If we make material changes that significantly affect your rights, we may inform you by email or by a visible notice on the website, where appropriate.

15. Contact

If you have any questions about this Privacy Policy or the way we process personal data, please contact us:

Alena Surova
Email: [email protected]
Phone / Telegram, WhatsApp, Viber: +420 608 916 324 Registered office: Laponská 1185/3, 198 00 Praha 9 — Hloubětín, Czech Republic

Last Edited on 01.05.2026