The following document defines the Privacy Policy applied to PhMuseum services and websites, including https://phmuseum.com (effective 18 May 2026), and is supplementary to the PhMuseum Terms and Conditions.
We respect and understand the importance of your privacy. For this reason we invite you to read carefully the following Agreement, which is legally binding, in order to understand how we collect and treat your personal information with transparency while running our Service. By accessing and using the PhMuseum website You accept the practices presented in this Privacy Policy.
1. PURPOSE OF OUR POLICY
This Privacy Policy (Agreement) is meant to explain how PhMuseum treats your personally identifying, potentially personally identifying and non-personally identifying information. We have adopted this Privacy Policy to ensure that PhMuseum has the proper standards in place to manage and protect the User (User, You) data and information collected as necessary and incidental to:
a) Providing the products and services that PhMuseum offers; and
b) The normal day-to-day operations of our business.
This Agreement applies to the products and services offered on the PhMuseum website https://phmuseum.com (Site) operated by PHmuseum Srl ("PhMuseum," "we," "us," and "our"), the company (number 03908051208) based in Via Paolo Fabbri 10/2a, Bologna, Italy. By publishing this Privacy Policy we aim to make it easy for our users to understand what data we collect and store, why we do so, how we receive and/or obtain that information, and the rights you have with respect to your data in our possession.
2. THE INFORMATION WE COLLECT
In the course of business it is necessary for us to collect, process and use personal data. This information allows us, for example, to identify who an individual is for the purposes of offering our Service, or contacting the individual in the ordinary course of business. Without limitation, the type of information we may collect is:
a) Personal Information. We may collect personal details such as an individual’s name, location, date of birth, nationality and other information that allows us to identify who the individual is;
b) Contact Information. We may collect information such as an individual’s email address, telephone & fax number, third-party usernames, residential, business and postal address and other information that allows us to contact the individual;
c) Statistical Information. We may collect information about an individual’s online and offline preferences, habits, movements, trends, decisions, associations, memberships, finances, purchases and other information for statistical purposes; and
d) Information an individual sends us. We may collect any personal correspondence that an individual sends us, or that is sent to us by others about the individual’s activities, including activities with our partners.
e) Social and federated login information. We may collect profile information from a third-party identity provider when you choose to register or sign in with that provider (for example Google). We do not currently offer Facebook, Apple, or other social login on the Website.
f) Other Personal Information. We may collect other data about an individual, such as nationality, biography, where the individual is based, or the languages spoken, which we will maintain in accordance with this Privacy Policy.
We may also collect data about an individual such as information regarding their computer, network and browser. This may include their IP address and cookie identifiers.
3. WHO AND WHAT THIS POLICY APPLIES TO
PhMuseum, its Site and Services are intended for persons 18 years of age or older. We do not knowingly target or solicit data from minors. If you believe we have collected information relating to someone under 18, please contact us at privacy@phmuseum.com so we can take appropriate steps.
The Privacy Policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hardcopy. We handle data in our own right and also for and on behalf of our customers and users.
Our Privacy Policy does not apply to information we collect about businesses or companies, however it does apply to information about the people in those businesses or companies that we store. If, at any time, an individual provides data or other information about someone other than himself or herself, the individual warrants that they have that person's consent to provide such information for the purpose specified.
4. HOW INFORMATION IS COLLECTED
Most information will be collected in association with an individual’s use of PhMuseum sites, products and services, an enquiry about PhMuseum or generally dealing with us. We may also receive data from other sources such as advertising, contractors, recruitment agencies, and our business partners. In particular, information is likely to be collected as follows:
Accounts, memberships, subscriptions. When an individual submits their details to open an account and/or become a member of PhMuseum;
Registrations, submissions, purchases. When an individual registers and/or purchases a product or service, submits an entry to our Grants – phmuseum.com/grant – or other process whereby they enter data details or grant access to information in order to receive or access something, including a transaction or services;
Partners, suppliers, contacts. When an individual grants us access to their accounts with our business partners, supplies us with goods or services, or contacts us in any way;
Pixel tags, cookies, and similar technologies. Pixel tags help us understand whether emails have been opened. Cookies and similar technologies help us operate the Site, remember your choices, and—only with your consent—support analytics and marketing measurement. See our Cookie Policy for details.
We also use these specific services to understand Users’ behaviour, offer our Service, and improve the quality of the whole Site:
Algolia (Algolia SAS): Algolia is a hosting and backend service provided by Algolia SAS. We use this service mostly to run our search engine. Personal Data collected: various types of Data as specified in the privacy policy of the service. Place of processing: France – Privacy Policy;
Amazon Web Services (AWS) (Amazon): Amazon Web Services is a hosting and backend service provided by Amazon.com Inc. Personal Data collected: various types of Data as specified in the privacy policy of the service. Place of processing: See the Amazon privacy policy – Privacy Policy;
Laravel Cloud (Laravel LLC):
Laravel Cloud is a hosting and backend infrastructure service provided by Laravel LLC. We use Laravel Cloud to host the PhMuseum Site and run core backend processes. In providing this service, Laravel Cloud may process Personal Data contained in application data, logs, metadata, and communications strictly as required to operate, monitor, and secure the platform.
Personal Data collected: various types of Data as specified in the privacy policy of the service.
Place of processing: EU – Privacy Policy.
Cloudflare (Cloudflare, Inc.):
Cloudflare is a content delivery, security, and performance optimisation service provided by Cloudflare, Inc. We use Cloudflare through our hosting provider (Laravel Cloud) to protect the Site from malicious traffic, improve loading speed, and deliver content efficiently to Users. Cloudflare may process Personal Data such as IP addresses, usage data, device information, and security-related metadata when providing its services, strictly for security, optimisation, and traffic routing purposes.
Personal Data collected: various types of Data as specified in the privacy policy of the service.
Place of processing: EU, United States, and other regions as described in Cloudflare’s privacy policy – Privacy Policy.
Laravel Nightwatch (Laravel LLC):
Laravel Nightwatch is an application monitoring and error-tracking service provided by Laravel LLC. We use Nightwatch to monitor the performance, stability, and security of our Site and to diagnose technical issues. In providing this service, Nightwatch may process Personal Data contained in server logs, error reports, device information, IP addresses, usage data, and other diagnostic information strictly for monitoring and maintenance purposes.
Personal Data collected: various types of Data as specified in the privacy policy of the service.
Place of processing: EU – Privacy Policy.
Meta Pixel (Meta Platforms, Inc.): When you enable Marketing cookies, we use the Meta Pixel for advertising delivery and conversion measurement. Personal Data collected: cookies and usage data. Place of processing: United States and other regions per Meta—Privacy Policy—About Ads choices. We do not use Meta for social login.
Google Analytics 4 and Google Ads (Google LLC): We use Google Analytics 4 (property G-V4VVR5SB9P) and Google Ads conversion measurement (AW-380442119) when you enable the relevant cookie categories. Google may process cookies and usage data, including pseudonymous identifiers. IP addresses may be shortened within the EU/EEA where supported. Personal Data collected: cookies and usage data. Place of processing: EU and United States (and other regions per Google)—Privacy Policy—Analytics opt-out. International transfers are covered by Google's contractual safeguards (for example SCCs and/or adequacy mechanisms).
Google reCAPTCHA (Google LLC): We use reCAPTCHA v3 on registration and certain forms to reduce abuse. Google may process device and interaction signals. Personal Data collected: as described in Google's terms—Privacy Policy.
MailChimp (The Rocket Science Group, LLC.): MailChimp is an email address management and message sending service provided by The Rocket Science Group, LLC. Personal Data collected: email address. Place of processing: US – Privacy Policy.
Mandrill (The Rocket Science Group, LLC.): Mandrill is an email address management and message sending service provided by The Rocket Science Group, LLC. Personal Data collected: email address and Usage Data. Place of processing: US – Privacy Policy.
Where you enable Marketing cookies, we may send hashed user-provided data (such as email addresses) to Google for ad measurement and enhanced conversions, subject to Google's policies and your consent choices.
SendCloud (SendCloud B.V.):
SendCloud is a shipping and logistics automation platform provided by SendCloud B.V. We use SendCloud to generate shipping labels, manage parcel logistics, and coordinate delivery services for orders placed through our Site. SendCloud processes Personal Data necessary to fulfil shipments, including recipient name, address, email address, order details, and tracking information.
Personal Data collected: various types of Data as specified in the privacy policy of the service.
Place of processing: EU – Privacy Policy.
Packlink (Auctane S.L.U.):
Packlink is a shipping and parcel-delivery comparison and fulfilment service provided by Auctane S.L.U. We use Packlink to create shipping labels, coordinate courier services, and manage deliveries for orders placed on our Site. Packlink processes Personal Data necessary to fulfil shipments, including recipient name, postal address, email address, phone number, and order-related details.
Personal Data collected: various types of Data as specified in the privacy policy of the service.
Place of processing: EU – Privacy Policy.
Stripe (Stripe Payments Europe Ltd / Stripe Inc.):
Stripe is a payment service provided by Stripe. For Users in the EU/EEA, personal data is primarily processed by Stripe Payments Europe Ltd (Ireland). Stripe may also transfer data internationally, including to the United States, in accordance with applicable data-transfer safeguards such as the EU–US Data Privacy Framework and Standard Contractual Clauses.
Personal Data collected: various types of Data as specified in the privacy policy of the service.
Place of processing: EU and other regions as described in Stripe’s privacy policy – Privacy Policy.
PayPal (PayPal Holdings Inc.):
PayPal is a payment service provided by PayPal Holdings Inc. We use PayPal to process online payments made by Users. In doing so, PayPal may collect and process Personal Data necessary to complete the transaction, including billing information, payment method details, transaction data, and other information as specified in PayPal’s own privacy policy.
Personal Data collected: various types of Data as specified in the privacy policy of the service.
Place of processing: EU, United States, and other regions as described in PayPal’s privacy notice – Privacy Policy.
Gmail / Google Workspace (Google Ireland Limited):
Gmail is an email service provided through Google Workspace by Google Ireland Limited. We use Gmail to manage our email and support communications and handle enquiries sent by Users. In doing so, Google may process Personal Data contained in those emails, including the User’s name, email address, message content, and any other information voluntarily provided, as specified in Google’s own privacy policy.
Personal Data collected: various types of Data as specified in the privacy policy of the service.
Place of processing: EU/EEA and, where applicable, the United States under Standard Contractual Clauses (SCCs) – Privacy Policy.
Looker Studio / BigQuery (Google LLC): Internal analytics and reporting for authorised staff. We currently export aggregated non-personal metrics (for example country-level statistics) for operational analysis. If this scope changes to include personal data, we will update this policy and our vendor records. Place of processing: as described in Google's privacy policy – Privacy Policy.
Fatturhello (DATA CONSULT S.R.L.):
Fatturhello is an electronic invoicing and tax-compliance service provided by DATA CONSULT S.R.L. We use Fatturhello to generate, manage, and transmit electronic invoices in SDI (Sistema di Interscambio) format to the Italian Tax Authority, in compliance with applicable Italian tax laws. In providing this service, Fatturhello processes Personal Data contained in invoicing and billing records, such as customer name, billing address, VAT number or tax code, invoice details, and transaction-related information, strictly as required to fulfil legal and accounting obligations.
Personal Data collected: various types of Data as specified in the privacy documentation provided by the service.
Place of processing: EU.
Tax Compliance (SDI – Sistema di Interscambio)
Where required by Italian law, certain invoicing and billing data will be transmitted to the Italian Tax Authority via the Sistema di Interscambio (SDI) pursuant to Decreto Legislativo 127/2015. This disclosure is made to comply with legal obligations (Art. 6(1)(c) GDPR). The Italian Tax Authority acts as an autonomous data controller for the data it receives.
As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to ensure that an individual is always aware of when their data is being collected. We may also collect anonymous data such as traffic, IP addresses and transaction statistics, which may be used and shared on an aggregated and anonymous basis.
5. HOW DATA IS STORED
We primarily store and process personal data in the European Union (including hosting regions such as Milan, Frankfurt, and Paris). Our staff and authorised contractors are mostly located in the EEA. Some processors may process data in other countries (for example the United States). Where personal data is transferred outside the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, and/or provider certification frameworks, as applicable. Details are in our vendor agreements and the Cookie Policy.
6. WHEN DATA IS USED
In general, the primary principle is that we will not use any data other than for the purpose for which it was collected. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted. We will retain data for the period necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.
Information is used to enable us to operate the Site and our business, especially as it relates to an individual. This may include:
a) Creating and publishing profiles of Photographers including personal information;
b) Users’ communications, including between Photographers and Photo Editors, from and to individuals;
c) The provision of services between an individual and us;
d) Verifying an individual’s identity;
e) Communicating with an individual about:
i. Their relationship with us;
ii. Our goods and services;
iii. Our marketing and promotions to customers and prospects;
iv. Competitions, surveys and questionnaires;
f) Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; and/or
g) As required or permitted by any law (including EU General Data Protection Regulation).
7. WHEN DATA IS DISCLOSED
We will not disclose or sell an individual’s data to unrelated third parties under any circumstances. At the same time, it may be necessary for us to disclose an individual’s data to related third parties in a manner compliant with EU General Data Protection Regulation in the course of our business, or in specific circumstances, such as:
a) When we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of;
b) As required by law (including EU General Data Protection Regulation); and/or
c) In order to sell our business (as we may transfer data to a new owner).
Where we transfer personal data to processors or partners outside the EEA/UK, we require appropriate contractual and security safeguards consistent with GDPR Chapter V (for example SCCs or adequacy). We maintain a vendor register and review transfer mechanisms periodically.
We may transmit personal information to third-party service providers when legally permitted and where we have an appropriate agreement (for example a Data Processing Agreement or processor terms), such as with payment providers, hosting, email, or logistics partners.
8. THIRD-PARTY ACCOUNTS
You may register or sign in using Google (OAuth). Information we receive depends on your Google account settings and the scopes you approve. We do not currently offer other social login providers on the Website.
9. COOKIE POLICY
We use cookies and similar technologies as described in our dedicated Cookie Policy.
In summary:
phm_consent cookie. Optional categories use additional first-party cookies (phm_preferences, phm_statistics) and, when enabled, third-party cookies from partners such as Google and Meta. For questions: privacy@phmuseum.com.
10. OPTING “IN” OR “OUT”
An individual may opt to not have us collect their data. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us. They will be aware of this when:
a) Opt In. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us; or
b) Opt Out. Where relevant, the individual will have the right to choose to exclude himself or herself from some or all collection of information and/or receiving information from us.
If an individual believes that they have received information from us that they did not opt in or out to receive, they should contact us on the details below.
11. THE SAFETY & SECURITY OF DATA
We will take all reasonable precautions to protect an individual’s data from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.
The security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, data where the security of information is not within our control.
We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s data to in accordance with this policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.
If an individual suspects any misuse or loss of, or unauthorised access to, their data, they should let us know immediately at privacy@phmuseum.com. We are not liable for any loss, damage or claim arising out of another person’s use of the data where we were authorised to provide that person with the data.
12. HOW TO ACCESS AND/OR UPDATE INFORMATION
You can always monitor and edit the personal information provided by logging in and using the Edit Profile and Account Settings options in your personal menu. EU General Data Protection Regulation also gives you the right to request from us the data that we have about you. You further have the Right To Be Forgotten, which means that you can request us to delete your account and all the information stored in it, at any time.
If You cannot update your own information, we will correct any errors in the data we hold about an individual within 7 days of receiving written notice from them about those errors. It is an individual’s responsibility to provide us with accurate and truthful data. We cannot be liable for any information that is provided to us that is incorrect.
13. COMPLAINTS AND DISPUTES
If you have a complaint about our handling of your data, you should address your complaint in writing to privacy@phmuseum.com. You also have the right to lodge a complaint with the Italian supervisory authority (Garante per la protezione dei dati personali).
If we have a dispute regarding an individual’s data, we both must first attempt to resolve the issue directly between us.
If we become aware of any unauthorised access to an individual’s data we will inform them at the earliest practical opportunity once we have established what was accessed and how it was accessed.
14. ADDITIONS TO THIS POLICY
We reserve the right to amend, in our sole discretion, this Agreement and any supplemental terms, to comply with applicable laws, to address new services or features, or for any other reasons we determine in our sole discretion. If we decide to change this Privacy Policy, we will post the changes on our website in this section, and notify you via email in case of a relevant change. It is your responsibility to refer back to this Privacy Policy to review any amendments.
15. CONTACTING US
Privacy and data protection: privacy@phmuseum.com
Postal address: PHmuseum Srl, Via Paolo Fabbri 10/2a, 40138 Bologna, Italy
We suggest contacting us by email in the first instance.
Last updated: 18 May 2026