Photo Tour Leader← Back to home

Privacy Policy

Version 2026-06-13

Photo Tour Leader · Operated from Canada

Photo Tour Leader (“we”, “us”, the “Service”) is a software tool operated from Canada, designed for photography workshop and photo tour operators to manage their participant administration. This Privacy Policy explains how we collect, use, store, and protect information when you use the Service.

1. Who this policy applies to

This policy applies to Operators — businesses and individuals who create a Photo Tour Leader account to manage their workshops. It does not govern the relationship between Operators and their own participants. Operators are responsible for their own privacy notices and consent flows with their participants.

2. Information we collect

We collect the following categories of information:

  • Account information — your first and last name, email address, hashed password, optional display name, business name, logo, and your account preferences.
  • Billing information— your subscription plan, billing interval, and a Stripe customer reference. Card numbers are entered on Stripe’s hosted checkout and are never seen or stored by us.
  • Operator-uploaded content — workshop details, participant records (names, contact information, dietary, medical and travel information, passport details, payment records you enter), waiver documents and acceptances, internal notes, checklists, and any other content you create or upload.
  • Consent and legal records — timestamps and version numbers recording your acceptance of these Terms and the Privacy Policy at signup.
  • Technical and usage information — IP address, browser user agent, timestamps, and basic request logs needed to operate, secure, and debug the Service.

3. How we use your information

We use your information to:

  • Provide, maintain, secure, and improve the Service;
  • Process subscription payments through Stripe;
  • Send transactional emails (verification, password reset, intake notifications, billing receipts, trial reminders) and respond to support requests;
  • Detect, prevent, and address fraud, abuse, and security incidents;
  • Comply with our legal obligations.

We do notsell, rent, or share your personal data or your participants’ personal data with third parties for marketing or advertising purposes. We may use aggregated, anonymised usage data to improve the product.

4. Subprocessors

We use the following third-party subprocessors to operate the Service. Each subprocessor has its own privacy and data-processing terms which apply to their handling of your data. By using Photo Tour Leader you acknowledge and agree to these subprocessing relationships.

  • Supabase, Inc.(supabase.com) — database, authentication, and file storage. All application data including operator accounts, participant records, and uploaded documents is stored on Supabase’s managed infrastructure.
  • Vercel, Inc.(vercel.com) — web application hosting and edge delivery. Requests to the Service are routed through Vercel’s infrastructure.
  • Stripe, Inc. (stripe.com) — subscription billing. Card data is handled exclusively by Stripe; we receive only a customer reference and subscription status.
  • Resend (resend.com) — transactional email delivery. Email addresses you enter into the Service and the bodies of emails sent through the Service are transmitted to Resend for delivery.

5. Where your data is stored

Application data and uploaded files are stored on Supabase infrastructure (currently in North America). When you use the Service from outside Canada or when you upload information about participants located outside Canada, that information is transferred to and processed in Canada and in any other region in which our subprocessors operate. By using the Service you consent to those international transfers.

6. Operator responsibility for participant data

If you are an Operator, you are the data controller for the participant information you store in Photo Tour Leader. We act as a data processor on your behalf for that information. You are responsible for:

  • Obtaining appropriate consent from your participants before collecting their personal data and storing it in the Service;
  • Maintaining your own privacy policy and terms with your participants;
  • Complying with applicable privacy laws in every jurisdiction you operate in, including PIPEDA (Canada), the UK GDPR, the EU GDPR, the CCPA/CPRA (California), and any others;
  • Responding to your participants’ data-subject requests (access, correction, deletion, portability);
  • Ensuring participant data is accurate and deleting it when no longer needed.

7. Your rights

Depending on where you live you may have rights to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to lodge a complaint with a supervisory authority. To exercise any of these rights, email us at the address below. We will respond within the time required by applicable law.

8. Data retention

Your account data is retained for as long as your account is active. You may request deletion of your account and all associated data at any time by emailing us. Upon deletion, personal fields are scrubbed from active systems immediately; some records may be retained in anonymised form to preserve referential integrity for audit purposes (e.g. timestamped waiver acceptances). Backups may persist for a short additional period before being purged.

9. Security

We implement industry-standard security measures including encryption in transit (TLS 1.2+), encryption at rest provided by our subprocessors, row-level security in our database, hashed passwords, two-factor authentication, audit logging of administrative actions, and least-privilege access controls. No internet-facing system is perfectly secure; please use a strong, unique password and enable two-factor authentication on your account. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify you and any relevant supervisory authority as required by applicable law.

10. Children

The Service is not directed at children. Operators must not knowingly collect personal data from anyone under the age of 13 (or the equivalent minimum age in your jurisdiction) without verifiable parental or guardian consent. If you believe a child’s data has been provided to us, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to the address on file. Continued use of the Service after any change constitutes acceptance of the updated policy.

12. Contact

Questions about this policy, requests to exercise your rights, or any other privacy matter can be sent to support@phototourleader.com.