Privacy Policy
1. Controller / Data Controller
The controller responsible for processing your personal data within the meaning of the EU General Data Protection Regulation (GDPR) is:
Max Kammesheidt
(operating under the trade name "sihmo")
Waldstraße 66, 58135 Hagen, Germany
E-mail: max.kammesheidt@sihmo.com
(hereinafter: "sihmo", "we", "us")
2. Scope of this Privacy Policy
This Privacy Policy explains how sihmo collects, uses, stores, and shares personal data when you use the sihmo platform (available at sihmo.com and associated subdomains) (hereinafter “sihmo platform” or “platform”), including all related services, features, and communications.
This policy applies to all users of the platform, including photographers and customers.
3. Legal Bases for Processing (Art. 6 GDPR)
We process personal data on the following legal bases:
- Art. 6(1)(b) GDPR — processing necessary for the performance of a contract (e.g. providing platform services, processing bookings and payments) and especially where photos showing identifiable individuals are uploaded, displayed, sold, and downloaded via the platform. In such cases we process these photos as personal data in order to enable photographers and customers to use the platform functionalities (presentation of portfolios, bookings, purchase and download of photos). Any further processing of photos by photographers outside the sihmo platform (e.g. on their own websites, social media accounts, or for their own advertising purposes) is carried out under their own responsibility as independent controllers.
- Art. 6(1)(c) GDPR — processing necessary for compliance with a legal obligation (e.g. tax, accounting, and regulatory requirements)
- Art. 6(1)(f) GDPR — processing necessary for our legitimate interests, which are: operating and securing the platform, preventing fraud and abuse, and ensuring the technical reliability of the service. We have balanced these interests against your rights and freedoms and determined that they do not override your interests in the context of the specific processing activities described below.
- Art. 6(1)(a) GDPR — processing based on your freely given, specific, informed and unambiguous consent (e.g. marketing communications). You may withdraw consent at any time without affecting the lawfulness of prior processing.
4. Categories of Personal Data We Process
4.1 Registration and Account Data
When you create an account, we collect:
- Full name and display name
- E-mail address
- Password (stored using one-way hashing; never readable)
- User role (Photographer or Customer)
- Date of registration and account status
4.2 Profile and Content Data
- Profile photos, portfolio images, and bio information you choose to provide
- Service descriptions, pricing, and availability (photographers)
- Photos uploaded, delivered, or purchased via the platform
- Ratings and reviews
4.3 Transaction and Payment Data
When transactions are processed, we collect and store:
- Booking and order details (services, dates, scope, amounts)
- Transaction records and platform fee amounts (currently 10% of transaction value)
- Payment status and references (e.g. Stripe transaction IDs)
Full payment card details are never stored by sihmo. These are handled exclusively by Stripe (see Section 7.4).
4.4 Communication Data
- Messages exchanged between users via the platform's in-app messaging system
- Support correspondence with sihmo
- E-mails sent and received via our e-mail service provider (see Section 7.3)
4.5 Usage and Technical Data
- IP address, browser type and version, operating system
- Device and screen information
- Pages visited, features used, session duration, referrer URLs
- Server log files and error reports
5. Purposes of Processing and Retention Periods
The following table summarises the purposes for which we process your data and how long we retain it. We delete personal data as soon as it is no longer required for the stated purpose, unless a longer retention period is required by law.
5.1 Account and Profile Data
Purpose: Account creation, authentication, provision of platform services.
Legal basis: Art. 6(1)(b) GDPR.
Retention: For the duration of the contractual relationship. Upon account deletion, data is deleted within 30 days, subject to longer retention required by law (see 5.3). Ratings and reviews submitted by users about other users are stored for the duration of the respective user accounts. After account deletion, such ratings and reviews may either be anonymised (i.e. no longer attributed to the profile of the reviewing user) or deleted, unless overriding legitimate interests (e.g. evidence of proper use of the platform in case of disputes) require longer retention.
5.2 Messaging Data
Purpose: Facilitating communication between photographers and customers in connection with bookings and services.
Legal basis: Art. 6(1)(b) GDPR.
Retention: Messages are retained for 2 years after the last booking between the relevant users, then deleted. This period covers applicable statutory warranty and limitation periods.
6. Third-Party Service Providers and Data Processors
Purpose: Storage, processing, and delivery of images on the platform (portfolio images, profile photos, purchased photos). Cloudflare also provides DDoS protection and network security.
Data processed: Images and associated metadata (file identifiers, upload timestamps); IP addresses for content delivery and security purposes.
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR (legitimate interest: fast, reliable and secure image delivery and platform protection). DPA in place.
Third-country transfer: Cloudflare is established in the USA and may process data in global data centres. Transfers are safeguarded by SCCs pursuant to Art. 46(2)(c) GDPR.
Privacy policy: https://www.cloudflare.com/privacypolicy/
6.6 External Development and Maintenance Team (India)
Provider: Innovative Code Labs Pvt. Ltd., D-176, 4th Floor, Phase 8B, Industrial Area, Sector 74, Mohali, Punjab 160055
Purpose: Software development, maintenance, and technical support for the sihmo platform. During maintenance and support activities, the external development team may, for technical reasons, access personal data stored on the platform. Such access is limited to what is necessary for the specific maintenance purpose, is logged, and is subject to strict contractual controls. We ensure that access to personal data by the development team is restricted to the minimum necessary (need-to-know principle).
Data that may be accessed: Any personal data stored on the platform may technically be accessible during maintenance operations, including account data, booking data, and messaging data. Access is limited to what is technically necessary and subject to confidentiality obligations.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest: maintaining a functional and secure platform). DPA in place.
Third-country transfer: The development team is located in India. Data transfers are safeguarded by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, supplemented by contractual confidentiality obligations and access restrictions.
7. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve the platform.
Strictly Necessary Cookies: Required for core platform functionality (session management, authentication, security). Cannot be disabled. No consent required under Art. 6(1)(b) and (f) GDPR.
Functional Cookies: Remember your settings and preferences (e.g. logged-in state). Set on the basis of our legitimate interest (Art. 6(1)(f) GDPR).
Analytics and Marketing Cookies: Where we use analytics or marketing tools that set non-essential cookies, we will request your prior consent via a cookie consent banner before any such cookies are set (Art. 6(1)(a) GDPR). You can adjust your consent at any time via the cookie settings accessible in the platform footer. Within our cookie banner, you can choose to accept all non-essential cookies, reject them, or make individual settings. The option to reject non-essential cookies is just as easily accessible and easy to use as the option to accept them. You can also control or delete cookies through your browser settings. Please note that disabling certain cookies may impair platform functionality.
8. Your Rights Under the GDPR
As a data subject, you have the following rights, which you can exercise by contacting us at support@sihmo.com:
- Right of access (Art. 15 GDPR): Request confirmation of whether and which personal data we hold about you, and receive a copy.
- Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): Request deletion of your data, subject to applicable retention obligations (e.g. tax law).
- Right to restriction of processing (Art. 18 GDPR): Request that we restrict processing in certain circumstances.
- Right to data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): Object at any time to processing based on legitimate interests, on grounds relating to your particular situation. Where you object to direct marketing, we will cease processing immediately without requiring justification.
- Right to withdraw consent (Art. 7(3) GDPR): Withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
We will respond to your request within one month of receipt (Art. 12(3) GDPR). In complex or numerous cases we may extend this by a further two months, informing you in advance.
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority at any time. The authority competent for sihmo based on our location in Hagen, North Rhine-Westphalia is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
Tel.: +49 211 38424-0
E-mail: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de
You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the EU.
10. International Data Transfers
Several of our service providers are located in or process data in countries outside the European Economic Area (EEA), in particular the United States and India. Neither country currently has an EU adequacy decision in force for all transfers.
We ensure that all such transfers are subject to appropriate safeguards, specifically Standard Contractual Clauses (SCCs) as approved by the European Commission under Art. 46(2)(c) GDPR. Copies of the applicable SCCs can be provided on request by contacting support@sihmo.com.
11. Data Security
We implement appropriate technical and organisational measures (TOMs) to protect your personal data against unauthorised access, loss, or destruction (Art. 32 GDPR), including:
- Encrypted data transmission (HTTPS/TLS) for all platform traffic
- Access controls and role-based permissions for platform systems
- Contractual confidentiality obligations for all personnel and contractors with system access
- Regular review of third-party provider security practices
- Data minimisation: we collect only data necessary for the stated purpose
12. Children's Data
The sihmo platform is intended exclusively for persons aged 18 or over. We do not knowingly collect personal data from minors. If we become aware that data of a person under 18 has been collected, we will delete it without undue delay. If you have reason to believe this has occurred, please contact support@sihmo.com.
13. Photographers as Independent Controllers
Where photographers process personal data of customers or third parties (including persons depicted in photographs) for their own purposes beyond the scope of the sihmo platform, they act as independent controllers within the meaning of Art. 4(7) GDPR.
Photographers are solely responsible for compliance with applicable data protection law in relation to such processing, including obtaining any required consent from depicted persons and providing required information notices. Photographers are in particular responsible for:
- ensuring that they hold all necessary copyright and data protection rights to the photos they upload,
- obtaining any required consent from individuals depicted in the photos or relying on another appropriate legal basis for the processing,
- providing such individuals with the information required under Art. 13 and 14 GDPR, and
- handling data subject requests (e.g. access, rectification, erasure) directed at their own processing activities.
Any use of photos by photographers outside the sihmo platform (e.g. on their own websites, social media profiles, or in advertising materials) is carried out under the photographer's own responsibility and not under ours.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via e-mail and/or a prominent notice on the platform at least 30 days before the change takes effect. The date of the last update is shown at the top of this document.
Your continued use of the platform after notification of a material change constitutes acceptance of the updated Privacy Policy, to the extent permitted by applicable law.
15. Contact / Data Protection Inquiries
For any questions, requests, or concerns relating to this Privacy Policy or our data processing, please contact:
sihmo — Datenschutz / Data Protection
Max Kammesheidt
Waldstraße 66, 58135 Hagen, Germany
E-mail: support@sihmo.com