Information pursuant to Art. 13 and 14 GDPR
The controller responsible for data processing on this website is:
ProofShare
Andres Hoffmann
Neumeisterstrasse 15
13585 Berlin
E-Mail: kontakt@proofshare.de
Phone: 030 577 037 05
The following overview summarises the types of data processed and the purposes of their processing, and refers to the data subjects concerned.
Below you will find an overview of the legal bases of the GDPR on which we process personal data:
Our web server automatically processes the following data (server log files) on each access:
Processing is based on our legitimate interests in providing a secure and functional online service (Art. 6(1)(f) GDPR).
This website uses technically necessary session cookies and local storage (localStorage) for your cookie preferences. No tracking, analytics, or advertising cookies are used without your consent.
Session cookies serve the following purposes:
Session cookies are automatically deleted when the browser is closed. The cookie flags HttpOnly, Secure and SameSite are enabled to ensure security.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) – technically necessary cookies do not require consent pursuant to § 25(2) TDDDG.
Your consent decision regarding Google reCAPTCHA (required to use the contact form) is stored in your browser's localStorage. This is technically necessary to save your preference and apply it on future visits.
| Name | Purpose | Storage Duration |
|---|---|---|
| cookie_consent | Stores your consent decision for Google reCAPTCHA | 1 year |
| remember_me | Keeps you logged in across browser restarts – only set when you actively enable "Stay logged in" at login (opt-in) | 30 days |
Legal basis for cookie_consent: Legitimate interests (Art. 6(1)(f) GDPR) – storing your cookie preferences is technically necessary.
Legal basis for remember_me: Legitimate interests (Art. 6(1)(f) GDPR) in conjunction with the explicit action of the data subject (§ 25(2) TDDDG) – you actively choose this function.
Photographers who use ProofShare to share photo galleries with their clients process personal data of those clients (e.g. names, email addresses, access codes, image selections) via the Platform. In this context, the photographer is the controller within the meaning of Art. 4(7) GDPR; ProofShare acts as a processor within the meaning of Art. 28 GDPR.
The legal basis and specific obligations of both parties are governed by the Data Processing Agreement (DPA), which every photographer accepts upon registration. The technical and organisational measures implemented by ProofShare are described in the TOM document (Annex 2 to the DPA).
Photographers are responsible for informing their own clients about the involvement of ProofShare as a processor and for including the necessary information in their own privacy policies.
Uploaded photos, logos and thumbnails are stored with Cloudflare R2 (Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA). Cloudflare R2 is an S3-compatible object storage service.
Processing is based on the performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interests in reliable and scalable data storage (Art. 6(1)(f) GDPR).
Cloudflare has joined the EU-US Data Privacy Framework (DPF) and provides appropriate safeguards for data transfers to the USA. Further information: Cloudflare Privacy Policy.
For sending transactional emails (e.g. registration confirmation, password reset, workflow notifications), we use the email delivery service Brevo (Sendinblue SAS, 7 rue de Madrid, 75008 Paris, France).
When an email is sent via Brevo, the following data is transmitted to and processed by Brevo:
Brevo is based in France and is subject to the GDPR as an EU-based provider. We have concluded a data processing agreement (DPA) with Brevo in accordance with Art. 28 GDPR. Click and open tracking is disabled in our implementation; no tracking pixels or redirected links are used.
Legal basis: Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR) and legitimate interests in reliable email delivery (Art. 6(1)(f) GDPR).
Further information: Brevo Privacy Policy.
On certain pages, JavaScript libraries are loaded from external CDN servers. When loading these resources, your IP address is transmitted to the respective CDN provider.
The following libraries are loaded from jsDelivr (Prospect One, ul. Krolowej Jadwigi 230/20, 30-212 Kraków, Poland; CDN infrastructure via Cloudflare and Fastly):
Further information: jsDelivr Privacy Policy.
The following libraries are loaded from unpkg.com (Cloudflare-hosted) on the customer portal:
Legal basis (both CDNs): Legitimate interests in the technically correct display of the website (Art. 6(1)(f) GDPR).
When you contact us via the contact form, the following data is processed:
The IP address is temporarily stored server-side and automatically deleted after one hour. It is used exclusively to protect against misuse (rate limiting: max. 5 requests per hour).
Legal basis: Pre-contractual measures (Art. 6(1)(b) GDPR) and legitimate interests in protection against spam (Art. 6(1)(f) GDPR).
To protect our contact form against automated spam requests, we use the service Google reCAPTCHA v3 provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
reCAPTCHA v3 analyses user behaviour in the background (e.g. mouse movements, time on page, IP address) to determine whether it is a human or a bot. The following data is transmitted to Google:
The use of reCAPTCHA is required to submit the contact form. You will be asked for your consent via the cookie banner before the form can be submitted. Without your consent, the contact form cannot be used.
Your consent decision is stored in your browser (localStorage) and can be changed at any time via the cookie banner.
Legal basis: Consent (Art. 6(1)(a) GDPR).
Further information can be found in Google's Privacy Policy and the Google Terms of Service.
As part of the customer portal, the following data is processed:
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) – data processing is necessary for the provision of the agreed photography service.
If you activate push notifications in your account settings, your browser generates a push subscription consisting of:
This data is stored in our database and used to deliver notifications (e.g. "Step completed", "New upload") to your device. The endpoint URL is technically assigned to your device and constitutes personal data.
When a notification is sent, the message content is transmitted in encrypted form to the push service of your browser manufacturer. The push service provider processes your IP address and transmits the encrypted message to your browser.
Push subscriptions are deleted when you deactivate push notifications or delete your account.
Legal basis: Consent (Art. 6(1)(a) GDPR) – you actively activate push notifications; you can deactivate them at any time in your account settings.
For processing subscription payments, we use the service Stripe by Stripe, Inc., 510 Townsend St, San Francisco, CA 94103, USA (for EU customers: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland).
When you subscribe, the following data is transmitted to and processed by Stripe:
Credit card information and other payment data is stored and processed exclusively with Stripe. We only receive an anonymised confirmation of successful payment and a customer ID from Stripe. Stripe is certified according to the PCI-DSS standard (Payment Card Industry Data Security Standard).
Stripe has joined the EU-US Data Privacy Framework and provides appropriate safeguards for data transfers to the USA.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) – processing is necessary for the performance of the subscription agreement.
Further information: Stripe Privacy Policy.
In the moodboard and call sheet functions, interactive maps are embedded via the OpenStreetMap service. The map display is provided by the JavaScript library Leaflet in combination with map tiles from OpenStreetMap.
When loading the map tiles, your IP address is transmitted to the servers of the OpenStreetMap Foundation (OSMF), St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom. This is technically necessary for the browser to retrieve the map data.
OpenStreetMap maps are only loaded when you actively use the corresponding function (moodboard or call sheet with locations). No tracking cookies are set by OpenStreetMap.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) – embedding the map serves to display shooting locations and is technically necessary for the use of the corresponding functions.
Further information: OpenStreetMap Privacy Policy.
In the moodboard function, QR codes for Google Maps links to shooting locations are generated via the external service api.qrserver.com (goQR.me, operated by Andreas Haerter and Andreas Wolf, Germany).
When a QR code is generated, the following data is transmitted to api.qrserver.com:
QR codes are only generated when you actively use the QR code function in a moodboard. No personal login data is transmitted.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) – the QR code generation serves to provide the shooting location for all project participants.
Further information: goQR.me Privacy Policy.
We store personal data only for as long as necessary for the respective purposes:
Statutory retention obligations (e.g. tax retention periods of 6 or 10 years) remain unaffected.
As a data subject, you have the following rights:
To exercise your rights, please contact: kontakt@proofshare.de
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).
This service uses open source software components. No data is transmitted to the authors of these libraries; they are used exclusively as part of the operation of this service. The following libraries are worth noting:
| Library | Licence | Purpose |
|---|---|---|
| Leaflet | BSD-2-Clause | Interactive maps |
| Fabric.js | MIT | Canvas annotations |
| JSZip | MIT | ZIP downloads |
| SunCalc | BSD-2-Clause | Sun position calculation |
| Masonry Layout | MIT | Image gallery |
| PHPMailer | LGPL-2.1 | Email delivery |
| Stripe PHP SDK | MIT | Payment processing |
| AWS SDK for PHP | Apache-2.0 | Cloudflare R2 storage |
| endroid/qr-code | MIT | QR code generation |
| minishlink/web-push | MIT | Push notifications |
| pragmarx/google2fa | MIT | Two-factor authentication |
| vlucas/phpdotenv | BSD-3-Clause | Configuration |
In the event of a breach of the security of personal data within the meaning of Art. 4(12) GDPR, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also notify the data subjects concerned without undue delay in accordance with Art. 34 GDPR, unless one of the exceptions set out in Art. 34(3) GDPR applies.
Where ProofShare acts as a processor for photographers, we will notify each affected photographer of any breach within 36 hours of becoming aware, so that the photographer can fulfil their own notification obligations as controller. Details of our breach notification procedure are set out in the Data Processing Agreement (DPA).
We reserve the right to adapt this privacy policy to ensure it always complies with current legal requirements or to reflect changes to our services. The updated privacy policy will apply to your next visit.
Last updated: June 2026