Privacy Policy
Last updated on April 28, 2026
⚠️ Working draft — This document was prepared with AI assistance and is pending professional legal validation. The legally binding version may differ. For specific questions please contact contact@pegasus-photo.com.
1. Introduction
This Privacy Policy explains how Pegasus Photo Creations CommV ("the Company", "We", "Us", "Our") collects, uses and protects personal data when You use Our Service or appear in photographs taken by Us at events.
This Policy is drafted in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
Our business is event photography. This means We process personal data in two distinct capacities:
- As a service provider — when You book photo packages, place orders in Our webshop or use Our on-site kiosk.
- As an event photographer — when You appear in photographs because You are riding, attending or participating in an event at which We are the official or authorised photographer.
Both situations are covered in this Policy. Where Your rights or our obligations differ between the two, this is clearly indicated.
2. Data Controller
The data controller for the personal data described in this Policy is:
Pegasus Photo Creations CommV Stationsstraat 389 1770 Liedekerke Belgium
- Enterprise number (KBO/BCE):
0567.934.010 - VAT:
BE0567.934.010 - Email: contact@pegasus-photo.com
- Phone:
+32 53 214 026
We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so under Article 37 GDPR. For all data protection questions, please contact Us at the email address above.
3. Definitions
For the purposes of this Privacy Policy:
- Personal data means any information relating to an identified or identifiable natural person, including names, addresses, email addresses, phone numbers, photographs, IP addresses and online identifiers.
- Processing means any operation performed on personal data, including collection, storage, use, disclosure, transfer and deletion.
- Service means the websites, applications and platforms operated by the Company, including https://www.pegasus-photo.com and its subdomains, the booking platform, the webshop, the on-site sales kiosk, and any photo delivery system.
- Photographs means any photographic, video or digital imagery created by or on behalf of the Company, including imagery of identifiable individuals, horses or property.
- Subject means a natural person who appears in a Photograph.
- Customer means a natural or legal person who has booked, purchased or enquired about Our products or services.
- You means the individual to whom this Policy is addressed, whether as a Customer, Subject or general visitor of Our Service.
4. Categories of Personal Data We Process
4.1 Data We collect from Customers
When You interact with the Service as a Customer, We may collect:
- Identification data: first name, last name.
- Contact data: email address, postal address, phone number.
- Account data: username, encrypted password, account preferences, language preference.
- Transaction data: items ordered, order date, amount paid, payment method, invoice and credit-note information, VAT number (for business customers).
- Communication data: correspondence with Us, support requests.
- Booking data: event for which a package is booked, rider/horse name, class, participation details (where these refer to identifiable third parties, see Section 4.2).
4.2 Data We process about Subjects (riders, attendees, owners)
When You appear in a Photograph taken by Us at an event, We may process:
- Image data: photographs and (where applicable) video footage in which You are identifiable.
- Sport data: rider name, horse name, class, start number, ranking, time, prize information — typically obtained from the event organiser or from the Equipe.com platform via its public/professional API.
- Contextual metadata: date, time, venue and class of capture.
We process this data to identify which photographs belong to which rider, to make these Photographs available for purchase to the rider or other authorised parties, and to keep an organised photo archive.
4.3 Data We collect automatically (Usage Data)
When You visit Our Service, We automatically collect technical data such as IP address, browser type and version, device type, operating system, pages visited, date and time of visit, and referring URL. This information is collected for security, troubleshooting and analytics purposes.
4.4 Cookies and similar technologies
Our Service uses cookies and similar tracking technologies. Detailed information on which cookies We use, their purposes and how You can manage Your preferences is set out in Our Cookie Policy.
5. Purposes and Legal Bases for Processing
We process personal data only where We have a valid legal basis under Article 6 GDPR. The table below summarises the main processing activities.
5.1 Customer data
| Purpose | Legal basis (Article 6 GDPR) |
|---|---|
| Creating and managing Your account | Performance of a contract — Art. 6(1)(b) |
| Processing bookings, orders and deliveries | Performance of a contract — Art. 6(1)(b) |
| Processing payments | Performance of a contract — Art. 6(1)(b) |
| Issuing invoices and credit notes; bookkeeping | Legal obligation — Art. 6(1)(c) |
| Customer support and handling enquiries | Performance of a contract / legitimate interest — Art. 6(1)(b) / (f) |
| Sending newsletters and promotional emails | Consent — Art. 6(1)(a), or soft opt-in for similar products under Belgian e-commerce law |
| Fraud prevention and security | Legitimate interest — Art. 6(1)(f) |
| Statistical analysis to improve the Service | Legitimate interest — Art. 6(1)(f) |
| Compliance with tax, accounting and consumer-protection law | Legal obligation — Art. 6(1)(c) |
5.2 Subject data (riders, attendees in Photographs)
| Purpose | Legal basis (Article 6 GDPR) |
|---|---|
| Photographing public equestrian events as the official or authorised photographer | Legitimate interest — Art. 6(1)(f) of the Company and the event organiser to document the sporting event |
| Matching Photographs to riders using class lists and Equipe data | Legitimate interest — Art. 6(1)(f) to enable an organised photo archive and offer Photographs for purchase to the relevant rider |
| Offering Photographs for sale through the Service | Legitimate interest — Art. 6(1)(f) and contractual relationship with the event organiser |
| Storing Photographs as part of Our archive | Legitimate interest — Art. 6(1)(f) to maintain a body of work and enable future requests |
| Using Photographs in Our own marketing (with discretion) | Legitimate interest — Art. 6(1)(f), subject to Your right to object |
In assessing Our legitimate interests against Your rights, We have considered that equestrian events are public sporting events at which the presence of photographers is generally expected and visibly indicated, and that photography is in line with the reasonable expectations of competitors. You retain the right to object to processing at any time (see Section 9).
5.3 Visitors and general Service users
| Purpose | Legal basis (Article 6 GDPR) |
|---|---|
| Operating the Service securely | Legitimate interest — Art. 6(1)(f) |
| Analytics (where used) | Consent — Art. 6(1)(a), via cookie banner |
| Responding to contact-form enquiries | Legitimate interest / pre-contractual measures — Art. 6(1)(f) / (b) |
6. Recipients of Personal Data
We share personal data only where necessary, and only with recipients who provide adequate guarantees of compliance with the GDPR. Our principal categories of recipients are:
6.1 Service providers (data processors)
These organisations process data on Our behalf, under written data processing agreements as required by Article 28 GDPR.
- Payment processors: Mollie B.V. (Netherlands) and Stripe Payments Europe Ltd. (Ireland) for processing payments. Card details are submitted directly to these processors and are not stored by Us.
- Cloud database and storage: Supabase Inc. (United States), used for application databases and storage of digital download files.
- Email delivery: Resend (United States), used for transactional emails (order confirmations, download links, password resets).
- Hosting and infrastructure: Hetzner Online GmbH (Germany), Plesk-managed web hosting, and our own on-premises Synology storage in Belgium.
- AI image processing: Anthropic, PBC (United States), used for automated subject and start-number detection in Our photo sorting pipeline. Images are submitted via API for the purpose of classification only and are not used by Anthropic to train its models, in accordance with Anthropic's commercial terms.
- Sport data integration: Equipe AB (Sweden), the equestrian event-management platform from which we read class, rider and result data via its API to match Photographs to riders.
A current list of processors is available on request.
6.2 Other recipients
- Event organisers — to whom We may provide selected Photographs in line with Our agreement with them.
- Public authorities and courts — where We are required by law to disclose personal data.
- Professional advisors — accountants, lawyers and auditors bound by confidentiality.
We do not sell personal data and do not share personal data with advertising networks or data brokers.
7. International Transfers
Some of Our processors are established outside the European Economic Area (EEA), notably in the United States (Anthropic, Supabase, Resend, Stripe in part).
For such transfers, We rely on the following safeguards under Chapter V GDPR:
- The EU–US Data Privacy Framework (where the recipient is certified under the Framework), and/or
- Standard Contractual Clauses approved by the European Commission, supplemented where necessary by additional technical and organisational measures.
You may request a copy of the relevant safeguard by contacting Us at the address in Section 2.
8. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required by law.
| Category | Retention period |
|---|---|
| Customer account data | For the duration of the account, plus 5 years after closure |
| Order and invoice data | 7 years from the date of the invoice (Belgian accounting law) |
| Payment data | As required by Our payment processors and applicable law |
| Marketing-list data | Until You unsubscribe, plus a short technical retention to prevent re-subscription errors |
| Support correspondence | 3 years from last contact |
| Server logs | Up to 12 months |
| Photographs of Subjects | Indefinitely as part of Our archive, subject to Your right to erasure (see Section 9). Photographs older than 5 years may be moved to cold storage and removed from active sales channels. |
| Booking-related Subject data | Aligned with the lifecycle of the corresponding Photographs |
9. Your Rights
Under the GDPR, You have the following rights in respect of Your personal data:
- Right of access — to obtain confirmation of whether We process Your personal data, and a copy of that data.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten") — to have Your personal data deleted, where one of the grounds in Article 17 GDPR applies.
- Right to restriction of processing — in the circumstances set out in Article 18 GDPR.
- Right to data portability — to receive Your personal data in a structured, commonly used and machine-readable format, where the processing is based on consent or contract and is carried out by automated means.
- Right to object — to processing based on Our legitimate interests (Article 6(1)(f)), including processing of Photographs in which You appear and any direct-marketing communications.
- Right to withdraw consent — at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Specific rights for Subjects appearing in Photographs
If You appear in a Photograph and would like that Photograph to be removed from Our active sales channels, please contact Us. We will assess Your request promptly and in line with our legitimate-interest balancing. We will normally honour reasonable removal requests, particularly where:
- the Photograph is unflattering or harmful to Your reputation;
- the Photograph identifies a minor;
- You can demonstrate a particular situation that overrides Our legitimate interest.
We may decline removal where this would conflict with overriding legitimate interests, ongoing legal claims, archival purposes in the public interest, or the rights of other parties (for example, the rider who purchased the Photograph).
How to exercise Your rights
To exercise any of these rights, please email contact@pegasus-photo.com with a clear description of Your request. We may ask You to verify Your identity before responding. We will respond within one month, extendable by a further two months for complex or numerous requests.
Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority, in particular in the Member State of Your habitual residence, place of work or place of the alleged infringement. In Belgium, the supervisory authority is:
Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) Drukpersstraat 35, 1000 Brussels contact@apd-gba.be https://www.gegevensbeschermingsautoriteit.be / https://www.autoriteprotectiondonnees.be
10. Marketing Communications
If You are an existing Customer, We may send You information about products and services similar to those You have already purchased or enquired about, in accordance with the soft opt-in rule under Belgian e-commerce law. You may unsubscribe at any time via the link in any email or by contacting Us.
For other marketing communications (newsletters, promotional offers from third parties, etc.), We rely on Your prior consent.
11. Automated Decision-Making
We do not carry out automated decision-making with legal or similarly significant effects on You within the meaning of Article 22 GDPR.
We do use automated processing for non-decisional purposes such as photo sorting and subject identification (see Section 6.1). These processes do not produce legal effects on individuals; their output is a classification used internally by Us to organise Photographs.
12. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration or destruction, including encryption in transit (TLS), access controls, secure password storage, regular backups, and segregation of production systems.
No method of transmission over the internet or method of electronic storage is fully secure, and We cannot guarantee absolute security. In the event of a personal data breach affecting Your rights and freedoms, We will notify You and the Belgian Data Protection Authority where required by Articles 33 and 34 GDPR.
13. Children's Data
Our Service is not directed at children under 13 years of age. We do not knowingly collect personal data from children. Where Photographs include identifiable minors at events, We process such data under Our legitimate-interest assessment with particular sensitivity, and We will prioritise erasure requests in respect of minors. Parents or legal guardians may contact Us at any time to request the removal of Photographs of their child.
14. Social Media Presence
We operate accounts on social media platforms, including (but not limited to) Facebook, Instagram and (where applicable) other networks. Where We are a "joint controller" with the social network operator (for example, in respect of Page Insights on Facebook/Instagram), the relevant joint-controllership arrangement is determined by the platform operator. We refer You to the privacy policies of the relevant platforms for information on how they process personal data.
We use these platforms to share Photographs (in line with Section 5.2), promote events and engage with the equestrian community.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The version published on the Website is the version in force, and the "Last updated" date at the top reflects the most recent revision. For material changes, We will provide reasonable advance notice (for example, by email to existing Customers or via a prominent notice on the Service).
You are advised to review this Privacy Policy periodically.
16. Contact Us
For any question or request regarding this Privacy Policy or Your personal data:
- By email: contact@pegasus-photo.com
- By post: Pegasus Photo Creations CommV, Stationsstraat 389, 1770 Liedekerke, Belgium
- By phone:
+32 53 214 026