Who We Are
Identity & Contact
This Privacy Policy applies to McLeod Photography, operated by Naomi McLeod, a company incorporated in Israel, United States.
We operate the website https://mcleodnphotography.com and sell fine art canvas prints ("the Service"). When this policy says "we," "us," or "our," it refers to Naomi McLeod.
Our designated privacy contact is reachable at: om.toister@gmail.com
Information We Collect
What data we receive and how
We collect information in the following ways:
| Category | Examples | Source |
|---|---|---|
| Identity & Contact | First name, last name, email address | You provide directly at checkout or registration |
| Shipping Address | Street, city, state, ZIP, country | You provide at checkout |
| Transaction Data | Order number, items purchased, amounts, payment status | Generated when you place an order |
| Payment Data | Last 4 digits of card, billing address | Stripe / PayPal — we never store full card numbers |
| Account Data | Username, hashed password, order history | Created if you register an account |
| Usage Data | Pages visited, time on site, browser type, IP address | Automatically via cookies and server logs |
| Communications | Messages sent via contact form or email | You provide directly |
| Marketing Preferences | Newsletter subscription status, opt-out records | You provide at signup or manage via unsubscribe link |
How We Use Your Data
Purpose & Legal Basis
We use your personal information only for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Process and fulfil your order (print production, shipping) | Contract performance |
| Send order confirmation and shipping tracking emails | Contract performance |
| Process returns, refunds, and customer service requests | Contract performance / Legal obligation |
| Maintain your account and cart between sessions | Contract performance / Legitimate interest |
| Send marketing emails (only if you opted in) | Consent |
| Improve our website and product catalogue | Legitimate interest |
| Detect and prevent fraud | Legal obligation / Legitimate interest |
| Comply with tax, accounting, and legal requirements | Legal obligation |
We never sell, rent, or trade your personal information to third parties for their own marketing purposes. We do not use automated decision-making or profiling that produces legal or similarly significant effects.
Cookies & Tracking Technologies
CalOPPA & ePrivacy Directive
We use cookies — small text files stored in your browser — to operate the site. California law (CalOPPA) and EU law require us to disclose this clearly.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential (WooCommerce) | Session management, shopping cart, login state | Session / 30 days |
| WordPress Core | Login session, admin functionality | Session / 14 days |
| Analytics (if enabled) | Aggregate page views, traffic sources — no personal identification | Up to 2 years |
| Payment (Stripe/PayPal) | Fraud prevention, secure checkout | Session |
You can control cookies through your browser settings. Disabling essential cookies will prevent the shopping cart and account login from working correctly. We do not currently respond to Do Not Track (DNT) browser signals as there is no universally accepted standard.
Third-Party Services
Service providers we use
We share data with trusted third parties only as necessary to operate the Service. Each is contractually bound to protect your data and use it solely for the specified purpose:
| Provider | Purpose | Data Shared |
|---|---|---|
| Printify | Print-on-demand production and fulfilment | Name, shipping address, order contents |
| Stripe / PayPal | Payment processing | Payment data, billing address, email |
| Hostinger | Web hosting and server infrastructure | Server logs including IP addresses |
| Mailchimp (if enabled) | Email newsletters (opt-in only) | Email address, first name |
| Shipping carriers (USPS, UPS, FedEx, DHL) | Package delivery | Name, shipping address |
| Google Analytics (if enabled) | Website traffic analysis | Anonymised usage data, no personal identifiers |
We do not share your data with social media platforms for advertising targeting. Any links to external websites are governed by those sites' own privacy policies.
Data Storage & Security
How we protect your information
Your data is stored on servers located in the United States (Hostinger US data centres). We implement the following security measures:
All data transmitted between your browser and our site is encrypted via TLS (HTTPS). Passwords are stored as one-way cryptographic hashes using WordPress's bcrypt implementation — we cannot read your password. Payment card data is never transmitted to or stored on our servers; it goes directly to Stripe's PCI-DSS-certified infrastructure.
Access to the WordPress admin panel is limited to authorised personnel only and protected by strong passwords and, where possible, two-factor authentication.
If Printify or any other processor experiences a breach affecting your order data, we will notify you promptly upon being informed by the processor.
Email Communications
CAN-SPAM Act compliance
We send the following types of emails in compliance with the CAN-SPAM Act of 2003:
Transactional emails — order confirmations, shipping notifications, password resets. These are necessary for the Service and do not require opt-in. They will always identify us as the sender and include our physical mailing address.
Marketing emails — new collection announcements, promotions, photographer stories. These are sent only to people who have explicitly opted in by subscribing. Every marketing email includes an unsubscribe link that works immediately. We honour all opt-out requests within 10 business days as required by law.
We do not use deceptive subject lines or sender names. Our physical address appears in the footer of every email we send.
Your Rights — California Residents
CCPA / CPRA — California Consumer Privacy Act
If you are a resident of California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:
Right to Know
Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
Right to Delete
Request deletion of your personal information, subject to certain exceptions (e.g., completing transactions, legal obligations).
Right to Correct
Request correction of inaccurate personal information we hold about you.
Right to Opt Out
Opt out of the sale or sharing of personal information. We do not sell personal information. We do not share it for cross-context behavioural advertising.
Right to Limit Use
Limit our use of sensitive personal information (we do not collect sensitive PI as defined by CPRA).
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights — including denying service or charging different prices.
To exercise your California rights, submit a verifiable consumer request to: om.toister@gmail.com. We will respond within 45 days. We may need to verify your identity before processing the request.
Your Rights — EU / UK Residents
GDPR & UK GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) grants you the following rights:
Right of Access (Art. 15)
Obtain a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
Have inaccurate or incomplete data corrected.
Right to Erasure (Art. 17)
"Right to be forgotten" — request deletion where there is no legal basis for continued processing.
Right to Portability (Art. 20)
Receive your data in a structured, machine-readable format to transfer to another provider.
Right to Object (Art. 21)
Object to processing based on legitimate interests, including direct marketing.
Right to Withdraw Consent
Withdraw consent at any time where we rely on consent as legal basis (e.g., newsletter).
International transfers: Your data may be transferred to and processed in the United States, which the European Commission has not deemed to have adequate data protection. Such transfers are governed by Standard Contractual Clauses (SCCs) as required by GDPR Chapter V.
To exercise your GDPR rights, email om.toister@gmail.com. We respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority).
Children's Privacy
COPPA — Children's Online Privacy Protection Act
Our Service is not directed at, and we do not knowingly collect personal information from, children under the age of 13 (or under 16 in the EU/UK). If we become aware that we have inadvertently collected personal information from a child under this age without verifiable parental consent, we will delete it immediately.
If you believe a child under 13 has provided us with personal information, please contact us at om.toister@gmail.com and we will take prompt action.
Data Retention
How long we keep your data
| Data Type | Retention Period | Reason |
|---|---|---|
| Order records (name, address, items) | 7 years | US tax and accounting law requirements |
| Customer account data | Until account deletion requested | Service provision |
| Payment transaction records | 7 years | Financial regulatory requirements |
| Server / access logs (IP addresses) | 90 days | Security and fraud prevention |
| Email marketing list | Until unsubscribed | Consent-based; removed on request |
| Contact form messages | 3 years | Customer service records |
When retention periods expire, data is securely deleted or anonymised so it can no longer be associated with any individual.
Changes to This Policy
How we notify you of updates
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the services we offer. When we make material changes, we will:
Update the "Last updated" date at the top of this page. If you have an account, send an email notification to your registered address at least 30 days before material changes take effect. Post a notice on our homepage for a reasonable period.
We encourage you to review this policy periodically. Continued use of the Service after changes become effective constitutes your acceptance of the revised policy.
The previous version of this policy is available upon request by emailing om.toister@gmail.com.
Contact & Privacy Requests
How to reach us
For any privacy questions, data requests, or to exercise your rights under CCPA or GDPR, please contact our privacy team:
Privacy Team
Naomi McLeod
Email: om.toister@gmail.com
Response time: within 30 days (GDPR) / 45 days (CCPA)