Legal

Privacy Policy

Last updated 30 June 2026

Eraya Studios respects your privacy. This policy explains what personal information we collect, how we use it, and the choices you have. It is written to align with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

1. Who we are

"Eraya Studios", "we", "us" and "our" refer to the photography studio operating at erayastudios.com, based in Sydney, NSW, Australia. We are the data controller for the information described in this policy.

2. What information we collect

We only collect information that is reasonably necessary for our photography services. This includes:

  • Contact details you give us when you submit the booking or contact form — your name, email address, phone number, and (for bookings) event date, time, and location.
  • Account information if you register a client account — your name, email, hashed password, and two-factor authentication preferences.
  • Booking and session details — the package you chose, the message you sent us, and notes we take during planning.
  • Photographs and videos taken during your session.
  • Technical information — your IP address, browser type, and the pages you visit on this website, collected via standard server logs and used for security and to improve the site.
  • Cookies — a small session cookie to keep you signed in, and (if you enable it) a 2FA "remember this device" cookie. We do not use third-party advertising trackers.

We do not knowingly collect sensitive information (health, racial, religious, or political data) and you should not send any to us. We do not collect information from children under 16 directly; bookings involving minors are made by a parent or guardian.

3. How we use your information

We use your information to:

  • Respond to your enquiry and arrange your photography session;
  • Send transactional emails (booking confirmation, session reminders, "your gallery is ready" notification, 2FA codes);
  • Deliver your photographs and videos via a private online gallery on this website;
  • Operate, secure, and improve the website (including detecting and preventing fraud or abuse);
  • With your permission, use a selection of session images in our portfolio (see our Terms of Use for details and how to opt out).

We do not use your information to send marketing emails unless you explicitly opt in.

4. Who we share it with

We don't sell your information. We share it only with the limited service providers that help us run the studio:

  • Our hosting provider (Spaceship) for website infrastructure and storage;
  • Our email provider (Spacemail) for sending transactional emails;
  • Australian government agencies if we are legally required to disclose information.

Each of these providers is bound by their own privacy obligations. We don't authorise them to use your information for their own purposes.

5. How we store and protect it

  • Your account password is stored only as a one-way hash (we never see your plain-text password).
  • Two-factor authentication is available for all client accounts at /client/security.php.
  • Your photos and videos are stored outside the public web root and served only via authenticated, per-file checks. No public URL exists for your private gallery files.
  • All communication with the website uses HTTPS encryption.
  • Outgoing emails are sent over an authenticated, encrypted SMTP connection.
  • Administrative access to the system is restricted, logged in an audit trail, and protected by 2FA.

Despite our care, no online system is perfectly secure. If we ever experience a data breach that may affect you, we will notify you and the Office of the Australian Information Commissioner (OAIC) in line with the Notifiable Data Breaches scheme.

6. How long we keep it

  • Enquiry forms: kept while we communicate and then archived for up to 24 months for reference.
  • Booking and session records: kept for 7 years for tax and warranty purposes (Australian record-keeping requirements).
  • Client galleries: kept accessible for at least 12 months after delivery, then may be archived or deleted (please back up your files).
  • RAW files: kept for at least 60 days, then may be deleted at our discretion.
  • Mail logs: kept for up to 12 months for delivery diagnostics.
  • Account data: kept while your account is active; you can request closure at any time.

7. Cookies

We use a single session cookie to remember that you're signed in. We do not use advertising, profiling, or third-party tracking cookies. You can disable cookies in your browser, but you will not be able to sign in to your client gallery without them.

8. Your rights

Under the Privacy Act 1988 (Cth), you can:

  • Ask what personal information we hold about you;
  • Ask us to correct anything that's wrong;
  • Ask us to delete your information, where we are not required by law to keep it;
  • Withdraw consent for portfolio use of your images;
  • Close your client account.

Email us at contact@erayastudios.com with your request and we'll respond within 30 days.

9. Complaints

If you're unhappy with how we have handled your personal information, please tell us first — we'll do our best to put things right. If you're still not satisfied, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au or by phone on 1300 363 992.

10. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top reflects the most recent change. Material changes will be notified by email to active account holders where reasonable.

11. Contact

Privacy questions or requests:

Questions? Get in touch.