Privacy Policy

Last updated: 19 May 2026

This Privacy Policy explains what personal data whoshotyou collects, how we use it, on what basis, and what rights you have. We have designed the Platform with privacy in mind.

This Policy is structured to satisfy the Swiss Federal Act on Data Protection (FADP, in force since 1 September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR). For users in Switzerland we operate under the FADP's principle-of-permission model (Art. 6 + Art. 30–31 FADP); for users in the EU/EEA we identify a GDPR Art. 6 legal basis below.

1. Data Controller

The controller responsible for personal data processed on the Platform is:

Arxes Consultancy GmbH
Zahnradstrasse 22
8005 Zürich, Switzerland
Commercial register: Canton Zürich, UID CHE-150.551.662
Email: hello@whoshotyou.com

Arxes Consultancy GmbH operates the Platform under the brand “whoshotyou” at whoshotyou.com. Within the meaning of Art. 5 lit. j FADP and Art. 4(7) GDPR, Arxes Consultancy GmbH is the data controller. Correspondence should be addressed to the email above.

2. Scope

This Privacy Policy applies to all use of the whoshotyou platform at whoshotyou.com, including:

-Registration and account management for Athletes and Photographers.
-Browsing, purchasing, and downloading media as an Athlete or guest.
-Uploading, managing, and selling media as a Photographer.
-Photographer payouts and financial settings.
-Customer support and communications, including the on-site contact form.
-Content reporting and takedown handling.
-Operation, security monitoring, and continuous improvement of the Platform.

3. Data We Collect and Process

3a. Account data

-Username, email address, and password (stored as a cryptographic hash by our authentication provider Supabase Auth — we never store plaintext passwords).
-Account type (Athlete or Photographer) and registration metadata managed by Supabase Auth, including email confirmation status and most recent sign-in time.
-Acceptance records: timestamp of your acceptance of these Terms of Service and this Privacy Policy, your confirmation that you are at least 16 years old, and any specific Photographer-Acknowledgments accepted at registration.
-Optional profile information: full name (entered as first and last name and stored as a combined display name), biography, profile picture, and the optional social-channel and contact links described in section 3b.
-For Photographers: a self-declared public-profile location (free text and ISO country code), the country used by our payout matrix, and default pricing preferences (default photo and video prices, optional volume-discount tiers, optional minimum session fee).

3b. Profile contact channels and socials (Photographers, optional)

You may add any of the following to your public profile. Each is optional and may be removed at any time.

-Personal website URL.
-Instagram, Facebook, TikTok, YouTube, Pinterest, X (formerly Twitter) profile URLs.
-WhatsApp and Viber phone numbers (stored in international E.164 format).
-WeChat ID and Telegram handle or phone number.

This information is shown on your public photographer page and is the means by which athletes can reach you outside the on-site contact form.

3c. Transaction and payment data

-Order records including items purchased, prices, platform fee, payment fee, total, currency, and payment status.
-Payment references provided by Stripe (payment intent identifier and balance-transaction identifier). We do not store full card numbers, CVCs, or other sensitive payment credentials — these are handled exclusively by Stripe under PCI DSS Level 1.
-For Photographers receiving payouts via Wise: payout records including earnings balance, payout history, target currency, the photographer's Wise recipient identifier and (where the Wise Tag flow is used) the Wise contact identifier, plus the payout details JSON blob you saved (which may contain bank account numbers, IBAN, SWIFT/BIC, routing number, mobile-wallet account identifiers, or a Wise Tag handle, depending on your chosen rail).
-For Photographers receiving payouts via Stripe Connect Express: your Stripe Connect account identifier, the country and status reported by Stripe, and the on/off flags for charges and payouts. Stripe holds the underlying bank-account and identity-verification documents directly — we do not store them.
-For guest purchases: email address, billing first and last name, and the order reference. These are used solely to deliver the order confirmation, download link and any refund correspondence within the 30-day guest window described in Section 7.
-Platform ledger: an internal financial event log of every sale, fee, refund, and payout, used for accounting reconciliation and required under Swiss accounting law.

3d. Media and session data

-Photos and videos you upload as a Photographer, including: the original file, a watermarked low-resolution preview, listing thumbnails, and (for videos) extracted poster frames. All media files are stored on Cloudflare R2 object storage.
-Session metadata: location text, ISO country code, date and time range, sport type, currency, per-photo and per-video pricing, and any volume-discount tiers configured.
-EXIF capture timestamps used to group photo bursts into sequences (typically photos taken within a few seconds of each other).
-EXIF GPS coordinates, where present in uploaded files, may be reverse-geocoded via Mapbox during the upload step to suggest a location name. The coordinates themselves are not retained alongside the published media.
-Download records: the order/photo links and time-limited signed URLs used to deliver media to buyers.
-Reviews of photographers: the rating, optional body text, and identity of the reviewer (athlete user) are stored on the photographer's public page once submitted.

3e. Content reporting and moderation

-If you report a photo, album, photographer, or review on the Platform: the report record (reason, optional description, optional file attachments, your identity if logged in, your email if you reported as a guest) is stored for review.
-Where you report content claiming to be the identifiable subject of an image (a personality-rights claim under Art. 28 ZGB), we additionally auto-hide the reported content pending our review.
-Administrative actions taken in response to a report (content takedown, photographer suspension, refund) are stored in our audit log together with the actor, target, reason, and timestamp. Audit-log entries are retained for the same period as accounting records (Section 7).

3f. Customer-support data

Submissions made through the on-site contact form: your first name, surname, email address, self-declared role (Athlete / Photographer / Other), category, message, and any file attachments. Attachments are stored on Cloudflare R2; the submission record is retained until the inquiry is handled and then in line with Section 7.

3g. Technical and usage data

-IP addresses and server-side request logs handled by our hosting provider Vercel, retained for security monitoring, abuse prevention, and operational debugging.
-Application error reports collected by Sentry to detect and fix bugs. Where IP addresses, user identifiers, or stack-trace context appear in error events, they are processed strictly for debugging and incident response and are not used to build user profiles or to make automated decisions about you.
-Product-analytics data collected by PostHog only after you have given affirmative consent via our cookie banner: pageviews, custom product events (signup, search, album publication, payout request, checkout-flow steps, checkout failures, media downloads), button and link clicks, heatmaps, dead-click detection, and short session recordings. For logged-in users, the analytics record is keyed by an internal identifier together with your username and email so usage can be correlated across sessions. Data is stored on PostHog's EU cloud (Frankfurt). See Section 5 for full detail and how to withdraw consent.
-Browser type, device type, operating system, and screen resolution, derived from standard request headers when you access the Platform.
-Authentication session data stored in HTTP-only cookies set by Supabase Auth (described in Section 10).
-Local-storage preferences in your browser, including cart contents, recently-viewed UI flags, and remembered display settings. This data stays in your browser and is not transmitted to our servers except where needed to complete a transaction.

4. Purposes and Legal Bases

For users in the EU/EEA we identify a GDPR Art. 6 legal basis below. For users in Switzerland, the FADP permits processing by private persons by default; we set out the corresponding purposes here for transparency.

Contract performance (Art. 6(1)(b) GDPR / Art. 31 FADP)

-Creating and managing user accounts.
-Processing purchases, delivering download links, and maintaining order history.
-Processing photographer payouts via Wise or Stripe Connect Express.
-Enabling Photographers to upload, manage, and sell media; settling sales.

Legitimate interests (Art. 6(1)(f) GDPR / overriding interest under Art. 31 FADP)

-Operating, monitoring, and maintaining the Platform, including hosting, error tracking, and performance work.
-Fraud detection, abuse prevention, and security monitoring.
-Handling content reports and personality-rights claims under our notice-and-action procedure (Section 11).
-Enforcing our Terms of Service and protecting our rights and those of our users.
-Legal defense in connection with claims arising from Platform use.

Legal obligations (Art. 6(1)(c) GDPR / Art. 31 al. 2 lit. c FADP and Swiss accounting law)

-Retaining transaction and billing records under Art. 958f OR (Swiss Code of Obligations) and the Swiss Federal Act on Value Added Tax (MWSTG).
-Responding to lawful requests from courts, regulatory authorities or law-enforcement agencies.

Consent (Art. 6(1)(a) GDPR / Art. 6 al. 7 lit. b FADP)

-Non-essential cookies and similar tracking technologies (see Section 10), activated only after you have given affirmative consent via the cookie banner.
-Optional marketing communications, if and when introduced.

You can withdraw any consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

5. Analytics and Tracking

We use PostHog as our product-analytics tool to understand how the Platform is used and to improve it. PostHog runs strictly under cookie consent: it is inactive on first load and is enabled only after you choose “Accept all” on the cookie banner. If you select “Essentials only” or “Reject all non-essential”, PostHog captures nothing and no PostHog cookie or local-storage entry is written in your browser.

Where you have consented, PostHog collects:

-Pageviews and navigation events.
-Custom product events covering signup, search, album publication, photographer payout requests, checkout-flow steps, checkout failures, and media downloads.
-Button and link clicks, including heatmaps and dead-click detection (clicks on elements that did not respond).
-Short session recordings (mouse movements, keyboard activity, scroll position, click coordinates) used to debug user-experience issues. Recordings are retained on PostHog's side for 30 days and then deleted.
-For logged-in users, an internal user identifier together with your username and email address, so product-usage data can be correlated with the same account across sessions.

Data residency. PostHog is configured on PostHog's EU cloud, with all event, person, and session-replay data stored in Frankfurt, Germany. We do not use PostHog's US cloud.

Reverse-proxy endpoint. Analytics requests are routed through whoshotyou.com/ingest/, a transparent reverse proxy that forwards requests to PostHog's EU endpoint. Its sole purpose is resilience to ad-blockers and request-classification heuristics that block well-known analytics domains; it does not bypass your consent choice. When you have not consented, the Platform does not send any requests to /ingest/ in the first place.

Withdrawing consent. You can withdraw consent at any time via the “Cookie Preferences” link in the site footer. After withdrawal, the Platform stops sending data to PostHog immediately. Previously-collected data may persist on PostHog's side until the applicable retention period expires; to request deletion of previously-collected analytics data, contact us at the address in Section 14.

Sentry is used only for application error monitoring; it is not used to build user profiles or to make automated decisions about you. Mapbox is used for location autocomplete and reverse-geocoding when you set or search a location. Neither Sentry nor Mapbox is used as a behavioral-analytics service.

5a. Use of Uploaded Content and AI Training

We do not use Photographer-uploaded media to train artificial-intelligence models, whether our own or those of third parties. We do not license, share, or sell uploaded media to third parties for AI training purposes. We do not permit our infrastructure providers to use uploaded media for AI training purposes.

Uploaded media is processed only as necessary to operate the marketplace: storage on Cloudflare R2 (Section 6), watermark and thumbnail generation, delivery to buyers who have purchased the media, and the limited internal processing described in Section 3d.

Should we ever wish to use uploaded media for new purposes — including AI training, dataset licensing, or platform-marketing usage beyond the marketplace function — we will notify affected Photographers in advance and obtain explicit opt-in consent. Continued use of the Platform without opt-in shall not constitute consent for such purposes.

We do not permit our product-analytics provider PostHog (Section 5) to use event data, person-property data, or session-replay recordings collected through the Platform to train artificial-intelligence models.

6. Recipients and International Data Transfers

We share personal data only to the extent necessary for Platform operations, contract performance, or legal compliance. Recipients are listed below by category, together with the country of processing and the transfer-safeguard relied upon for transfers outside Switzerland or the EU/EEA.

Payment and payout providers

-Stripe Payments Europe Ltd (Ireland, with onward transfer to Stripe Inc., USA). Buyer-side payment processing. Stripe is PCI DSS Level 1 certified. Transfers to Stripe Inc. rely on the Swiss-US Data Privacy Framework or Stripe's Standard Contractual Clauses.
-Stripe Connect (Stripe Inc., USA, for the Stripe Connect Express payout path). Identity-verification documents and bank-account details supplied during Stripe Connect onboarding are stored by Stripe directly. Same transfer mechanisms as above.
-Wise Payments Ltd (United Kingdom; UK is on the Swiss adequacy list under Annex 1 of the Data Protection Ordinance). Payout processing for Photographers using Wise rails (bank, mobile wallet, instant local rails, or Wise Tag).

Infrastructure, hosting, and tooling

-Vercel Inc. (USA). Platform hosting, edge functions, serverless compute, request logging. Transfer mechanism: Swiss-US Data Privacy Framework where applicable and Standard Contractual Clauses as a fallback.
-Supabase Inc. (Delaware, USA; data hosted in our chosen Supabase region). Database, authentication, row-level security policies, and admin service-role operations. Same transfer mechanism as above.
-Cloudflare Inc. (USA). R2 object storage for media files and CDN delivery. Same transfer mechanism as above.
-Resend Inc. (USA). Transactional email delivery (welcome, order confirmation, payout notifications, contact-form notifications, takedown notifications, account-deletion notifications). Same transfer mechanism as above.
-Mapbox Inc. (USA). Location autocomplete and reverse-geocoding when you set or search a session location. Same transfer mechanism as above.
-Sentry Inc. (USA). Application error monitoring. Same transfer mechanism as above.
-PostHog Inc. (Delaware, USA, with all Platform data hosted exclusively on PostHog's EU cloud in Frankfurt, Germany). Product analytics: pageviews, custom events, click and heatmap data, and short session recordings, active only after affirmative consent via the cookie banner (Section 5). Transfer mechanism: Swiss-US Data Privacy Framework where applicable and EU Standard Contractual Clauses with the FDPIC-approved Swiss Addendum as a fallback, under a Data Processing Agreement signed with PostHog.

Other recipients

-Courts, regulatory authorities, and law-enforcement agencies where we are required by law to disclose data.
-Professional advisers (lawyers, auditors, accountants) bound by confidentiality, where necessary for legal advice or for compliance with Swiss accounting law.

For all transfers to countries that are not on the Federal Council's adequacy list (Annex 1 to the Swiss Data Protection Ordinance), we rely on the safeguards in Art. 16 al. 2 FADP — primarily Standard Contractual Clauses (with the FDPIC-approved Swiss Addendum) or the Swiss-US Data Privacy Framework, supplemented by a transfer-risk assessment where appropriate.

An up-to-date list of our sub-processors is available on request from hello@whoshotyou.com. We will give reasonable advance notice of any material change.

7. Retention and Deletion

Account data – Athletes

Retained for as long as the account is active. Upon deletion, personal identifiers are permanently scrubbed and the authentication record is removed, subject to the exceptions below for transaction data.

Account data – Photographers

Retained for as long as the account is active. When a Photographer requests deletion, the account enters a 7-day grace period during which the request can be cancelled by the account holder. After the grace period, personal identifiers (full name, username, biography, profile picture, social and contact channels listed in Section 3b) are permanently scrubbed by an automated job and the authentication record is removed. The username is rewritten to a random, non-identifying value so foreign-key references in the database can survive without leaking the original identity. The underlying media files (originals and watermarked previews) are retained in our storage to honor the perpetual licenses already granted to buyers under Section 4 of the Terms of Service; these files are no longer publicly browsable but remain accessible to the buyers who purchased them.

Transaction and billing data

Retained for the period required under Swiss accounting and tax law (Art. 958f OR), currently 10 years from the end of the relevant financial year. The platform ledger and order records are kept on this schedule even after account deletion.

Audit log

Entries recording administrative actions (takedowns, account suspensions, refunds, content moderation decisions) are kept for the same accounting-law period — 10 years — so the platform's actions remain auditable and defensible against later legal claims.

Technical and log data

Server request logs and error events are retained at our hosting and error-monitoring providers' default periods (typically up to 90 days), unless longer retention is required for an ongoing investigation or legal proceeding.

Guest purchase data

Email address and order data for guest purchases are retained for the statutory accounting period and used only to deliver the order confirmation and download link. Guest download links are valid for 30 days. Guest email addresses are not used for marketing.

Contact-form submissions

Submissions are retained until the inquiry is handled and then for a reasonable additional period to evidence the response, typically not exceeding 24 months. Attachments are deleted on the same schedule.

Content reports

Reports and any associated moderation decision are retained alongside the audit log for the 10-year period, so that we have a complete record of the basis on which content was retained or removed.

8. Your Rights

Depending on the law that applies to you — the FADP for users in Switzerland, the GDPR for users in the EU/EEA, or other applicable national law — you may have the rights set out below.

-Right of access – to obtain a copy of the personal data we hold about you, the categories of recipients, the retention period, and the sources of any data we did not obtain from you (Art. 25 FADP, Art. 15 GDPR). The Platform also offers an in-account data export feature that returns your account data in a machine-readable format.
-Right of rectification – to request correction of inaccurate or incomplete data.
-Right of erasure – to request deletion of your personal data in certain circumstances (subject to the retention obligations in Section 7).
-Right to restriction – to request that we limit our processing of your data in certain circumstances.
-Right to data portability – to receive personal data you provided to us in a common, machine-readable format where processing is automated and based on consent or directly tied to a contract (Art. 28 FADP, Art. 20 GDPR).
-Right to object – to object to processing based on our legitimate interests.
-Right to withdraw consent – to withdraw any consent you have given at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@whoshotyou.com. We may ask you to verify your identity before processing your request and will respond within the timeframes required by applicable law, generally 30 days.

If you believe that our processing of your personal data violates applicable law, you have the right to lodge a complaint with the relevant supervisory authority. In Switzerland this is the Federal Data Protection and Information Commissioner (FDPIC). In EU member states you may contact the data protection authority in your country of residence.

9. Security

We use appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration. These include:

-Encryption of all data in transit using TLS.
-Passwords stored only as cryptographic hashes by Supabase Auth.
-Bank account details and other sensitive fields stored in our database with at-rest encryption and access controls provided by our database hosting provider.
-Row-level security policies in the database limiting data access to the rightful account holder, with administrative service-role access reserved for server-side, audited operations.
-Signed, time-limited URLs for access to media files in object storage.
-Application error monitoring and log review.
-Internal access controls: only authorized personnel of the controller have administrative access to the back-office tools described in Section 3e.

No method of internet transmission or electronic storage is completely secure. We will notify you and any applicable supervisory authority of a security breach affecting your rights as required under Art. 24 FADP and Art. 33–34 GDPR.

10. Cookies and Local Storage

whoshotyou uses two categories of client-side storage:

Strictly necessary (no consent required)

-HTTP-only authentication cookies set by Supabase Auth that maintain your login session. These are technically necessary; without them you cannot remain logged in.
-Local-storage entries used to remember your cart contents and basic UI preferences while you browse. This data stays in your browser.

Non-essential (consent required)

We use PostHog for product analytics and short session recordings, as described in Section 5. PostHog cookies and local-storage entries are written only after you have selected “Accept all” on the cookie banner. If you select “Essentials only” or “Reject all non-essential”, no PostHog cookie or local-storage entry is created and no analytics request is sent.

The cookie banner offers three symmetric options:

-Accept all – consent to essential cookies and to PostHog product analytics and session recording.
-Essentials only – consent to essential cookies only; PostHog is not activated.
-Reject all non-essential – same effect as “Essentials only”.

Your choice is stored in a small first-party preference cookie so we do not ask you again on every visit. You can revisit and change your choice at any time via the “Cookie Preferences” link in the site footer or by clearing the preference cookie in your browser. Changes take effect immediately without a page reload.

Cookies in detail

Cookie / storage key | Purpose | Vendor | Retention
sb-access-token, sb-refresh-token | Maintain your login session | Supabase Auth | Up to session lifetime + refresh window
cart (local storage) | Persist your cart between visits | First-party | Until you clear the cart or local storage
cookie-prefs | Remember your cookie consent | First-party | 12 months
ph_<project-key>_posthog | PostHog distinct identifier and capture state. Written only after “Accept all” consent. | PostHog (EU cloud, Frankfurt) | 12 months
ph_<project-key>_* (local storage) | Buffers session-replay events and feature-flag state before they are uploaded. Written only after “Accept all” consent. | PostHog (EU cloud, Frankfurt) | Cleared on log out / browser clear; replays retained server-side for 30 days

11. Notice and Action / Takedown

Our notice-and-action procedure for reporting content that infringes your rights — including copyright, personality rights under Art. 28 ZGB, or other applicable rules — is set out in Section 8.2 of our Terms of Service. The procedure includes in-platform reporting, email submission to hello@whoshotyou.com, auto-hide of content reported as a personality-rights claim, acknowledgment within 5 business days and substantive response within 14 business days, and a statement of reasons to affected users where content is removed.

Moderation decisions and report records are stored in our audit log and retained as described in Section 7.

12. Children

The Platform is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. At registration we ask you to confirm that you are at least 16 years old. If we learn that a user is under 16, we will delete their account and associated data promptly. If you believe a person under 16 has registered, contact us at hello@whoshotyou.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, Platform features, or applicable law. We will notify registered users of material changes by email or by a prominent notice on the Platform at least 30 days before the changes take effect, except for changes required by law or to address an immediate security or compliance issue.

The date at the top of this document reflects the most recent update.

14. Contact

For any questions, requests, or concerns about this Privacy Policy or how we handle your personal data, please contact:

Arxes Consultancy GmbH
Zahnradstrasse 22
8005 Zürich, Switzerland
Email: hello@whoshotyou.com

We aim to respond to all privacy inquiries within 30 days.

whoshotyou is operated by Arxes Consultancy GmbH, Zahnradstrasse 22, 8005 Zürich, Switzerland.