SA Picture Day

Privacy Policy

Last updated: April 18, 2026

Who We Are

SA Picture Day (“we”, “us”, “our”) operates the Booksa booking portal at booksa.sapicture.day. This policy explains what data we collect when you book a photo session or purchase prepay credits, how we use it, and who we share it with.

Contact: support@sapicture.day

Legal Basis for Processing

We collect and process your personal data because it is necessary to fulfill the booking contract you enter into with us when you reserve a session or purchase prepay credits. Without this information we cannot confirm your booking, deliver credit codes, or provide customer support. All data collected is limited to what is strictly necessary for these purposes.

Data We Collect

  • Guardian information: first name, last name, email address, phone number
  • Child information: first name, last name, team/class name
  • Payment metadata: Stripe checkout session ID, amount paid — we never see or store raw card numbers
  • Booking details: session date, time slot, group, booking reference number
  • Analytics: anonymised usage data via PostHog and Microsoft Clarity heatmaps (no personal identifiers)

Children's Privacy (COPPA)

SA Picture Day does not collect personal information directly from children. All information about minors is provided by a parent or legal guardian during the booking process. We do not knowingly collect or retain personal data from children under 13 beyond what is necessary to fulfill the booked session.

If you are a parent or guardian and believe we have inadvertently collected information about your child without your consent, contact us at support@sapicture.day and we will delete it promptly.

How We Use Your Data

  • Confirm and fulfill your booking
  • Send booking confirmation and prepay credit codes by email
  • Respond to support requests
  • Detect and prevent fraud or abuse
  • Improve the booking experience (aggregate analytics only)

We do not sell your data or use it for advertising.

Sub-Processors

We share data with the following trusted third-party services only to the extent necessary to fulfil your booking:

  • Stripe — payment processing. Card data is handled entirely by Stripe and never passes through our servers. Stripe Privacy Policy
  • Supabase — database and authentication hosting (US region). Supabase Privacy Policy
  • Resend — transactional email delivery. Your email address is used to send booking confirmations only. Resend Privacy Policy
  • PostHog — product analytics (anonymised; no personal identifiers). PostHog Privacy Policy
  • Microsoft Clarity — session heatmaps and click analytics. Clarity may record anonymised mouse movements and interactions on this site. No personally identifiable information is sent to Microsoft. Microsoft Privacy Statement
  • Chatwoot — live chat support widget hosted on our own infrastructure. If you initiate a chat, your messages and basic session metadata (IP address, browser) are stored in our Chatwoot instance to facilitate support. Chatwoot Privacy Policy
  • Vercel — hosting and serverless infrastructure. Vercel Privacy Policy

Data Security

We use industry-standard encryption (TLS) for all data in transit and rely on access-controlled, encrypted infrastructure for data at rest. Access to personal data is restricted to personnel who require it to operate the service. While we take reasonable measures to protect your information, no system is completely secure and we cannot guarantee absolute security.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you as required by applicable law, including the Texas Identity Theft Enforcement and Protection Act. Notifications will be sent to the email address associated with your booking as promptly as reasonably possible.

Legal Disclosure

We may disclose your personal information if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of SA Picture Day, our users, or the public. We will notify you of such a disclosure where legally permitted to do so.

Data Retention

Booking records are retained for 3 years for accounting and dispute resolution purposes. You may request deletion of your personal data at any time by emailing support@sapicture.day. Deletion requests are fulfilled within 30 days, subject to legal retention obligations.

Your Rights

You may request to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (subject to legal retention requirements)
  • Receive a copy of your data in a portable format

Email support@sapicture.day to exercise any of these rights.

Cookies

We use strictly necessary cookies to maintain your session during the booking flow (e.g., access verification). No advertising or tracking cookies are set without your consent.

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by updating the “Last updated” date at the top of this page. Continued use of the booking portal after a policy update constitutes acceptance.

Terms of ServiceContact Support