Privacy and Cookie Policy

1. Data Controller and Commitment to Privacy


The Data Controller for this website is me, Diego Orlando, a professional photographer, with a professional address in the city of San Sebastián, Guipúzcoa, Spain. You can contact me regarding privacy matters at the email address provided in the footer of this site.

This site has been designed and developed following the principle of "privacy by design," as recognized by the General Data Protection Regulation (GDPR) in Article 25. The protection of personal data has been considered a fundamental element from the very conception of the project, materializing in a technical structure that minimizes the collection of personal data and maximizes information protection measures. My commitment is to protect your privacy.

2. Data Processing: Minimisation and Purposes


This website operates under the principle of data minimisation (Art. 5.1.c GDPR). I do not carry out any direct collection of personally identifiable information; I have not implemented contact forms, I do not require user account creation, nor do I maintain databases with personal information on my direct servers.

To ensure the proper technical functioning, security of the website, and the protection of intellectual property rights for the photographic content displayed, the processing of limited technical data through specialized service providers is necessary:

1.- Cloudflare, Inc.: Used for secure hosting (static hosting), efficient content delivery (CDN), protection against threats (WAF security, DDoS), and to obtain basic site usage metrics without using cookies or local storage.

2.- SmartFrame Technologies Limited: Used exclusively for the protection of image copyright and secure display, as I have technically disabled its analytics and tracking functions that could involve the use of local storage.

The processing carried out by these providers is strictly limited to the technical data essential for providing these core services, as detailed in Section 3.

I have eliminated the previous use of local storage (localStorage) for language preferences. The site now attempts to detect the browser's preferred language for the initial session display without storing this preference on the user's device, based on the legitimate interest of facilitating navigation.

The primary legal basis for processing the necessary technical information is my legitimate interest (Art. 6.1.f GDPR) in:

1.- Providing a functional, secure, and well-performing web service.
2.- Protecting the intellectual property rights over the displayed photographic content.

This processing is always carried out under the principle of data minimisation and by applying appropriate technical and organizational measures to ensure privacy.

3. Third-Party Services and Specific Processing


3.1 Cloudflare (Hosting, CDN, Security, and Cookie-less Analytics)


The website is hosted on Cloudflare's infrastructure (Cloudflare Pages) and uses its CDN and security services. The data processing carried out by Cloudflare is based on my legitimate interest (Art. 6.1.f GDPR) to:

1.- Ensure the technical security of the site and protect it against cyber threats.
2.- Ensure the availability and optimal performance of the service.
3.- Provide a secure connection via SSL/TLS encryption.
4.- Prevent fraudulent access and protect site integrity.
5.- Obtain basic aggregated metrics about website traffic (via Cloudflare Web Analytics) to understand general usage.

In this context, Cloudflare processes essential technical information such as the visitor's IP Address, user agent data (browser/device), and connection metadata to route traffic, apply security rules, mitigate attacks, and generate the aforementioned aggregated metrics. This processing is indispensable for the service's operation and basic improvement.

Cookies and Local Storage (Cloudflare): In accordance with its privacy-focused design, Cloudflare Web Analytics does not use cookies or local storage (localStorage) on the user's device to collect metrics. Occasionally, for specific security functions (such as advanced anti-bot protection), Cloudflare might need to set a strictly necessary cookie (e.g., __cf_bm), which is exempt from prior consent as it is essential for service protection. More information is provided in the Cookie Policy section (Section 8).

International Transfers: Cloudflare is a US company. International data transfers (such as IP addresses) to the USA are carried out under the protection of Cloudflare's certification under the EU-US Data Privacy Framework (DPF), recognized by the European Commission as a mechanism providing adequate data protection guarantees.

Data Processing Agreement: My relationship with Cloudflare is subject to its terms and a Data Processing Agreement (DPA) that regulates its obligations as a Data Processor. You can find more information in Cloudflare's Trust Hub: www.cloudflare.com/es-es/trust-hub/gdpr/.

3.2 SmartFrame (Image Protection)


I use the technology of SmartFrame Technologies Ltd. (UK) for the sole purpose of protecting my copyright over the displayed photographic works and ensuring their controlled viewing, preventing unauthorized use.

The information processing by SmartFrame necessary for this purpose includes technical data such as the IP address and browser/device data to serve the protected image correctly. The legal basis for this processing is my legitimate interest (Art. 6.1.f GDPR) in safeguarding my intellectual property.

Disabling of Analytics and Tracking: I have implemented technical measures (specifically, setting the global variable window.__sfDisableTracking = true) documented by SmartFrame to disable its analytics and tracking functionalities by default. As a result, SmartFrame does not install cookies or use local storage (localStorage) on your device to track interactions or generate usage statistics on this website. As this secondary processing is not carried out, no additional consent is required for it.

International Transfers: SmartFrame is based in the United Kingdom, a country with an EU Adequacy Decision. If SmartFrame were to use sub-processors in other countries, transfers would be carried out under appropriate safeguards such as Standard Contractual Clauses (SCCs).

You can consult SmartFrame's general privacy policy (although its tracking functions are disabled here) at: www.smartframe.io/privacy-policy.

4. Data Retention Periods


In line with the principle of minimisation, the technical data processed is retained only for the time strictly necessary to fulfill the described purposes.

Technical and Security Logs (Cloudflare): Information such as IP addresses and access logs managed by Cloudflare are generally kept for short periods (typically ranging from a few days to several weeks, according to Cloudflare's internal policies) in order to ensure security, detect incidents, and comply with potential legal obligations. They are not stored indefinitely.

SmartFrame Data: Given that the analytics and tracking functions have been disabled, no persistent identifiers or interaction data associated with specific users are stored for these purposes.

Once the data is no longer necessary for the original purpose and there is no legal obligation to retain it, it is securely deleted or anonymized by our providers.

5. Security Measures


The website's security is based on multiple layers of protection. The first layer consists of SSL/TLS encryption provided by Cloudflare, ensuring that all communications between the user's browser and the website are encrypted and secure. This is evidenced by the "https://" protocol and the padlock icon visible in the browser's address bar.

Cloudflare provides additional security measures, including protection against Distributed Denial of Service (DDoS) attacks, a Web Application Firewall (WAF) that filters malicious traffic, and continuous threat monitoring systems. These measures are constantly updated to respond to new security threats.

The implemented static website architecture offers significant security advantages. By not using databases or dynamic server-side information processing, a large potential attack surface is eliminated. This architecture significantly simplifies the security model, as there are no entry points for SQL injections, Cross-Site Scripting (XSS) attacks, or other common vulnerabilities found in dynamic websites.

For visual content protection, SmartFrame implements specific technologies that prevent unauthorized copying of images and provide granular control over how content is shared and viewed. This additional security layer ensures the integrity and copyright of the visual content without compromising the user experience.

The website keeps all its security components updated and performs periodic checks to ensure all protection measures are functioning correctly. These security practices align with current industry standards and best-practice recommendations in web security.

6. Email Communication


The website provides an email address in the footer for contacting me. This communication method is designed such that the user must use their own email service provider (such as Gmail, Outlook, or others) to send their messages. The website does not incorporate contact forms or direct messaging systems, thus ensuring that communication is established entirely through the user's and the photographer's email servers.

The privacy and security of email communications are subject to various factors that the user should consider. Firstly, they depend on the security measures implemented by the user's chosen email provider and their corresponding privacy policies. Additionally, the level of privacy will be determined by the amount and type of information the user voluntarily decides to include in their message.

In this context, it is essential to understand that any personal information shared in email communications is done under the express responsibility and decision of the user. Therefore, it is recommended to include only the information strictly necessary for the purpose of the communication, carefully evaluating what personal data is shared in each message.

7. Social Media Links and Third-Party Links


Regarding links to social networks and other external sites provided on the website, users are informed that they are about to leave this website and access an external platform. These platforms operate under their own privacy policies. The processing of personal data on them is governed exclusively by their terms, which may differ significantly from those applied here.

Users are strongly encouraged to consult and review the privacy policies of each external site before interacting with their services or providing personal data. This precaution applies to all external links mentioned on this site, including those of our providers mentioned in this policy.

8. Cookie Policy and Similar Technologies


In compliance with Article 22.2 of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE), and consistent with the privacy principles of the GDPR, the use of cookies and similar technologies on this website is detailed below.

8.1. Commitment: No Tracking Cookies or Consent Required


This website has been configured to minimize the use of cookies and similar technologies. Specifically:

We do not use cookies or local storage (localStorage) for analytical, advertising, tracking, or profiling purposes.

The analytics functions of our provider SmartFrame, which could use local storage, have been technically disabled via the window.__sfDisableTracking = true; setting.

Basic traffic metrics are obtained through Cloudflare Web Analytics, a tool designed by Cloudflare that does not use cookies or local storage on your device to generate statistics.

Given that we do not employ technologies requiring your prior consent according to the LSSI-CE / ePrivacy Directive, you will not find a banner or panel to manage cookie consents on this site.

8.2. Potential Strictly Necessary Technical Cookies (Cloudflare)


To ensure security, performance, and the proper delivery of the web service, our infrastructure provider, Cloudflare, Inc., might occasionally need to install cookies that are strictly necessary from a technical standpoint.

Provider: Cloudflare, Inc. (USA)

Purpose: These cookies are essential for functions such as:

1.- Identifying secure traffic and distinguishing between legitimate users and malicious bots (e.g., Bot Management).
2.- Maintaining the integrity of the user's session against certain threats.
3.- Optimizing network performance and load balancing.

Examples: A common example of this type of cookie is __cf_bm, used by Cloudflare's Bot Management service. Others might be used depending on active security configurations and traffic conditions. (Note: The presence and exact name of these cookies may vary and might only be visible under certain conditions or in the production environment.)

Legal Basis and Consent: As they are strictly necessary for the security and functioning of the service you request by browsing, these cookies are exempt from the obligation to obtain prior consent (according to Art. 22.2 LSSI-CE and EDPB guidelines). We inform you about their potential use for transparency.

Duration: They are usually session cookies or have a very short duration (e.g., __cf_bm typically lasts 30 minutes).

More Information: You can find information on how Cloudflare uses cookies in their official documentation (although the specific applicability to this site is limited to necessary ones).

8.3. Managing Cookies in Your Browser


Although this site is configured not to use cookies requiring your consent, your browser allows you to manage and delete cookies stored by any website, including the strictly necessary ones that Cloudflare might occasionally use for the security of this site.

Generally, you can access these options in your browser's privacy and security settings. Within that section, look for options related to "Cookies" or "Site data". There you will find controls to block them (fully or partially, like third-party cookies) or to delete cookies already stored on your device. The exact steps may vary slightly between different browsers (such as Chrome, Firefox, Safari, Edge, etc.).

We remind you that disabling essential cookies could negatively affect the security or proper functioning of some websites, including this one.

9. User Rights


This website operates under the principle of data minimisation, and I do not actively collect or store personally identifiable data from visitors through their browsing. The processed information is limited to technical data managed by our providers for security, operation, and content protection purposes, as described.

Nevertheless, in compliance with the GDPR and LOPDGDD, I recognize your rights concerning personal data:

1.- Right of Access: To know if data concerning you is being processed (mainly technical data like IP address during connection) and to obtain information about it.
2.- Right to Rectification: To request the correction of inaccurate data (limited applicability in this context).
3.- Right to Erasure ('Right to be Forgotten'): To request the deletion of data when it is no longer necessary (e.g., old logs), subject to legal retention obligations.
4.- Right to Restriction of Processing: To restrict processing under certain circumstances provided by the regulation.
5.- Right to Object: To object to processing based on legitimate interest (e.g., IP processing for security) on grounds relating to your particular situation, although this right may be limited if the legitimate interest prevails or is necessary for the defense of legal claims.
6.- Right to Data Portability: To receive and transfer your data (very limited applicability here, as there is no data actively provided by the user nor processing based on active consent/contract).
7.- Right not to be subject to Automated Individual Decision-making: Not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you (not applicable on this website).

To exercise these rights, you can contact me as the data controller at the email address indicated in the footer, specifying your request and attaching proof of identity. I will manage your request within a maximum period of one month from receipt, to the extent applicable to the technical data processing carried out, and will coordinate with my providers if necessary and possible.

Consent management via a specific banner for cookies or local storage is not required, as, according to our current configuration and the design of the tools used (Cloudflare Web Analytics), we do not employ technologies that require such prior consent under the LSSI-CE / ePrivacy Directive. Only strictly necessary cookies for security might potentially be used, about which information is provided in the Cookie Policy section (Section 8).

10. Supervisory Authority


If you believe that the processing of your data (even technical data) may infringe the regulations, you have the right to lodge a complaint with the competent supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (Spanish Data Protection Agency): www.aepd.es

11. Modifications and Contact


This policy may be updated when necessary to reflect changes in privacy practices or applicable regulations.

I will try to keep the links to third-party privacy policies (Cloudflare and SmartFrame) included in this document updated. However, as these policies are managed by their respective companies, it is recommended always to verify the latest information directly on their official websites.

For any questions regarding this policy, you can contact me via the email address in the footer.

Last updated: May 1, 2025.