Privacy Policy

Privacy Statement JR Creative Studio
Effective Date / Last Updated: 23 June 2025

1. Introduction and Organizational Information
JR Creative Studio (“we”, “us”, “our”) processes personal data in connection with our website and services. This privacy statement describes how we handle personal data, in accordance with the GDPR and relevant Dutch regulations.
Purpose of this statement:

• Improve user experience by understanding needs and preferences.

• Respond promptly to inquiries or service requests via contact form or email.

• Enhance and deliver our creative services (graphic design, web design, photography, digital art, animation, etc.).

• Carry out necessary business activities such as invoicing and account management.
  Controller and contact details:

• Controller: JR Creative Studio, sole proprietorship of Jorge Afonso.

• Chamber of Commerce (KvK) number: 97538876.

• Registered address: Protected, Amsterdam, Netherlands.
  Contact for privacy questions:

• Email: info.jrcreativeamsterdam@gmail.com

• Phone: +31 633027855

• Data Protection Officer (DPO): Not separately appointed; privacy questions are handled by JR Creative Studio.

2. Scope and Applicability
This privacy statement applies to:

• Visitors of our website (jrcreativestudio.webflow.io).

• Individuals leaving their name and email via the contact form.

• Clients using our services (graphic design, web design, photography, etc.).

• Any newsletter or marketing communications (if implemented).

• Other interactions via email or phone.

3. Which Data Do We Collect?
We only process the following personal data, aligned with your note that you only use Google Analytics and the contact form collects name/email:

• Contact form data

  • What: Name, email address, and any additional information voluntarily provided via the contact form.

  • Purpose: Respond to inquiries, prepare quotes, client communication.

• Project and client data

  • What: Project requirements, feedback, supplied files (including possibly images).

  • Purpose: Execute and document the assignment; project management; legal/accounting obligations.

• Billing and financial data

  • What: Client name, billing address, payment confirmations.

  • Purpose: Issue invoices and store for accounting obligations (minimum 7 years).

• Website Analytics (Google Analytics)

  • What: Anonymized data about website usage: pseudonymized IP (with IP anonymization), pages visited, duration, referrers, device data.

  • Purpose: Insight into how visitors use the site to improve it.

• Cookie data

  • What:

    • Essential cookies: necessary for Google Sites/Webflow environment functionality; no explicit consent required.

    • Analytics cookies (Google Analytics): _ga, _gid, _gat, etc., placed only after consent.

  • Purpose: Functionality and anonymous analytics.

• Third parties and platforms

  • What: Possible data processing by service providers (Webflow/Google Analytics/email provider).

  • Purpose: Website hosting, form handling, analytics, and any file transfers.

• Other data

  • Only if voluntarily provided in communications; no other tracking or sales functionality on the site.

4. Legal Bases for Processing
By data category:

• Contact form and project data

  • Legal basis: Performance of pre-contractual measures and contract fulfillment (Art. 6(1)(b) GDPR).

• Billing data

  • Legal basis: Legal obligation (accounting, tax; Art. 6(1)(c) GDPR).

• Website Analytics

  • Legal basis: Legitimate interest (improving the website) with appropriate safeguards (IP anonymization). Visitors must consent via cookie banner; this can be seen as a mix of legitimate interest and transparency/consent.

• Non-essential cookies

  • Legal basis: Consent (Art. 6(1)(a) GDPR). Analytics cookies only placed after explicit consent.

• Communication about updates/privacy

  • Legal basis: Legitimate interest to inform clients or contractual necessity.

• Data retention for legal claims

  • Legal basis: Legitimate interest or legal obligation (e.g., in case of disputes).

5. Data Retention
We retain personal data only as long as necessary, considering legal terms and purposes:

• Contact form data (without project): Up to 6 months after last contact, unless removed earlier on request.

• Project and client data: For the duration of the project and at least 7 years after completion (accounting, warranty, evidence).

• Billing data: At least 7 years per Dutch tax law.

• Analytics data: Retained according to Google Analytics settings (e.g., up to 14 months); thereafter anonymized or deleted.

• Cookie consent records: Stored as long as cookies are active or until consent is withdrawn.

• Model release and photography files: Retained per project agreements; then archived or deleted per policy agreements.

6. Rights of Data Subjects
Under the GDPR, individuals have the following rights:

• Right of access: Access to their personal data and information about processing.

• Right to rectification: Correct inaccurate or incomplete data.

• Right to erasure (“right to be forgotten”): Delete data when no longer needed or if processing is unlawful, unless retention obligation applies.

• Right to restriction of processing: Temporarily limit processing under certain conditions (e.g., disputing accuracy).

• Right to data portability: Receive their data in a structured, machine-readable format.

• Right to object: Object to processing based on legitimate interest or direct marketing.

• Right to withdraw consent: Withdraw previously given consent (e.g., analytics/newsletter), without affecting lawfulness prior to withdrawal.

• Right to lodge a complaint with supervisory authority: If they believe processing violates the law (Autoriteit Persoonsgegevens).
  Exercising rights:

• Send a request to info.jrcreativeamsterdam@gmail.com or call +31 633027855.

• We respond within one month (or extend if necessary, informing in time).

• Identity verification may be requested for security.

7. Cookies and Tracking Technologies
Our website shows a cookie-consent banner (via Google Sites/Webflow). We use:

• Essential cookies: Necessary for basic site functionality; no explicit consent needed.

• Analytics cookies (Google Analytics): _ga, _gid, _gat, etc.; ONLY placed after consent via banner. IP anonymization is enabled.

• No advertising or targeting cookies: Since there is no direct sales or ads on the site.
  Cookie management: Users can adjust preferences via the banner or delete cookies in their browser. Site functionality may be limited if essential cookies are blocked.
  Updates: When adding new features or external scripts, we update this section, update the “Last Updated” date, and request consent again if needed.

8. Contact Form Data
When you leave your name and email (and any additional info) via the contact form, we use these details to:

• Respond to your message.

• Prepare quotes.

• Communicate during (potential) projects.
  These details are securely stored (email or secured CRM) for up to 6 months if there’s no follow-up, or longer for a project (7 years for accounting). We do not share these details with third parties unless necessary for service (e.g., if you agree to sharing via cloud storage).

9. Third Parties and International Data Transfers
We use external services such as:

• Webflow/Google Sites hosting: for website hosting and form handling.

• Google Analytics: for anonymous site analytics.

• Email provider: for communication.

• (If applicable: cloud storage services for file exchange with clients.)
  These parties are engaged under Data Processing Agreements or comply with GDPR requirements. Data is ideally stored on EU servers; if outside the EU, it’s under appropriate safeguards (Standard Contractual Clauses or other mechanisms).

10. Security Measures
We take appropriate technical and organizational measures:

• Encryption in transit (HTTPS) and, where possible, encryption at rest.

• Access control: only authorized persons can access data.

• Regular software/platform updates.

• Secure deletion/archiving of data when no longer needed.

• Confidentiality agreements with any collaborators.

11. Data Breach Procedure
In case of a data breach posing risk to individuals, we follow the GDPR procedure:

• Notify the Autoriteit Persoonsgegevens within 72 hours (if applicable).

• If high risk to individuals, inform them directly.

• Investigate cause and take measures to prevent recurrence.

12. Privacy in Photography
For photography assignments:

• Consent / model release: We request explicit consent or a signed model release from persons in photos, specifying usage (portfolio, website, marketing).

• Storage and use: Images are securely stored during the agreed period; afterwards archived or deleted per agreements.

• Portfolio use: Only used with client consent and, if applicable, consent from photographed individuals. Confidential or sensitive projects are not published without explicit agreement.

13. Privacy of Children
Our site and services are not aimed at persons under 16. We do not knowingly collect data from minors. If data of a child under 16 is inadvertently collected without verifiable parental consent, we will delete it promptly. Contact us if you suspect this has occurred.

14. Changes to This Privacy Statement
We may update this privacy statement when our services, legal requirements, or practices change.

• Each update gets a new “Last Updated” date.

• For significant changes, we inform existing clients by email or a website notice.

• For ongoing projects, the version at project confirmation applies, unless a change directly affects processing that requires new consent.

15. How to Contact Us
For questions about this privacy statement or to exercise your rights:

• Email: info.jrcreativeamsterdam@gmail.com (subject: Privacy Question)

• Phone: +31 633027855

• Address: (Protected) Amsterdam, Netherlands
  We aim to respond within one month. You also have the right to file a complaint with the Autoriteit Persoonsgegevens if you believe our processing violates the GDPR.