Skip to content
Charmaine JamesPhotography
WorkAboutExperiencePlan a session
Menu
WorkAboutExperiencePlan a session

Privacy notice · New Zealand

Privacy

This notice explains how personal information is handled across the website, enquiries, bookings, photography services and electronic rights agreements. It is written for the Privacy Act 2020 and does not reduce any rights you have under applicable law.

Who is responsible

The collecting and holding agency is Charmaine James, trading as Charmaine James Photography in New Zealand. Charmaine is also the privacy officer. The business contact address for privacy notices, requests and questions is privacy@cjamesphotography.co.nz. If a postal address is needed for a formal request, ask by email and it will be provided securely.

What is collected directly

Depending on your interaction, this may include your name, email, phone number, preferred contact method, booking and calendar details, session people, location and timing, photography brief, correspondence, invoices and payment status, delivered image and gallery records, and information you include in an enquiry. Please provide only information reasonably needed for the service and do not send payment-card details or sensitive information by ordinary email.

Information received from someone else

A client, parent, guardian, organiser or other authorised contact may provide information about a person who will be photographed. From 1 May 2026, Information Privacy Principle 3A requires reasonable steps to tell that person about an indirect collection as soon as reasonably practicable, unless a lawful exception applies or they have already been properly informed. The notice will identify the collection, purpose, intended recipients, collecting and holding agency, any legal requirement, and access and correction rights. Providing another person's information does not by itself prove authority or grant image-use permission.

What is required, and what is optional

A name, reliable contact details and essential session information are generally required to answer an enquiry or provide a service; without them, a booking may not be possible. Contract, identity, guardian-authority and signing evidence may be required where an agreement or image permission is needed. Portfolio, social-media, advertising, editorial and third-party image permissions are separate and optional unless the specific commissioned purpose clearly requires that use. Declining an optional permission does not turn it into a condition of an unrelated service.

Agreements, permissions and signing evidence

A rights record may contain the adult participant's or guardian's name and email, their relationship and authority declaration, the subject's name and an appropriate age or age band, a minor's assent response, each permission granted or refused, restrictions, the agreement text and version, a tamper-evident content digest, typed name, drawn signature representation, date and time, link status, withdrawal or expiry history, and an audit trail. A one-way digest of limited browser information may be retained as supporting signing evidence. The rights ledger does not intentionally store a raw IP address, and a signing link alone is not treated as consent.

Why information is used

Information is used to respond to enquiries; arrange consultations and sessions; prepare, perform and administer the photography service; deliver images; manage invoices; record the exact scope of image rights and consent; honour restrictions, withdrawals and privacy requests; maintain business, tax and insurance records; prevent misuse; secure the website and studio systems; and establish, exercise or defend legal rights. It is not sold or used for unrelated behavioural advertising.

Children and young people

Collection is kept proportionate to the photography purpose. A parent or legal guardian may need to confirm their identity, relationship and authority. Where age and maturity make it appropriate, the young person's views and affirmative assent are recorded in clear language as well. A guardian's signature is not used to ignore a capable young person's objection. Public or promotional use requires the relevant, specific permission; an enquiry or attendance at a session is not publication consent.

Providers and intended recipients

Cloudflare provides website delivery, security, domain and email routing, restricted administrator access, and hosted rights-ledger storage. Email routed for the business is delivered to Google Gmail. If you choose the online scheduling option, Calendly processes the details needed to arrange the meeting and may sync them with Google Calendar. Only information needed for that function is supplied. Information may also be shared with a professional adviser, insurer, regulator, court or enforcement body when reasonably necessary and lawful. Service-provider terms do not transfer Charmaine James Photography's responsibilities under New Zealand privacy law.

Overseas processing and disclosure

Cloudflare, Google and Calendly may process or store information in countries outside New Zealand. Before a cross-border disclosure, reasonable steps are taken to determine whether Information Privacy Principle 12 applies and, where it does, to use an applicable legal basis and comparable safeguards. This may include confirming that the recipient is subject to the Privacy Act or comparable law, or using enforceable contractual protections. If comparable protection cannot be established and authorisation is the available basis, the person will first be expressly told that the overseas recipient may not provide comparable safeguards.

Website data, cookies and logs

The public website does not currently use advertising pixels or first-party behavioural analytics. Cloudflare may process network data such as an IP address, request time, browser details and security signals in short-lived delivery and security logs, and may set cookies that are strictly necessary for security or session functions. The restricted studio area uses Cloudflare Access authentication. If analytics or non-essential cookies are introduced later, this notice and any consent controls will be updated before they are used where consent is required.

Security and privacy breaches

Safeguards appropriate to the information and risk include encrypted transport, limited administrator access, expiring single-use signing links, storage of link digests rather than reusable link secrets, tamper-evident rights events, software maintenance and access review. No internet service can promise absolute security. Suspected incidents are contained, assessed and documented; the Office of the Privacy Commissioner and affected people will be notified where a breach has caused, or is likely to cause, serious harm as required by law.

How long information is kept

Retention is based on purpose rather than keeping everything indefinitely. Enquiries that do not become bookings are normally removed within 12 months of the last meaningful contact. Routine booking correspondence is normally kept for up to 24 months after the service ends. Unselected proofs and working exports are normally removed within 12 months after final delivery; delivered photographs and associated metadata are normally kept for up to 7 years for archive, replacement delivery and rights administration, unless a different period is agreed or continuing lawful use requires the record. Tax and financial records are normally kept for 7 years. Agreements, permissions, refusals, signatures and audit evidence are kept for the life of the relevant permission or use, then normally 7 further years. Routine security logs are normally kept for 30 to 90 days. A dispute, complaint, legal hold, safeguarding concern or statutory requirement may justify longer retention. Information is then securely deleted or de-identified where reasonably practicable, with backup copies expiring on their normal protected cycle.

Access and correction

You may ask whether personal information is held about you, request a copy, or ask for a correction by emailing privacy@cjamesphotography.co.nz. Include enough detail to locate the record. Reasonable identity verification may be requested and then discarded when no longer needed. A decision will be made as soon as reasonably practicable and no later than 20 working days, unless the Privacy Act permits an extension; any extension or lawful refusal will be explained. If a requested correction is not made, you may ask for your statement of correction to be attached to the record.

Withdrawing permission and objecting

You may withdraw an optional marketing or image-use permission at any time through the privacy email. A guardian may make a request for a child within their authority, and a young person's own views will be considered. The rights record will be updated and future optional use stopped where the agreement and law require. A withdrawal is generally prospective: it cannot undo a use already lawfully made, require deletion of records that must lawfully be retained, or by itself cancel separate contractual obligations.

If you are outside New Zealand

This is a New Zealand-first notice, not a claim that one notice satisfies every privacy regime worldwide. Where a mandatory overseas law applies to a particular interaction, its additional rights and duties will be addressed. For example, if the EU or UK GDPR applies, processing may rely on steps requested before a contract, performance of a contract, legal obligations, consent for genuinely optional publication, or proportionate legitimate interests such as security and rights administration. Applicable rights may include erasure, restriction, objection, portability and a complaint to the relevant supervisory authority, subject to lawful limits. Contact the privacy officer so the correct local supplement can be considered.

Questions and complaints

Please raise a concern first with the privacy officer at privacy@cjamesphotography.co.nz, so it can be investigated and answered. If it is not resolved, you can complain to the New Zealand Office of the Privacy Commissioner through privacy.org.nz. You may also have a right to complain to an applicable overseas regulator. This notice supplements, and does not replace, session-specific contracts and rights agreements.

Version 1.0 · Effective and last updated 19 July 2026.

Return home →