
Privacy Policy

Effective: 7 May 2026 · Last reviewed: 26 May 2026 · Version: 1.1

On this page

  1. Who controls your data
  2. Scope of this policy
  3. What we collect
  4. Legal basis for processing
  5. How we use your data
  6. Third-party processors
  7. Cookies and analytics
  8. How long we keep your data
  9. International data transfers
  10. Your rights
  11. How to exercise your rights
  12. Security measures
  13. Children's data
  14. Changes to this policy
  15. Contact us

IVAE Studios is a luxury resort photography practice based in Cancún, México. We work with discerning travelers and we believe the same care we put into a session should apply to how we handle your information. This policy explains what we collect, why we collect it, who else handles it, and the rights you have over it.

01 Who controls your data

For the purposes of the European Union General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act 2018, the California Consumer Privacy Act (CCPA / CPRA), and México's Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), the data controller (the party that decides why and how your personal data is processed) is:

IVAE Studios
Trading name of the photographic practice operated by Vianey Díaz (Founder & Creative Director).
Cancún, Quintana Roo, México
Privacy contact: contact@ivaestudios.com
Website: ivaestudios.com

Where this policy says "we", "us" or "IVAE Studios", it refers to the entity above. Where it says "you", it refers to the visitor, prospective client, client, or gallery viewer reading the page.

02 Scope of this policy

This policy covers personal data we process in connection with:

  • The marketing website at ivaestudios.com and its Spanish mirror under /es/.
  • The client gallery sub-application at gallery.ivaestudios.com (and the equivalent path under the main domain).
  • Inquiries and bookings received by email, WhatsApp, Instagram direct message, or any contact form on the site.
  • Sessions we deliver in Cancún, the Riviera Maya, Tulum, Playa del Carmen, Playa Mujeres, Costa Mujeres, Isla Mujeres and Los Cabos.

It does not cover external services we link to (Instagram, third-party review platforms, resort websites). When you leave our domain, those services apply their own privacy policies.

03 What we collect

3.1 Information you give us directly

When you contact us by form, email, WhatsApp or any other channel we typically receive: your full name, your email address, your phone number, the proposed event date, the destination or resort name, the type of session (family, couples, wedding, proposal, etc.), the approximate group size, and any narrative context you choose to share. If you proceed to a booking we will additionally hold the contractual terms agreed between us and the dates that gallery delivery is due.

3.2 Information we collect automatically

When you browse the site our infrastructure receives standard HTTP request information: your IP address, an approximate geographic location derived from that IP, your user-agent string, the referring URL, the pages requested, the timestamp of each request, and language preference. This data is used to operate, secure and audit the site. Most of it is processed and discarded by Cloudflare's edge network within short retention windows (see Section 8).

3.3 Photo gallery access tokens

If you receive a private link to a delivered gallery, that link contains a randomly generated access token. The gallery system records the token, the time of viewing, the rough region of the request, and any download or favourites activity associated with the token, so that we can confirm successful delivery and pursue abuse if it occurs. The token only grants access to your own gallery; it does not identify you to the public.

3.4 Image content

The photographs we capture during a session naturally contain your image, the image of any people you bring, and the image of any third parties incidentally in frame. We treat the unedited and edited photographic catalogue from a session as personal data of the people depicted and we apply the retention and deletion rules in Section 8.

3.5 Information we do not collect

We do not knowingly collect government-issued identification numbers, financial account numbers, payment card numbers, social security numbers, passport numbers, biometric identifiers beyond ordinary photography, or special-category data as defined under GDPR Article 9 (such as health data, racial or ethnic origin, religious beliefs, or sexual orientation), unless you choose to volunteer such information in the course of telling us about a session, in which case we treat it with corresponding care.

04 Legal basis for processing

Under the GDPR and equivalent regimes we must have a lawful basis to process your personal data. Depending on the activity, we rely on one of the following:

Activity | Lawful basis
Replying to your inquiry | Steps taken at your request prior to entering into a contract (GDPR Art. 6(1)(b)).
Delivering a booked session and the resulting gallery | Performance of the contract between us (GDPR Art. 6(1)(b)).
Operating, securing and auditing the website | Our legitimate interest in running a safe website (GDPR Art. 6(1)(f)).
Optional analytics and measurement | Your prior, freely given consent (GDPR Art. 6(1)(a)).
Showing your finished session in our portfolio or social channels | Your separate written consent, requested at the time of booking and revocable at any time.
Tax, accounting and legal record-keeping | Compliance with our legal obligations (GDPR Art. 6(1)(c)).

For visitors located in México, the equivalent basis under the LFPDPPP is your tacit or express consent for ordinary personal data, or your express consent for any sensitive personal data, except where the law allows processing without consent (for example, to fulfil a contract or to comply with a legal duty).

05 How we use your data

We process the data described above for the following purposes only:

  • To answer your inquiry and prepare a tailored quote.
  • To plan and deliver your session, including travel, location scouting, scheduling, contracts, invoicing and gallery delivery.
  • To operate and secure the website, including detecting and mitigating abuse, denial-of-service attempts and bot traffic.
  • To improve the website experience based on aggregated, non-identifying analytics where you have opted in.
  • To send you transactional messages tied to your booking (confirmations, gallery readiness, schedule changes).
  • To meet legal, tax, accounting and dispute-resolution obligations.
  • To showcase finished work, only with your explicit and revocable permission.

We do not use your data for automated decision-making with legal or similarly significant effects, and we do not sell your personal data to anyone, ever (see Section 10).

06 Third-party processors

We are a small studio. To operate at the standard our clients expect, we rely on a short list of carefully chosen vendors who process personal data on our behalf, under written agreements that meet GDPR Article 28 requirements:

Provider | What it processes | Region
Cloudflare, Inc. | Website hosting (Cloudflare Pages), DNS, content delivery network, security filtering, gallery storage (R2) and database (D1). | United States, with global edge presence.
Google LLC | Optional Google Analytics / Tag Manager (only fired after your consent), Search Console for SEO diagnostics, and Google Workspace email for the contact@ivaestudios.com mailbox. | United States and EU.
WhatsApp Ireland Limited (Meta) | Messaging when you choose to contact us through the WhatsApp link on the site. | Ireland and United States.
Instagram (Meta Platforms) | Messaging and lead handoff when you reach us through the @ivaestudios.cancun handle. | Ireland and United States.
Stripe / bank rail of your choice | Payment processing for booking deposits and balances. We never store the card itself; we only retain the transaction reference and amount. | United States and Ireland.
Resend, Inc. | Transactional email delivery for the inquiry and intake forms on the site. Processes the name, email address, and message body you submit only for the purpose of routing that message to our inbox; does not use the data for marketing. | United States.
IVAE Marketing (sister practice) | Form-intake handling for inquiries about social-media management services (Instagram and TikTok content for hotels, restaurants, spas, dental clinics, and other Mexican luxury hospitality clients). Acts as data processor only for inquiries originating on IVAE Marketing landing pages; does not access photography client data. | Cancún, Quintana Roo, México.

IVAE Marketing is a related practice operated by the same founder (Vianey Díaz) under a separate commercial offering for social-media management. The two operations share a single privacy contact (contact@ivaestudios.com) but maintain independent client records: photography inquiries stay in the IVAE Studios book, marketing inquiries stay in the IVAE Marketing book, and neither side reads the other's intake unless you ask for both services explicitly.

We review these vendors at least annually. If we add a new processor that materially changes how your data is handled, we will update this policy and, where required, request fresh consent.

07 Cookies and analytics

The site uses two categories of client-side storage:

7.1 Strictly necessary

These keep the site functional. They include the language preference set when you switch between EN and ES, the dark-mode preference toggle, and short-lived security tokens issued by Cloudflare to mitigate abuse. We do not ask for consent for strictly necessary storage, because the site cannot reasonably operate without it.

7.2 Optional analytics

At present we do not run analytics, measurement scripts, marketing pixels, or advertising identifiers on this site. The site loads no Google Analytics, no Google Tag Manager, no Facebook pixel, and no Cloudflare Web Analytics beacon. Because of that, there is no consent banner to dismiss: the default and only state is no tracking. If we later choose to enable any optional analytics, we will (a) update this policy with the specific tool and purpose, (b) request your prior, freely given consent through a clearly labelled banner before any tag fires, and (c) keep the declined state as the default. You can always withdraw consent in the future by clearing your browser storage for ivaestudios.com or by emailing us.

We do not run third-party advertising trackers, retargeting pixels, or social-media engagement pixels on the marketing pages.

08 How long we keep your data

We hold personal data only as long as we have a clear, lawful reason to do so:

  • Inquiry messages: up to 24 months from the last meaningful contact, then archived or deleted.
  • Contractual records (signed agreement, invoice, payment reference): five years from the end of the calendar year in which the session occurred, in line with Mexican tax record-keeping obligations.
  • Gallery access tokens and viewer logs: until the gallery's stated expiry, plus 30 days for audit, after which the token is revoked and the access log is purged.
  • High-resolution session catalogue: up to 12 months after delivery, then archived to encrypted offline storage. After three additional years offline, the archive is deleted unless you have asked us to keep a longer-term backup.
  • Server access logs at the Cloudflare edge: short rolling windows controlled by Cloudflare's own retention policy, typically days, not months.
  • Marketing emails (if you opt in): until you unsubscribe, which you can do at any time from any of those emails.

09 International data transfers

IVAE Studios is established in México. Several of our processors are headquartered in the United States or the European Union. Where personal data leaves your country of residence (for example, when an EU visitor's request is served from a Cloudflare data centre in the United States, or when an inquiry email travels through Google's mail servers) we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. You may request a copy of the relevant transfer mechanism by writing to contact@ivaestudios.com.

10 Your rights

Depending on where you are located, you have some or all of the following rights. We will honour them regardless of which legal regime technically applies to you, on the principle that good practice should not depend on the strongest available enforcement.

10.1 Under the GDPR (European Economic Area, United Kingdom)

  • Right of access: to obtain a copy of the personal data we hold about you.
  • Right to rectification: to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): to ask us to delete data we no longer have a legitimate reason to hold.
  • Right to restrict processing: to ask us to pause processing while a complaint is investigated.
  • Right to data portability: to receive a structured, machine-readable copy of data you have provided to us.
  • Right to object: to processing based on legitimate interests, including any direct-marketing use (we do not currently run direct-marketing campaigns).
  • Right to withdraw consent: at any time, where processing is based on consent.
  • Right to lodge a complaint with your local supervisory authority. Within the EU you can locate yours through the European Data Protection Board's directory.

10.2 Under the CCPA / CPRA (California)

  • Right to know the categories and specific pieces of personal information collected, sources, business purposes and third parties with whom it has been shared.
  • Right to delete personal information, subject to specific exceptions in the statute.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. We do not sell personal information and do not engage in cross-context behavioural advertising.
  • Right to non-discrimination for exercising any of the above rights.

10.3 Under the LFPDPPP (Derechos ARCO, México)

  • Acceso: to know what data we hold and how we use it.
  • Rectificación: to correct inaccurate or outdated data.
  • Cancelación: to ask that data be deleted from our active records once it is no longer needed.
  • Oposición: to object to specific uses of your data.
  • You may also revoke any consent previously given, and may file a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).

11 How to exercise your rights

To exercise any of the rights in Section 10, please write to contact@ivaestudios.com from the email address you used to contact us, with the subject line "Privacy request" and a brief description of what you would like us to do.

For ARCO requests under the LFPDPPP, please include: your full name and reliable contact details, a clear description of the right you wish to exercise, and any documents that help us locate your data (for example, the date of your inquiry or the resort name). We may need to verify your identity before acting on the request, in line with the law.

We aim to acknowledge every privacy request within five (5) business days and to provide a substantive response within thirty (30) days. Where the request is complex or numerous, we may extend by an additional thirty (30) days and will tell you why. There is no fee for a reasonable request; if requests become manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or to refuse, and we will explain that decision in writing.

12 Security measures

We take the security of your data seriously and apply technical and organisational measures appropriate to a small studio handling sensitive imagery:

  • Encryption in transit (HTTPS / TLS 1.2+) on every page of the site, the gallery and the contact channels we control.
  • Encryption at rest for stored files and database records on Cloudflare R2 and D1.
  • Strict, named-individual access to the inquiry mailbox, the booking calendar and the photo archive.
  • Two-factor authentication on the email account, the website hosting account and the photo-archive account.
  • A written incident-response procedure: we will notify affected users without undue delay, and within 72 hours where required by GDPR, of any breach likely to result in a risk to your rights and freedoms.
  • Regular review of vendor security posture and prompt action when issues are reported.

No system is perfectly secure. If you believe your account or your gallery has been compromised, please email contact@ivaestudios.com immediately and we will investigate as a priority.

13 Children's data

Our website and our services are directed at adults, typically the parent or partner organising a session. We do not knowingly collect personal data directly from children under sixteen (16). When children appear in a family or wedding session, we rely on the explicit consent of the parent or legal guardian who has booked the session, and we apply enhanced caution before any of those images are used in our portfolio or social media.

If you are a parent or guardian and you believe your child has provided personal data to us without your consent, please contact contact@ivaestudios.com and we will delete the relevant data without delay.

14 Changes to this policy

We may update this policy to reflect changes in our practice, in our vendor stack, or in applicable law. When we do, we will update the "Effective" and "Last reviewed" dates at the top of the page and, for material changes, we will notify clients with active bookings by email and post a notice on the homepage for at least thirty (30) days. Continued use of the site after the new effective date constitutes acceptance of the updated policy.

Earlier versions of this policy are kept on file. If you would like a copy of the version that was in force at a given time, ask us in writing.

15 Contact us

For any privacy question, request, complaint or concern please write to:

IVAE Studios, Privacy
Vianey Díaz, Founder & Creative Director
Email: contact@ivaestudios.com
Cancún, Quintana Roo, México

We treat every privacy message as a priority, even if it is the only message we ever exchange. You are not bothering us by asking; you are helping us run a better studio.
