Skip to content
Trust

GDPR & NDPA

Draft · last updated June 10, 2026

This is a working draft pending legal review. It explains in plain language how Piczel works, not the final binding document.

Photographers on Piczel serve clients in Nigeria, the EU, the UK, and beyond. This page explains how the platform supports your obligations under the GDPR and the Nigeria Data Protection Act, and where the formal commitments live.

1. Our commitment

Piczel is built for photographers in Nigeria, Europe, and everywhere else, so data protection is designed in rather than bolted on. This page summarizes how we support compliance with the EU and UK General Data Protection Regulation (GDPR) and the Nigeria Data Protection Act 2023 (NDPA). Our Privacy Policy and Data Processing Addendum are the operative documents.

2. Controller and processor

For your own account data, Piczel is the controller. For the personal data of your clients that you put into Piczel (gallery visitors, booking contacts, the people in your photographs), you are the controller and we are your processor, acting only on your instructions. This split matters: it means your client list is yours, and our obligations to you are written down in the DPA.

3. Your obligations as a photographer

Both the GDPR and the NDPA put the primary duties on the controller, which is you. In practice that means:

  • Have a lawful basis for collecting and sharing your clients' data, usually your contract with them or their consent.
  • Tell your clients how you handle their data, for example in your booking terms or a short privacy notice.
  • Collect consents or releases your law requires before publishing or selling images of people.
  • Honour your clients' requests about their data, using the tools Piczel provides.

4. How Piczel helps you comply

The product gives you the controls these laws expect:

  • Export of your galleries, client records, and documents, so data portability is a button, not a project.
  • Deletion that actually deletes, with a 30-day trash window and scheduled purge of caches and backups.
  • Access controls per gallery (passwords, expiry, download permissions) and per team member (roles).
  • A Data Processing Addendum that covers processing details, sub-processors, and breach notification.

5. Data subject rights

When a client exercises a right (access, correction, deletion, portability, objection), you can handle most requests directly from your dashboard. If a request reaches us instead, we redirect the person to you and let you know. Where the platform itself needs to act, we assist without undue delay.

6. Sub-processors and international transfers

We use vetted sub-processors to run the service and rely on appropriate safeguards, such as standard contractual clauses and mechanisms recognized under the NDPA, for any cross-border transfers. The current list and the notice-and-objection process are in our Data Processing Addendum.

7. Security and breach notification

We maintain security measures appropriate to the risk (encryption, signed media delivery, role-based access, backups) and will notify you without undue delay if we become aware of a personal-data breach affecting your data, with enough detail for you to meet your own obligations to authorities such as the NDPC, the UK ICO, or your EU supervisory authority.

8. Supervisory authorities

If you or your clients have concerns we cannot resolve, the relevant authorities include the Nigeria Data Protection Commission (NDPC) in Nigeria, the Information Commissioner's Office (ICO) in the UK, and the data-protection authority of the relevant member state in the EU.

9. Contact

For data-protection questions, our sub-processor list, or a signed DPA, email [email protected].