ProofProtectLog in

Privacy Policy

Last updated: 9 July 2026

This Privacy Policy explains how GuardedContent Pty Ltd ([ABN: 46 688 024 535]), trading as ProofProtect (“we”, “us”, “our”), handles personal information when you use the ProofProtect websites, applications, and services (the “Services”). We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and — where they apply — the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).

1. Our role: controller and processor

ProofProtect serves two groups of people, and our role differs for each:

  • Customers (photographers and studios) — we are the controller of the personal information we collect to provide them an account, billing, and support.
  • End Users(a Customer’s clients, gallery viewers, and buyers) — when a Customer uploads or collects personal information through the Services, the Customer is the controller of that information and ProofProtect acts as a processoron the Customer’s behalf. If you are an End User, please direct privacy requests about a Gallery to the relevant Customer (the photographer or studio); we will assist them as needed.

Accounts created for you by a photographer

If a photographer wants to share a gallery with you, they enter your email address and we create a ProofProtect account on their instruction, then email you a temporary password. We did not obtain your email from you, so that first email also tells you who set the account up, why, and how to have it deleted. The photographer is the controller of your information; we only process it on their behalf, and we never use your email address for our own marketing.

You will be asked to accept these terms the first time you sign in, and we record that acceptance. The same account works across every photographer who shares a gallery with you — each studio sees only its own galleries and its own notes about you. If you never sign in, we delete the account and everything attached to it after 180 days. You can ask us or the photographer to delete it sooner at any time.

2. Information we collect

  • Account information — name, email address, password (hashed), organisation details, and profile or branding settings.
  • Billing information — plan, transaction history, and tax details. Card payments are processed by Stripe; we receive limited details (such as the card brand and last four digits) but do not store full card numbers.
  • Content and metadata — photographs and other media you upload, along with associated metadata (such as file names, capture information, and Gallery settings), stored using Cloudflare R2.
  • End-User information— names, email addresses, and activity (such as Gallery views, selections, and purchases) provided or generated when End Users access or buy through a Gallery. When anyone (including a visitor without an account) views a Gallery, we record visit telemetry on the Customer’s behalf: IP address, browser and device type, a device label, viewing duration, and content-protection events (such as attempted screenshots, screen recording, or unauthorised asset access). This telemetry operates the Gallery’s security features and is made available to the Customer whose Gallery it is; we process it as their processor.
  • Single sign-on data — where SSO/SAML is configured, we receive identity attributes (such as email and name) from your identity provider.
  • Device and usage data — IP address, browser and device type, log data, and security and access events (including audit logs).
  • Support and communications — messages you send us, including via our in-product chat (Intercom).
  • Cookies and similar technologies — see the Cookies section below.

3. How and why we use information

We use personal information to provide, secure, and improve the Services, including to: create and manage accounts; deliver and protect Galleries; process payments and payouts; provide support; send service and transactional messages; detect and prevent fraud, abuse, and security incidents; comply with legal obligations; and, where permitted, send product updates you can opt out of.

Lawful bases (GDPR/UK GDPR). Where the GDPR applies, we rely on: contract (to provide the Services you request); legitimate interests (to secure, maintain, and improve the Services, and for limited marketing, balanced against your rights); consent (for non-essential cookies and certain communications, which you may withdraw); and legal obligation (for tax, accounting, and compliance).

4. Cookies and tracking

We use essential cookies required to operate the Services (for example, authentication, security, and remembering your cookie choices). Our only non-essential cookies are the functional support-chat cookies set by Intercom, and they are set solely with your consent: the Intercom messenger does not load until you accept it via the consent banner or the “Cookie preferences” controls linked in our footer, where you can also withdraw consent at any time. We honour the Global Privacy Control (GPC) signal — when your browser sends it and you have not yet made a choice, we default to essential cookies only. We use no advertising or analytics cookies. See our Cookie Policy for the full list.

5. How we share information

We do not sell personal information. We share it only as needed to run the Services:

  • Service providers (sub-processors) who process data on our behalf under contract;
  • Customers, where you are an End User of their Gallery;
  • Professional advisers, acquirers, and authorities, where required for corporate transactions, legal compliance, or to protect rights and safety.

Our key sub-processors include:

ProviderPurpose
StripePayment processing and marketplace payouts
Cloudflare (incl. R2)Content storage, delivery, and security
ResendTransactional and notification email
IntercomIn-product support and messaging
Cloud hosting providerApplication hosting and infrastructure

The full, current register — including locations and the personal data involved — is published at /legal/subprocessors.

6. International data transfers

We are based in Australia, and our providers may process data in Australia, the United States, the European Union, and elsewhere. Where we transfer personal information across borders (including from the EU/UK), we take reasonable steps to ensure it is protected, relying on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum) where required.

7. Data retention

We retain personal information for as long as needed to provide the Services, comply with legal, tax, and accounting obligations, resolve disputes, and enforce our agreements. When information is no longer required, we delete or de-identify it. Customer Content is retained while an account is active and for a limited period afterward, subject to the Terms of Service.

8. Security

We use technical and organisational measures appropriate to the risk, including encryption in transit, access controls, audit logging, and content-protection features such as DRM and watermarking. No system is completely secure, and we cannot guarantee absolute security; please see the content-protection disclaimer in our Terms of Service.

9. Your privacy rights

Australia (APPs)

You may request access to, and correction of, the personal information we hold about you. We will respond within a reasonable time. If you are dissatisfied with how we handle your information, you may complain to us and, if unresolved, to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

European Union and United Kingdom (GDPR)

Where the GDPR applies, you have rights to access, rectify, erase, restrict, and object to processing of your personal information, and to data portability. Where we rely on consent, you may withdraw it at any time. You may also lodge a complaint with your local supervisory authority. If we are required to appoint an EU/UK representative under Article 27, their contact details will be published here: [EU/UK representative — to be appointed].

California (CCPA/CPRA)

If you are a California resident, you have rights to know, access, delete, and correct your personal information, and to opt out of the sale or sharing of personal information and of certain targeted advertising. We do not sell personal information. We will not discriminate against you for exercising your rights, and we aim to honour Global Privacy Control (GPC) signals where applicable.

To exercise any of these rights, contact us at support@guardedcontent.com.au. We will verify your request and respond within the timeframes required by applicable law. If you are an End User, requests relating to a specific Gallery should be directed to the relevant Customer (controller); we will assist them.

10. Children’s privacy

The Services are not directed to children, and accounts are intended for users aged 18 and over. Customers may, however, photograph or upload Content depicting children with appropriate consent of a parent or guardian; Customers are responsible for obtaining that consent. We do not knowingly collect personal information directly from children. If you believe a child has provided us personal information, contact us and we will take appropriate steps to delete it.

11. Data breach notification

We maintain procedures to detect and respond to data breaches. Where an eligible data breach is likely to result in serious harm, we will notify affected individuals and the OAIC as required under the Notifiable Data Breaches scheme. Where the GDPR applies, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a qualifying breach.

12. Customers as controllers

Where we process End-User personal information on a Customer’s behalf, we do so under the Customer’s instructions and our agreement with them. Customers who require a data processing agreement (DPA) for GDPR or similar compliance can review our template at /legal/dpa and execute it by emailing support@guardedcontent.com.au. Our sub-processor register is published at /legal/subprocessors.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or in-product notice). The “Last updated” date at the top reflects the latest revision.

14. How to contact us

For privacy questions, requests, or complaints:

GuardedContent Pty Ltd trading as ProofProtect
GuardedContent Pty Ltd Suite #1038 79-83 Longueville Road Lane Cove, NSW 2066
[ABN: 46 688 024 535]
support@guardedcontent.com.au

© 2026 GuardedContent Pty Ltd · trading as ProofProtect · v0.3.4
Cookies

We use essential cookies to run this site, and — only with your consent — a support-chat cookie (Intercom). See our Cookie Policy.