GDPR & Your Privacy Rights
This page explains how MedellinModeling.com complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the rights available to individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland. Our full Privacy Policy covers all users; this page focuses specifically on GDPR obligations and the rights of EU data subjects.
1. Data Controller
MedellinModeling.com acts as the data controller for personal data processed through this platform. This means we determine the purposes and means by which your personal data is processed.
MedellinModeling.com
Email: [email protected]
We have not appointed a formal Data Protection Officer (DPO) as we are a small platform that does not carry out large-scale systematic monitoring or process special category data as a core activity. For all data-related inquiries, contact us directly at the address above.
2. Personal Data We Collect
2.1 Account data
When you register, we collect:
- Username, email address, and hashed password;
- Account type (model or photographer) and role;
- Display name, biographical text, and location (if provided);
- Physical measurements such as height and clothing sizes (models, if provided);
- Portfolio photographs and work-sample images you upload;
- Day rate and availability (if provided).
2.2 Usage data
When you visit the platform we automatically collect:
- IP address (used to derive approximate country and city);
- Browser type, operating system, and device category;
- Pages visited, time spent on each page, and session duration;
- Referring URL (the website that sent you to us).
This data is collected by our own first-party tracking system. We do not use Google Analytics or third-party advertising trackers.
2.3 Communications
If you send us a message via the contact form or in-platform messaging, we store the content of that communication together with your name and email address.
2.4 Special category data
Under GDPR, photographs that reveal racial or ethnic origin are considered special category data (Article 9). By uploading photographs to your public profile you explicitly consent to the processing of any such data for the purpose of operating your public portfolio. You may withdraw this consent at any time by deleting your photos or requesting account deletion.
3. Legal Basis for Processing
We rely on the following lawful bases under Article 6 GDPR:
- Contract (Art. 6(1)(b)): processing necessary to provide the service you signed up for — authentication, profile display, messaging, photo hosting, and moderation.
- Legitimate interests (Art. 6(1)(f)): first-party analytics to understand how the platform is used and to improve it, fraud prevention, and platform security. We have balanced these interests against your rights and concluded they do not override them.
- Legal obligation (Art. 6(1)(c)): where we are required to retain data to comply with applicable law (e.g., tax, fraud investigation).
- Explicit consent (Art. 9(2)(a)): for special category data (photographs) as described in Section 2.4 above.
4. How We Use Your Data
- To create and maintain your account and public profile;
- To display your portfolio to photographers or models browsing the platform;
- To send transactional emails (account verification, password reset, admin replies);
- To moderate uploaded content for compliance with our content standards;
- To analyse aggregate usage patterns and improve the platform;
- To detect and prevent abuse, fraud, and unauthorised access;
- To respond to your messages and support requests.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
5. Data Retention
- Account data: retained for as long as your account is active. On deletion, your public profile and photos are removed within 30 days. Certain records (e.g., moderation logs) may be retained for up to 12 months.
- Analytics data: anonymised visitor sessions are retained for up to 24 months, after which they are purged.
- Contact messages: retained for up to 36 months to maintain a record of support interactions.
- Backups: encrypted backups are rotated on a rolling 30-day cycle.
6. International Data Transfers
MedellinModeling.com is hosted on servers located in the United States. If you are accessing the platform from the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States, which does not have an adequacy decision from the European Commission for all transfers.
We rely on Standard Contractual Clauses (SCCs) issued by the European Commission to ensure an adequate level of protection for your data when it is transferred outside the EEA. By using the platform you acknowledge this transfer. You may request a copy of our SCCs by emailing us at [email protected].
7. Cookies & Tracking
We use the following types of storage:
- Session cookie (strictly necessary): a secure, HTTP-only session cookie to keep you logged in and protect against CSRF attacks. This cookie is essential to the platform and cannot be disabled without breaking core functionality.
- Preference cookie: a small cookie to remember your chosen theme (light/dark) and language preference.
- First-party analytics beacon: a lightweight script that records page views and session data described in Section 2.2. No third-party cookies are set by this system.
We do not use advertising cookies, Facebook Pixel, Google Tag Manager, or any cross-site tracking technology.
8. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
Right of access (Art. 15)
You may request a copy of all personal data we hold about you, including the purposes for which it is processed, the categories of data held, and who it has been shared with.
Right to rectification (Art. 16)
You may request correction of any inaccurate or incomplete personal data. Most profile data can be updated directly via your account settings.
Right to erasure — "right to be forgotten" (Art. 17)
You may request deletion of your personal data. We will honour this request where we are not required to retain data by law. Deleting your account removes your public profile and all associated photos.
Right to restriction of processing (Art. 18)
You may request that we restrict the processing of your data in certain circumstances — for example, while a rectification request is being assessed.
Right to data portability (Art. 20)
You may request a structured, commonly used, machine-readable copy of the personal data you provided to us (e.g., your profile data and uploaded photos).
Right to object (Art. 21)
You may object to processing based on our legitimate interests (e.g., analytics). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to withdraw consent (Art. 7(3))
Where processing is based on consent (including consent to process special category data such as photographs), you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Right not to be subject to automated decisions (Art. 22)
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
To exercise any of these rights, email us at [email protected] with the subject line "GDPR Rights Request". We will respond within 30 days. We may ask you to verify your identity before fulfilling the request.
9. Right to Lodge a Complaint
If you believe we have not handled your personal data in compliance with GDPR, you have the right to lodge a complaint with your national data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
UK residents may contact the Information Commissioner's Office (ICO). Swiss residents may contact the Federal Data Protection and Information Commissioner (FDPIC).
We would, however, appreciate the chance to address your concerns before you contact a supervisory authority — please reach out to us first.
10. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- HTTPS encryption for all data in transit;
- Bcrypt hashing of passwords (never stored in plaintext);
- Photo storage outside the public web root with access-controlled serving;
- CSRF protection on all state-changing requests;
- Rate limiting on authentication and submission endpoints;
- Regular encrypted backups.
No system is completely secure. If you discover a security vulnerability please report it responsibly to [email protected].
11. Changes to This Page
We may update this GDPR page when our practices change or when required by law. The effective date at the top will be updated accordingly. For material changes we will notify registered users by email.
12. Contact Us
For any questions about this page, to exercise your rights, or to make a data subject access request:
MedellinModeling.com
Email: [email protected]
Subject line: GDPR Rights Request