Privacy Policy

1. Who we are

Three Chapters (“we”, “us”, “our”) is a wedding CRM product designed for solo photographers and other wedding professionals. The service is operated by Three Chapters Ltd, a company registered in England and Wales.

Our registered address is: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

For data privacy enquiries, contact us at privacy@threechapters.app.

For the purposes of UK GDPR and the Data Protection Act 2018, Three Chapters Ltd is the data controller for photographer account data. For EU residents, we are also subject to EU GDPR Regulation 2016/679.

2. Two different roles

If you are a photographer (account holder)

You have a direct relationship with Three Chapters. You signed up, you pay a subscription, and you use the platform to run your business. We are the data controller for the personal information you provide to us — your name, email, business details, financial data, and so on.

This means we decide what data to collect from you and why, and we are directly responsible for your rights under applicable privacy law.

If you are a couple (end user)

Your photographer chose to use Three Chapters to manage their business. Your photographer is the data controller for your personal information — they decided to collect it from you and store it in our system. Three Chapters acts as their data processor, meaning we store and process your data only on the photographer’s instruction, not for our own purposes.

For most privacy requests — such as accessing or deleting your information — you should contact your photographer in the first instance. They are legally responsible for responding to those requests. We will always cooperate with photographers to help them fulfil their obligations to you.

There are two situations where you interact with Three Chapters directly, which we explain in detail in sections 7 and 8 below:

• The client portal, where you view proposals, sign contracts, and fill in questionnaires sent by your photographer.
• Booking forms, where you browse, select, and pay for session types directly on your photographer’s public booking page.

3. What data we collect

Photographer account data

When you sign up and use Three Chapters, we collect information you provide directly:

• Identity — Name and email address
• Business — Business name, address, phone number, and website URL
• Branding — Logo, brand colours, and hero images used in your proposals and client-facing pages
• Financial — Revenue, invoice, and booking data you enter; VAT registration number (if applicable); subscription billing details (managed securely by Stripe — we never see full card numbers)
• Usage — Log data, session information, and in-app activity generated when you use the platform

Couple / client data (stored on behalf of photographers)

When photographers use Three Chapters to manage their clients, the following couple data may be entered into the system — either by the photographer directly or by you through a booking form or client portal:

• Contact details — Names (both partners), email address, and phone number
• Address — Postal address
• Wedding details — Wedding date, venue name and address, budget, and session type
• Correspondence — Messages, notes, and questionnaire responses
• Documents — Signed contracts, invoice records, and any files shared through the portal
• Payment data — Payment status and amounts (card processing is handled entirely by Stripe; Three Chapters never receives or stores card numbers)
• Engagement data — Proposal page views, approximate time spent on each section, and add-on interactions (see section 7 for details)

Data collected automatically

When you use our website or applications, we automatically collect limited technical data:

• Log data — IP address, browser type, operating system, pages visited, and timestamps — retained for 90 days for security purposes
• Session data — Authentication tokens that keep you logged in (strictly necessary; no consent required)

We do not use third-party analytics platforms, advertising trackers, or any cookies beyond those strictly necessary to run the service.

4. How we use your data

We use the data we collect only for the purposes described below. We do not sell personal data to third parties. We do not use personal data for advertising, profiling, or any purpose unrelated to delivering the Three Chapters service.

For photographers

• Providing and maintaining the Three Chapters service, including enquiry management, booking tracking, proposals, invoicing, and client communications
• Processing your subscription payments and generating VAT-compliant invoices for your account
• Sending transactional emails such as account confirmations, password resets, invoice receipts, and service notifications
• Powering AI-assisted features such as email draft suggestions — your content is sent to our AI provider only when you actively use this feature, and it is not used to train AI models
• Sending product updates, tips, and marketing communications where you have opted in (you can unsubscribe at any time)
• Improving the service through aggregated, anonymised usage analysis (individual photographers are never identified in this analysis)
• Responding to support requests and resolving disputes
• Complying with our legal obligations, including financial record-keeping

For couples

• Enabling your photographer to manage their relationship with you — storing your enquiry, booking, correspondence, and documents
• Delivering the client portal experience — displaying proposals, contracts, invoices, questionnaires, and the wedding-day timeline your photographer has prepared for you
• Processing payments made through your photographer’s booking form (via Stripe)
• Sending transactional emails on your photographer’s behalf, such as booking confirmations and invoice reminders
• Providing your photographer with engagement signals (see section 7) so they can follow up at the right time

5. Lawful bases for processing

Under UK GDPR and EU GDPR, we must have a lawful basis for every type of processing. Here is how we justify the data processing we carry out:

Contract performance (Article 6(1)(b))

Processing your photographer account data is necessary to provide the service you have signed up and paid for. Without this, we cannot create your account, process payments, or deliver the CRM features.

Legal obligation (Article 6(1)(c))

We retain financial records for seven years to meet our obligations under UK tax law. We may also process data to comply with other legal requirements, including responding to court orders or regulatory investigations.

Legitimate interests (Article 6(1)(f))

We rely on legitimate interests for the following processing activities. In each case, we have assessed that our interests (or the photographer’s interests) are not overridden by individuals’ rights and freedoms:

• Processing couple data on behalf of photographers, to deliver the CRM service they have contracted for. Couples reasonably expect their photographer to use business software to manage bookings.
• Proposal engagement tracking — helping photographers understand whether couples have viewed their proposals, so they can follow up at the right time. The tracking is limited, disclosed clearly in the portal, and directly benefits the couple by enabling a more timely and relevant response.
• Security logging and fraud prevention — retaining IP addresses and technical logs for 90 days to detect abuse.
• Service improvement — anonymised, aggregated analysis of how the platform is used, with no individual profiling.
• Support and dispute resolution — retaining correspondence to resolve any issues that arise.

Consent (Article 6(1)(a))

We send marketing emails only where you have given explicit consent at the point of registration or through a separate opt-in. You can withdraw consent at any time using the unsubscribe link in any marketing email, or by emailing us at privacy@threechapters.app. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.

6. Our role as a data processor (for couples’ data)

When photographers store their clients’ information in Three Chapters, we act as a data processor under Article 28 of UK GDPR and EU GDPR. The photographer is the data controller: they decide what data to collect from their couples and why, and they are responsible for having their own lawful basis to do so.

As a data processor, Three Chapters commits to:

• Processing couple data only on the documented instructions of the photographer (i.e. to provide the CRM service), and not for any other purpose
• Ensuring that our staff and sub-processors are bound by appropriate confidentiality obligations
• Implementing appropriate technical and organisational security measures (see section 12)
• Assisting photographers to fulfil their obligations to respond to individuals’ rights requests
• Deleting or returning all couple data when the photographer closes their account
• Providing photographers with information necessary to demonstrate compliance, and cooperating with any audit

Photographers who use Three Chapters to process their clients’ personal data should ensure they have a compliant privacy notice of their own that covers this processing, as required under Article 13/14 of UK/EU GDPR. They should direct their couples to that notice for information about how their wedding data is handled.

7. Proposal engagement tracking

When a photographer sends a proposal through Three Chapters, the client portal records limited engagement data to help photographers follow up at the right time. This is a core feature of the product — it helps photographers know whether a couple has seen their pricing, which parts they found interesting, and when it might be a good moment to reach out.

We track the following events when a couple views a proposal:

• Whether the proposal page has been viewed, and when
• Approximate time spent on each section of the proposal
• Which add-on options the couple interacted with

This engagement data is shared only with the photographer who sent the proposal. It is not shared with any other photographers, used for advertising, or sold to any third party.

Couples are informed about this tracking via a visible notice in the client portal footer. No cookies, pixel trackers, or third-party tracking scripts are used for this purpose — the tracking is performed by our own systems.

The lawful basis for this tracking is the photographer’s legitimate interest in knowing whether their proposal has been received and reviewed. Couples cannot opt out of this tracking, as it is inherent to the proposal delivery service and does not involve surveillance beyond what is expected when receiving a formal business proposal.

Engagement event data is retained for 12 months.

8. Booking forms

Some photographers use Three Chapters to create public booking pages where couples can browse session types, pick a date and time, pay a deposit or the full fee, and sign a contract — all in one flow.

When you complete a booking through one of these pages, you are entering into a contract with the photographer, not with Three Chapters. We collect and process your data on the photographer’s behalf to make that booking happen.

During the booking flow, we collect:

• Your name(s), email address, and optionally your phone number
• The session type, date, time, and any add-ons you selected
• Payment details — processed entirely by Stripe on the photographer’s behalf; Three Chapters never receives or stores your card number
• Your responses to any booking questionnaire the photographer has configured
• Your signature on the photographer’s contract (if one is required as part of the booking)

After completing a booking, you will receive an email confirmation and access to the client portal where you can view your booking, invoice, and any signed documents. The lawful basis for this processing is performance of the contract between you and the photographer.

Booking pages display the photographer’s branding. If you have questions about how a specific photographer handles your data, please contact them directly.

9. Sub-processors

We use a small number of trusted third-party services (“sub-processors”) to deliver Three Chapters. Each one processes only the data necessary for their specific function. We have signed a Data Processing Agreement (DPA) with each provider.

We will notify photographers of any changes to this list that could affect the processing of their clients’ data, giving at least 14 days’ notice before a new sub-processor is added.

10. International data transfers

Our primary database and authentication infrastructure is hosted by Supabase in the EU (Frankfurt, Germany), which means most data stays within the European Economic Area.

Some of our sub-processors — specifically Resend, Stripe, and Anthropic — are based in the United States. When data is transferred to these providers, it is protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission and adopted by the UK ICO as an appropriate international transfer mechanism under the UK GDPR
• Data Processing Agreements with each provider that impose GDPR-equivalent obligations on their handling of our users’ data

We use each of these providers because they are industry leaders in their field with mature data protection practices, and the use of a US-based provider in each case is necessary to deliver the relevant service (email delivery, payment processing, messaging, and AI drafting). We have assessed that appropriate safeguards are in place in each case.

We do not transfer data to countries that do not provide an adequate level of protection without first putting appropriate safeguards in place.

11. Data retention

We keep personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Here is a summary of our retention periods:

When we delete data, we do so in a way that makes it unrecoverable. Backups are purged on a rolling 30-day cycle.

If you request deletion of your account or personal data, we will action that request within 30 days, subject to any legal hold obligations (for example, we must retain invoice records for seven years regardless of account status).

12. Security

We take the security of your data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, or destruction.

These measures include:

• All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
• All data at rest is encrypted by Supabase (AES-256) in the EU (Frankfurt) region
• Row Level Security (RLS) enforced at the database level — every query is automatically scoped to your account, making it impossible for one photographer to access another’s data
• Authentication handled by Supabase Auth with JWT tokens; passwords are hashed and never stored in plain text
• Access to production systems is restricted to authorised personnel on a need-to-know basis
• Payment data is handled exclusively by Stripe, which is certified to PCI DSS Level 1 — the highest level of payment security

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and we will inform affected individuals without undue delay where required to do so by law.

If you discover a potential security vulnerability, please report it to privacy@threechapters.app. We will respond within 48 hours.

13. Your rights

Under UK GDPR, EU GDPR, and applicable data protection laws, you have the following rights in relation to your personal data. These rights apply to photographers as account holders. If you are a couple, please see section 6 — your rights under GDPR should be exercised with your photographer, not directly with us.

To exercise any of these rights, email us at privacy@threechapters.app with your name and account email address. We will respond within one calendar month (UK and EU GDPR timescale). In complex cases, we may extend this by a further two months, in which case we will tell you within the first month.

We will not charge a fee for processing requests unless they are manifestly unfounded or excessive. Where we have reasonable doubts about your identity, we may ask for additional verification before actioning a request.

Right to complain: If you are unhappy with how we have handled your data or your rights request, you have the right to lodge a complaint with a supervisory authority:

• UK residents: Information Commissioner’s Office (ICO), ico.org.uk, 0303 123 1113
• EU residents: Your local supervisory authority — find yours at edpb.europa.eu
• Australian residents: Office of the Australian Information Commissioner (OAIC), 1300 363 992

14. California residents (CCPA / CPRA)

Categories of personal information we collect

In the last 12 months, we have collected the following categories of personal information (as defined by the CCPA):

• Identifiers — name, email address, IP address, account identifier
• Commercial information — subscription records, invoices, transaction history
• Internet or other electronic network activity — session logs, page views, in-app activity
• Professional or employment-related information — business name, address, and other business details you provide
• Inferences drawn from above — aggregated, anonymised product usage analysis (no individual profiling)

Sources of personal information

We collect personal information directly from you when you:

• Create and use a Three Chapters account
• Contact our support team
• Submit a booking form (as a couple)
• Interact with the client portal (as a couple)

We also receive limited technical data automatically through your use of our website and applications.

Business and commercial purposes for collection

We collect and use this information to provide and improve the Three Chapters service, process payments, send communications, ensure security, and comply with legal obligations — as described in full in section 4 of this policy.

Disclosure of personal information

We share personal information with our sub-processors (listed in section 9) solely for the purpose of delivering the service. In the last 12 months, we have not:

• Sold personal information to any third party
• Shared personal information for cross-context behavioural advertising purposes
• Used sensitive personal information for any purpose beyond delivering the service

We do not sell or share personal information as those terms are defined under the CCPA/CPRA. You do not need to opt out — it does not happen.

Your California rights

As a California resident, you have the following rights under CCPA/CPRA, which you can exercise free of charge, up to twice per 12-month period:

• Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom it has been shared
• Right to delete — request that we delete personal information we have collected, subject to certain exceptions (e.g. where retention is required by law or necessary to complete a transaction)
• Right to correct — request correction of inaccurate personal information
• Right to opt out of sale or sharing — as noted above, we do not sell or share personal information for advertising, so this right is not relevant in practice
• Right to limit use of sensitive personal information — we do not use sensitive personal information beyond the purpose for which it was collected
• Right to non-discrimination — we will not discriminate against you for exercising any of these rights

To exercise your California privacy rights, email us at privacy@threechapters.app with the subject line “California Privacy Request”. We will respond within 45 days as required by CCPA. We may extend this by a further 45 days if we let you know within the initial period.

You may designate an authorised agent to submit a request on your behalf. We will require written authorisation and may verify your identity before processing the request.

Shine the Light (California Civil Code § 1798.83)

California customers may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes.

15. Other US state residents

Residents of the following states have privacy rights under their respective state laws:

• Virginia — Consumer Data Protection Act (VCDPA), effective 1 January 2023
• Colorado — Colorado Privacy Act (CPA), effective 1 July 2023
• Connecticut — Connecticut Data Privacy Act (CTDPA), effective 1 July 2023
• Utah — Utah Consumer Privacy Act (UCPA), effective 31 December 2023
• Oregon — Oregon Consumer Privacy Act, effective 1 July 2024
• Texas — Texas Data Privacy and Security Act (TDPSA), effective 1 July 2024
• Montana — Montana Consumer Data Privacy Act, effective 1 October 2024
• Iowa — Iowa Consumer Data Protection Act, effective 1 January 2025
• Delaware — Delaware Personal Data Privacy Act, effective 1 January 2025
• Tennessee — Tennessee Information Protection Act (TIPA), effective 1 July 2025
• Indiana — Indiana Consumer Data Protection Act, effective 1 January 2026

Under these laws, you have rights that are broadly equivalent to those described in section 13 of this policy:

• Right to access the personal data we hold about you
• Right to correct inaccurate personal data
• Right to delete personal data you have provided to us
• Right to data portability (a copy of your data in a portable format)
• Right to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects

As noted throughout this policy, Three Chapters does not sell personal data, does not use personal data for targeted advertising, and does not engage in profiling that produces legal or significant effects.

To exercise any of these rights, email us at privacy@threechapters.app. We will respond within 45 days, with a possible extension of a further 45 days for complex requests. We will not discriminate against you for exercising your privacy rights.

If we decline your request, we will explain the reason. You may appeal our decision by emailing us at the address above with the subject line “Privacy Rights Appeal”. If you are unsatisfied with our response to an appeal, you may contact your state’s Attorney General:

• Virginia: oag.state.va.us
• Colorado: coag.gov
• Connecticut: portal.ct.gov/AG
• Utah: attorneygeneral.utah.gov
• Oregon: doj.state.or.us
• Texas: texasattorneygeneral.gov

For other states listed above, contact your state Attorney General’s office.

16. Australian residents (Privacy Act 1988)

Data controller and Australian contact

Three Chapters Ltd is the entity responsible for handling your personal information. If you have questions or complaints about how we handle your personal information, you can contact us at privacy@threechapters.app.

What we collect and why

We collect personal information that is reasonably necessary to provide the Three Chapters wedding CRM service, as described in sections 3 and 4 of this policy. We do not collect personal information that we do not need.

Overseas disclosure

Your data is stored on servers in the European Union (Frankfurt, Germany) operated by Supabase. Some of our sub-processors are located in the United States (see section 9 for the full list). This means your personal information will be transferred to, and stored in, countries outside Australia.

Before disclosing personal information overseas, we take reasonable steps to ensure that each overseas recipient handles your information in a way that is consistent with the Australian Privacy Principles. These steps include entering into contractual arrangements (Standard Contractual Clauses and Data Processing Agreements) that require recipients to protect your information to a standard comparable to the APPs.

The countries in which our sub-processors are located are:

• Germany (EU) — Supabase — database, authentication, file storage
• United States — Resend (email), Stripe (payments), Anthropic (AI text generation)
• Global (EEA/UK primary) — Cloudflare — website hosting and content delivery

Your rights under the Privacy Act

Under the Privacy Act 1988, you have the right to:

• Access — Request access to the personal information we hold about you (APP 12). We will respond within 30 days.
• Correction — Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
• Complaint — Make a complaint about how we have handled your personal information (APP 1). We will acknowledge your complaint within 7 days and provide a substantive response within 30 days.

To exercise any of these rights, email us at privacy@threechapters.app. There is no charge for making a request or complaint.

Notifiable Data Breaches scheme

Three Chapters complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we become aware of an eligible data breach that is likely to result in serious harm to any individual whose information is involved, we will:

• Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
• Notify affected individuals as soon as practicable, including a description of the breach, the types of information involved, and steps they can take to protect themselves

Complaints to the OAIC

If you are not satisfied with our response to a privacy complaint, you can lodge a complaint with the Office of the Australian Information Commissioner:

• Online: oaic.gov.au/privacy/privacy-complaints
• Phone: 1300 363 992
• Post: GPO Box 5218, Sydney NSW 2001

17. Cookies and tracking

What we use

Three Chapters uses strictly necessary cookies and local storage only. These are limited to:

• Authentication session cookies — set by Supabase Auth to keep you logged in to the CRM. These are essential for the service to function and do not require your consent under the ePrivacy Directive and UK PECR.
• Cookie consent preference — stored in localStorage to remember your choice on the marketing site cookie banner. This is also strictly necessary (it stores your decision, not tracking data).

What we do not use

We do not use:

• Analytics cookies (e.g. Google Analytics, Mixpanel)
• Advertising or retargeting cookies
• Social media tracking pixels
• Third-party tracking scripts of any kind

Proposal tracking (not cookies)

The proposal engagement tracking described in section 7 is not implemented using cookies. It uses server-side event recording when authenticated portal sessions are active. No persistent tracking identifier is set on the couple’s device.

Future analytics

If we introduce analytics tools in the future that require cookies or similar technologies beyond strictly necessary, we will obtain your consent before setting them, update this policy, and provide a clear opt-out mechanism.

18. Email communications

We send two types of email from Three Chapters:

Transactional emails

These are emails that are necessary to deliver the service — for example, account confirmation, password reset, invoice receipt, booking confirmation, and workflow reminder emails. We send these without requiring separate consent, as they are a necessary part of the service. These emails comply with CAN-SPAM requirements, including our physical address, a clear sender identification, and accurate subject lines.

Marketing emails

These include product updates, tips, new feature announcements, and other communications not strictly required to deliver the service. We only send marketing emails to photographers who have explicitly opted in.

Every marketing email includes:

• A clear identification that it comes from Three Chapters
• Our physical address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
• A working one-click unsubscribe link — clicking it will remove you from marketing lists within 10 business days
• An honest and accurate subject line

You can also opt out of marketing emails at any time by emailing privacy@threechapters.app or updating your notification preferences in account settings.

Emails sent on behalf of photographers

When photographers use Three Chapters to send emails to their couples — such as booking confirmations, invoice reminders, or automated workflow messages — those emails are sent as the photographer, not as Three Chapters. The photographer is responsible for ensuring those communications are lawful and comply with applicable email law, including CAN-SPAM and the UK PECR. We provide the platform; the photographer is the sender.

19. Automated decision-making

Three Chapters does not make any decisions about you that are based solely on automated processing and that produce legal effects or similarly significant effects.

Some features of the platform use algorithms to generate suggestions — for example, the AI email drafting feature, or the performance analytics that give photographers insight into their booking patterns. None of these produce decisions that affect your legal rights, access to services, or financial standing. They are tools to assist the photographer, not to make decisions about you.

This section satisfies our disclosure obligations under Article 22 of UK GDPR and EU GDPR.

20. Children

Three Chapters is a business tool designed for wedding professionals aged 18 and over. Our service is not directed at children under the age of 16 and we do not knowingly collect personal data from children.

If you believe a child has provided personal data to us without appropriate consent, please contact us at privacy@threechapters.app and we will delete it promptly.

21. Changes to this policy

We may update this privacy policy from time to time. If we make material changes — particularly changes that affect your rights or how we use your data — we will:

• Email all registered photographers at least 30 days before the changes take effect
• Display a notice in the CRM application when you next log in
• Update the “last updated” date at the top of this page

For minor changes — such as clarifications that do not affect how we use data — we will update the page and the date without sending a notification email.

Continued use of Three Chapters after material changes take effect constitutes acceptance of the revised policy.

22. Your rights by region

Our Data Protection Officer and Privacy Contact is Mark Edwards and can be reached at privacy@threechapters.app. This contact serves as our Encarregado (Brazil), Information Officer (South Africa), DPO (Singapore), and Accountable Person (Canada).

Brazil (LGPD)

Under the Lei Geral de Proteção de Dados, Brazilian users have rights including access, correction, anonymisation, portability, deletion, and the right to review decisions made solely by automated processing.

We process your data under one of ten legal bases defined by the LGPD, including contractual necessity and legitimate interest. You may request information about the specific legal basis for any processing activity.

To exercise your rights, contact our Encarregado at privacy@threechapters.app.

Canada (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act, Canadian users have the right to access their personal information, challenge its accuracy, and withdraw consent. We collect and use your data based on meaningful, informed consent.

If you are in Quebec, additional protections under Law 25 apply, including the right to data portability and stricter consent requirements.

We will notify you and the Office of the Privacy Commissioner of Canada of any breach that creates a real risk of significant harm. To make a privacy request, contact us at privacy@threechapters.app.

New Zealand (Privacy Act 2020)

Under the New Zealand Privacy Act 2020, you have rights similar to those under the Australian Privacy Act. We comply with the 13 Information Privacy Principles, including collecting data directly from you where possible and using it only for the purpose collected.

We will notify the NZ Privacy Commissioner and affected individuals of any notifiable privacy breach. Your data is stored in the EU with GDPR-level protections, which satisfies New Zealand’s cross-border disclosure requirements.

You may complain to the NZ Privacy Commissioner at privacy.org.nz.

South Africa (POPIA)

Under the Protection of Personal Information Act, South African users have the right to access, correct, and delete their personal information. We process your data based on legitimate interest, contractual necessity, or your consent.

Our Information Officer can be reached at privacy@threechapters.app. You may lodge a complaint with the Information Regulator at inforegulator.org.za.

We will not use your personal information for direct marketing without your explicit opt-in consent.

Singapore (PDPA)

Under the Personal Data Protection Act, Singaporean users have the right to access and correct their personal data, and to withdraw consent for its use. We designate a Data Protection Officer contactable at privacy@threechapters.app.

Where you voluntarily provide data for a clear purpose, consent may be deemed given under the PDPA. We comply with Singapore’s Do Not Call provisions and will not send marketing messages to registered numbers.

We will notify the Personal Data Protection Commission of any notifiable data breach within 3 calendar days of assessment.

Switzerland (nFADP)

Under the revised Swiss Federal Act on Data Protection, Swiss users have rights broadly similar to those under the GDPR. Your data is stored in the EU, which Switzerland recognises as providing adequate data protection.

The supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC). Note that the nFADP includes criminal penalties for certain data protection violations — we take our obligations under Swiss law seriously and maintain appropriate safeguards.

sections.rightsByRegion.switzerland.p3

India (DPDP Act 2023)

The Digital Personal Data Protection Act 2023 grants Indian users rights including access, correction, erasure, and grievance redressal. We process your data based on your consent or for legitimate uses defined under the Act.

The enforcement rules are still being finalised — we are preparing for compliance ahead of the rules taking effect. Our grievance officer can be contacted at privacy@threechapters.app.

sections.rightsByRegion.india.p3

UAE (PDPL)

Under the UAE Federal Decree-Law No. 45 of 2021, users in the UAE have rights including access, correction, and erasure of personal data. We process your data based on contractual necessity and legitimate interest.

Your data is transferred to the EU under appropriate safeguards. The UAE Data Office is developing implementing regulations — we will update this section as the framework matures.

sections.rightsByRegion.uae.p3

Mexico (LFPDPPP)

Under the Federal Law on Protection of Personal Data Held by Private Parties, Mexican users have ARCO rights: Access, Rectification, Cancellation (erasure), and Opposition. We will respond to ARCO requests within 20 business days.

If your data is used for marketing, you may opt out at any time by contacting us at privacy@threechapters.app.

Our privacy notice covers the purposes of data processing, international transfers, and your rights under Mexican law.

Japan (APPI)

Under the Act on the Protection of Personal Information, Japanese users have rights to access, correct, and request deletion of their personal data.

The United Kingdom and Japan have a mutual adequacy arrangement, meaning your data can flow between the UK, EU, and Japan under recognised protections. We specify the purpose of use of your personal data clearly and do not use it beyond what is reasonably related to the original purpose.

You may contact the Personal Information Protection Commission with any concerns.

23. Contact us

If you have any questions, concerns, or requests related to this privacy policy or how we handle your data, please get in touch:

We aim to respond to all privacy enquiries within 5 business days and to formally resolve all rights requests within the legally required timescales set out in sections 13, 14, and 15 above.

If you are a couple whose personal data is managed by a photographer who uses Three Chapters, please contact your photographer in the first instance, as they are the data controller for your information. If they are unable to help or you are not satisfied with their response, you are welcome to contact us directly and we will do our best to assist.