1) Scope
This policy explains how we collect, use, share, and protect personal data on our website, inquiry forms, emails, messages, and client portals/galleries. It applies to visitors and clients worldwide.
2) What we collect
You give us: names, emails, phone numbers, event dates/locations, planner details, messages, files (moodboards/invites), billing addresses, signed contracts, NDAs, and feedback/testimonials.
We collect automatically: device, browser, IP, pages viewed, time on site, referring URL, approximate location, cookie IDs, and similar tech.
From third parties: planners, venues, and processors (e.g., payment confirmation, deliverability data). We do not buy lists.
3) Why we use data (lawful bases)
To respond to inquiries & provide services (contract / pre-contract).
To take payment & send invoices/receipts (contract/legal obligation).
To run and secure the site (legitimate interests).
To analyze performance and measure ads (consent where required).
To comply with law (tax, fraud prevention, sanctions).
Where consent is the basis, you can withdraw it anytime in the cookie banner or by emailing us.
4) Cookies & similar tech
We use essential cookies (load the site, security) and non-essential cookies (analytics, ads, personalization). You can:
Accept/decline in the banner;
Change settings anytime via the “Cookie Settings” link in the footer [TBD];
Use your browser to block cookies (some features may break).
See our Cookie Table [TBD link] for current vendors and lifetimes.
5) Analytics & ads
We may use Google Analytics (IP masking), Google Ads/Consent Mode, Meta (Facebook/Instagram) Pixel, and comparable tools to understand site usage and measure campaigns. Data is aggregated where possible. Cross-site tracking runs only with consent where required. You can opt out in our banner and via platform settings.
6) Payments
Payments are processed by Stripe (and wallets like Apple Pay and Google Pay). We do not store or see full card numbers. Processors handle encryption, PCI DSS compliance, fraud checks, and receipts.
7) Sharing with service providers (processors)
We share the minimum necessary with vetted providers under a Data Processing Agreement (DPA) and confidentiality: hosting/CDN [TBD], email (e.g., Google Workspace), form & CRM [TBD], file delivery/galleries [TBD], analytics/ads (Google/Meta), project tools [TBD], and payment (Stripe). We do not sell personal information for money. Some advertising use may be considered “sharing” under California law—see §10.
8) Retention
Inquiries (not converted): 24 months after last reply.
Client files & contracts/invoices: 7 years (tax/accounting).
Photo galleries/archives: at least 12 months after delivery (see your contract for specifics).
Security logs: 12 months.
We may keep limited data longer if required by law or to defend legal claims.
9) International transfers
We operate globally. When moving data across borders (e.g., EEA/UK → US), we use safeguards like Standard Contractual Clauses, the UK IDTA/Addendum, or another lawful mechanism. We also apply least-data-necessary principles and access controls.
10) Your rights
GDPR/UK: access, rectify, erase, restrict, portability, object, and withdraw consent.
California (CPRA): know, access, correct, delete, limit use of sensitive data, and opt out of “sale”/“sharing” for cross-context behavioral ads.
To exercise rights or appeal a decision, email privacy@ximenazermeno.com. For CPRA opt-out, use the “Do Not Sell or Share” link in the footer [TBD].
11) Security
We use HTTPS, strong authentication, role-based access, and hardened configurations with reputable providers. No method is 100% secure, but we work to prevent unauthorized access, disclosure, alteration, and destruction.
12) Children
Our services target adults. We don’t knowingly collect data from children under 13 (US) or under the local age of digital consent. If you believe a minor provided data, contact us to delete it.
13) Photos, likeness & guests
Event photography captures people who attend. We work with you/your planner on signage or guest notices when appropriate. Portfolio use is opt-in by default unless your contract says otherwise. NDAs are available on request.
14) Third-party links & social features
Links to other sites or social widgets (Instagram, etc.) have their own privacy policies. We’re not responsible for their practices.
15) Changes to this policy
We’ll post updates here and revise the “Effective date.” If changes are material, we’ll notify you by email (if we have it) or via a banner.
16) Contact
Email: privacy@ximenazermeno.com [TBD] • Phone: +1 (310) 361 6208
Mail: ROCKSTAR LIFE HOLDINGS LLC, 1230 Rosecrans Ave, Suite 300 9023, Manhattan Beach, CA 90266, USA
We collect only what’s needed to answer inquiries, book services, and run our website. Cookies/analytics (Google/Meta) help improve experience. You control consent. Your rights (GDPR/CCPA) are honored. Secure processors (e.g., Stripe). Questions? Email privacy@ximenazermeno.com.
Controller: ROCKSTAR LIFE HOLDINGS LLC (USA)
Uses Stripe/Apple Pay/Google Pay (we don’t store card numbers)
Cookies + analytics/ads with consent controls
Retention: inquiries 24 months; contracts 7 years (tax)
GDPR/CCPA rights: access, delete, correct, opt-out
No. We don’t sell personal information for money. Some ad and analytics tools may count as “sharing” under California law. You can opt out at any time using our “Do Not Sell or Share” link [TBD] and cookie settings.
Essential cookies are required for security and loading. You can refuse non-essential cookies (analytics/ads) in the banner or browser. Some features may not work if you block all cookies.
Email privacy@ximenazermeno.com with your request. We’ll verify identity, then respond within the time allowed by law (usually 30–45 days). Tell us if you’re in the EEA/UK/California so we can apply the right rules.
No. Payments run through Stripe and wallet providers (Apple Pay/Google Pay). We receive payment confirmation, not full card numbers. Stripe is PCI DSS compliant.
We may use Google Analytics (with IP masking) and Consent Mode, plus Meta for campaign measurement. You can opt out via our banner and your Google/Meta ad settings.
For up to 24 months after our last reply, so we can continue the conversation, understand seasonality, and improve service. You can ask us to delete earlier, unless we must keep records for legal reasons.
Typical categories: hosting/CDN [TBD], email (Google Workspace), forms/CRM [TBD], galleries/delivery [TBD], analytics/ads (Google/Meta), payments (Stripe). All operate under DPAs and data protection commitments.
Portfolio use is opt-in unless agreed otherwise. Client galleries are private by default and shareable only via your links. We can sign NDAs for additional confidentiality.
Yes. When transferring data (e.g., EEA/UK ↔ US), we use legal safeguards like Standard Contractual Clauses and apply least-data-necessary practices.
You can request access, delete, correct, and opt out of “sale”/“sharing.” Use our “Do Not Sell or Share” link [TBD] or email privacy@ximenazermeno.com. We won’t discriminate for exercising rights.
HTTPS, reputable infrastructure, role-based access, regular updates, and logging. No method is perfect, but we work to mitigate risk and respond quickly if something goes wrong.
We’ll update the Effective date and, for major changes, use email or an on-site banner. Keep an eye on this page.