Privacy policy

Perpetua Forma cares about your privacy. This policy describes what personal data we collect when you use perpetuaforma.com, why we collect it, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. Who we are

The data controller is Perpetua Forma, a company registered in the Netherlands.

• Registered address: Binckhorstlaan 36, Unit M3 12, 2516 BE The Hague, The Netherlands
• Chamber of Commerce (KvK) number: 83241590
• VAT (BTW) number: NL003791144B12
• Email for privacy requests: info@perpetuaforma.com

We have not appointed a Data Protection Officer (DPO). Under GDPR Article 37, a DPO is mandatory only for public bodies, organisations whose core activities involve large-scale systematic monitoring, or large-scale processing of special categories of data. Perpetua Forma does none of these. Privacy questions go to the email above.

2. What we collect

We only collect data when you actively do something on the site. There’s no hidden background tracking; nothing is collected until you choose to interact.

2.1 Account data

When you create an account (optional — browsing is anonymous) we store your display name, email, and a password hash. You can change or delete these any time from your account settings.

2.2 Contributor data

If you submit a project for editorial, apply to an Open Call, or claim a studio or photographer profile, we store the information you enter on those forms, together with any images or PDFs you upload. This is processed so we can review and potentially publish the work.

2.3 Newsletter

If you opt in to the newsletter we store your email address and the date you subscribed. We never pre-tick the consent box; you can unsubscribe any time from your account or by replying to a letter.

2.4 Shop data

When you place an order, reserve a pre-order, or send a product enquiry we collect the details needed to fulfil it: name, billing address, shipping address, email, phone (optional). Payment data is handled by the payment processor — we don’t see full card numbers.

2.5 Technical data

Our hosting provider records standard server logs (IP address, user agent, request timestamps) for security and debugging. We use no analytics, tracking pixels, or third-party advertising cookies by default. If we ever add privacy-first analytics we’ll update this policy and gate the pings behind the cookie banner.

3. How we use it

• To provide and operate the site (contractual necessity).
• To fulfil orders, arrange shipping, and handle returns (contractual necessity).
• To review and publish submissions and Open Call entries (your consent, given by submitting).
• To send the newsletter, if you explicitly opt in (your consent).
• To keep the site secure and improve its function (our legitimate interest).
• To comply with legal obligations (e.g. tax records).

Where we process data on the basis of your consent — newsletter sign-ups, cookies beyond the strictly necessary, contributor submissions — you can withdraw that consent at any time. The newsletter has a one-click unsubscribe link in every email (you can also unsubscribe from your account); cookie preferences can be reopened from the footer; submission consent is withdrawn by emailing us. Withdrawal stops future processing but doesn’t affect anything we did lawfully before.

4. Who we share it with

We share only the minimum data each partner needs to do its job, under contracts that comply with GDPR. Today those partners are:

• Supabase — database + authentication hosting. Your account and contributor data is stored in a Supabase project in the EU.
• Vercel — web hosting. Standard server logs pass through Vercel infrastructure.
• Sendcloud — shipping labels and carrier handoff. Shared when you place an order: name, shipping address, contact details.
• Resend (when enabled) — transactional emails (order confirmations, newsletter delivery). Shared: your email and the email body.
• Mollie — payment processor. Mollie B.V. is based in Amsterdam, NL and handles card and iDEAL data directly at checkout; we receive only the minimum we need to reconcile orders (transaction id, status, last four digits) and never see full card numbers.

Some of these processors host data outside the EU (e.g. in the United States). Transfers are covered by the European Commission’s Standard Contractual Clauses.

5. How long we keep it

• Account data — until you delete your account (which you can do any time from your account).
• Newsletter — until you unsubscribe; we keep a suppression record so unsubscribed addresses stay unsubscribed.
• Order + invoice data — seven years, as required by Dutch tax law. After that, anonymised or deleted.
• Published articles — indefinitely; they form an editorial archive. If you delete your contributor account, your articles stay but your author line becomes anonymous and any studio or photographer profile you’d claimed reverts to unclaimed.
• Server logs — up to 30 days for security diagnostics.

6. Your rights

Under GDPR you can ask us to:

• Give you a copy of the data we hold on you (Article 15).
• Correct anything that’s wrong (Article 16).
• Delete your account and associated data (Article 17).
• Restrict processing (Article 18).
• Port your data to another service in a machine-readable format (Article 20).
• Object to processing based on legitimate interest (Article 21).
• Withdraw consent for the newsletter at any time, without affecting the lawfulness of processing done before the withdrawal.

The quickest way to exercise rights 1 and 3 is from your account — the Request my data and Delete my account controls handle both in one click. For anything else, email info@perpetuaforma.com. We aim to respond within 14 days; under GDPR Article 12(3) we have a maximum of one month, extendable by two further months for unusually complex requests (you’ll be told if that applies). You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).

7. Cookies and tracking

We use three categories of measurement on the site, gated differently depending on what each tool actually does.

• Strictly necessary cookies — authentication and session state. Required for the site to work; no consent option here, since GDPR/ePrivacy exempts them.
• Cloudflare Web Analytics — aggregate pageview, country, and referrer counts. Genuinely cookieless, never sets identifiers, never tracks you across sites. Confirmed by the European Data Protection Board as not requiring consent. Always on.
• Google Analytics 4 — richer behavioural analytics (read time, scroll depth, conversions). Loads with Google Consent Mode v2, which means: until you accept the “analytics” category in the cookie banner, GA4 sends only cookieless aggregate pings carrying no identifiers; if you accept, it switches to full tracking with cookies.
• Meta Pixel (Facebook) — supports our Instagram and Facebook advertising. Strict consent: the script only loads when you accept the “marketing” category. If you decline, nothing about your visit reaches Meta from our site.

You can change these choices any time from the “Cookie preferences” link in the footer. Withdrawal stops new tracking; data already collected before withdrawal stays subject to whichever provider received it (Google, Meta) and is governed by their retention schedules.

8. Children

The site isn’t aimed at children under 16. We don’t knowingly collect data from them. If you believe we have, email us and we’ll remove it.

9. Changes to this policy

We may update this policy as our processing changes. The Last updated date at the top always reflects the latest version. Material changes are announced in the newsletter (if you’re subscribed) or surfaced on your next visit.

10. Contact

Privacy questions or requests: info@perpetuaforma.com. General contact details are on our contact page.