If you’re a resident of California, Colorado, Connecticut, Utah, or Virginia, check out the U.S. State Law Privacy Rights section below for some additional information about your personal information and rights under state law.
Table of Contents
Data we collect
There are three types of data we collect about you: data that you provide us, data we get through third parties, and data we collect automatically.
Here are some tables that summarize the different types of data we collect
We need certain information to set up your account.
You can customize your profile on our Services so other creators can get to know you better
Sometimes we might reach out to you, or you might reach out to us.
We would love to hear your thoughts on our Services.
We need certain information about you so we can process your payments
We want to honor your choices regarding our marketing efforts, and understand how our marketing campaigns are performing.
You’ll get to interact with other creators and generate your own content when you use our Services.
You might want to invite your friends to use our Services.
We might need NFT data related to artists and their content, curators, exhibitions, and collections if we offer NFT related products.
Sometimes you might connect with us on social media
Our creators might want to invite you to use our Services.
We try to make the login process simpler for you by providing you with some SSO options.
We receive certain information about your device and browser when you use our Services.
We learn about how you’re engaging with us and our Services online.
We get data about the content you contribute to our Services.
How we use your data
Once we collect your data, we use it in a few different ways. This table summarizes the different ways we may use your data.
We’ll use your data to provide our Services to you.
We might use your data to help us make our Services better.
As part of these activities, we may also create aggregated, de-identified, or other anonymous data from personal information we collect. We make personal information into anonymous data by removing information that makes the data personally identifiable to you.
Depending on your choices, you might get marketing communications about our Services.
We will also disclose information to advertising technology partners for purposes of measuring the effectiveness of our ads, such as actions that you take on our Services.
We may need to use your data in certain ways to make sure we provide our Services legally and safely.
To that end, we might use your data as needed to comply with the law, respond to lawful data requests (like subpoenas and warrants), protect our creators, protect our rights (including by establishing and defending against legal claims), comply with any legal, accounting, or reporting requirements, enforce our terms and policies, and prevent or investigate fraudulent, harmful, or illegal activity.
We may create other ways you can interact and communicate with other creators, including things like tipping and other ways you can support creators monetarily. The data related to these interactions will be visible by other creators.
We may also offer ways for you to interact with companies that may wish to work with you. Certain data relating to these interactions will be visible by companies, other creators, and the public.
You have control over your data in several ways. This table summarizes your choices concerning your data. If you’re located in California, Colorado, Connecticut, Utah or Virginia, you can find additional information in the U.S. State Law Privacy Rights section below.
If you are under 18 years of age, you can also use these same instructions to exercise your right to delete your content under California’s “Online Eraser” Law.
How we secure your data
We use technical, organizational, and physical safeguards to protect your data, like firewalls and other security technology. For example, when you enter confidential information (such as login credentials or information submitted from within our Services), we encrypt the transmission of that information using secure socket layer technology (SSL). However, there is always risk when doing anything on the internet, so we can’t guarantee 100% security of your data. If we find out that we’ve had a data breach and your personal information has been compromised, we’ll notify you as required by law and take appropriate steps to investigate and remedy the vulnerability.
International data transfer
We’re headquartered in the United States and may use service providers in other countries. Your data may be processed or stored in the United States or other countries outside of where you live, which may have data protection laws that are different from those in your country. When we transfer data across borders, we take measures to comply with the relevant data protection laws governing the transfer.
General audience service
Our Services are intended for a general audience. As such, they are not directed or targeted toward children under 13 years of age and are not intended for use by children under 13. If we learn that we collected data through our Services from a child under 13 without the consent of the child’s parent or guardian as required by law, we will delete it.
How to contact us
- Online: https://support.vsco.co
- Mail: VSCO, Attention: Legal Department, 548 Market St, Suite 92958, San Francisco, CA 94104
U.S. State Privacy Rights
This section provides additional disclosures to California, Colorado, Connecticut, Utah, and Virginia residents under their respective state privacy laws, including further information on their rights. Where we use the term “personal information,” we mean as it (or a similar term, such as “personal data”) is defined under those laws.
Verification. We’ll need enough detail to understand and respond to your request. We may need to verify your identity to process your requests and may also need to confirm your state residency. To verify your identity, we may require a combination of government identification, a copy of the receipt for your VSCO membership, or other information. We may also require you to login from a verified valid device or verify that the device you’re logging in from is valid.
Authorized Agents. You can have an authorized agent make a request on your behalf, but we’ll need to verify your agent’s identity. We would also need a copy of a valid power of attorney, or a written and signed permission to exercise your privacy rights on your behalf. We may still need to verify your identity and may ask you to directly confirm that you provided your authorized agent permission to submit the request on your behalf.
Sensitive Information. We process “sensitive personal information” (or similar term, such as “sensitive data”) only as reasonably expected for providing theservices that you’ve requested or as otherwise permitted without requiring a corresponding right to restrict or limit such use.
Profiling. We do not undertake any “profiling in furtherance of decisions that produce legal or similarly significant effects” on our creators.
Retention. The duration of how long we retain personal information is generally based on how long we need it for the purposes for which it was collected, which includes complying with our legal obligations.
Your Privacy Rights
You have certain rights regarding your personal information, subject to certain exceptions under applicable law. Here, we provide a summary of your rights relating to personal information and how to exercise them. You are entitled to exercise these rights free from discrimination.
Correction. You have the right to request that we correct inaccurate personal information that we have collected about you. You can do so by submitting a support request here, or by submitting a request here.
Deletion. You have the right to request deletion of the personal information that we have collected from you, which you can do by following the instructions available here, or by submitting a request here. But if we delete your personal information, we might not be able to provide our Services to you.
Opting out of “sales,” “sharing,” and processing for “targeted advertising” purposes.
“Sales” or “Sharing” Involving Cookies or other Tracking Technologies
Like many companies, we use advertising technology companies that help deliver targeted ads to you based on your activity across unrelated properties (e.g., your activity on VSCO and other social media networks) and to measure the effectiveness of such ads.
Alternatively, you can also broadcast the Global Privacy Control (GPC) to opt-out on each participating browser on the device that you’re using. Learn more at the Global Privacy Control website.
“Sales or Sharing” Not Involving Cookies or other Tracking Technologies
To opt-out of all other sales/shares that do not rely on adtech partner technologies on this website, you must also opt out by submitting a request here.
If we know that you're 13-15 years of age, we won't "sell" or "share" (as defined by applicable privacy law) your Personal Information unless permitted by privacy law or we get your consent to do so.
Appeals. If you are a Colorado, Connecticut, or Virginia resident, you may appeal our refusal to take action on a request exercising one of your rights mentioned above by contacting our Support Team.
Right to Know. If you’re a California resident, you have the right to know the following as it relates to the last 12 months: the categories of PersonalInformation that we’ve collected about you, the categories of sources from which we’ve collected the Personal Information, the business or commercial purpose for collecting, selling,” or “sharing” the Personal Information, the categories of recipients to whom we’ve disclosed the personal information for a business purpose, and the categories of third parties to whom the personal information was “sold” or “shared.” You can find this information in the table below.
Privacy Notice to European Creators
The information provided in this notice applies only to individuals in the European Economic Area, United Kingdom and Switzerland (collectively, “Europe”) and explains our practices regarding personal data that we collect from you or which we have obtained about you from a third party, and the legal bases for processing your personal data. It also describes your rights in respect to our processing of your personal data.
Personal data. “Personal data” as used in this notice has the same meaning given in European data protection legislation.
Data protection representative. Our data protection representative in the EU and UK is VeraSafe. You may contact them at:
- VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland
- VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom
Legal bases for processing. We use your personal data only as permitted by law. Our legal bases for processing personal data are described in the table below.
Retention. We retain personal data for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
When we no longer require the personal data we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible. If we anonymize your personal data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.
Sensitive personal data. We ask that you not provide us with any sensitive personal data (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through our Services, or otherwise to us.
Your rights. You have the following rights in relation to the personal data we hold about you:
- Right of access: You can ask us if we are processing your personal data and to provide you with a copy of it (along with certain details). If you require additional copies, we may need to charge a reasonable fee.
- Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified.
- Right to erasure: You can ask us to delete or remove your personal data in some circumstances such as where we no longer need it or if you withdraw your consent to our processing of your personal data (where applicable).
- Right to restrict processing: You can ask us to 'block' or suppress the processing of your personal data in certain circumstances, such as where you contest the accuracy of that personal data.
- Right to data portability: You have the right, in certain circumstances, to obtain personal data you have provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
- Right to object: You can ask us to stop processing your personal data, and we will do so, if we are:
- relying on our own or someone else's legitimate interests to process your personal data, unless we can demonstrate compelling legal grounds for the processing; or
- processing your personal data for direct marketing purposes.
- Right to withdraw consent: If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time.
- Right to lodge a complaint with the supervisory authority: If you have a concern about any aspect of our privacy practices, including the way we have handled your personal data, you can report it to the relevant supervisory authority. You can find your data protection regulator here.
You may submit these requests through our Help Center. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions.
Cross-border data transfer. If we transfer your personal data out of Europe to a country not deemed to provide an adequate level of personal data protection for purposes of applicable data protection laws such that additional safeguards are required, the transfer will be performed:
- pursuant to the recipient’s compliance with Standard Contractual Clauses or Binding Corporate Rules;
- pursuant to the consent of the individual to whom the personal data pertains; or
- as otherwise permitted by applicable laws.
You may contact us through our Help Center if you want further information on the specific mechanism used by us when transferring your personal data out of Europe.
Privacy Notice for China Residents
If you are a resident based in the mainland of China, we will collect, store, use, process, transfer, provide, disclose and delete (collectively referred to as the “Process”, “Processing” or “Processed”) your personal data in accordance with the PRC Personal Information Protection Law (“PIPL”) and the relevant applicable laws. The terms used in this Privacy Notice for China Residents have the definitions given to them under PIPL, including terms such as “data processor” and “data controller.”
Unlike in other jurisdictions, a legitimate interest is not a justified legal basis to process personal data in China. Consequently, we will obtain your proper consent for processing of your personal data as required by the PIPL and other relevant laws.
- Processing of sensitive personal data;
- Use of personal data in automated decision-making;
- Provision of personal data to another personal data processor
- Disclosure of the personal data we Processed to the public; or
- Cross-border collection of your personal data
For the avoidance of any doubt, “sensitive personal data” refers to the personal data that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and precise geolocation, as well as the personal data of minors under the age of 14.
The processing of sensitive personal data is only for a specific purpose and sufficient necessity, and strict protection measures must be taken to ensure its data security.
Data we collect from you
Please see the above section “Data we collect” for details on the categories of data we collect from you.
Purpose and method to Process your data
How long and where your data will be retained
We will collect your personal data from the United States and process your personal data in the United States. We will take necessary measures to ensure that the direct collection and other processing activities of your personal data comply with the relevant regimes under the PIPL.
Please see the above section "How Long We Keep Your Data” on the retention period of your personal data.
As a data subject, you have the following rights:
Right to know and make decisions. You have the right to be informed and to decide on the Processing of your personal data, as well as the right to restrict or deny another person from the Processing of your personal data, unless otherwise provided by the relevant laws and regulations of PRC.
Right to access and make copies. You have the right to access or make copies of your personal data from us, unless otherwise provided by the relevant laws and regulations of PRC.
Right of portability. We will provide a way for transfer where you request to transfer your personal data to another personal data processor you designate, provided that the conditions prescribed by the PRC national cybersecurity authority are met.
Right to correct and complete. If you discover that your personal data is incorrect or incomplete, you have the right to request us to correct or complete your personal data.
Right to delete. We will delete your personal data under the circumstances required by the PIPL. In case we fail to do so, you have the right to request the deletion in such circumstances as described by the law.
However, where the retention period prescribed by the applicable laws and regulations has not expired, or it is technically difficult to delete the personal data. However, we will cease the Processing of the personal data, except for storage and any necessary measure taken for security protection.
- Right to request explanation. You have the right to require us to explain our rules regarding the processing of personal data.
- Right to withdraw. You have the right to withdraw your consent to the processing of your personal data carried out based on your consent. We will provide an easy way to withdraw consent. Your withdrawal of consent shall not affect the validity of any activity of processing of your personal data already carried out before the withdrawal based on your consent.
- Right to opt-out of marketing communications. You can opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of a marketing email, or by contacting us. You will continue to receive other non-marketing emails related to our Services. If you receive marketing text messages from us, you can opt out by replying STOP to our marketing message.
We will establish an accessible mechanism for you to exercise your rights. If we determine that your request to exercise your rights is not practical, we will let you know the reasons for such determination.
You may contact us through our Help Center with any questions regarding the processing of your personal data.