If you’re a resident of California or Virginia, check out the State Law Privacy Rights section below for some additional information about your personal information and rights under state law.
There are three types of data we collect about you: data that you provide us, data we get through third parties, and data we collect automatically.
Here are some tables that summarize the different types of data we collect
Once we collect your data, we use it in a few different ways. This table summarizes the different ways we may use your data.
We retain data for as long as we need for the uses mentioned above. You can delete your account by following the instructions here.
When we don’t need your personal data anymore, we’ll either delete it or anonymize it, unless deletion or anonymization isn’t possible or practical (for example, because your data is in backup archives), in which case we’ll make sure your data is securely stored and isolated from further processing.
Remember that it is impossible to ensure that anything on the internet is ever completely removed. Even after your account is deleted, your content may still be visible, for example, if you’ve shared it on other platforms or if other people copied or shared your content before you deleted your account.
You have control over your data in several ways. This table summarizes your choices concerning your data. If you’re located in California or Virginia, you can find additional information in the State Law Privacy Rights section below.
We use technical, organizational, and physical safeguards to protect your data, like firewalls and other security technology. For example, when you enter confidential information (such as login credentials or information submitted from within our Services) we encrypt the transmission of that information using secure socket layer technology (SSL). But unfortunately there is always risk when doing anything on the internet, so we can’t guarantee 100% security of your data. If we find out that we’ve had a data breach and your personal data has been compromised, we’ll notify you as required by law and take appropriate steps to investigate and remedy the vulnerability.
We’re headquartered in the United States and may use service providers in other countries. Your data may be processed or stored in the United States or other countries outside of where you live, which may have data protection laws that are different from those in your country. When we transfer data across borders, we take measures to comply with the relevant data protection laws governing the transfer.
Our Services are intended for a general audience. As such, they are not directed or targeted toward children under 13 years of age and are not intended for use by children under 13. If we learn that we collected data through our Services from a child under 13 without the consent of the child’s parent or guardian as required by law, we will delete it.
This section applies to the use of our Services by residents of California and Virginia, and other states where they have privacy laws with similar rights as in the California Consumer Privacy Act (“CCPA”) andVirginia Consumer Data Protection Act (“VCDPA”) as may be amended, superseded or replaced.
When we use the term, “personal information” here, we mean the term as it’s used to describe what’s in scope as either “personal information” or “personal data” under the privacy laws of your state.
You have certain rights regarding your personal information, subject to certain specific exceptions in state law. We are providing a summary of your rights relating to personal information and how to exercise them. You are entitled to exercise these rights free from discrimination.
Verification. We’ll need enough detail to understand and respond to your request. We may need to verify your identity to process your requests and may also need to confirm your state residency. To verify your identity, we may require a combination of government identification, a copy of the receipt for your VSCO membership, or other information. We may also require you to login from a verified valid device or verify that the device you’re logging in from is valid.
Authorized Agents. You can have an authorized agent make a request on your behalf, but we’ll need to verify your agent’s identity. We would also need a copy of a valid power of attorney, or a written and signed permission to exercise your privacy rights on your behalf. We may still need to verify your identity and may ask you to directly confirm that you provided your authorized agent permission to submit the request on your behalf.
Sensitive Information. We only use “sensitive personal information” as defined by CCPA or "sensitive data" as defined by VCDPA, if you opt-in to this use and we don’t use that information for any purposes that California or Virginia residents can limit.
Retention. The duration of how long we retain personal information is generally based on how long we need it for the purposes for which it was collected, which includes complying with our legal obligations
Correction. You have the right to request that we correct inaccurate personal information that we have collected about you. You can do so by submitting a support request here, or by submitting a request here.
Deletion. You have the right to request deletion of the personal information that we have collected from you, which you can do by following the instructions available here, or by submitting a request here. But if we delete your personal information, we might not be able to provide our Services to you.
You can also broadcast the GlobalPrivacy Control (GPC) to opt-out for each participating browser system that you use. Learn more at the Global Privacy Control website.
If we know that you’re 13-15 years of age, we won’t share your Personal Information unless we get your consent to do so.
Right to Know. If you’re a California resident,you have the right to know, in the past 12 months: the categories of PersonalInformation that we collected about you, the categories of sources from whichwe collected the Personal Information, the business or commercial purpose forcollecting and/or “selling” Personal Information, the categories of thirdparties with whom we share Personal Information, the categories of PersonalInformation that we sold, shared, or disclosed for a business purpose, and thecategories of third parties to whom the Personal Information was sold, sharedor disclosed for a business purpose. You can find this information here and in the table below.
The information provided in this notice applies only to individuals in the European Economic Area, United Kingdom and Switzerland (collectively, “Europe”) and explains our practices regarding personal data that we collect from you or which we have obtained about you from a third party, and the legal bases for processing your personal data. It also describes your rights in respect to our processing of your personal data.
Personal data. “Personal data” as used in this notice has the same meaning given in European data protection legislation.
Data protection representative. Our data protection representative in the EU and UK is VeraSafe. You may contact them at:
Legal bases for processing. We use your personal data only as permitted by law. Our legal bases for processing personal data are described in the table below.
Retention. We retain personal data for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
When we no longer require the personal data we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible. If we anonymize your personal data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.
Sensitive personal data. We ask that you not provide us with any sensitive personal data (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through our Services, or otherwise to us.
Your rights. You have the following rights in relation to the personal data we hold about you:
You may submit these requests through our Help Center. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions.
Cross-border data transfer. If we transfer your personal data out of Europe to a country not deemed to provide an adequate level of personal data protection for purposes of applicable data protection laws such that additional safeguards are required, the transfer will be performed:
You may contact us through our Help Center if you want further information on the specific mechanism used by us when transferring your personal data out of Europe.