Stylized DJ initials in black and white logo design.

Privacy Policy for davidjosue.com

Last updated: May 4, 2026

David Josué Delgado Salazar ("we," "us," or "our"), operating as David Josué Photography, runs the website davidjosue.com (the "Site"). This Privacy Policy explains what personal data we collect when you visit the Site, how we use it, who we share it with, how long we keep it, and the rights you have over it.

By using the Site, you consent to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Site.

Who is responsible for your data

The data controller for personal information collected through davidjosue.com is:

  • Name: David Josué Delgado Salazar, operating as David Josué Photography
  • Postal address (privacy correspondence): 433A Tecate Road, PMB 638, Tecate, California 91980, USA
  • Email: dj+privacy@davidjosue.com
  • Jurisdiction of operation: Mexico (Baja California). The Site serves visitors worldwide.

What information we collect

Personal Data you provide directly

When you contact us, fill in a form, subscribe to our newsletter, request our Investment Guide, purchase a product, or otherwise interact with the Site, we collect personal data that may include:

  • First and last name
  • Email address
  • Phone number (optional in most forms; required at SMS-consent and checkout)
  • Wedding date, event location, and venue (optional)
  • Budget range and inquiry notes (optional)
  • Payment information for purchases (processed by Stripe — we do not store your card details on our servers)
  • SMS opt-in consent flag, the verbatim consent text shown to you, and the page URL where consent was captured

Usage Data we collect automatically

When you browse the Site, we and our service providers may automatically collect:

  • IP address
  • Browser type and version, device identifiers, operating system
  • Pages visited, time spent, referral source, click events
  • Date and timestamp of visit
  • Diagnostic and performance data

Cookies and similar tracking technologies

The Site uses cookies, web beacons, pixels, scripts, and similar technologies to operate the Site, remember your preferences, measure performance, and (where you have consented) deliver and measure advertising. Cookies fall into several categories:

  • Essential cookies: required for the Site to function (e.g., session, security, checkout). Cannot be disabled without breaking the Site.
  • Preference cookies: remember choices you make (language, region, recently viewed pages).
  • Analytics cookies: help us understand how the Site is used, in aggregate (Google Analytics).
  • Advertising cookies: measure the effectiveness of our advertising and (where applicable) deliver targeted ads on third-party platforms (Meta, Google).
  • Affiliate tracking cookies: attribute purchases you make on partner sites after clicking an affiliate link to our referral. See our Affiliate Disclosure for details.

You can control cookies through your browser settings. Refusing non-essential cookies may limit some features of the Site.

How we use your information

We use the information we collect for the following purposes:

  • To respond to wedding photography inquiries, course inquiries, and customer messages
  • To send you our Investment Guide, newsletter, and educational content (with your consent)
  • To send you SMS messages related to your inquiry, booking, or course access — only if you affirmatively opted in (see "SMS / Text Messaging" section below)
  • To process purchases, deliver products, and provide customer support
  • To analyze and improve the Site, fix technical issues, and prevent abuse
  • To measure the effectiveness of our advertising and marketing
  • To comply with legal obligations and enforce our Terms of Service

SMS / Text Messaging Consent and Data

David Josue Photography offers SMS text messaging communication to customers and prospects who have explicitly opted in via a contact form, lead ad, ShootQ inquiry, or course checkout.

What we collect: We collect your mobile phone number, the timestamp and method of your opt-in, the verbatim consent text shown to you at the time of opt-in, and the content of messages we send and receive in connection with that opt-in.

How it is used: Mobile information is used solely to deliver the messages you opted in to receive (booking conversation, follow-up, course access, customer support). Mobile information and opt-in consent will not be shared with third parties or affiliates for marketing or promotional purposes. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. The above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Service providers: We may share your mobile number with service providers who help us deliver these messages — specifically, our SMS gateway provider, Twilio (Twilio Privacy Notice). These providers are contractually obligated to protect your information and to use it only for the purpose of delivering the messages you requested.

Opt-out: You may opt out at any time by replying STOP to any message. After you opt out you will receive a single confirmation that you have been unsubscribed and you will receive no further messages on that campaign.

Help: Reply HELP to any message for help, or contact us at dj@davidjosue.com.

Message and data rates may apply. Message frequency varies. Carriers are not liable for delayed or undelivered messages.

Service Providers we use

We use the following third-party service providers to operate the Site and deliver our services. Each provider has access to your data only for the purposes listed and is contractually required to protect it. Each provider's own privacy policy applies to data they hold.

Twilio — SMS gateway

Used to deliver text messages to opted-in recipients. Receives your phone number, message content, and opt-in metadata. Twilio Privacy Notice.

Stripe — payment processing

Used to process payments for any purchases on the Site. Receives your name, email, billing address, and payment card details. Stripe handles all card data under PCI DSS compliance — we do not store your card information on our servers. Stripe Privacy Center.

Flodesk — email marketing

Used to send our newsletter, Investment Guide, and educational email content. Receives your name, email, subscription status, and engagement metrics (opens, clicks). You can unsubscribe at any time using the link in any email we send. Flodesk Privacy Policy.

ShootQ — booked-client management

Used for proposal, contract, and retainer management once a lead converts to a booked client. Receives the booked client's name, email, phone, and event details. Not used for early-stage lead handling. ShootQ Privacy Policy.

Meta (Facebook + Instagram) — advertising and lead capture

We use the Meta Pixel and Meta Lead Ads to measure the effectiveness of our advertising on Facebook and Instagram, build custom audiences for retargeting, and capture wedding inquiry leads from ad responses. Meta receives information about your interactions with our ads and the Site (page views, conversion events, hashed email when applicable). For Meta Lead Ads specifically: when you submit a lead form on Facebook or Instagram, we receive your name, email, phone, wedding date, and wedding location for follow-up. Meta Privacy Policy. You can manage Meta ad preferences and opt out of personalized ads in your Facebook account settings. For details about a separate internal analytics integration with the Meta Graph API used by the Page admin, see the Facebook App Data — Internal Page Admin Analytics section below.

Google — analytics and advertising

We use Google Analytics 4 to measure Site usage in aggregate. Google receives IP address, browser, page views, and conversion events. We may also use Google Ads conversion tracking to measure the effectiveness of paid search and display advertising. Google Privacy Policy. You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on.

Amazon Associates — affiliate program

We participate in the Amazon Associates Program in multiple regions (United States, Mexico, and other Amazon properties). When you click an affiliate link to Amazon, Amazon may place a referral cookie on your browser to attribute any subsequent purchase to our account. See our Affiliate Disclosure for the program-specific required statements and full details. Amazon Privacy Notice.

Pic-Time — client gallery delivery

Used to deliver wedding photography galleries to booked clients. Booked clients access their gallery via a Pic-Time link sent by email or SMS. Pic-Time receives the client's email, IP, and viewing/downloading behavior. Not used for general website visitors. Pic-Time Privacy Policy.

Pixellu / SmartAlbums — wedding album design and delivery

Used to design and deliver finished wedding albums to booked clients. When we share album proofs, revisions, or final layouts for client review, the client's name and email may be shared with Pixellu / SmartAlbums to enable proofing access. Not used for general website visitors. Pixellu Privacy Policy.

Zenfolio — additional gallery hosting and proofing

Used to host and deliver certain client galleries and proofing sessions. When clients access a Zenfolio gallery shared with them, Zenfolio receives the client's email, IP, and viewing/downloading behavior. Not used for general website visitors. Zenfolio Privacy Policy.

StickyFolios — boudoir client experience platform

Used for boudoir-related client gallery delivery, mobile sharing, and proofing experiences. When boudoir clients access a StickyFolios gallery or sales gallery, StickyFolios receives the client's email, IP, browsing behavior, and any selections made. Used in the context of boudoir services; not for general wedding-photography website visitors. StickyFolios Privacy Policy.

Cloudflare — content delivery and lead-form proxy

We use Cloudflare to deliver Site content efficiently (CDN) and as a secure proxy for our lead capture form (Cloudflare Worker). Cloudflare receives your IP address and request metadata for performance and security purposes. Cloudflare Privacy Policy.

Supabase — internal analytics database

Used as the private analytics database for the Page admin's own analytics tooling (see Facebook App Data — Internal Page Admin Analytics). Supabase stores aggregated metrics, internal classifications, and engagement data accessed only by the Page admin. Supabase does not have access to website visitor data, customer payment data, or SMS opt-in records. Supabase Privacy Policy.

Instagram Integration

The Site displays content from Instagram through Instagram's public APIs. This integration:

  • Only displays public posts from our official Instagram account (@davidjosuephotographer)
  • Does not collect or store any Instagram user data from visitors
  • Does not require visitors to log in with Instagram or Facebook
  • Links to Instagram posts open in Instagram's platform, subject to Instagram's own privacy policy

For information about Instagram's privacy practices: Instagram Data Policy.

Facebook App Data — Internal Page Admin Analytics

This section describes the data accessed and stored by the Page admin's own internal analytics tool, which integrates with the Meta Graph API under a Meta App registered to the Page admin (App ID 3378050542350515, "CLAUDEADs"). This integration is operated solely by the Page admin (David Josué) for analytics on Facebook Pages he administers in Meta Business Manager. It is independent of, and does not affect, the website-visitor-facing Meta Pixel and Meta Lead Ads activities described above.

Pages in scope: Marcela Corral (Page ID 331721913555341), David Josué Boudoir (Page ID 537341433104562), and David Josue photographer (Page ID 10384446821). The Page admin holds the MANAGE role on each of these Pages, verifiable via the Meta Graph API endpoint /me/accounts.

What is collected: Comments left on Facebook ad posts published by the Pages above. The Meta Graph API endpoint used is GET /v21.0/<post_id>/comments. The fields collected are: comment ID, comment text (message), comment author Facebook user ID (from.id), comment author display name (from.name), comment timestamp (created_time), like count (like_count), reply count (comment_count), parent comment ID (parent.id) when applicable, and hidden status (is_hidden).

How it is used: Comments are aggregated for sentiment classification, intent classification (question / objection / testimonial / spam / noise), and objection-type classification (price / time / skepticism / timing / identity / platform / method-doubt / other). The aggregated daily signals — by ad and date — are combined with the Page admin's own ad spend and sales data to recommend creative iterations on the Page admin's own ads. The integration is read-only with respect to comments: the tool does not reply, edit, hide, or delete any comments on the Page's behalf.

Author identifiers: Author identifiers (from.id, from.name) are used solely to detect duplicate or related comment threads (for example, to identify when the same author has posted on multiple ads, or to link a parent comment to its replies). Author identifiers are never displayed in any user interface, exported to any external system, used for direct outreach, or shared with any third party. Author identifiers are not used to build profiles of individual commenters.

Where it is stored: A private Supabase database project owned and accessed exclusively by the Page admin. The data is not exposed via any public API, web page, dashboard, or external integration. The database is protected by HTTPS in transit, row-level security at rest, and access tokens limited to the Page admin's own development environment.

Who has access: The Page admin (David Josué) is the sole operator. No employees, contractors, agencies, business partners, or third parties have access to the stored comment data.

Retention: Comment records are retained for up to 24 months from the comment's created_time for analytical comparison across ad cohorts. After 24 months, comment records (including author identifiers) are automatically and permanently deleted. Aggregated daily signals (counts, sentiment distributions) — which do not contain author identifiers — may be retained indefinitely for historical benchmarking.

Data subject rights — deletion and access: If you have left a comment on one of our Facebook Pages and you wish for that comment to be removed from our internal analytics database (independent of any deletion of the comment from Facebook itself), please contact us at dj+privacy@davidjosue.com. We will locate any record referencing your Facebook user ID or comment text and delete it within 30 days of your verified request. You may also request access to or correction of any data we hold about you. Note that deleting a comment from Facebook does not automatically delete records of that comment that we may have already ingested into our internal database — please contact us directly to ensure full deletion.

No advertising or remarketing use: Data collected under this integration is not used to build advertising audiences, deliver targeted ads, retarget commenters, or share information with advertising platforms. The Meta Pixel and Meta Lead Ads activities described in the "Service Providers" section above operate independently and on different data flows.

Compliance: Our use of data obtained via the Meta Graph API complies with the Meta Platform Terms and Meta Developer Policies, including but not limited to the prohibitions on selling or licensing platform data, using platform data to discriminate against users, or transferring platform data to data brokers, advertising networks, or any third party not approved by Meta.

Privacy contact for Facebook App Data: Privacy requests, access requests, deletion requests, and questions about this integration: dj+privacy@davidjosue.com.

International data transfers

We are based in Mexico. Our service providers (Twilio, Stripe, Meta, Google, Amazon, Cloudflare, Pic-Time, Flodesk, ShootQ, Supabase) operate primarily in the United States and other jurisdictions. By using the Site, you understand that your personal data may be transferred to, stored, and processed in countries outside your country of residence, including Mexico, the United States, and any other jurisdiction where our service providers operate.

For visitors in the European Economic Area (EEA), the United Kingdom, or Switzerland, transfers outside those regions rely on the European Commission's Standard Contractual Clauses, the recipient's adequacy decision, or another lawful transfer mechanism, as applicable.

We take reasonable steps to ensure that transferred data is treated securely and consistent with this Privacy Policy.

Data retention

We keep your personal data only as long as necessary for the purposes described in this Privacy Policy, or as required by law.

  • Inquiry data from visitors who do not become clients: retained for up to 3 years from the most recent interaction (form submission, email open, email reply, or other meaningful engagement). After 3 years of inactivity, the data is automatically and permanently deleted.
  • Booked clients: data is retained for the duration of the engagement plus the period required for fiscal, contractual, and legal purposes (typically 7 years under Mexican fiscal law).
  • Newsletter subscribers: retained while your subscription is active. If you unsubscribe, your email is moved to a suppression list (kept indefinitely solely to honor your unsubscribe choice).
  • Analytics data: retained per Google Analytics' default retention setting (typically 14 months for user-level data, indefinitely for aggregate data).
  • Payment records: retained as required by tax and accounting law.
  • SMS opt-in records: retained for the duration of your consent plus a reasonable period after revocation, to demonstrate consent in case of audit.
  • Facebook App Data (internal analytics database): comment records retained for up to 24 months from the comment's creation date, then automatically deleted. Aggregated daily signals (no author identifiers) may be retained indefinitely.

You may request earlier deletion at any time — see "Your rights" below.

Your rights

Rights available to all users

Regardless of your jurisdiction, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of your personal data
  • Object to or restrict our processing of your data
  • Request a copy of your data in a portable format
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with a data protection authority

To exercise any of these rights, contact us at dj+privacy@davidjosue.com. We will respond within 30 days.

If you are located in Mexico (LFPDPPP / ARCO rights)

Under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), you have the right to Acceso (Access), Rectificación (Rectification), Cancelación (Cancellation / Deletion), and Oposición (Opposition) — collectively the "ARCO rights." You may exercise these rights by sending a written request to dj+privacy@davidjosue.com with the following information:

  • Your full name and contact information
  • Documents that prove your identity
  • A clear and precise description of the personal data with respect to which you are exercising the right
  • The specific right you wish to exercise (Access, Rectification, Cancellation, or Opposition)

If your request is denied, you may file a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI): home.inai.org.mx.

If you are located in the European Economic Area, the United Kingdom, or Switzerland (GDPR / UK GDPR)

You have the rights of access, rectification, erasure, restriction of processing, data portability, objection, and to not be subject to solely automated decision-making, as set out in Articles 15–22 of the GDPR. The lawful basis for our processing depends on the activity:

  • Consent for marketing communications, SMS messaging, and non-essential cookies
  • Contract performance for processing related to a booking, purchase, or service delivery
  • Legitimate interest for Site analytics, security, fraud prevention, and responding to inquiries
  • Legal obligation for tax, accounting, and regulatory record-keeping

You may lodge a complaint with the supervisory authority in your country.

If you are a California resident (CCPA / CPRA)

You have the right to know what personal information we collect, use, disclose, and (if applicable) sell or share; the right to delete your personal information; the right to correct inaccurate information; the right to opt out of the sale or sharing of personal information; and the right to non-discrimination for exercising your rights. We do not sell your personal information. To exercise any CCPA right, contact us at dj+privacy@davidjosue.com.

Children's privacy

The Site is not directed to children under 18, and we do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and you believe your child has provided us personal data, contact us and we will delete it.

Security

We use reasonable administrative, technical, and physical safeguards to protect your data against loss, theft, and unauthorized access, including HTTPS encryption in transit, restricted access to backend systems, and contractual data-protection obligations on our service providers. No system is completely secure; we cannot guarantee absolute security but we work to minimize risk.

Disclosure of data

We may disclose your personal data:

  • To our service providers, as described above, strictly to deliver the Site and our services
  • To comply with a legal obligation, court order, or governmental request
  • To protect and defend our rights, property, and safety, or those of our users or the public
  • To investigate possible wrongdoing, fraud, or security incidents
  • In connection with a business transaction (merger, acquisition, asset sale), in which case we will provide notice before your data is transferred and becomes subject to a different privacy policy

We do not sell your personal data.

Links to third-party sites

The Site may contain links to third-party websites (Instagram, vendor websites, wedding venues, publication features, affiliate retailers). When you click a third-party link, you leave the Site and that third party's privacy policy applies. We are not responsible for the content or privacy practices of third-party sites.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will provide notice through a prominent notice on the Site or by email (where we have your email and active consent to communicate).

Your continued use of the Site after a Privacy Policy update constitutes your acceptance of the updated policy.

Contact us

If you have questions about this Privacy Policy, your data, or your rights, contact us:

This Privacy Policy is provided for general informational purposes and does not constitute legal advice. For legal counsel specific to your situation, consult a Mexican attorney specialized in data protection and digital business law.

David Josué Photography — Luxury Destination Wedding Photography Based in Valle de Guadalupe, Mexico — Available Worldwide