Privacy Policy

This website is operated by Barbara Lynn Studio ("we", "us", "our"). We are the data controller responsible for your personal information collected through this website and its associated services.

For any privacy-related questions or requests, contact us at: our contact page.

We collect only the information you voluntarily provide, and only for the purposes described in this policy. We do not collect any information passively beyond standard server logs.

COMMISSION & QUOTE FORMS

• Your name (quote form only)
• Your email address
• Your project brief or description
• An approximate budget range (quote form only)

PAYMENT INFORMATION

We do not collect, store, or process your credit or debit card details. All payment information is handled exclusively by Stripe, Inc. on their PCI-DSS certified infrastructure. We receive only a confirmation of payment, your email address (if provided to Stripe), and your billing name — solely for the purpose of fulfilling the commission.

TECHNICAL DATA

Our hosting provider (Vercel) may record standard server logs including IP addresses and browser user-agent strings as part of normal infrastructure operation. We do not use this data to identify you and do not analyse it for marketing purposes.

Your personal information is used only for the following purposes:

• Commission fulfilment — to understand your project, prepare a scope agreement, and deliver the commissioned artwork.
• Commission-related communication — to reply to your brief or quote enquiry, request clarification, share sketches and progress, and deliver final files.
• Payment processing — your email is passed to Stripe solely to create a checkout session and send you a payment receipt.
• Legal and accounting records — to comply with applicable tax and financial reporting obligations.

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following lawful bases:

• Contractual necessity (Article 6(1)(b) GDPR) — processing your name, email, and brief is necessary to enter into and perform the commission contract you have requested.
• Legitimate interests (Article 6(1)(f) GDPR) — we retain commission correspondence and payment records as necessary for normal business operation and to resolve any disputes.
• Legal obligation (Article 6(1)(c) GDPR) — we retain financial records as required by applicable tax law.

We share the minimum necessary data with the following processors, each bound by their own privacy policies and, where applicable, a Data Processing Agreement:

• Stripe, Inc. — payment processing. Stripe receives your payment card details, billing address, and email address to process your commission deposit. Stripe is PCI-DSS Level 1 certified. See stripe.com/privacy for their policy.
• Resend, Inc. — transactional email delivery. Resend is used solely to deliver commission notification emails to our studio. Your email address may transit Resend's infrastructure as part of this process. See resend.com/privacy.
• Vercel, Inc. — website hosting and serverless infrastructure. Vercel processes requests to this website on our behalf. See vercel.com/legal/privacy-policy.

We do not use Google Analytics, Meta Pixel, or any other third-party tracking, advertising, or analytics services on this website. There are no advertising cookies on this site.

• Commission records (email, brief, correspondence) — retained for 7 years from the date of the commission, in accordance with standard accounting and tax record requirements.
• Quote enquiries that did not result in a commission — retained for up to 2 years, then permanently deleted.
• Payment records — managed by Stripe in accordance with their retention policy and applicable financial regulation.

You may request earlier deletion at any time (see Section 8), subject to any overriding legal retention obligations.

This website does not use tracking cookies, advertising cookies, or analytics cookies. We do not use any cookie-based profiling or behavioural advertising.

Stripe may set cookies on their hosted checkout pages as required for payment security and fraud prevention. Those cookies are governed by Stripe's own cookie policy.

Depending on your jurisdiction, you have the following rights regarding your personal data:

• Right of access — to request a copy of the personal data we hold about you.
• Right to rectification — to request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten") — to request deletion of your personal data, where no overriding legal basis for retention applies.
• Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
• Right to object — to object to processing based on legitimate interests.
• Right to restrict processing — to request that we limit how we use your data while a dispute is resolved.
• Right not to be subject to automated decision-making — we do not use automated profiling or decision-making that produces legal or similarly significant effects.

California residents (CCPA/CPRA) have the additional right to know whether we sell personal information (we do not), to opt out of any such sale, and to non-discrimination for exercising their privacy rights.

To exercise any of these rights, contact us via our contact page. We will respond within 30 days. We may ask you to verify your identity before processing your request.

If you are located in the EEA or UK and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local supervisory authority (e.g. the UK ICO at ico.org.uk, or your EU member state's data protection authority).

We implement commercially reasonable technical and organisational measures to protect your personal data, including:

• HTTPS encryption for all data in transit
• No storage of payment card details on our servers
• Access to commission data limited to the studio
• Use of reputable, security-certified third-party processors

No method of internet transmission or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in high risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

Our service providers (Stripe, Resend, Vercel) are US-based companies. When your data is transferred to the United States, it is protected by the standard contractual clauses approved by the European Commission, or equivalent transfer mechanisms under applicable data protection law.

This website is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has submitted personal information to us, please contact us immediately and we will delete it.

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. If changes are material, we will take reasonable steps to notify affected users. Continued use of the website after changes are posted constitutes acceptance of the revised policy.

For any questions, concerns, or requests related to this Privacy Policy or the handling of your personal data, please contact us through our contact page. We take all privacy requests seriously and aim to respond within 30 days.