Privacy Policy
Noctiv Studio ("we," "us," or "our") is a boutique design and development studio operated by CT Shelton. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website at https://noctivstudio.com and our client portal services.
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
Data We Collect
We collect the following categories of personal data in the course of providing our services:
Identity information: Full name, business name, and professional title provided during onboarding or project intake.
Contact information: Email address and phone number used for project communication and account authentication.
Business information: Company details, project requirements, brand assets, and design preferences submitted through the client portal.
Technical data: IP addresses recorded when you sign agreements or interact with our platform, browser type, and device information.
Session recordings: Audio and video recordings from collaborative design sessions, including automated transcriptions. Recording requires explicit consent from all participants before activation.
Analytics data: We use Umami, a cookie-free, privacy-focused analytics platform. Umami collects anonymized page views, referrer sources, and device types without placing cookies or tracking individuals across sessions.
Payment information: Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or full payment credentials on our servers. We retain only Stripe customer and invoice identifiers for record-keeping.
Legal Basis for Processing
We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
Contract performance (Art. 6(1)(b)): Processing necessary to deliver design and development services you have engaged us for, including project management, file delivery, invoicing, and communication.
Legitimate interest (Art. 6(1)(f)): Processing for website analytics (anonymized via Umami), platform security, fraud prevention, and improving our services. We have assessed that these interests do not override your fundamental rights.
Consent (Art. 6(1)(a)): Session recording and transcription require explicit consent from all participants prior to activation. Consent is recorded in our database and can be withdrawn at any time.
Legal obligation (Art. 6(1)(c)): Retention of financial records and invoicing data as required by tax and accounting regulations.
How We Use Your Data
Project delivery: Managing your project through our client portal, delivering design assets, tracking revisions, and maintaining project timelines.
Invoicing and payments: Generating invoices via Stripe, tracking payment status, and maintaining financial records.
Communication: Sending project updates, scheduling notifications, and responding to your inquiries via email.
Session management: Facilitating live design sessions, storing recordings for project reference, and generating transcripts for meeting notes.
Service improvement: Analyzing anonymized usage patterns to improve platform performance and user experience.
Third-Party Processors
We share personal data with the following third-party service providers who process data on our behalf:
Stripe -- Payment processing. Stripe handles all payment card data and is PCI DSS Level 1 certified. We never receive or store your full card details. Stripe Privacy Policy
Supabase -- Authentication and database hosting. Supabase stores user accounts, project data, and session metadata. Supabase Privacy Policy
SMTP Email Provider -- Transactional email delivery for project notifications, magic link authentication, and booking confirmations. Email content may include your name and project details.
AWS (Amazon Web Services) -- Compute infrastructure (EC2) hosting our self-hosted Next.js application and supporting services. AWS may process request logs that include IP addresses. AWS Privacy Notice
We do not sell your personal data to any third party. Data sharing is limited to what is necessary for service delivery.
Data Retention
Active projects: All project data is retained for the duration of the engagement and for a reasonable period afterward to support any follow-up work or revisions.
Archived projects: Completed project data is archived and retained for up to 7 years to satisfy legal and tax obligations.
Session recordings: Recordings and transcripts are retained for the duration of the project and deleted within 90 days of project completion, unless you request earlier deletion.
Account data: If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law.
Your Rights
Under GDPR, CCPA, and applicable data protection legislation, you have the following rights regarding your personal data:
Right of access (Art. 15): Request a copy of all personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for continued processing.
Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to restriction (Art. 18): Request that we restrict processing of your personal data under certain circumstances.
Right to object (Art. 21): Object to processing based on legitimate interests.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.
To exercise any of these rights, contact us at hello@noctivstudio.com. We will respond to your request within 30 days.
Cookies and Tracking
We use a minimal approach to cookies and tracking:
Authentication cookies: Supabase Auth uses strictly necessary session cookies to maintain your login state. These are essential for the platform to function and do not require consent under ePrivacy regulations.
Analytics: We use Umami, a privacy-focused analytics platform that does not use cookies, does not track individuals across sessions, and does not collect personally identifiable information. No consent banner is required.
We do not use advertising cookies, social media tracking pixels, or any third-party marketing trackers.
Data Protection Contact
For any questions about this Privacy Policy or to exercise your data protection rights, contact:
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes affecting active clients, we will provide direct notice via email.