Privacy Policy

Last updated: May 19, 2026

Studio (studio.thomas-hart.com) is operated by Thomas Hart ("Studio," "we," "our"). This policy explains what we collect, why, who else sees it, and what rights you have.

1. What we collect

Identity. When you sign in with Google, we receive your name, email, and avatar URL from Google. When you sign in with a magic link, we receive only your email.

Project data. Anything you enter into Studio: brief answers, project details, comments, page lists, color preferences, reference URLs. This is the whole point of the service.

Uploaded files. Logos, photos, brand references, PDFs, copy documents, and any other assets you upload through the asset uploader.

Account activity. When you signed up, when you last signed in, timestamps on every project event (you completed a brief, you approved a design, etc.).

Payment metadata. When you pay through Stripe Checkout, we store the Stripe Checkout Session ID, the Payment Intent ID, the amount, and whether it succeeded. We do NOT store card numbers, CVV, bank account numbers, or any other raw payment credentials — Stripe handles those directly.

Cookies.A session cookie (HTTP-only) keeps you signed in. A theme cookie remembers light vs dark mode. That's it — no tracking pixels, no advertising cookies.

2. Where it's stored

Studio runs on Vercel (US infrastructure). The application database is Neon Postgres (US-East). Uploaded files are mirrored to Atlas (atlas.thomas-hart.com), our private asset library. Email magic links and notifications go through Resend. Payments go through Stripe. Google OAuth happens at Google.

Data at rest is encrypted by Neon, Vercel, and Atlas. Data in transit uses HTTPS with HSTS.

3. Who else sees it

Thomas Hartsees everything you put into Studio — that's the purpose: he's the operator delivering your project. Other Studio users do NOT see your data unless you explicitly invite them to your workspace.

The service providers above (Vercel, Neon, Atlas, Resend, Stripe, Google) see only the data necessary to do their job. They're bound by their own privacy policies and security agreements; links are at the bottom of this page.

We do NOT sell, share, or rent your data to advertisers, data brokers, or other third parties. We don't run ads. We don't train AI models on your data.

4. How long we keep it

Project data and uploaded files stay in Studio for as long as your engagement with Thomas Hart is active, plus an archive period afterwards (typically the duration of any maintenance / hosting agreement). When you delete your account, we delete your profile and active sessions immediately, and purge your project data + uploads within 90 days (the lag is for encrypted backups that age out).

Payment records (Stripe Session ID, amount, timestamp) are retained for 7 years to comply with US tax recordkeeping rules.

5. Your rights

Regardless of where you live, you can:

• Access your data via the Studio UI (every page shows your data; if you need a full export, email thomas@hartecho.com).
• Correct your data by editing it in Studio.
• Delete your account from Settings (or by email request) — see the retention note above.
• Object to processing or port your data — email the same address.

If you're in the EU/UK (GDPR) or California (CCPA), you have additional rights including the right to lodge a complaint with your local data protection authority.

6. Children

Studio is for business clients of Thomas Hart. We don't knowingly collect data from anyone under 16.

7. Changes

We'll update this page if anything material changes and email account-holders when we do. Older versions on request.

8. Contact

Privacy questions, deletion requests, or anything else: thomas@hartecho.com.

Third-party privacy policies

• Vercel
• Neon
• Resend
• Stripe
• Google

This policy reflects how Studio actually works as of May 19, 2026. If anything contradicts what you observe in the app, the observed behaviour wins and we'll update this page.