← Back to sitePrivacy policy
Last updated · June 2026
Lumen & Gesso (“we,” “our,” the “studio”) is a small custom pet-portrait studio operated from the United States. This policy describes the personal information we collect when you visit lumengesso.com or place a commission, how we use it, who we share it with, and the choices you have.
If you have any questions or want to exercise any of the rights below, email us at hello@lumengesso.com — we read every message.
What we collect
We collect the minimum information needed to fulfill your commission and run the site.
- Account details. Your email address when you sign in via a magic link, plus the session cookies our authentication provider sets to keep you signed in.
- Order details. Your name, shipping address, and order configuration (style, frame, size, lettering, any artist note you leave). The shipping address is collected by Stripe at checkout and shared back to us so we can fulfill and ship.
- Payment details. Card and billing details are entered with Stripe — we never see or store your card number. We only receive a payment confirmation, the amount, and the last four digits of the card.
- Photos you upload. Pet photos (and any optional style reference) you upload to commission a portrait. We store these securely so we can render and proof your portrait.
- Communication. Emails you send us and our replies, kept so we can respond and follow up on your order.
- Site analytics. Basic usage data via Google Analytics (pages visited, device type, country) to understand which parts of the site need work. We do not use cross-site advertising trackers.
How we use it
- To create your commission — including rendering the portrait, preparing the print file, and packaging.
- To process payment and issue refunds when applicable.
- To ship your portrait and notify you of order milestones (in production, shipped, delivered).
- To answer questions you send us and provide customer support.
- To improve the studio — reviewing aggregate analytics, fixing bugs, and refining our process.
- To meet legal obligations (tax records, fraud prevention, responding to lawful requests).
How we use your pet photos
Your uploaded photos are used to produce your commission. To do that, we send the photo to our image-generation partners (Google’s Gemini and OpenAI) so an AI model can render the styled portrait based on your selections. We then review and refine the result before publishing a proof to you for approval.
We do not use your photos to train AI models, and we do not share them with anyone outside the parties listed below. We will never feature your pet photo or the finished portrait in our public gallery, social media, or marketing without asking you first.
Who we share with
We share the minimum data needed with a small set of trusted service providers:
- Stripe — payment processing and shipping-address collection at checkout.
- Prodigi — our print-and-ship fulfillment partner; receives the final print file and your shipping address.
- Cloudflare — secure image storage and delivery (CDN) for the photos and renders.
- Supabase — database and authentication; stores your account email and order records.
- Resend — sends transactional emails (proof links, order confirmations, shipping updates).
- Google (Gemini) and OpenAI — image-generation APIs used solely to render your commission.
- Google Analytics — site-usage analytics.
- Vercel — hosting and edge delivery for the website itself.
We do not sell your personal information, and we do not share it for advertising purposes.
How long we keep it
- Order records and shipping addresses: at least seven years, to meet tax and accounting requirements.
- Uploaded photos and rendered portraits: retained while the order is active and for a reasonable period afterward so we can re-print or revise on request. You can ask us to delete them sooner; see the next section.
- Account email and authentication state: kept while your account exists. If you ask us to close your account, we delete it on a routine basis.
- Analytics: retained per Google’s default analytics retention (26 months by default).
Your rights
You can ask us to:
- Confirm what personal information we have about you.
- Send you a copy of that information.
- Correct anything that’s inaccurate.
- Delete your information (subject to records we’re legally required to keep).
- Stop using your photos beyond what’s strictly required for your order.
- Opt out of analytics — you can use a browser-level setting (such as “Do Not Track”) or a privacy extension.
To exercise any of these rights, email hello@lumengesso.com. We respond within 30 days. We will never charge you for exercising a right or retaliate for the request.
If you are a California resident, you have specific rights under the CCPA/CPRA (including the right to know, delete, correct, and limit the use of sensitive information). If you are in the EU or UK, you have the rights granted by the GDPR/UK GDPR (including data portability and lodging a complaint with your local supervisory authority). Email us with your jurisdiction and we’ll handle the request accordingly.
Cookies
We use a small number of cookies:
- Authentication cookies — set by Supabase to keep you signed in after a magic-link login.
- Analytics cookies — set by Google Analytics to count visits anonymously.
- Functional cookies — small in-browser values that remember your build-in-progress so you can pick up where you left off.
You can clear or block cookies at any time in your browser; some site features (such as staying signed in) will stop working if you do.
Children’s privacy
The studio is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, email us and we will delete it.
Security
We use TLS in transit, encrypted storage at rest with our providers, and limit internal access to the small team that needs it. No method of transmission or storage is perfectly secure, but we do our best. If we ever experience a breach affecting your information, we will notify affected customers without undue delay.
International transfers
The studio is based in the United States, and the providers above process data in the U.S. and other countries. If you are accessing our service from outside the U.S., you understand that your information may be transferred to and processed in the U.S. under the safeguards each provider has in place.
Changes to this policy
If we make material changes, we’ll update the “Last updated” date at the top of this page and, when warranted, email customers with active orders. Routine wording cleanups won’t be announced individually.
Contact
Lumen & Gesso
hello@lumengesso.com