Privacy Policy

Last updated: April 7, 2026

Data Collection

We collect only what is necessary: email addresses (when voluntarily provided for mailing lists), page view analytics, and payment information processed by Stripe. We do not collect names, phone numbers, or any other personal information unless you voluntarily provide it.

IP Address Handling

We never store raw IP addresses. All IP addresses are hashed with a daily-rotating salt using SHA-256 before storage. This means visitor activity cannot be traced across days, and if our database were compromised, IP addresses could not be recovered. The hashed data is used solely for fraud detection and aggregate analytics (e.g., country-level visitor counts).

Cookies

We use a single session cookie to group page views into browsing sessions for analytics. This cookie contains a random identifier and no personal information. It expires when you close your browser. We do not use third-party tracking cookies, advertising cookies, or any form of cross-site tracking.

Email

Email addresses provided for mailing lists are stored securely and used only for the purpose stated at signup (Full Moon notifications, general updates, or viewing room follow-ups). All email subscriptions use double opt-in — you must confirm your email before receiving any messages. You can unsubscribe at any time via the link in any email. Upon unsubscribing, you will receive no further emails from us.

Payment Processing

Payments are processed by Stripe. We do not store credit card numbers, bank account details, or other financial information on our servers. Stripe’s privacy practices are governed by Stripe’s Privacy Policy.

Third Parties

We use two third-party services:

Stripe — for payment processing
Resend — for email delivery

We do not sell, share, or provide your data to any other third parties. We do not use Google Analytics, Facebook Pixel, or any external tracking services.

Buyer Privacy

Anonymous purchases are fully supported. Buyer identity is never publicly associated with any artwork unless the buyer provides explicit written consent. We do not maintain or publish collector lists. We do not disclose who purchased what to any third party.

Data Storage

All data is stored on a server located in Germany (EU), operated by Hetzner Online GmbH. Email processing is handled through Resend’s EU region (Frankfurt). This means your data is processed and stored within the European Union, subject to EU data protection standards.

Your Rights

You have the right to:

Request a copy of any personal data we hold about you
Request correction of inaccurate data
Request deletion of your data (right to erasure)
Unsubscribe from any and all email communications
Withdraw consent for data processing at any time

To exercise any of these rights, contact studio@cgaspar.art. We will respond within 30 days.

Changes to This Policy

If we make material changes to this privacy policy, we will update the “Last updated” date at the top of this page. Continued use of the site after changes constitutes acceptance of the revised policy.