Privacy Policy
Effective date: June 4, 2026
This Privacy Policy describes how Artisana — operated by Abdi Mohamud as a sole proprietorship based in Seattle, Washington ("Artisana," "we," "us," or "our") — collects, uses, shares, and protects personal information when you use the Artisana website, application, and related services (the "Service"). It also explains the rights you have over your information and how to exercise them.
We have written this policy to be readable. If anything below is unclear, email amohamud23@gmail.com and we will explain.
1. What We Collect
We collect only what we need to operate the Service. Specifically:
Information you provide to us.
- Email address — required to create an account, receive magic-link sign-in messages, and receive transactional emails about your subscription.
- Display name (optional) — a name you may set in your account profile. It may be left blank.
- Waitlist signup — if you join the waitlist before launch, we store your email address and the date you joined. This is opt-in.
Information we collect automatically.
- Log data — your IP address, user-agent string, request path, response status, and timestamp, recorded when you interact with the Service. We use these logs for security, abuse prevention, and debugging.
- Session cookie — a single strictly-necessary cookie that keeps you signed in after you click a magic link. We do not currently use analytics, advertising, or third-party tracking cookies.
Information we receive from Stripe.
- Subscription state — your subscription tier, status (active, cancelled, past due), and renewal dates, mirrored to our database from Stripe so the Service knows what features you have access to.
Information we explicitly do not collect.
- We do not collect, store, or process your credit or debit card number, CVV, expiration date, or billing address. All payment information is collected directly by Stripe, Inc., which handles it under PCI-DSS as the payment processor. We never see your card data.
2. How We Use Your Information
We use the information above for the following purposes:
- To provide the Service — authenticate you (magic link), display your account, gate Pro features to subscribers, and respond to your requests.
- To process payments and manage subscriptions — through Stripe; we mirror only the minimum subscription metadata we need.
- To send transactional email — magic-link sign-in messages and important account or subscription notices, sent through Resend. We do not currently send marketing email to subscribers.
- To send waitlist updates — only to email addresses that opted in to the waitlist, and only until you unsubscribe.
- For security and abuse prevention — using log data to detect, investigate, and respond to abuse or unauthorized access.
- To comply with legal obligations — for example, retaining transaction records as required for tax purposes.
3. Lawful Bases (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, our processing relies on the following lawful bases under Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b)) — to provide the Service to you, manage your account, and process subscription payments.
- Consent (Art. 6(1)(a)) — for waitlist signups and any future marketing email. You may withdraw consent at any time by unsubscribing or emailing us.
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent abuse, and operate our business at a basic level. We have considered your interests and rights and believe these processing activities are proportionate.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and other legal requirements.
4. Processors We Use
We share personal information only with the following processors, and only as needed for them to provide services to us:
| Processor | Purpose | Location | Notes |
| --- | --- | --- | --- |
| Stripe, Inc. | Payment processing, Customer Portal (cancellation, billing updates), Stripe Tax (US sales-tax calculation) | United States | PCI-DSS Level 1; Standard Contractual Clauses for EU/UK transfers; Stripe maintains its own privacy policy and DPA. |
| Amazon Web Services (AWS) | Hosting of the website, API, database, and photo storage | United States — us-west-2 (Oregon) | All Artisana infrastructure runs in AWS US West (Oregon). |
| Resend | Sending transactional email (magic-link sign-in, account notices) | United States | Resend has its own privacy policy and DPA. |
We do not sell personal information. We do not share personal information with advertisers. We do not currently use analytics, advertising, or behavioral-tracking processors.
5. Cookies
Artisana currently uses one cookie: a strictly-necessary session cookie set after you sign in via magic link. It keeps you signed in for the duration of your session. Because this cookie is required for the Service to function, we do not present a cookie banner for it. We will update this policy and, where required, present a consent banner if we add analytics or any non-essential cookies in the future.
6. Data Retention
- Account data (email, display name, subscription mirror) — retained while your account is active and for 30 days after account deletion, after which it is removed from our active systems. Backups are rotated and aged out within an additional 30 days.
- Server and access logs — retained for 90 days, then deleted.
- Waitlist emails — retained until you unsubscribe, after which we remove your address from the waitlist within 30 days.
- Magic-link tokens — single-use, expire after 10 minutes, and are deleted on use or expiry.
- Subscription and tax records — retained for the periods required by Stripe's records and by applicable tax and accounting law (typically 7 years in the US), even after account deletion. These records are kept by Stripe; we retain only the minimum mirror data we need for our own books.
7. Your Rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you.
- Correct information that is inaccurate or incomplete (you can edit your display name directly; for other corrections, email us).
- Delete your account and the personal information associated with it, subject to the retention exceptions in Section 6.
- Port your data — receive a copy of the personal information you provided in a structured, commonly used, machine-readable format.
- Object to or restrict processing based on legitimate interests.
- Withdraw consent at any time for processing based on consent (for example, by unsubscribing from waitlist email). Withdrawal does not affect the lawfulness of processing before withdrawal.
- Lodge a complaint with your local supervisory authority (for EU/UK residents) if you believe your rights have been violated.
To exercise any of these rights, email amohamud23@gmail.com. We will respond within 30 days. Requests are handled manually; we may need to verify your identity by sending a confirmation email to the address on file.
8. California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you specific rights:
- Right to know — what categories of personal information we collect (see Section 1), the sources (you, your browser, Stripe), the purposes (Section 2), and the categories of third parties we share it with (Section 4).
- Right to delete — your personal information, subject to the retention exceptions in Section 6.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of at this time, and we will update this policy if that changes.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CPRA.
- Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of service because you exercised a privacy right.
To exercise these rights, email amohamud23@gmail.com.
9. International Data Transfers
Artisana is operated from the United States, and all data we hold is stored in the United States (AWS us-west-2, Oregon). If you access the Service from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction whose laws differ from US law, your information will be transferred to and processed in the United States.
For payment-related data, Stripe relies on Standard Contractual Clauses approved by the European Commission for transfers of EU/UK personal data to the United States. For the limited data we handle directly (email, display name, subscription mirror, logs), we rely on your consent and the contractual necessity of operating the Service you have requested.
10. Security
We take reasonable, industry-standard measures to protect personal information: encryption in transit (TLS) and at rest, access controls, network segmentation (the database is not directly internet-accessible), production secrets held in AWS Secrets Manager, and short-lived authentication tokens. No system is perfectly secure. If we ever experience a breach affecting your personal information, we will notify you and the appropriate authorities as required by applicable law.
11. Children
The Service is not directed to children under 13 (or under 16 in jurisdictions where that is the applicable age of digital consent), and we do not knowingly collect personal information from them. If you believe a child has provided personal information to us, email amohamud23@gmail.com and we will delete it.
12. Changes to This Policy
We may update this policy from time to time. For non-material changes we will update the effective date at the top. For material changes — for example, adding a new category of data, a new processor, or a new purpose for processing — we will give you reasonable advance notice by email and, where required by law, ask for your consent.
13. Contact and Data Subject Requests
For any privacy question, data subject access request, deletion request, complaint, or correction request:
- Email: amohamud23@gmail.com
- Operator: Artisana, a sole proprietorship of Abdi Mohamud
- Location: Seattle, Washington, United States
We do not currently have a designated EU or UK Representative under GDPR Article 27 because our processing of EU/UK personal data is limited and occasional. If our EU/UK activities expand, we will appoint a Representative and update this policy.
This document is a starting template. Reviewed by Anthropic's legal-compliance-advisor agent; reviewed by a Washington state business attorney: [DATE — TBD].