Privacy Policy

Last updated: June 6, 2026  |  Version: 2026-06-06

This Privacy Policy explains how Arts Atelier 146 ("we," "us," or "our") collects, uses, discloses, and protects personal information when you use our websites, learning platform, checkout, forms, and email communications (the "Service").

This Policy supplements our Terms & Conditions.

1. Scope

This Policy applies to visitors, prospective students, enrolled students, guardians, instructors, and administrators who interact with the Service. It does not apply to third-party websites or services we do not control, even if linked from our site.

2. Information we collect

2.1 Information you provide

• Account data: Name, email address, password (stored in hashed form), optional profile photo, bio, website, timezone, and role (student, instructor, or administrator).
• Checkout and billing: Billing name, email, phone, mailing address, and payment details processed by Stripe (we store Stripe customer identifiers and order/payment records, not full card numbers).
• Enrollment and learning: Course enrollments, assignment submissions, uploaded files, external links submitted for assignments, quiz answers, grades, instructor feedback, forum posts, office messages, and peer discussion content where enabled.
• Guardian and minor flows: Whether the student is 18 or older, guardian consent confirmations, and guardian–student account links.
• Forms: Information you enter on contact or custom forms, plus optional topic selection.
• Marketing: Email and name when you subscribe to waitlists or newsletters through our forms (processed via Kit/ConvertKit).

2.2 Information collected automatically

• Session authentication: An httpOnly cookie containing a signed session token when you log in (see Section 11).
• Form submissions: IP address, browser user agent, and referrer URL when you submit a public form.
• Administrative audit logs: For privileged actions, we may log actor identity, IP address, user agent, request identifier, and action metadata.
• Server and security logs: Standard web server data used for operation and abuse prevention.

2.3 Information from third parties

• Stripe: Payment status, receipt URLs, and customer/payment identifiers.
• Vimeo: Video hosting metadata when course videos are stored or played through Vimeo.

3. How we use information

We use personal information to:

• Provide, maintain, and improve the Service;
• Process enrollments, payments, installments, refunds, and tax/compliance records;
• Deliver lessons, grade work, operate forums and office messaging, and enforce enrollment access rules;
• Send transactional email (confirmations, password reset, payment notices);
• Respond to inquiries submitted through forms or email;
• Send marketing communications where you have opted in (you may unsubscribe through the email provider's link);
• Detect fraud, abuse, and security incidents;
• Comply with law and protect our rights and users.

4. Legal bases (EEA/UK visitors)

Where the GDPR or UK GDPR applies, we rely on: contract (providing the Service you request); legitimate interests (security, fraud prevention, improving the Service, and internal reporting); consent (marketing and non-essential cookies where required); and legal obligation (tax, financial, and regulatory retention).

5. How we share information

We do not sell your personal information. We share information with service providers that help us operate the Service, under contracts that require appropriate protection:

• Stripe — payment processing (Stripe Privacy Policy);
• Cloudflare R2 (or compatible S3 storage in development) — file and upload storage;
• Vimeo — video hosting and playback where used;
• Brevo (production) or SMTP providers (development/staging) — transactional email;
• Kit (ConvertKit) — email marketing and waitlist tags where you subscribe;
• Hosting providers — servers that run our application and database.

We may also disclose information if required by law, court order, or government request; to protect safety and rights; or in connection with a merger, acquisition, or asset sale with notice where required.

Course instructors and staff may access student information necessary to teach, grade, and support enrollments in their courses.

6. International transfers

We are based in the United States. If you access the Service from other countries, your information may be processed in the U.S. and other countries where our providers operate. We take steps appropriate to the transfer mechanism required by applicable law.

7. Retention

• Account data: While your account is active and for a reasonable period afterward for support, legal, and backup purposes.
• Orders and payments: Typically retained for at least seven (7) years for accounting, tax, and dispute resolution.
• Educational records: Submissions, grades, and related content may be retained for academic and institutional record-keeping after enrollment ends.
• Marketing: Until you unsubscribe or we delete the list entry after inactivity.
• Form and audit logs: As needed for security investigations and administration, then deleted or aggregated.

We may retain anonymized or aggregated data that does not identify you.

8. Security

We use measures appropriate to the nature of the data, including TLS encryption in transit, password hashing, role-based access controls, administrative audit logging, and optional malware scanning status on uploaded files. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

9. Your choices and rights

Depending on your location, you may have rights to access, correct, delete, restrict processing, object, or port personal information, and to withdraw consent for marketing.

To exercise rights, contact us with enough detail to verify your identity. We will respond within timeframes required by applicable law. You may update certain profile fields in your account settings. You may deactivate your account where the feature is offered; some records may remain as described in Section 7.

California residents: We do not sell personal information as defined by the CCPA/CPRA. You may request access, deletion, or correction as described above. We do not discriminate against you for exercising privacy rights.

10. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13 without appropriate parental consent. If you believe we have collected information from a child under 13 without consent, contact us and we will take appropriate steps.

Students under 18 may enroll with guardian involvement as described at checkout. Guardians are responsible for the minor's use of the Service.

11. Cookies and similar technologies

Cookies are small text files stored on your device when you visit a site. Similar technologies include local storage and pixels. Some cookies are set by us (first-party); others by partners (third-party).

We use cookies that are necessary to operate the Service. We do not use first-party advertising or analytics cookies in our application code as of the last updated date above. Third-party payment and video providers may set their own cookies when you use those features.

Name / provider	Purpose	Duration	Essential?
jwt (first-party, httpOnly)	Keeps you signed in to the student dashboard, checkout (when logged in), and API. Not accessible to page JavaScript.	Typically up to 15 days (configurable by our servers)	Yes
Stripe	Fraud prevention, payment session, and card checkout when you pay by card.	Per Stripe's policies	Yes for card payment
Vimeo	Video playback preferences and delivery when lessons use embedded Vimeo players.	Per Vimeo's policies	No (functional)

Waitlist and newsletter sign-ups on our public site submit data to our email marketing provider (Kit/ConvertKit). That interaction may involve cookies on their embedded forms or redirects per their policy.

Your choices: Blocking the jwt cookie prevents login and authenticated use of the learning platform. Most browsers let you delete or block cookies. Stripe and Vimeo may set preferences through those services when you use card checkout or embedded video.

12. Changes to this Policy

We may update this Policy. We will post the new version with an updated date and version. Material changes may be communicated by email or prominent notice. Checkout may require acceptance of an updated policy version.