Privacy Policy

1. Introduction & Controller Identity

This Privacy Policy explains how softuriona (“we”, “us”, “our”) collects, uses, and protects personal data when you visit our website at the softuriona domain and when you contact us to request a consultation, appointment, or information about studio services.

For the purposes of the General Data Protection Regulation (“GDPR”) and the UK GDPR, the data controller is Softuriona Studio LLC, registered address: 77 Great Titchfield Street, Fitzrovia, London W1W 6TB, United Kingdom.

Contact email for privacy questions: [email protected]. If you prefer to write by post, use the address above and mark the letter “Privacy”.

Effective Date: March 12, 2026.

2. Personal Data We Collect

We collect personal data in two main ways: (a) data you provide directly when you contact us, and (b) limited technical data that is generated when you browse the website. The categories below reflect what is commonly required to operate an appointment-led studio website safely and to respond reliably to enquiries.

• Identity and contact data: name, email address, and phone number (if provided).
• Enquiry and form content: any message you submit, including project notes, reference descriptions, preferred dates, and your selection of service type and preferred artist.
• Technical data: IP address, browser type and version, device type, operating system, language preferences, and approximate location derived from IP (city-level).
• Usage data: pages viewed, time spent on pages, referral source, and click paths (where analytics is enabled by consent).
• Cookies and identifiers: cookie IDs and consent flags as described in Section 4 and in our Cookie Policy at /cookie-policy/.
• Conversion events: actions such as a submitted enquiry form or a visit to the Thank You page, where measurement tools are enabled by consent.

We do not intentionally collect special-category data (such as health data, religious beliefs, political opinions, or biometric identifiers) through our website forms. Please do not include such information in free-text fields. We also do not request government IDs or financial account details through the website.

3. Why We Process Personal Data & Legal Basis

We process personal data only where we have a lawful basis to do so. The lawful basis depends on the specific activity and is aligned with GDPR Article 6.

3.1 Enquiries, consultation requests, and booking coordination

When you submit a consultation request or contact us by email or phone, we use your contact details and message content to respond, clarify requirements, and coordinate scheduling.
Legal basis: GDPR Art. 6(1)(b) (steps prior to entering into a contract) and, where relevant, Art. 6(1)(a) (consent) where you explicitly request contact or provide optional information.

3.2 Analytics and site improvement

If you enable analytics cookies, we use aggregated traffic and interaction data to understand which pages are useful, how visitors navigate, and where content can be clarified. We aim to keep analytics at a practical level rather than a surveillance level.
Legal basis: GDPR Art. 6(1)(a) (consent).

3.3 Marketing measurement and remarketing

If you enable marketing cookies, we may measure the performance of advertising campaigns and create audiences for remarketing. This can include attributing a form submission to an ad click and limiting repeated ads to the same browser.
Legal basis: GDPR Art. 6(1)(a) (consent).

3.4 Security, fraud prevention, and service integrity

We process certain technical signals and log data to protect the website from abuse, bots, and suspicious traffic patterns. This is standard defensive monitoring to keep the site available and to protect legitimate enquiries.
Legal basis: GDPR Art. 6(1)(f) (legitimate interests).

3.5 Legal compliance

In limited cases, we may process data to comply with legal obligations (for example, responding to lawful requests).
Legal basis: GDPR Art. 6(1)(c) (legal obligation).

3.6 Automated decision-making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects within the meaning of GDPR Article 22.

4. Cookies & Tracking Technologies

We use cookies and similar technologies (such as pixel tags) to run the website, remember your choices, and—if you consent—measure traffic and advertising performance. Cookies are small text files placed on your device. Pixel tags are small code snippets that can send event information (such as a page view or conversion) to a provider.

4.1 Essential cookies (always active)

These cookies are required for core site functionality, including basic session continuity and remembering your cookie preferences. They do not require consent.

• _site_session (first-party): supports session continuity and basic security controls. Retention: session to up to 12 months depending on implementation.
• cookie_consent (first-party): stores your cookie preference choice. Retention: 12 months.
• CSRF and security cookies (first-party): may be used to protect forms and prevent abusive submissions. Retention: typically session.

4.2 Analytics cookies (optional, consent required)

If enabled, analytics cookies help us understand general site usage. Example provider: Google Analytics 4 (GA4) with IP anonymization. We aim to use analytics data in aggregate to improve clarity and navigation, not to identify individuals.

• _ga (third-party): GA4 user identifier. Retention: 2 years.
• _ga_XXXXXXXXXX (third-party): GA4 session state (provider-specific identifier). Retention: 2 years.

Analytics data retention (typical): 14 months.

4.3 Marketing cookies (optional, consent required)

If enabled, marketing cookies are used to measure advertising effectiveness and support remarketing. This can include conversion attribution (for example, connecting an enquiry submission to an ad interaction) and building audiences for ads that are more relevant.

• _gcl_au (third-party): Google Ads conversion linker. Retention: 90 days.
• _fbp (third-party): Meta Pixel browser identifier. Retention: 90 days.
• _fbc (third-party): Meta Pixel click identifier (set when click ID is present). Retention: 90 days.

4.4 Server-side events

Where enabled, some advertising measurement can be performed server-side (for example, via Meta Conversion API or server-side tag management). In such cases, limited identifiers (such as IP address and User-Agent) may be transmitted, and any user identifiers may be hashed before transfer depending on provider configuration.

5. Consent and Managing Preferences (EEA/UK)

Users in the EEA and UK receive a cookie consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent under GDPR Art. 6(1)(a).

Your choice is recorded in the cookie_consent cookie (typically for 12 months). You can withdraw or change consent at any time by using the “Manage cookie preferences” link in the website footer. You can also clear cookies in your browser to remove the stored choice.

Withdrawing consent does not affect the lawfulness of processing based on consent before it was withdrawn.

6. Sharing With Advertising and Service Partners

We share personal data with a limited set of service providers and advertising partners only where necessary to operate the website and measure performance, and only in line with your consent choices.

• Google LLC (GA4, Google Ads, Tag Manager, remarketing): cookie identifiers, usage data, and conversion events. Privacy information: policies.google.com/privacy.
• Meta Platforms (Meta Pixel, Custom/Lookalike Audiences, Conversion API): page views, conversion events, and audience membership signals depending on consent. Privacy information: facebook.com/privacy/policy.
• Cloudflare (content delivery network and security): IP-based threat detection and performance optimization. Privacy information: cloudflare.com/privacypolicy/.

We do not sell personal data. Our partners and processors are engaged to provide services to us, and we do not permit them to use site data for their own independent commercial purposes beyond what is necessary to provide the contracted services and comply with their legal obligations.

7. International Data Transfers

Some service providers may process data outside the EEA/UK, including in the United States. Where applicable, international transfers may rely on the EU–US Data Privacy Framework (July 2023), the UK Extension to the DPF, the Swiss–US DPF, and/or Standard Contractual Clauses (EU 2021/914) as a fallback. UK transfers may also rely on the UK IDTA where relevant.

We take reasonable steps to ensure appropriate safeguards are in place for international transfers, consistent with applicable data protection laws.

8. Data Retention

We keep personal data only for as long as necessary for the purposes described in this policy, unless a longer retention period is required by law.

• Contact submissions and enquiry history: up to 2 years from the last interaction.
• Analytics data: typically 14 months (provider setting), where enabled by consent.
• Marketing cookies: retained according to cookie lifetime (for example, 90 days) where enabled by consent.
• Email correspondence: relationship duration plus up to 1 year for continuity and dispute handling.
• Server logs and security records: typically up to 90 days unless an incident requires longer investigation.
• Cookie consent record: up to 3 years for audit purposes, where applicable.
• Legal and tax records: retained as required by applicable law (often 6–10 years for invoices and related documentation).

9. Your Rights (GDPR and UK GDPR)

If you are located in the EEA or the UK, you may have the following rights under GDPR/UK GDPR (subject to conditions and exemptions):

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent (Art. 7(3))
• Right to lodge a complaint (Art. 77)

To exercise a right, email [email protected]. We typically respond within 30 days. For complex requests, this may be extended by up to 60 additional days where permitted.

If you wish to lodge a complaint, you can contact your local supervisory authority. Reference directories: edpb.europa.eu (EU), ico.org.uk (UK), bfdi.bund.de (Germany), cnil.fr (France), uodo.gov.pl (Poland), aepd.es (Spain).

10. Children

This website is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that personal data from a child under 16 has been collected without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own approaches to DNT and similar mechanisms.

12. Data Deletion Requests

You can request deletion of personal data by emailing [email protected] with the subject line “Data Deletion Request”. We may need to verify your identity before completing the request. Where deletion is not possible due to legal obligations, we will restrict processing and retain only what the law requires.

13. Business Transfers

In the event of a merger, acquisition, asset sale, financing, or insolvency, personal data may be transferred to a successor entity. If such a transfer materially changes how personal data is used, we will provide a notice on the website.

14. California (CCPA / CPRA)

If you are a California resident, you may have rights under the California Consumer Privacy Act as amended by the CPRA. In the last 12 months, we may have collected the following categories of personal information:

• Identifiers: name, email, IP address, device identifiers.
• Internet or other network activity: browsing interactions and page views (where analytics/marketing is enabled by consent).
• Inferences: interests or preferences inferred from browsing activity for advertising purposes (where marketing is enabled by consent).

We do not sell personal information as defined by CCPA. We may share personal information for cross-context behavioral advertising where you have enabled marketing cookies. California residents may opt out of sharing for targeted advertising using our cookie preferences panel (see the footer link “Manage cookie preferences”).

You may request to know, delete, or correct personal information, and you may opt out of sale/sharing where applicable. To submit a request, email [email protected] with the subject “California Privacy Request”. We will verify your request as required by law. Authorized agents may submit requests with written proof of authorization.

We will not discriminate against you for exercising your rights.

15. Virginia (VCDPA)

If you are a Virginia resident, you may have rights under the Virginia Consumer Data Protection Act, including access, correction, deletion, portability, and the right to opt out of targeted advertising. To submit a request, email [email protected] with the subject “Virginia Privacy Request”.

We do not sell personal data or engage in profiling that produces legal or similarly significant effects.

If we decline a request, you can appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Policy

We may update this Privacy Policy to reflect changes in legal requirements, provider configurations, or website functionality. Material changes will be announced via a site notice at least 14 days before they take effect. The “Last Updated” date at the top of this page will change with each revision.

18. Contact

Data controller: Softuriona Studio LLC
Address: 77 Great Titchfield Street, Fitzrovia, London W1W 6TB, United Kingdom
Email: [email protected]
Phone: +44 20 7946 0958