Legal

Privacy Policy

We treat photographs of the people you love with the same care we treat the sculptures themselves. This page explains what we collect, why, who else processes it, and how to exercise your rights.

Effective: April 27, 2026 · Last updated: April 27, 2026

On this page

Plain-language summary
Who we are
What we collect
How we use it & legal bases
Photographs & biometric data
AI processing
Who we share with
International transfers
How long we keep it
Security
Cookies & analytics
Your rights
California-specific notice
Illinois (BIPA) notice
Children
Breach notification
Changes
Contact

01Plain-language summary

We collect your name, contact details, shipping address, payment confirmation, and the photographs you upload to commission a sculpture.

Your photographs are processed by automated AI services (Google Gemini and Meshy AI, with Anthropic Claude as a fallback) for the sole purpose of producing your bust. We do not sell your data, we do not use it to train AI models, and we delete the photographs 120 days after delivery.

You can ask for a copy of your data, ask us to correct or delete it, or withdraw consent at any time. The rest of this page is the detailed version.

02Who we are

“Jagtar Studio”, “we”, “us”, and “our” refer to the entity operating jagtarstudio.com, registered in the Province of Ontario, Canada. Our registered business address and full legal name will appear here once incorporation paperwork is on file; in the interim please reach us at hello@jagtarstudio.com.

We are the data controller for the personal information described in this policy.

Privacy Officer (PIPEDA)

Our Privacy Officer is responsible for compliance with the Canadian Personal Information Protection and Electronic Documents Act and is reachable at privacy@jagtarstudio.com.

EU and UK GDPR representatives

Because we offer goods to residents of the European Economic Area and the United Kingdom, we have appointed (or will appoint, before our first EU/UK order) representatives under Article 27 of the EU and UK GDPR. Their contact details will be published here once the appointments are filed. Until then, EU and UK residents can reach us directly at privacy@jagtarstudio.com.

03What we collect

Identifiers	Your name, email address, optional phone number.
Shipping	Postal address you provide at checkout.
Photographs	The two images you upload (front-facing and side / three-quarter) for your commission. These contain facial features and are treated as sensitive personal information.
Order data	Order number, line items, amount paid, currency, customer-facing notes, and internal status.
Payment confirmation	A token from Stripe confirming payment. We never receive or store your card number, CVC, or expiry — that data lives only with Stripe.
Communications	Emails, support messages, and any photos you send for clarification.
Device and usage	IP address (briefly, for fraud prevention) and aggregate analytics from Plausible, which does not use cookies and does not identify you.

04How we use your information & legal bases

Under EU and UK GDPR we are required to identify a legal basis for each processing activity:

Order fulfilment	Performance of a contract — Art. 6(1)(b) GDPR.
Processing your photographs to create the bust	Your explicit consent — Art. 6(1)(a) and Art. 9(2)(a) GDPR. You can withdraw consent at any time by emailing us; withdrawal does not affect the lawfulness of processing already carried out.
Sending transactional emails (order confirmations, status, tracking)	Performance of a contract — Art. 6(1)(b).
Fraud prevention & chargeback defence	Our legitimate interests — Art. 6(1)(f).
Tax, accounting, and consumer-law recordkeeping	Legal obligation — Art. 6(1)(c).
Cookieless analytics	Our legitimate interests in measuring site usage — Art. 6(1)(f).
Marketing emails (only if you opt in)	Consent — Art. 6(1)(a). Every marketing email contains an unsubscribe link honoured immediately.

For Canadian customers, we collect and use information only with your knowledge and consent under PIPEDA, and with explicit, separate consent for sensitive information including photographs.

05Photographs & biometric data

The photographs you upload contain images of human faces. Our AI suppliers compute a representation of facial geometry in order to produce a sculpture that resembles the person depicted. Some privacy laws — notably the EU GDPR (Art. 9), the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifiers Act, and the California Consumer Privacy Act as amended by the CPRA — treat this information as biometric or sensitive personal information.

We process your photographs only to create the bust you ordered. We do not use them for facial recognition, identity verification, profiling, behavioural advertising, or to train AI models. We do not sell, lease, trade, or otherwise profit from biometric information.

Before we begin processing, you give us your explicit, opt-in consent at checkout. You may withdraw that consent at any time before we begin manufacturing by emailing privacy@jagtarstudio.com; we will stop processing and refund your order. Once production has commenced, withdrawal will end further processing and we will delete the data, but we cannot reverse manufacturing already underway.

See Illinois (BIPA) notice for the additional written-consent and retention disclosures required for residents of Illinois.

06AI processing

Your photographs are processed by automated artificial-intelligence systems to generate a 3D model that is then printed in resin and finished by hand. Specifically:

Google Gemini (Nano Banana Pro and Flash models, accessed through OpenRouter) — used to validate the photographs you upload and to generate stylised reference imagery.
Meshy AI — used to convert reference imagery into a 3D mesh suitable for printing.
Anthropic Claude — used as a fallback for image validation only, when upstream services are unavailable.
OpenRouter — used to route requests between the providers above.

We have selected providers whose paid-API terms prohibit use of customer data to train their general-purpose AI models. We do not authorise — and contractually prohibit, where the provider permits — the use of your photographs to train any AI model.

In line with Article 50 of the EU AI Act, we disclose that the 3D model and the resulting bust are artificially generated. The output is a stylised interpretation of the person depicted and is not intended to identify any individual.

Generating your bust is not “solely automated decision-making producing legal or similarly significant effects” within the meaning of Article 22 GDPR. A human reviewer at Jagtar Studio approves the model before it is sent to manufacturing.

07Who we share with

We share your information only with the service providers we need to fulfil your order. Each is bound by a written agreement that requires confidentiality and lawful processing.

Provider	Purpose & location
Stripe, Inc.	Payment processing — United States.
Cloudflare, Inc. (R2 storage, Pages, Workers)	Encrypted file storage and hosting — United States and global edge.
Google LLC — Gemini API	AI image generation and validation — United States.
Meshy AI	3D model generation — United States.
OpenRouter, Inc.	AI request routing — United States.
Anthropic PBC — Claude API	Fallback image validation — United States.
Resend, Inc.	Transactional and marketing email delivery — United States.
Plausible Insights OÜ	Cookieless analytics — Estonia (EU).
Manufacturing partner (currently JLCPCB)	Resin printing. We send only the generated 3D model file — never your original photographs.
Shipping carriers	Your name and delivery address only.

We may also disclose information when required by a valid court order, subpoena, or law-enforcement request, or in connection with a corporate transaction (in which case the receiving party is bound to the same protections). We do not sell your personal information.

08International transfers

Several of our service providers are located in the United States. When we transfer personal data out of the EEA or the United Kingdom we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, and — for processors enrolled — the EU–US Data Privacy Framework. These are supplemented by encryption in transit (TLS) and at rest (AES-256).

For Canadian customers, when personal information is transferred to providers outside Canada it may be subject to the laws of those jurisdictions, including lawful access by foreign government authorities. We use contractual safeguards comparable to PIPEDA. Quebec residents: we have completed a Privacy Impact Assessment for the cross-border transfer of personal information processed by our service providers in the United States, in accordance with Law 25.

09How long we keep your information

Photographs you uploaded	120 days after delivery, then automatically and irreversibly deleted from Cloudflare R2. Earlier deletion on request.
AI-generated 3D models & intermediate images	120 days after delivery, then deleted.
Order records (invoice data — name, address, amount)	7 years, to satisfy Canadian tax and consumer-protection law and equivalent foreign obligations.
Email correspondence	24 months from last contact, then archived or deleted.
Marketing preferences	Until you unsubscribe.
Aggregate analytics (Plausible)	Indefinite, but cannot be tied to you.
Records of consent (BIPA / GDPR)	3 years after consent ends, as a defence record.

10Security

We use industry-standard technical and organisational measures to protect personal information: TLS 1.2+ for all data in transit, encrypted-at-rest object storage on Cloudflare R2, encrypted PostgreSQL backups, role-based access for staff, multi-factor authentication on admin accounts, and a written incident-response procedure.

No system is fully secure. If you discover or suspect a vulnerability, please email security@jagtarstudio.com; we will acknowledge within two business days and will not pursue good-faith research.

11Cookies & analytics

We use a small number of strictly necessary cookies (a session cookie for staff sign-in, and Stripe’s fraud-prevention cookies during checkout) and a privacy-preserving analytics tool (Plausible) that does not set cookies and does not identify visitors. We do not use behavioural advertising, retargeting, or third-party tracking.

For full detail see our Cookie Policy.

12Your rights

Subject to local law and applicable conditions, you have the right to:

Access the personal information we hold about you.
Correct inaccurate or incomplete information.
Delete your information (subject to legal retention requirements such as tax records).
Restrict certain processing.
Object to processing based on legitimate interests, including direct marketing.
Portability — receive your data in a portable, machine-readable format.
Withdraw consent at any time where processing is based on consent (this does not affect prior lawful processing).
Lodge a complaint with your supervisory authority — for example the UK Information Commissioner’s Office, the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, your Member State Data Protection Authority in the EU, or the California Privacy Protection Agency.

To exercise any of these rights, email privacy@jagtarstudio.com from the address associated with your account, or write to our postal address. We will verify your identity (typically by confirming your order number) and respond within 30 days. There is no charge unless your request is manifestly unfounded or excessive.

13California-specific notice

This section applies to California residents and supplements the rest of this policy.

In the prior 12 months we have collected the following categories of personal information about California residents: identifiers (name, email, phone), commercial information (order history), internet or other electronic network activity (cookieless analytics), geolocation (shipping address), and sensitive personal information (the photographs you upload).

We do not sell or share your personal information for cross-context behavioural advertising, and we do not use sensitive personal information for purposes other than those identified as permitted under the CCPA. Because we do not sell or share, our footer “Do Not Sell or Share My Personal Information” link confirms that status.

California residents may request that we limit the use of sensitive personal information to that necessary to provide the requested goods. Use the “Limit the Use of My Sensitive Personal Information” link in our footer or email privacy@jagtarstudio.com.

California residents have the right to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and to be free from retaliation for exercising these rights. We respond to verifiable requests within 45 days.

14Illinois (BIPA) notice

This section applies to residents of Illinois and to anyone whose biometric information is collected in Illinois.

Our AI suppliers compute a representation of facial geometry from your uploaded photographs in order to generate a 3D model of the person depicted. To the extent this constitutes a “biometric identifier” or “biometric information” under the Illinois Biometric Information Privacy Act, 740 ILCS 14/, the following applies:

Specific purpose. We collect, store, and use biometric information for the sole purpose of generating a personalised 3D-printed resin bust that you have ordered.
Term. We retain biometric information for no longer than 120 days after your order is delivered, and then permanently destroy it. Earlier destruction on request.
Written consent. Before any biometric information is collected we will require your express, written, electronic consent at checkout. The consent box discloses the points above and links to this policy.
Disclosure schedule. Our retention and destruction schedule is published in the retention section of this policy.
No sale. We will not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information.
Limited disclosure. We will not disclose biometric information except (a) to the AI sub-processors listed in this policy, each bound by written agreement; (b) where required by valid warrant or subpoena; or (c) with your separate written consent.

15Children’s privacy

Our service is not directed to children. We do not knowingly collect personal information — including photographs — from anyone under 13 (United States: COPPA) or under the age applicable in your country (typically 16 under the EU GDPR, or as low as 13 in some Member States, and 14 in Quebec under Law 25).

If a customer wishes to commission a bust depicting a minor, the customer must be the minor’s parent or legal guardian and must provide verifiable parental consent at the point of upload. If you believe a child has uploaded information to us, contact privacy@jagtarstudio.com and we will delete it.

16Breach notification

If a security incident creates a real risk of significant harm to you we will notify you and the relevant supervisory authorities as soon as feasible — within 72 hours under the GDPR, and as required under PIPEDA s. 10.1, the Quebec Act, the CCPA, BIPA, and any other applicable law. We retain records of all breaches for at least 24 months.

17Changes to this policy

We update this policy when our practices change or when the law changes. Material changes are communicated by email to active customers and a prominent notice on the site at least 30 days before they take effect. Continued use of our service after the effective date constitutes acceptance.

18Contact

Privacy Officer: privacy@jagtarstudio.com
General enquiries: hello@jagtarstudio.com
Security disclosure: security@jagtarstudio.com
Postal address: To be published once incorporation completes.

EU and UK Article 27 representatives: To be appointed before our first EU/UK order.