Scope of this Policy
This Privacy Policy describes how Seasia Studio ("we", "us", "our") collects, uses, stores, and shares personal information when you visit our website, create an account, submit a project, communicate with our team, or otherwise use our Services (collectively, the "Services"). It applies to all visitors and users, including clients, prospects, and authorised staff.
By using the Services, you confirm that you have read and understood this Policy. If you do not agree, please discontinue use of the Services.
What Information We Collect
We collect the following categories of information:
- Account data: name, email address, profile picture, business name, and any other info you choose to add to your account.
- Authentication data: if you sign in with Google, we receive your Google profile info (name, email, avatar). If you sign in with email + password, we store a bcrypt-hashed credential.
- Project data: content, files, briefs, feedback, and messages you provide when working with us.
- Usage data: pages viewed, features used, timestamps, referrers, and approximate geographic region derived from your IP address.
- Device data: browser type, screen size, and user-agent string.
- Communications: any messages you send to our team, including live chat transcripts and email correspondence.
How We Use Information
We use the information we collect to:
- Provide, operate, and improve the Services.
- Authenticate users, manage accounts, and protect against fraud or abuse.
- Process project orders, deliver deliverables, and respond to inquiries.
- Send transactional emails (receipts, project updates, security alerts) and, with your consent, occasional marketing.
- Analyse aggregate usage trends to improve the user experience.
- Comply with applicable legal obligations and enforce our Terms of Service.
Legal Basis for Processing
We process your personal information on the following legal bases under the EU General Data Protection Regulation (GDPR) and equivalent frameworks:
- Performance of a contract — to deliver the services you've ordered and respond to your inquiries.
- Legitimate interests — to secure our services, prevent fraud, and improve our product, where those interests are not overridden by your rights.
- Consent — for marketing emails, optional cookies, and any processing that isn't covered by the above. You may withdraw consent at any time.
- Legal obligation — where we are required to retain or disclose information by law.
Data Retention
We retain your personal information for as long as your account is active or as needed to provide you the Services. Specifically:
- Account data is kept while your account is active. If you delete your account, your profile and chat history are deleted within 30 days; back-ups may persist for up to 90 days.
- Project files and final deliverables are kept for at least 24 months after project completion so we can fulfil re-edit requests. You may request earlier deletion, but doing so forfeits our ability to offer re-edits at no cost.
- Financial records (invoices, payment history) are retained for 7 years to comply with Indian tax law.
- Anonymised usage analytics may be retained indefinitely.
Your Rights (GDPR, CCPA & DPDP Act)
Depending on where you live, you have statutory rights regarding your personal information under frameworks such as the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Indian Digital Personal Data Protection Act, 2023 (DPDP Act).
For EU/UK Residents (GDPR)
- Access & Portability — request a copy of the data we hold about you in a structured, machine-readable format.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data, subject to legal retention obligations.
- Restriction & Objection — ask us to pause processing of certain data or object to processing based on legitimate interests.
- Withdraw consent— for any processing that's based on your consent, at any time.
For California Residents (CCPA/CPRA)
- Right to Know — request details about the categories and specific pieces of personal information collected.
- Right to Delete & Correct — request deletion or correction of your personal data.
- Right to Opt-Out— opt-out of the "sale" or "sharing" of personal data (Note: Seasia Studio does not sell or share data).
- Right to Non-Discrimination — receive equal services and pricing regardless of exercising your privacy rights.
For Indian Residents (DPDP Act, 2023)
As a registered data fiduciary in India, we extend the following rights to our "Data Principals":
- Right to Information — access a summary of your processed personal data and list of processors.
- Right to Correction & Erasure — correct, complete, or request erasure of data no longer required.
- Right of Grievance Redressal — raise concerns directly with our Grievance Officer.
- Right to Nominate — nominate another person to exercise your rights in the event of death or incapacity.
To exercise any of these rights, email privacy@seasiastudio.in. We verify your identity before releasing data and respond within 30 days.
Security
We take reasonable measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction. These include:
- TLS encryption for all traffic between your browser and our servers.
- Passwords stored as bcrypt hashes (we never see or store plaintext passwords).
- Row-Level Security on every Supabase table — users can only read or write rows they're explicitly allowed to.
- Rate-limited authentication endpoints and automatic lockout after repeated failed login attempts.
- Audit logging of sensitive operations.
No system is 100% secure. If you believe your account has been compromised, please contact us immediately.
Children's Privacy
The Services are not directed at children under 13 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
International Data Transfers
Seasia Studio is based in India, and your data is primarily stored and processed in India. If you are accessing the Services from outside India, you acknowledge that your information will be transferred to and processed in India, which may have different data-protection laws than your jurisdiction.
Where we use service providers in other regions (for example, Vercel's global edge network), we rely on those providers' standard contractual clauses and security certifications.
Grievance Officer
In accordance with the Indian Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, the contact details of the designated Grievance Officer for Seasia Studio are:
Name: Grievance Officer, Seasia Studio
Email: grievance@seasiastudio.in
Address: Kolkata, West Bengal, India
We will acknowledge your complaint within 36 hours and aim to resolve or redress any grievances within thirty (30) days from receiving the complaint.
Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by posting a notice on the website, updating the "Last updated" date below, or by email for active users. Continued use of the Services after changes take effect indicates acceptance of the revised Policy.
Contact
Questions or concerns about this Policy or our handling of your data can be sent to privacy@seasiastudio.in. We aim to respond within five (5) business days.
