Who we are
Our website address is: https://www.paintingpartiesbylucy.com/
Painting Parties by Lucy
Last updated: Oct 28, 2025
Painting Parties by Lucy (“we,” “our,” or “us”) operates a membership website that showcases painting tutorials, classes, and related content (the “Site”). Protecting your privacy is important to us. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and the choices you have. By using the Site, you agree to the practices described here.
1. Information We Collect
Account & Membership Data
- Name, email address, username, password
- Profile photo (if you upload one)
- Membership tier and purchase history
Payment Data (processed by Stripe)
- Cardholder name
- Billing address
- Stripe transaction IDs
(Full card details never touch our servers.)
Usage & Device Data
- IP address, browser type, referring page, device identifiers
- Pages visited and actions taken on the Site
- Collected automatically via Google Analytics and Google Search Console cookies and scripts
User‑Generated Content
- Artwork uploads, comments, messages, support tickets
Communications
- Emails, chat transcripts, survey responses, and other messages you send us
2. How We Use Your Information
- Provide and maintain the Site, including paid content
  - Legal basis (GDPR): Contractual necessity
- Process payments securely through Stripe
  - Legal basis: Contractual necessity
- Improve performance, troubleshoot issues, and prevent fraud
  - Legal basis: Legitimate interests
- Send marketing communications (newsletters, special offers)
  - Legal basis: Your consent (you may opt out at any time) or our legitimate interests when allowed
- Comply with legal, tax, or accounting obligations
  - Legal basis: Legal obligation
- Store and deliver large media files efficiently
  - Legal basis: Contractual necessity
3. Cookies & Tracking Technologies
We use first‑party and third‑party cookies, pixels, and similar technologies to:
- Keep you logged in and remember preferences
- Understand how visitors navigate the Site (Google Analytics)
- Measure search performance (Google Search Console)
You can disable non‑essential cookies through your browser settings or our cookie banner. Some Site features may stop working if you do.
4. Sharing & Disclosure of Information
We never sell your personal data. We share it only when necessary to operate the Site and fulfill legal requirements:
- Stripe – processes all membership payments.
- Google Analytics & Search Console – provide aggregated traffic insights.
- Service Providers – trusted vendors for hosting, email delivery, and customer support, bound by confidentiality agreements.
- Legal & Safety Reasons – to comply with lawful requests, protect rights, or prevent security threats.
5. International Transfers
Our servers and many service providers are in the United States. If you access the Site from outside the U.S., your data will be transferred and processed here. We rely on Standard Contractual Clauses or comparable safeguards when required by law.
6. Data Retention
- Account data: kept while your membership is active, then archived for up to 5 years for tax and audit purposes.
- Payment records: retained for 7 years to meet IRS requirements.
- Analytics data: stored for 26 months (Google Analytics default).
- Support tickets: retained for 3 years after closure.
- Backup files: rotated every 30 days.
We will delete or anonymize data sooner if you submit a verified request and no legal obligation requires us to keep it longer.
7. Your Rights
Depending on your location, you may have the right to:
- Access, correct, or delete your personal data
- Object to or restrict certain processing activities
- Receive a portable copy of the data you provided
- Withdraw consent at any time (this will not affect prior lawful processing)
- Lodge a complaint with your local data‑protection authority
To exercise any of these rights, email lrschmidt99@yahoo.com. We may ask you to verify your identity before acting on your request.
California Residents: We do not “sell” or “share” personal information for cross‑context behavioral advertising. You may request a list of categories of personal information we disclosed for a business purpose in the past 12 months.
8. Security
We use industry‑standard safeguards, including:
- HTTPS encryption for all traffic
- Encryption at rest and in transit for sensitive data
- Least‑privilege access controls for employees and contractors
- Periodic penetration testing
- Stripe PCI‑DSS Level 1 certification
No system is perfectly secure, but we work hard to protect your information.
9. Children’s Privacy
The Site is not directed to children under 13, and we do not knowingly collect their data. If you believe a child has provided us personal information, contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on the Site or communicated via email, and the “Last updated” date will change accordingly.