Privacy Policy

Stratus Creative is a sole-proprietor design and development studio operated by James Farmer out of Simpsonville, South Carolina, USA. The studio is the data controller for everything described on this page.

Reach the studio directly at business@stratus-creative.com. Privacy questions go to the same inbox — there's no dedicated privacy desk because there is no department.

Information you give us

• Contact and project form fields: name, business name, email, phone, project type, budget, contact preference, website URL, and the body of your message.
• Newsletter signups: your email address.
• Support requests: anything you write in the support form.
• AI chat messages: the text you send the in-page chat assistant, plus a randomly generated session ID and the URL of the page you opened the chat from.
• Cost estimator inputs: only stored if you click “email me this estimate” — otherwise they live in your browser and are gone when you close the tab.
• Payment details: handled entirely by Stripe. We receive a record of the transaction (plan, amount, customer email, Stripe customer/subscription ID) but never your card number, CVV, or billing address.

Information collected automatically

• Standard server logs from our host (Vercel): IP address, user agent, request path, timestamp.
• Pageview pings written to our database, including page URL, referrer, and UTM parameters where present, tied to a random visitor session ID stored in your browser.
• Aggregate analytics from Vercel Analytics and Vercel Speed Insights: pageview counts, performance metrics, no cross-site tracking.
• Session recordings, click heatmaps, and scroll behavior via Microsoft Clarity. Clarity masks form input by default; we have not turned masking off.

• To reply to you and scope your project.
• To deliver the website, workflow, or hosting you bought.
• To process payment and send receipts via Stripe.
• To send transactional email (project updates, payment confirmations) and the newsletter you opted in to.
• To run the in-page AI chat assistant — your message has to reach an AI provider for the assistant to answer.
• To prevent abuse: rate limiting, IP throttling, and deduplicating spam submissions.
• To figure out which pages work and which don't — aggregate analytics and session replay.

We do not sell personal information. We do not run advertising pixels. We do not build profiles for anyone but ourselves, and the only thing we do with that profile is decide what to ship you next.

We use a small set of subprocessors to run the studio. Each one receives only the data it needs to do its job.

• Vercel — hosting, edge runtime, Vercel Analytics, Speed Insights. Receives all HTTP traffic to the site (IPs, request paths, user agents) and aggregate performance/pageview data. Vercel privacy policy.
• Supabase — Postgres database hosted on AWS (US region). Stores your form submissions, chat conversations, pageview records, and admin data. Supabase privacy policy.
• Resend — sends transactional email and stores newsletter subscriber lists. Receives recipient email addresses and message contents. Resend privacy policy.
• Stripe — processes payments when checkout is enabled. Receives your card details, name, billing address, and email directly. We never see the card. Stripe privacy policy.
• Anthropic — generates AI chat responses using Claude. Receives your chat messages and the system prompt. Also receives a redacted summary of new project submissions for an internal lead-scoring step. Anthropic privacy policy.
• Microsoft Clarity — captures session recordings, click heatmaps, and behavioral analytics. Sets its own cookies. Form input is masked by default. Microsoft privacy statement.

We may also disclose information when legally required — subpoena, court order, or to protect rights and safety. If that ever happens we'll narrow the disclosure as much as the law allows.

The chat widget is powered by Anthropic's Claude. When you send a message, the conversation history for that session is forwarded to Anthropic to generate the reply. We also store the full transcript in our Supabase database, tied to a randomly generated session ID, so we can review unanswered questions and improve the bot. Anthropic's own retention is governed by their privacy policy.

When you submit a project inquiry, a redacted version of your submission is sent to Anthropic for a fire-and-forget lead scoring step. The score is stored alongside your submission; the prompt isn't retained on our side.

The cost estimator runs entirely in your browser. Your inputs are not stored on our servers unless you explicitly click the button to email yourself the estimate — at which point the numbers are passed to Resend so the email can be sent, and business@stratus-creative.com is BCC'd so the studio knows someone ran the math.

• Project submissions and client records: kept for the life of the engagement. After project close, retained for up to 7 years to satisfy US tax and accounting obligations, then deleted or anonymized.
• Newsletter subscribers: kept until you unsubscribe. Every email has a one-click unsubscribe link.
• Chat conversations:retained for up to 90 days, then deleted. Anthropic's retention runs on their own schedule.
• Pageview records: retained for up to 12 months, then aggregated and pruned.
• Session recordings (Clarity):kept per Clarity's default retention, currently up to 13 months.
• Stripe records: retained on Stripe per their financial-record policies; we keep transaction summaries for the 7-year tax window.

Want it gone sooner? Email business@stratus-creative.com.

Everyone

• Access: ask for a copy of what we hold on you.
• Correction: ask us to fix anything wrong.
• Deletion: ask us to remove your data, with limited exceptions for tax records and active project obligations.
• Opt-out of marketing: unsubscribe link in every newsletter, or email us.

California residents (CCPA / CPRA)

You have the right to know what we collect, request deletion, and opt out of the sale or sharing of personal information. Stratus does not sell personal information and does not share it for cross-context behavioral advertising.

EU / UK residents (GDPR / UK GDPR)

Our legal bases for processing are: performance of a contract (delivering services you bought), legitimate interest (responding to inquiries, preventing abuse, basic analytics), and consent (newsletter signups). You have the right to access, rectify, erase, restrict processing, port your data, object to processing, and withdraw consent at any time without affecting the lawfulness of processing already done.

Children

The site is not intended for anyone under 13. We don't knowingly collect data from children. If you think a child has submitted information, email us and we'll delete it.

The marketing site uses a small number of cookies and browser-storage entries:

• admin-session — first-party, httpOnly, 7-day expiry, set only when an authorized admin signs in to the /admin area. You will never see this cookie as a normal visitor.
• Microsoft Clarity — third-party analytics cookies (_clck, _clsk, plus related local storage) used to stitch together session recordings and heatmaps.
• Vercel Analytics — uses local storage to generate an anonymous pageview ID. No third-party cookies.
• Stratus visitor session ID— a random ID stored in your browser's local storage so we can stitch pageviews together for attribution. Not shared with anyone.
• Stripe — sets its own cookies on the Stripe-hosted checkout page if you go through payment.

You can clear cookies and local storage in your browser settings, install an ad/tracker blocker, or use Do Not Track and Global Privacy Control headers — we honor GPC for California opt-out signals. Blocking analytics will not break the site.

All traffic is served over HTTPS. Data sits in Supabase Postgres with row-level security; the admin area is gated by password and a server-validated session cookie. Payment data never touches our servers — Stripe handles it. We rate-limit every public endpoint to make abuse expensive.

No system is unbreakable. If we discover a breach affecting your data we'll tell you in plain English, fast.

Stratus operates from the United States and stores data with US-based providers (Vercel, Supabase on AWS US, Resend, Stripe, Anthropic, Microsoft). If you're visiting from the EU, UK, or anywhere outside the US, your data is transferred to and processed in the United States. We rely on the standard contractual clauses our subprocessors maintain for cross-border transfers.

When we make material changes we'll update the “Last updated” date at the top of this page and email active clients. Small wording cleanups go in without notice.

Questions, requests, or complaints — same address either way: business@stratus-creative.com.