Privacy Policy
Effective Date: April 28, 2026
Last Updated: April 28, 2026
This Privacy Policy describes how Stromatic Media ("Stromatic Media", "we", "us", or "our"), an unincorporated business operated from Toronto, Ontario, Canada, collects, uses, discloses, retains, and protects personal information when you access or use the Stromatic Media mobile application, website, and any related services (collectively, the "Service"). This Policy is incorporated into and forms part of our Terms of Service.
This Policy is designed to comply with applicable privacy laws including, where applicable, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Ontario privacy law, the European Union and United Kingdom General Data Protection Regulation (GDPR / UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA / CPRA), and other applicable provincial, state, and national privacy laws.
Summary (non-binding): We collect only the information needed to fulfill your Order and operate the Service: your email, your Brief content, basic technical information, and payment metadata (we never see your full card number). We use Stripe for payments, Supabase for hosting, and Resend for email. We do not sell your personal information. You can ask us to access, correct, or delete your information at the contact address below.
1. Scope
1.1 This Policy applies to personal information processed by Stromatic Media in the operation of the Service.
1.2 This Policy does not apply to third-party websites, applications, or services, even if linked to or integrated with the Service. Their own privacy policies govern their practices.
1.3 If you do not agree with this Policy, do not use the Service.
2. Personal Information We Collect
We collect the following categories of personal information.
2.1 Information you provide
(a) Order information: the email address you submit at checkout; any business name, website URL, industry, brand-related preferences, references, instructions, color choices, target keywords, competitor URLs, and any other content you include in your Brief.
(b) Communications: the content of any email, message, support request, or other correspondence you send to us, including any attachments.
(c) Optional account information (if and when account features are introduced): a chosen identifier, password hash, and any profile information you elect to provide.
2.2 Information collected automatically
(a) Device and technical data: device type, operating system, device identifiers, application version, language and locale, and crash or diagnostic data.
(b) Usage data: screens viewed, actions taken, timestamps, referral source, and approximate session duration.
(c) Network data: Internet Protocol (IP) address, network or carrier provider, and approximate location derived from IP address (typically at the country, region, or city level — we do not collect precise GPS location).
(d) Cookies and similar technologies: small data files used by our website (if any) and certain third-party services to recognize your device, maintain session state, and improve the Service. You can manage cookies through your browser settings; some Service features may not function correctly if cookies are disabled.
2.3 Information from third parties
(a) Payment metadata from our payment processor (Stripe): the last four digits of your card, card brand, country of issuance, and Stripe payment identifiers. We do not collect or store full payment card numbers, expiration dates, or CVV codes.
(b) Email-delivery metadata from our email service (Resend): delivery status, bounce information, and similar operational metadata.
2.4 Sensitive information
We do not request, and you should not submit, any of the following: government-issued identifiers (e.g., Social Insurance Number, Social Security Number, passport, driver's licence); health, medical, biometric, or genetic data; precise geolocation; payment card numbers (these go directly to Stripe); racial or ethnic origin; political opinions; religious beliefs; trade-union membership; sexual orientation; or information about minors.
If you submit such information despite the above, you do so at your own risk and grant us the right to delete it without notice.
2.5 Children
The Service is not directed at, or intended for, children under sixteen (16). We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it. If you believe a child has provided us information, please contact us at the address in Section 13.
3. How We Use Personal Information (Purposes)
We use personal information for the following purposes:
(a) Service delivery: to receive, accept, fulfill, and deliver Orders, produce Deliverables, communicate with you about your Order, and provide customer support.
(b) Payments: to process payment, prevent fraud, manage chargebacks and reversals, and maintain transaction records.
(c) Communications: to send transactional and operational messages (e.g., Order confirmations, delivery emails, security notices, policy updates).
(d) Service operations and security: to operate, maintain, monitor, troubleshoot, secure, and improve the Service; to detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms; and to enforce our rights.
(e) Analytics and improvement: to understand how the Service is used and to develop new and improved features and offerings, in aggregated or de-identified form where possible.
(f) Legal and compliance: to comply with applicable law, lawful requests, court orders, regulatory requirements, audits, tax obligations, and the establishment, exercise, or defense of legal claims.
(g) Business transfers: in connection with a merger, acquisition, reorganization, financing, or sale of assets, in accordance with Section 5(d).
(h) Other purposes disclosed at the time of collection or with your consent.
4. Legal Bases (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction requiring a lawful basis, we process personal information under one or more of the following legal bases:
(a) Performance of a contract — to take steps at your request before entering into a contract and to perform the contract for the Service.
(b) Legitimate interests — to operate, secure, and improve the Service, prevent fraud, communicate with you, and conduct ordinary business operations, where these interests are not overridden by your rights.
(c) Legal obligation — to comply with applicable law.
(d) Consent — where required by law, for purposes you have specifically consented to (e.g., optional marketing). You can withdraw consent at any time without affecting the lawfulness of prior processing.
(e) Vital interests or public interest — where processing is necessary to protect a person's life or in the public interest, in rare circumstances.
5. How We Disclose Personal Information
We do not sell personal information for monetary consideration. We disclose personal information only as follows:
(a) Service providers ("processors"/"sub-processors") acting on our behalf and bound by contractual confidentiality and security obligations, including:
- Stripe, Inc. (payments) — see https://stripe.com/privacy
- Supabase, Inc. (database, hosting, authentication, edge compute) — see https://supabase.com/privacy
- Resend, Inc. (transactional email delivery) — see https://resend.com/legal/privacy-policy
- Hosting, infrastructure, content-delivery, monitoring, error-tracking, analytics, and customer-support providers as may be engaged from time to time.
- Production tools and platforms, which may include automated, algorithmic, or generative tools, used to produce, refine, or analyze Deliverables. Brief content may be processed by such tools to fulfill your Order. Where reasonably practicable, we configure these tools so that submitted content is not retained for the provider's own training. We do not guarantee any specific provider's data-handling practices, and you acknowledge that flow-through of Brief content to such tools is inherent to the Service.
(b) Compliance and protection — to comply with law, lawful requests (including subpoenas, court orders, and regulatory inquiries), or to investigate or prevent fraud, abuse, security incidents, or violations of our Terms; to protect the rights, property, life, or safety of Stromatic Media, our customers, or others; and to establish, exercise, or defend legal claims.
(c) Professional advisors — our lawyers, accountants, auditors, and consultants, bound by professional or contractual confidentiality obligations.
(d) Business transfers — in connection with a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, in which case personal information may be transferred as a business asset, subject to standard confidentiality protections.
(e) With your consent or at your direction, including when you choose to share content publicly.
(f) Aggregated or de-identified information that cannot reasonably be used to identify you may be disclosed for any purpose.
We do not engage in cross-context behavioral advertising and do not share personal information for advertising "as defined" under the CCPA/CPRA.
6. International Transfers
6.1 Stromatic Media is operated from Canada. Our service providers are located in Canada, the United States, the European Union, the United Kingdom, and potentially other countries. By using the Service, you understand that personal information will be transferred to and processed in jurisdictions that may have different data-protection laws than your home jurisdiction.
6.2 Where required by law (including GDPR/UK GDPR), we use appropriate safeguards for international transfers, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and adequacy determinations where available.
6.3 You may contact us at the address in Section 13 for more information about transfer safeguards.
7. Retention
7.1 We retain personal information only for as long as necessary to fulfill the purposes set out in Section 3, or as required or permitted by law.
7.2 General retention guidelines:
(a) Order, Brief, and Deliverable records — retained for the duration of the customer relationship and for a reasonable period thereafter for legitimate business and legal purposes (typically up to seven (7) years to comply with tax, accounting, audit, anti-fraud, and limitation-period requirements).
(b) Payment metadata — retained as long as required by Stripe and applicable financial-record-keeping law.
(c) Email correspondence — retained as long as needed to manage the relationship and for a reasonable period thereafter.
(d) Operational logs, error logs, and analytics data — retained for shorter periods (typically up to twelve (12) months) for security, fraud prevention, and Service improvement.
(e) Anonymized or aggregated data — may be retained indefinitely.
7.3 Once a retention period ends, we delete, anonymize, or restrict access to the information.
8. Security
8.1 We use technical and organizational measures designed to protect personal information against loss, theft, and unauthorized access, use, modification, or disclosure. These include encryption in transit, restricted access, server-side authentication, rate limiting, payload validation, sanitization, secret management, and storage on reputable cloud infrastructure.
8.2 No method of transmission or storage is one hundred percent secure. We cannot guarantee absolute security, and any information you transmit to us is at your own risk. You are responsible for keeping any account credentials confidential and for the security of the email account associated with your Order.
8.3 If we become aware of a security incident affecting your personal information, we will notify you and applicable authorities to the extent required by law.
9. Your Privacy Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:
(a) Access / know — to request information about, and a copy of, the personal information we hold about you.
(b) Correction / rectification — to request correction of inaccurate or incomplete personal information.
(c) Deletion / erasure ("right to be forgotten") — to request deletion of personal information, subject to exceptions where retention is required or permitted by law (e.g., tax records, fraud prevention, legal claims).
(d) Restriction / objection — to request that we restrict or stop certain processing, or to object to processing based on legitimate interests.
(e) Portability — to request a copy of personal information you provided to us in a structured, commonly used, machine-readable format.
(f) Withdrawal of consent — to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
(g) Right to non-discrimination (CCPA/CPRA) — we will not deny service, charge a different price, or provide a different level of quality because you exercised your privacy rights.
(h) Opt-out of "sale" or "sharing" (CCPA/CPRA) — we do not sell or share personal information for cross-context behavioral advertising. There is no opt-out required, but you may submit a request as described below for completeness.
(i) Right to lodge a complaint — you may complain to your local data-protection authority. In Canada, the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca). In the EU, your national data-protection authority. In the UK, the Information Commissioner's Office (https://ico.org.uk). In California, the California Privacy Protection Agency (https://cppa.ca.gov).
9.1 How to exercise your rights
Send a written request to stromaticmedia@gmail.com with the subject line "Privacy Rights Request" and include enough information for us to verify your identity and locate the relevant records (typically the email used at checkout). We may request additional verification before fulfilling certain requests.
We will respond within the timeframe required by applicable law (generally thirty (30) days for PIPEDA and GDPR; forty-five (45) days for CCPA, extendable as permitted).
You may use an authorized agent to submit a request on your behalf, subject to verification of authority as required by applicable law.
10. Automated Decision-Making
We do not engage in automated decision-making that produces legal or similarly significant effects concerning you. Production of Deliverables may involve automated tools, but human review is available at our discretion, and Deliverables are not legally binding decisions about you.
11. "Do Not Track" and Global Privacy Control
Our Service does not currently respond to browser "Do Not Track" signals, due to lack of a common industry standard. Where required by applicable law (e.g., CCPA/CPRA), we honor recognized opt-out preference signals such as the Global Privacy Control (GPC) for opt-outs of "sale" and "sharing", to the extent we engage in such activities (we currently do not).
12. Changes to This Policy
We may update this Policy from time to time. The "Last Updated" date at the top reflects the most recent revision. Material changes will be communicated by reasonable means, which may include posting in the application or sending email to the address you used at checkout. Continued use of the Service after the effective date constitutes acceptance.
13. Contact and Privacy Officer
To exercise any privacy right, ask a question about this Policy, or raise a concern, please contact our designated privacy contact:
Stromatic Media — Privacy Officer
Operated from Toronto, Ontario, Canada
Email: stromaticmedia@gmail.com
We will respond to your inquiry as required by applicable law.
By using Stromatic Media, you acknowledge that you have read and understood this Privacy Policy.