Privacy Policy
Last updated: 1 June 2026
1. Data Controller
gestuo (operated by Shadowdog Ltd, UK) is the data controller for personal data collected through gestuo.com. Contact our Data Protection Officer at privacy@gestuo.com.
2. Data We Collect
We collect the minimum data needed to operate the platform. Here is the full list, broken down by category.
Account information
Name, email, and password hash (handled by Supabase Auth). We never see your password.
Commission data
Briefs, messages, reference images, and revision feedback you provide to artists.
Payment data
Processed by Stripe. We never store card details — only the last 4 digits and card brand for display.
Artist portfolio
Bio, styles, sample images, and pricing tiers you provide in your artist profile.
Usage data
Pages visited, wizard interactions, and search queries. Used to improve the platform, never to identify you personally.
Technical data
IP address, browser type, and device information, used for fraud prevention and security.
3. Legal Basis
We process data under: contract performance (commissions), legitimate interest (platform improvement, fraud prevention), consent (marketing communications), and legal obligation (tax records).
4. Data Storage & Sovereignty
All data is stored within the European Economic Area on Supabase infrastructure. We do not transfer personal data outside the EEA without appropriate safeguards under GDPR Chapter V.
5. Data Retention
Financial records: 6 years (UK tax law). Commission data and messages: 2 years (dispute resolution). Account data: until you request deletion, plus 30 days for soft-delete.
6. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure ("right to be forgotten")
- Restrict processing
- Receive your data in a portable form (machine-readable export)
- Object to processing
- Withdraw consent at any time
7. Cookies
We use only essential cookies for authentication and session management. We do not use tracking or advertising cookies. See our Cookie Policy for details.
8. Third-Party Processors
We share data with these processors under Data Processing Agreements (DPAs):
| Processor | Purpose |
|---|---|
| Supabase | Database, authentication, and file storage (EU region) |
| Stripe | Payment processing and Stripe Connect payouts |
| Resend | Transactional email delivery |
| OpenRouter | AI brief wizard — only your brief text is sent, never personal data |
| Printful | Print production and shipping for TIER 2 orders |
| PACK & SEND | Insured shipping for TIER 3 originals |
9. Contact & Complaints
To exercise your rights, email privacy@gestuo.com. We respond within 30 days. You may also lodge a complaint with the Information Commissioner's Office.