Privacy Policy

Last updated: May 2, 2026

Studiotag ("we", "our", or "us") operates the Studiotag platform accessible at https://www.studiotag.org. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Scope of This Policy

This Privacy Policy applies to all users of the Studiotag platform, including Service Providers (studio owners and their team members), Customers (end users who book sessions), and visitors to our website. It covers personal data processed in connection with the creation of accounts, use of platform features, payment processing, and communications we send.

This policy does not apply to third-party websites or services linked from within the platform. We encourage you to review the privacy policies of any third-party services you access through or alongside Studiotag.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, and password when you register for an account.
  • Service Provider Profile: Business name, business address, logo, category (e.g., photography, music), slug/URL, working hours, and my page settings you configure.
  • Business Data: Customer records, appointments, invoices, payments, staff details, services, categories, deposits, payroll, and any other information you enter into the platform as part of running your business. This data is owned by you (the Service Provider).
  • Payment and Billing Information: Billing address, plan details, and transaction history. Card numbers, UPI credentials, and other sensitive payment credentials are processed directly by Razorpay and are never stored on our servers.
  • Communications: Messages, emails, and support requests you send to us, including contact form submissions.
  • Profile Completion Data: For users signing in via Google OAuth, additional profile information you provide to complete your account setup (e.g., phone number, business name).
  • Team and Invitation Data: Names and email addresses of staff members you invite to your workspace.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, buttons clicked, actions performed, and timestamps of activity within the platform.
  • Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and referring URL.
  • Geolocation (Approximate): Country and region inferred from your IP address via Vercel's edge network headers, used for currency and pricing localization. We do not collect precise GPS location.
  • Session and Authentication Tokens: JWT session tokens stored in HTTP-only secure cookies to maintain your authenticated session.
  • Server Logs: Request logs including endpoint, method, status code, and timestamp for security monitoring, debugging, and performance analysis.

2.3 Information from Third Parties

  • Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive your Google password or access to any Google services beyond your basic profile.
  • Razorpay: Payment status, transaction IDs, order IDs, and billing confirmation data from Razorpay after payment processing.
  • OpenAI: If you use AI-powered Reports, we send anonymized and aggregated business metrics (e.g., revenue ranges, booking counts by service type) to OpenAI's API to generate insights. No personally identifiable customer data — names, emails, or phone numbers — is included in these API calls.

3. Legal Basis for Processing

We process your personal data on the following legal bases under applicable data protection laws (including the General Data Protection Regulation, or GDPR, for users in the European Economic Area and the United Kingdom):

  • Performance of a Contract: Processing your account information, business data, and payment details is necessary to provide the Service you have contracted with us to receive. Without this, we cannot operate your account.
  • Legitimate Interests: We process certain data (such as usage analytics, server logs, and security monitoring) for our legitimate interests in operating, improving, and securing the platform, provided these interests are not overridden by your rights.
  • Legal Obligation: We may process or retain certain data (such as payment and tax records) to comply with applicable laws, court orders, or regulatory requirements.
  • Consent: Where we rely on your consent (for example, for certain marketing communications), you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing. See Section 5 for details on email preferences.

4. How We Use Your Information

We use the information we collect to:

  • Provide, operate, maintain, and improve the Studiotag platform and its features.
  • Create and manage your account, workspace, and team members.
  • Process payments, manage subscription billing, and handle Razorpay webhooks.
  • Send transactional emails necessary for the Service: email verification, password resets, booking confirmations, OTP codes, booking notifications, and payment receipts.
  • Send appointment reminders to your customers on your behalf, but only when you have configured and triggered this feature within the platform.
  • Generate AI-powered business insights using anonymized, aggregated data from your account (see Section 2.3).
  • Detect country of origin to present correct currency and pricing.
  • Monitor platform health, detect errors, investigate security incidents, and prevent fraud or abuse.
  • Enforce our Terms of Service and this Privacy Policy.
  • Respond to your support requests, inquiries, and legal requests.
  • Comply with applicable laws and fulfill legal obligations.

We do not sell, rent, or trade your personal data or your customers' data to any third party for advertising, marketing, or any other commercial purpose.

5. Marketing Communications & Email Preferences

From time to time, we may send you product updates, feature announcements, tips, and other marketing communications about Studiotag. We will only send such emails to Service Providers who have registered for an account.

Your right to opt out: You can unsubscribe from marketing emails at any time by clicking the "Unsubscribe" link included in the footer of every marketing email we send, or by visiting studiotag.org/unsubscribe. Opting out will not affect transactional emails that are necessary for the operation of your account (such as booking confirmations, password resets, email verification, and payment receipts).

We record your unsubscribe preference in our system and honor it promptly. If you continue to receive emails after opting out, please allow a few business days for processing and contact us at hello@studiotag.org.

6. Data Isolation & Multi-Tenancy

Studiotag is a multi-tenant platform. Each Service Provider's data is strictly isolated. Every database query is scoped to your unique Service Provider ID — it is architecturally enforced at the API layer that one Service Provider cannot access another Service Provider's data. This isolation applies to customers, appointments, staff, invoices, services, and all other business data.

Team members (staff and admins) you invite to your workspace can only access your workspace. They cannot access any other Service Provider's data. Role-based access control (RBAC) governs which features each team member can access within your workspace.

7. Data Sharing & Disclosure

We share your information only in the following circumstances:

7.1 Sub-Processors

We rely on the following trusted third-party service providers to operate the platform. Each is bound by their own privacy policies and, where applicable, data processing agreements:

  • Razorpay (Payment Processing) — Processes subscription payments and manages billing. Razorpay receives your payment method details and billing address. Razorpay Privacy Policy
  • Nodemailer / SMTP (Email Delivery) — Transactional email delivery (verification, password reset, booking confirmations). Email content is minimal and contains only the information necessary for the specific communication.
  • OpenAI (AI Insights) — Receives anonymized and aggregated business metrics for AI-generated reports. No customer PII is transmitted. OpenAI Privacy Policy
  • Vercel (Hosting & Edge Network) — Hosts and serves the application globally. Vercel processes request logs and provides edge functions. Vercel Privacy Policy
  • MongoDB Atlas (Database) — Stores all platform data in encrypted, access-controlled cloud databases. MongoDB Privacy Policy
  • Cloudflare R2 (File Storage) — Stores uploaded files, images, and documents (e.g., studio gallery, logos).

7.2 Legal Requirements

We may disclose your information if required to do so by law, regulation, court order, or government authority, or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing; or (d) protect the personal safety of users or the public.

7.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity. We will provide at least 30 days' advance notice by email or a prominent notice on the platform before your data becomes subject to a different privacy policy.

7.4 With Your Consent

We may share information for any other purpose with your explicit prior consent.

8. International Data Transfers

Studiotag is operated from India. Our infrastructure (Vercel, MongoDB Atlas, Cloudflare R2) may store and process data in servers located in various countries, including the United States and the European Union. If you are accessing the Service from outside India, your data may be transferred to and processed in countries that may have different data protection standards than your country of residence.

For users in the European Economic Area (EEA) or the United Kingdom, such transfers are carried out under appropriate safeguards, including Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms established by the applicable data protection authority. By using the Service, you consent to such international transfers where applicable.

If you have questions about the safeguards we use for international data transfers, please contact us at hello@studiotag.org.

9. Data Retention

We retain your account and business data for as long as your account remains active or as needed to provide the Service and support legitimate business operations.

  • Active Accounts: Data is retained indefinitely while your account is active.
  • Account Deletion: If you request deletion of your account, we will delete or anonymize your Service Provider data within 30 days of your request, except where retention is required by law.
  • Financial Records: Payment transaction records, invoices, and related financial data may be retained for up to 7 years to comply with Indian tax and accounting regulations (GST, Income Tax Act).
  • Email Verification and Password Reset Tokens: These expire automatically (24 hours and 1 hour, respectively) and are deleted upon use or expiry.
  • Session Tokens: JWT session tokens expire within 24 hours. There are no persistent long-lived refresh tokens.
  • Server Logs: Application and access logs are retained for up to 90 days for security and debugging purposes.
  • Unsubscribe Records: Email unsubscribe preferences are retained indefinitely to honor your opt-out preference.

10. Security

We implement industry-standard and defense-in-depth security measures, including:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS 1.2 or higher.
  • Encryption at Rest: Data stored in MongoDB Atlas is encrypted at rest using AES-256.
  • Password Hashing: Passwords are hashed using bcrypt with a cost factor of 10 before storage. Plaintext passwords are never stored or logged.
  • Authentication Tokens: JWT session tokens are short-lived, signed with a strong secret, and transmitted via HTTP-only secure cookies to mitigate XSS risks.
  • Multi-Tenant Data Isolation: Every API endpoint enforces Service Provider ID scoping to prevent cross-tenant data access at the application layer.
  • Rate Limiting: API endpoints, particularly authentication routes (login, registration, password reset), are rate-limited per IP address to prevent brute-force attacks.
  • Access Control: Role-based access control (RBAC) ensures team members can only access the features and data their role permits within a workspace.
  • Dependency Security: We regularly review and update third-party dependencies to address known security vulnerabilities.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials and notifying us immediately if you suspect unauthorized access.

11. Cookies & Tracking Technologies

11.1 What We Use

  • Essential Session Cookies: Set by NextAuth to maintain your authenticated session. These are HTTP-only, secure cookies that expire within 24 hours. They are strictly necessary for the platform to function and cannot be disabled without breaking authentication.
  • Theme / Preference Cookies: Store your display preferences (e.g., dark mode, language, currency). These are functional cookies that improve your experience and can be cleared via your browser settings.

11.2 What We Do Not Use

We do not use third-party advertising cookies, cross-site tracking pixels, Google Analytics, Facebook Pixel, or any other analytics tracking cookies from third parties. We do not build advertising profiles or share browsing data with ad networks.

11.3 Managing Cookies

You can control and delete cookies through your browser settings. Deleting essential session cookies will log you out of the platform. Most browsers allow you to block third-party cookies without affecting first-party functionality.

12. Your Rights & Choices

12.1 Rights for EEA & UK Users (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
  • Right to Data Portability: Receive your personal data in a structured, machine-readable format and have the right to transmit it to another controller, where technically feasible.
  • Right to Restriction: Request that we restrict processing of your data in certain circumstances (e.g., while you contest its accuracy).
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes. Where we rely on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right Not to Be Subject to Automated Decision-Making: We do not make decisions with significant legal or similar effects based solely on automated processing, including profiling.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority. For EU users, this is your national Data Protection Authority (DPA). For UK users, this is the Information Commissioner's Office (ICO).

12.2 California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties we share it with.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt Out of Sale: We do not sell personal information. There is nothing to opt out of.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a verifiable consumer request under the CCPA, contact us at hello@studiotag.org. We will respond within 45 days of receiving your request.

12.3 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at hello@studiotag.org with the subject line "Privacy Request." We may ask you to verify your identity before fulfilling your request. We will respond within 30 days (or as required by applicable law). Some rights may be limited where retention is required for legal compliance or legitimate business purposes.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by applicable law (e.g., GDPR Article 33).
  • Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, describing the nature of the breach, the data categories affected, the likely consequences, and the measures we have taken or propose to take.

We maintain an internal incident response process to detect, contain, and remediate security incidents. If you believe your account has been compromised, please contact us immediately at hello@studiotag.org.

14. Children's Privacy

Studiotag is a professional business management platform intended for use by adults (18 years or older) operating businesses. We do not knowingly collect, process, or store personal information from children under the age of 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take prompt steps to delete that information. If you believe a child has provided us with personal information, please contact us at hello@studiotag.org immediately.

15. Links to Third-Party Sites

The platform may contain links to third-party websites, integrations, or services. This Privacy Policy does not apply to those third-party sites. We are not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any third-party services you use in connection with Studiotag.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Send an email notification to registered Service Providers at least 14 days before the changes take effect.
  • Display a prominent notice within the platform dashboard.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the Service and may request account deletion by contacting us.

17. Contact Us & Data Controller

Studiotag is the data controller for personal data processed in connection with your account and use of the Service. If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 10 business days. For verifiable consumer requests under GDPR or CCPA, response time is within 30 days.