Legal
Privacy Policy
Last updated: May 2026  ·  Effective: May 1, 2026

1. Who We Are

Cafe Estudio Designs ("we," "us," or "our") is a graphic design and web development business located in Pomona, California. We provide design services, digital products, and websites to small businesses across the United States.

This Privacy Policy explains how we collect, use, and protect your personal information when you visit cafeestudiodesigns.com, purchase our products or services, or communicate with us.

Key Point

We do not sell your personal information to third parties. Ever.

2. Information We Collect

Information You Give Us

  • Name and email address — when you sign up for our newsletter, create an account, or use our contact form
  • Order information — products purchased, order amount, and order status
  • Account credentials — your password (stored as an encrypted hash; we never see your actual password)
  • Messages — when you contact us via email, Facebook Messenger, or our website chat

Information Collected Automatically

  • IP address and browser type — collected by our hosting provider (Bluehost) in standard server logs
  • Pages visited and time on site — collected via cookies if you consent
  • Device type — mobile or desktop, operating system

Payment Information

We do not store your credit card or payment information. All payments are processed securely by Stripe, a PCI-compliant payment processor. We only receive a confirmation of successful payment and your order total.

3. How We Use Your Information

We use your information only for the following purposes:

  • To process and fulfill your orders
  • To send you order confirmation emails
  • To respond to your messages and customer support requests
  • To send marketing emails if you opted in (you can unsubscribe at any time)
  • To improve our website and services
  • To detect and prevent fraud
  • To comply with legal obligations

We do not use your data for automated decision-making or profiling that produces legal effects.

4. Third-Party Services

We use the following third-party services to operate our business. Each has its own privacy policy:

  • Payments: Stripe
  • Database: Supabase
  • Hosting: Bluehost
  • Backend: Railway
  • Email: Resend
  • AI Chat: Anthropic
  • Social: Meta
  • Forms: Formspree

Stripe

Handles all payment processing. Your card data goes directly to Stripe — we never see or store it. Stripe Privacy Policy →

Supabase

We store customer accounts and order records in a Supabase database hosted in the United States. Your data is protected with Row Level Security so only you can access your own records. Supabase Privacy Policy →

Resend

We use Resend to send order confirmation and transactional emails. They receive your email address to deliver messages on our behalf. Resend Privacy Policy →

Anthropic (Claude AI)

Our Facebook Messenger chatbot uses Claude AI to respond to your messages. Messages you send through Messenger may be processed by Anthropic's API to generate a response. We do not store Messenger conversations beyond what Facebook retains. Anthropic Privacy Policy →

Meta (Facebook & Instagram)

If you interact with us on Facebook or Instagram, Meta collects data according to their own policies. We may use Facebook to show ads to people who have visited our website, but only with your cookie consent. Meta Privacy Policy →

Formspree

We use Formspree to receive contact form submissions and newsletter sign-ups. Formspree Privacy Policy →

5. Cookies & Tracking

We use cookies to improve your experience. When you first visit our website, we ask for your consent before activating any tracking cookies.

Essential Cookies (Always Active)

  • ce_cookie_consent — remembers your cookie preference (365 days)
  • ce_popup_shown — remembers if you've seen the discount popup (30 days)
  • Session cookies — keeps you logged in during your visit

Marketing & Analytics Cookies (Require Consent)

  • Meta Pixel — tracks visits to help us show relevant Facebook/Instagram ads
  • Google Analytics — tracks website usage statistics

Your Control

If you click "Decline" on our cookie banner, we will NOT activate the Meta Pixel or Google Analytics. You can change your preference at any time by clearing your browser cookies and reloading the page.

6. Your CCPA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you the following rights:

Right to Know

Request what personal data we have collected about you, where it came from, and how it's used.

Right to Delete

Request that we delete your personal information, subject to certain exceptions.

Right to Opt-Out

We do not sell your data. But you can always decline marketing cookies from our banner.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights.

How to Exercise Your Rights

Email us at [email protected] with subject line "CCPA Request". We will respond within 45 days. We will never charge a fee for exercising your rights.

Do Not Sell or Share My Personal Information

We do not sell or share your personal information with third parties for their own marketing purposes. We only share data with service providers listed above to operate our business.

7. Data Security

We take security seriously and have implemented multiple layers of protection:

  • Passwords — stored as bcrypt hashes (salt factor 12). We never store plain-text passwords.
  • HTTPS — all data transmitted between your browser and our site is encrypted via SSL/TLS.
  • Rate limiting — our login system blocks repeated failed attempts to prevent brute-force attacks.
  • Row Level Security — database access controls ensure customers only see their own data.
  • Security headers — XSS protection, clickjacking prevention, and content sniffing headers.

Data Breach Notice

In the event of a data breach affecting your personal information, we will notify you via email within 72 hours of becoming aware of the breach, as required by applicable law.

8. Data Retention

  • Account data — retained while your account is active. You can request deletion at any time.
  • Order records — retained for 3 years for tax and legal compliance.
  • Email marketing lists — retained until you unsubscribe or request removal.
  • Server logs — automatically deleted after 30 days by our hosting provider.

9. Children's Privacy

Our website and services are not directed to children under 13 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page. Continued use of our website after changes constitutes your acceptance of the updated policy.

11. Contact Us

For any privacy questions, CCPA requests, or data concerns, contact us:

  • Business: Cafe Estudio Designs
  • Location: Pomona, CA, United States
  • Response: 2 business days (CCPA requests within 45 days)