Privacy Policy.

The "data controller" (or "business" under the California Consumer Privacy Act) for the information described in this policy is SJD LABS LLC, a California limited liability company doing business as Atelier Booking. You can reach us at stephen@atelierbooking.com, or by mail at the registered-agent address in Section 13.

This policy applies to personal information we collect through:

• the atelierbooking.comwebsite and its subdomains (the "Site");
• inquiries submitted through the contact form, email, or mail;
• communications and relationships with clients, prospects, vendors, and service providers; and
• our operation of platforms we build for clients, in our role as a processor of their end users' data (see Section 06).

It does not cover platforms we build that are operated by our clients under their own brand and policies — those clients have their own privacy policies that govern their end users.

Information you give us. When you submit the contact form or write to us, we collect: your name, your email, your company (if provided), your selected vertical, your rough monthly booking volume (if provided), and the message you write. If you go on to become a client, we collect additional information needed to run the engagement — billing contact details, legal entity information, Stripe and domain account holders, and similar.

Information we collect automatically. Our hosting provider (Vercel) logs basic request metadata — IP address, user agent, referrer, timestamps, response codes — for security, abuse prevention, and operational purposes. We do not run analytics, advertising trackers, or fingerprinting on the Site. We do not set marketing cookies. The only cookies the Site may set are operational cookies required for the Site to function.

Information from third parties. If you email us or reach us through a referral, we may collect the identifying information shared by that source.

We use the information we collect to:

• respond to your inquiry and evaluate whether our services are a fit;
• negotiate, sign, and deliver engagements;
• invoice, collect payment, and handle accounting;
• operate, secure, and improve platforms we build — and the Site itself — including debugging and abuse prevention;
• communicate about the engagement, related services, and legal or administrative matters; and
• comply with legal obligations and enforce our rights.

We do not sell or share your personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (CCPA / CPRA).

We share the minimum information necessary with a small set of service providers that help us run the business. Each is contractually obligated to process data only as needed to deliver their service.

• Vercel Inc. — hosting and request logging for the Site and for platforms we build.
• Resend, Inc. — outbound transactional and inquiry-response email delivery.
• Cloudflare, Inc. — DNS management and inbound email routing.
• Stripe, Inc.— payment processing for clients' platforms under Stripe Connect. Stripe is a separate data controller for the transactions it processes; see stripe.com/privacy.
• GitHub, Inc.— source code hosting and project collaboration (metadata only; clients' customer data is not stored in GitHub).
• Professional advisors — accountants, attorneys, tax and compliance professionals, on a need-to-know basis.

We may also disclose information (i) to comply with law or valid legal process, (ii) to protect the safety, rights, or property of us, our clients, or the public, and (iii) in connection with a merger, acquisition, or sale of assets, in which case we will require the successor to honor this policy.

When we operate a platform we've built for a client, the end users of that platform (guests, patients, event attendees, etc.) interact primarily with the client's brand, and the client is the controller of that data. We act as a processoron the client's behalf. In that role we process personal information only on the client's documented instructions, do not use it for our own independent commercial purposes, and apply the security measures described below. The client's own privacy policy — published on their platform — is the authoritative notice to those end users.

We keep personal information only as long as needed for the purpose we collected it or as required by law:

• Unresponsive or declined inquiries: up to 24 months after last contact, then deleted.
• Active client records: for the life of the engagement plus 7 years, for tax, audit, and statute-of-limitations purposes.
• Server logs: up to 30 days for routine log rotation; longer if under investigation.
• Marketing list (none today — we don't currently operate one): if we ever introduce one, you will opt in explicitly and can unsubscribe at any time.

We use reasonable administrative, technical, and physical safeguards to protect personal information: TLS 1.2+ in transit, encryption at rest through our providers, least-privilege access, secrets stored in Vercel-managed encrypted environment variables, and staff access restricted to the founder and vetted contractors under confidentiality obligations. No system is perfectly secure — if you suspect a security incident, please contact us immediately.

California residents (CCPA / CPRA). You have the right to:

• know what personal information we have collected about you and how we use it;
• access a copy of that personal information in a portable format;
• request deletion, subject to limited exceptions (tax, legal, defense);
• request correction of inaccurate information;
• opt out of the "sale" or "sharing" of personal information — we do neither, but the right is yours regardless; and
• be free from discrimination for exercising any of these rights.

Everyone else. We honor reasonable access, correction, and deletion requests from visitors outside California to the extent we can verify your identity and are not legally required to retain the information.

How to exercise your rights. Email stephen@atelierbooking.com with the subject line "Privacy request." We will verify your identity and respond within 45 days. You may use an authorized agent; we will verify the agent's authority before acting.

We are based in the United States, and our service providers process data primarily in the United States. If you interact with us from outside the U.S., you understand that your personal information will be transferred to and processed in the U.S., which may have different data-protection standards than your country.

For platforms we operate for clients whose end users are in a specific country (for example, LifePlace Alfonso's guests in the Philippines), data residency and cross-border-transfer safeguards are governed by the relevant client's privacy policy.

The Site is not directed to children under 13 (or under 16 in jurisdictions where that is the minimum age for digital consent), and we do not knowingly collect personal information from them. If you believe a child has submitted personal information to us, please email stephen@atelierbooking.com and we will delete it.

When we change this policy, we update the "Effective" date at the top. For material changes, we will provide prominent notice on the Site and, where appropriate, email notice to contacts on file. Continued use of the Site after a change takes effect constitutes acceptance of the updated policy.

For any privacy question, request, or concern, email stephen@atelierbooking.com with "Privacy" in the subject, or write to us at:

Related documents: Terms of Service · Contact page.