1. Who we are (data controller)
For the purposes of the EU and UK General Data Protection Regulations (collectively, the “GDPR”), the data controller is Frances Catania Studio (“Fran's Faces,” “we,” “us,” or “our”), an independent publishing and art project based in Hudson Valley, New York, United States.
For privacy enquiries, data subject access requests, or to withdraw consent, contact us at hello@fransfaces.com.
2. What this notice covers
This notice describes how we collect and use personal data when you:
- Visit fransfaces.com or any of its sub-pages.
- Join the waitlist or any other email signup form.
- Submit a café/salon/boutique partner application.
- Sign in to the gated digital proof reader at /book.
- Email or otherwise contact us directly.
It does not cover third-party websites we may link to. Their privacy practices are governed by their own notices.
3. Categories of personal data we collect
We collect only what we need for the purposes listed below. Specifically:
3.1 Information you give us
- Email address — required for waitlist signups, partner applications, the digital proof reader login, and any reply we send to you.
- First name — optional; used to address you in confirmation emails.
- Business information — for partner applicants only: business name, city/state, type of business, website or social link, and your description of your space.
- Authentication password — invited reviewers and editors of the digital proof reader use a shared password we provided directly. We never store your personal password and we don't use a third-party identity provider for this gate.
- Free-text content you submit — anything you type into a partner application or send us by email.
3.2 Information collected automatically
- IP address (hashed) — when you submit a form, we hash your IP using SHA-256 with a server-side secret and store only the hash. We use the hashed value to detect abuse (rate limiting, bot signatures); we do not store the raw IP.
- User agent string — the browser/OS identifier your device sends with each request. Used for the same anti-abuse purpose and trimmed to 256 characters.
- Submission timestamp — UTC timestamp when you submitted a form.
- Session cookie — for invited reviewers/editors only, NextAuth sets a JWT session cookie after you sign in. See §10 (Cookies) for details.
- CSRF token cookie — a short-lived signed cookie used to verify that form submissions came from our own pages.
3.3 Information we do NOT collect
- Payment-card information. The waitlist and partner forms never charge a card. If you eventually place an order, payment is processed by a PCI-compliant third-party processor and we never see or store your card details.
- Precise location data, biometric data, government-ID numbers, or any “special category” data under GDPR Art. 9.
- Cross-site tracking identifiers. We do not run third-party advertising pixels.
4. Why we use your data, and the legal basis
Under GDPR Article 6, every use of your personal data has a defined legal basis. The table below maps every purpose we have to its basis.
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Send you the email updates you signed up for (waitlist, launch news, partner program) | Email, first name, source tag | Consent — Art. 6(1)(a). Withdrawable at any time. |
| Confirm your double opt-in | Email, single-use confirmation token | Consent — Art. 6(1)(a) |
| Process partner-program applications | Business + contact info, free-text description | Pre-contractual measure — Art. 6(1)(b) |
| Authenticate invited reviewers / editors of the proof reader | Email, password, session cookie | Performance of a contract / legitimate interest — Art. 6(1)(b)/(f). Reviewing the proof is the service. |
| Detect spam, bots, and abuse of our forms | Hashed IP, user agent, submission timestamp | Legitimate interest — Art. 6(1)(f). The interest is keeping the service available; a balancing test concluded that hashed values minimize impact on data subjects. |
| Fulfill orders and pre-orders | Name, shipping address, email (collected at the moment of order, not in advance) | Performance of a contract — Art. 6(1)(b) |
| Comply with legal obligations (tax, fraud, lawful requests) | Order records, where applicable | Legal obligation — Art. 6(1)(c) |
We do not engage in automated decision-making with legal or similarly significant effects (Art. 22). We do not perform profiling.
5. Who we share your data with (recipients)
We do not sell, rent, or trade your personal data. We share it only with the limited set of service providers that we need to operate the site and deliver the service you requested. Each acts as a processor under our written instructions and applies appropriate safeguards.
- Vercel Inc. — hosts the website and runs the serverless functions that power our forms. May process IP and request metadata for security and operational telemetry. Privacy: vercel.com/legal/privacy-policy.
- Vercel Blob — the same Vercel account stores your hashed signup record as a JSON object behind authentication.
- Email service provider (ESP) — when we send confirmation or update emails, we use a transactional ESP under a data processing agreement. We will name the specific provider in this notice once production email is wired in (target: Resend or Postmark). Until then, no marketing emails are sent.
- Domain registrar / DNS — handles resolution of fransfaces.com.
- Legal counsel and accountants — only when strictly necessary, and only the minimum data required.
We may also disclose information if required by valid legal process (e.g., a subpoena), or to protect our rights, property, or safety, or that of our users, in accordance with applicable law.
6. International transfers
Our hosting and storage are operated in the United States. If you access the site from the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to and stored in the United States.
Where transfers occur, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, on our processors' certifications under the EU-US Data Privacy Framework. You can request a copy of the transfer safeguards in place by contacting us.
7. How long we keep your data (retention)
- Waitlist signups: for as long as you're subscribed plus 30 days after unsubscribe (to honor any “please re-add me” requests). After that, the record is deleted.
- Partner applications: 24 months from submission, unless you become an active partner — in which case the record is retained for the life of the partnership plus 36 months for accounting.
- Anti-abuse logs (hashed IP, user agent): 90 days, then permanently deleted.
- Authentication session cookies: 14 days; refreshed on each sign-in.
- Order records: 7 years (US tax requirement) for any order we eventually fulfill.
- Email correspondence with us: as long as needed to handle the matter, then archived for up to 36 months.
8. Your rights
Depending on where you live, you have some or all of the following rights over your personal data. We honor every one of these for every user, regardless of jurisdiction.
8.1 EU/UK residents (GDPR / UK GDPR)
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct anything inaccurate.
- Right to erasure (Art. 17) — “the right to be forgotten.”
- Right to restriction (Art. 18) — pause processing while a question is resolved.
- Right to data portability (Art. 20) — receive your data in a machine-readable format.
- Right to object (Art. 21) — including a blanket right to object to direct-marketing processing.
- Right to withdraw consent — at any time, with no effect on processing that already occurred.
- Right to lodge a complaint with your local supervisory authority — for example, the European Data Protection Board member list or the UK Information Commissioner's Office. We'd appreciate the chance to address your concern first.
8.2 California residents (CCPA / CPRA)
- Right to know what personal information we've collected and how we use it.
- Right to delete your personal information.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information — note: we do not sell or share personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information — note: we do not collect sensitive personal information.
- Right to non-discrimination for exercising any of these rights.
8.3 Other US states
Residents of states with comparable laws (Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, and others as those laws come into force) have substantively similar rights. We honor them on the same terms as above.
8.4 How to exercise your rights
Email hello@fransfaces.com from the address you used to sign up, or from one we can reasonably verify is yours, and tell us what you'd like us to do. We respond within 30 days (45 days for US state-law requests, with one possible 45-day extension for complex requests). There is no fee for the first request in any 12-month period; manifestly excessive or repetitive requests may incur a reasonable administrative charge or be refused as the law allows.
You may also designate an authorized agent to act on your behalf where applicable law permits.
9. How we protect your data (security)
- All site traffic is served over HTTPS with HSTS forcing TLS for one year (and eligible for browser preload lists).
- Content security headers (X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy minimal) are set on every response.
- Form submissions are protected by a CSRF double-submit cookie scheme and per-IP rate limits.
- Authentication uses signed JWT session cookies with a 14-day expiry; failed sign-in attempts are throttled with a 15-minute lockout after 5 failures.
- The gated digital proof reader is protected at three layers: an edge middleware gate, a server-component session check, and a per-handler authorization check.
- IP addresses are hashed with a server-side secret before storage; raw IPs are never persisted.
No system is perfectly secure. If you become aware of a vulnerability, please report it to hello@fransfaces.com and we'll respond promptly.
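As an illustration of the hashed-IP measure described in §3.2 and §9, the following added example (not code from this site) builds an anti-abuse record the way the notice describes it: a keyed hash of the IP, a user agent trimmed to 256 characters, a UTC timestamp, and a 90-day purge. HMAC-SHA-256 as the keyed construction, the secret value, the IPv4-mapped address normalization, the rate-limit numbers, and all function names are assumptions made for the example.

```javascript
const { createHmac } = require("node:crypto");

// Constructed secret for this example; a real one lives only in server-side config.
const SECRET = "constructed-example-secret";
const DAY_MS = 24 * 60 * 60 * 1000;

// Fold IPv4-mapped IPv6 (::ffff:203.0.113.7) to IPv4 so one client yields one hash.
function normalizeIp(ip) {
  const s = String(ip).trim().toLowerCase();
  return s.startsWith("::ffff:") && s.includes(".") ? s.slice(7) : s;
}

// Keyed hash (HMAC-SHA-256, an assumed construction). Without the key, the small
// IPv4 space could be enumerated to map stored hashes back to addresses.
function hashIp(ip, secret = SECRET) {
  return createHmac("sha256", secret).update(normalizeIp(ip)).digest("hex");
}

// The stored record holds the hash, a trimmed user agent and a UTC timestamp,
// never the raw IP.
function abuseRecord(ip, userAgent, nowMs) {
  return {
    ipHash: hashIp(ip),
    userAgent: String(userAgent).slice(0, 256),
    submittedAt: new Date(nowMs).toISOString(),
  };
}

// Sliding-window limiter keyed on the hash (limit and window are example values).
function makeRateLimiter(limit, windowMs) {
  const hits = new Map(); // ipHash -> timestamps inside the window
  return function allow(ipHash, nowMs) {
    const recent = (hits.get(ipHash) || []).filter((t) => nowMs - t < windowMs);
    const ok = recent.length < limit;
    if (ok) recent.push(nowMs);
    hits.set(ipHash, recent);
    return ok;
  };
}

// Retention: drop anti-abuse records older than 90 days.
function purgeExpired(records, nowMs, retentionDays = 90) {
  const cutoff = nowMs - retentionDays * DAY_MS;
  return records.filter((r) => Date.parse(r.submittedAt) >= cutoff);
}
```

Rotating the secret makes older hashes unlinkable to new submissions, which also resets any rate-limit state keyed on them.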
10. Cookies and similar technologies
We use only the cookies that are strictly necessary to operate the site. We do not run third-party advertising or analytics cookies.
- ff_csrf — HttpOnly, SameSite=Strict, Max-Age 7200s. Holds the CSRF token verified on form POSTs.
- ff_partners_csrf — same shape, scoped to the partner-application form.
- next-auth.session-token — HttpOnly, SameSite=Lax, 14-day expiry. Set only after a reviewer/editor signs in to the proof reader.
- next-auth.csrf-token — HttpOnly, set by NextAuth during the sign-in dance.
Because all of the above are strictly necessary for the page or feature you requested, the EU ePrivacy Directive does not require a consent banner for them. We will display an explicit consent banner before introducing any non-essential cookies (analytics, marketing, etc.); none are in use today.
11. Children's data
The site is intended for adults. We do not knowingly collect personal information from children under 16 (EU) or under 13 (US, COPPA). If you believe a child has submitted information to us, contact us and we will delete the record promptly.
12. Changes to this notice
We may update this notice as the project grows. Material changes will be highlighted at the top of the page and, where required by law, communicated to subscribers by email at least 30 days before they take effect.
The “Last updated” date in the hero reflects the most recent substantive change. A version history is available on request.
13. Contact us
For any privacy-related question, request, or complaint:
Frances Catania Studio
Privacy enquiries: hello@fransfaces.com
General contact: same address — we're a small team.