Privacy Policy

Last updated: 2026-05-19

Also available in Español. See also our Cookie Policy.

This Privacy Policy explains how StudioPrime collects, uses, and protects your personal data when you visit our website or use our Service. StudioPrime is based in Dubai, United Arab Emirates, and because we target customers in the European Economic Area, this Policy is written to satisfy the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, and Spain's LOPDGDD, in addition to applicable UAE data protection law.

1. Data controller

The controller responsible for processing your personal data is:

  • Name: StudioPrime (REVIEW NEEDED: registered legal entity name)
  • Registered address: REVIEW NEEDED: registered address ( Dubai, United Arab Emirates)
  • Privacy contact: privacy@studioprime.co
  • General contact: info@studioprime.co

We have not appointed a Data Protection Officer (DPO); under GDPR Article 37 we are not required to do so. For any privacy-related question please write to privacy@studioprime.co.

2. Personal data we collect

2.1 Service & contact data

  • Email address you provide when booking a meeting, subscribing, or contacting us.
  • Account details (name, company, password hash) if you have a customer account.
  • Subscription and billing metadata returned by our payment processor — we do not store full card numbers ourselves.
  • Project files, briefs, and communications you share with us in the course of an engagement.

2.2 Usage & device data (analytics)

  • Pages visited, clicks, scroll, session duration, referrer.
  • Device and browser information (user agent, screen size, language).
  • Approximate location derived from your IP address (city / region level — not a precise GPS coordinate).
  • Identifiers stored in cookies and local storage used to recognize your browser across visits (see our Cookie Policy).

We do not knowingly collect special categories of personal data (Article 9 GDPR) such as health or biometric data, nor data from anyone under 16.

3. Legal basis (GDPR Article 6)

  • Performance of a contract (Art. 6(1)(b)) — to deliver the design / development / branding services you engage us for, send invoices and project updates, and authenticate access to deliverables.
  • Legitimate interest (Art. 6(1)(f)) — to secure our website, prevent fraud and abuse, and debug technical issues.
  • Consent (Art. 6(1)(a)) — for all analytics, advertising, and personalization cookies and similar technologies. You give consent through our cookie banner and can withdraw it at any time (see Section 8).
  • Legal obligation (Art. 6(1)(c)) — for statutory record-keeping (invoices, contracts) and to comply with valid legal requests.

4. Purposes of processing

4.1 Necessary for service operation

Handling enquiries, scheduling meetings, fulfilling subscriptions, authenticating you to the dashboard, processing payments, and sending transactional emails (booking confirmations, invoices).

4.2 Analytics and measurement (consent-based)

Understanding how visitors find and use the Service so we can improve it. We use Google Analytics 4. We do not currently enable Google signals or user-provided data hashing; if that ever changes, this section and the cookie banner will update accordingly and you will be asked to re-consent.

We do not sell your personal data. We do not share your personal data with third parties for their own independent marketing purposes.

5. Third-party processors and recipients

We rely on the following processors. Each acts on our instructions under a Data Processing Agreement (Art. 28 GDPR):

  • Google LLC (Google Tag Manager + Google Analytics 4) — tag management, analytics and measurement. May process data in the United States under the EU-US Data Privacy Framework, of which Google is a certified participant. See Google's privacy policy and the Data Privacy Framework list.
  • Cloudflare, Inc. — hosting, content delivery, edge security, transactional email, database (D1), object storage (R2). Data processed primarily in the European Union for EU-located visitors; some traffic may be served from the nearest Cloudflare edge globally. See Cloudflare's privacy policy.
  • Stripe Payments Europe, Ltd. — payment processing and fraud prevention on checkout and subscription flows. Stripe acts as an independent controller for some processing activities (e.g., fraud detection); see Stripe's privacy policy.
  • Cal.com, Inc. — scheduling meetings booked via the /meet page. See Cal.com's privacy policy. (REVIEW NEEDED: confirm this matches your actual scheduling provider.)

REVIEW NEEDED: confirm this list before publication and add any processors that are wired up but not listed here (e.g., Sentry for error tracking, PostHog for product analytics, an email marketing tool).

6. International transfers

Some of our processors (notably Google) are based in the United States, and we ourselves operate from Dubai, United Arab Emirates. Transfers of EU personal data outside the European Economic Area rely on the EU-US Data Privacy Framework (Commission Decision (EU) 2023/1795) where the recipient is certified, or on the Standard Contractual Clauses issued by the European Commission, supplemented by technical measures such as IP truncation and encryption in transit.

7. Retention

  • Google Analytics 4 event and user data: 14 months from the user's last visit, then automatically deleted by Google.
  • Account and project data: for as long as our engagement is active, plus a retention window for legal / accounting obligations.
  • Cookie consent record (our cookie_consent cookie): 6 months from your last choice, after which we ask again.
  • Server logs: typically 30 days.
  • Invoices and tax records: retained as required by applicable accounting law.

8. Your rights

Under GDPR Articles 15–22 and equivalent provisions of UAE data protection law, you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectification of inaccurate or incomplete data (Art. 16).
  • Erasure ("right to be forgotten") (Art. 17).
  • Restriction of processing (Art. 18).
  • Portability in a machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3)).

To exercise any of these rights, write to privacy@studioprime.co. We will respond within one month as required by Article 12(3) GDPR.

9. How to withdraw consent

Open our cookie preferences at any time via the Cookie preferences link in the footer. Your new choice replaces any prior consent immediately on every subsequent page load.

10. Right to lodge a complaint

If you are in the European Economic Area and believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with your national data protection authority. Spanish residents can contact the Agencia Española de Protección de Datos at www.aepd.es. We would appreciate the opportunity to address your concerns first — please email privacy@studioprime.co before filing a complaint.

11. Changes to this Policy

We may update this Policy to reflect changes in our practices or in the law. Material changes will be announced on this page and the "Last updated" date above will change.

12. Contact

Privacy questions: privacy@studioprime.co
General contact: info@studioprime.co

Changelog

  • 2026-05-19: Rewrote the Policy for GDPR + LOPDGDD compliance. Added disclosures for Google Analytics 4, Consent Mode v2, international transfers under the EU-US Data Privacy Framework, GA4 14-month retention, and the right to lodge a complaint. Removed CalOPPA / CCPA sections (out of scope; EU-only focus).