Legal

Privacy Policy

Effective May 9, 2026 · Last updated May 9, 2026

This Privacy Policy explains how Cerulean Labs LLC (“Curata,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use curata.artand any related services (the “Service”). It also describes the choices and rights you have regarding your information.

The Service is intended for customers in the United States. If you are accessing the Service from outside the U.S., please do not use it.

If you have questions, contact us at [email protected].

1. Summary

  • We collect the information needed to operate a curated framed-print store: account identity, order details, shipping address, and limited browsing data needed to make the catalog and search work.
  • Payments are processed by a PCI-compliant third-party processor. We do not see or store your full card number.
  • A third-party print partner produces and ships your order, and we share with them the information needed for that fulfillment.
  • We use cookies sparingly — primarily for sign-in sessions and basic analytics.
  • We do not sell or rent your personal information.
  • You have rights over your data. How to exercise them is in Section 8.

2. Information we collect

2.1 Information you provide

  • Account information. You can sign in with a passwordless email link (magic link) or with your Google account. We do not collect or store passwords. If you sign in with Google, we receive your name, email address, and profile image from Google as part of the sign-in handshake; we do not request access to any other Google account data. You may also provide or update a name and a display image associated with your Curata account.
  • Order information. When you place an order, we collect the shipping address, recipient name, contact information you provide, and the artwork, frame, size, and shipping options you select.
  • Payment information.Your payment card details are entered directly into our payments processor’s checkout components. We receive a token, the last four digits, the card brand, and the billing ZIP code or country — not your full card number.
  • Communications. If you email us or use a contact form, we keep your message and any information you include in it.

2.2 Information collected automatically

  • Session and device data. Sign-in sessions store your IP address and user-agent so we can detect anomalies and keep your session valid.
  • Server and usage logs. Like most web services, we record request logs that include IP address, timestamps, the pages requested, referrer, and basic device information. These logs are used for security, debugging, abuse prevention, and basic analytics.
  • Cookies and similar technologies. We use a small number of essential cookies for authentication, cart state, and CSRF protection. We may use optional analytics tools to understand aggregate usage and improve the Service. We do not use advertising cookies. See Section 6.

2.3 What we do not collect

  • We do not knowingly collect information from children under 13.
  • We do not collect biometric data.
  • We do not collect precise GPS location.

3. How we use information

We use the information described above for the following purposes:

  • Provide the Service. Show the catalog, run search, maintain your cart, manage your account, and let you complete purchases.
  • Process orders. Authorize and capture payment, prepare your order, and produce, ship, and deliver your print.
  • Customer support. Respond to inquiries, process replacement requests, and resolve issues.
  • Transactional communications. Send order confirmations, shipping updates, and service-related notices. These are not marketing.
  • Marketing communications, if you opt in. Send occasional updates about new collections or features. You can unsubscribe at any time.
  • Security and fraud prevention. Detect and prevent unauthorized access, fraudulent transactions, abuse, and violations of our Terms.
  • Improve the Service. Analyze aggregate usage to improve search relevance, browse surfaces, performance, and design.
  • Legal compliance. Meet our obligations under applicable law and respond to lawful requests.

4. How we share information

We do not sell or rent personal information. We share it only as described below.

4.1 Service providers

We share personal information with third parties that provide services on our behalf. They are bound to use the information only as needed to provide their service to us. The categories of providers we use include:

  • Payments processing— to authorize and capture card payments.
  • Production and shipping support— to produce and deliver your order.
  • Cloud hosting, storage, and email delivery— to operate the website, store assets, and send transactional email.
  • Authentication— to manage sign-in sessions.
  • Analytics— to understand aggregate usage of the Service.

The specific recipients within each category may change as the Service evolves.

4.2 Legal and safety

We may share information when we reasonably believe it is necessary to:

  • comply with a law, regulation, court order, subpoena, or other lawful request;
  • enforce our Terms or investigate suspected violations;
  • detect, prevent, or address fraud, security, or technical issues; or
  • protect the rights, property, or safety of Curata, our users, or others.

4.3 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify you of any such change and any resulting changes to this Policy.

4.4 With your direction

We share information when you explicitly direct us to — for example, to provide a recipient address that is not your own.

5. Categories of personal information collected and disclosed (CCPA/CPRA notice)

For California residents, this section provides notice of the categories of personal information we have collected and disclosed in the past 12 months, the purposes, and the categories of recipients. This is in addition to the rest of this Policy.

CategoryExamplesPurposeDisclosed to
IdentifiersEmail, name, IP addressAccount, orders, securityService providers (payments, operations, hosting, auth, analytics)
Customer recordsShipping address, order historyOrder production, delivery, and supportService providers (operations, hosting)
Commercial informationProducts considered or purchasedOperate the store, analyticsService providers (hosting, analytics)
Internet/network activityBrowsing on the Service, referring URLsSecurity, debugging, analyticsService providers (hosting, analytics)
Financial informationTokenized payment method, last 4 digits, billing ZIPProcess paymentsService providers (payments)

We do not collect sensitive personal information as defined by the CPRA. We do not sell or share personal information for cross-context behavioral advertising, and we do not knowingly collect or sell the personal information of minors under 16.

6. Cookies and tracking

We use cookies and similar technologies for the following limited purposes:

  • Strictly necessary— sign-in sessions, cart state, CSRF protection. These cannot be disabled if you want to use the Service.
  • Analytics— we may use optional analytics tools to understand aggregate usage and improve the Service. Optional analytics is enabled by default, and you can turn it off in Preferences.

We do not use cookies for cross-site advertising. You can control cookies through your browser settings; disabling necessary cookies will break sign-in and checkout.

We honor Global Privacy Control (GPC)signals as a request to opt out of “sale” or “sharing” of personal information under applicable U.S. state privacy laws. We do not currently sell or share personal information for cross-context behavioral advertising.

7. Data retention

We keep personal information only as long as necessary for the purposes described in this Policy.

  • Account data— kept while your account is active and for a reasonable period after closure to handle late returns, disputes, or legal obligations.
  • Order and transaction data— kept for the period required by tax, accounting, and consumer-protection laws (typically several years).
  • Server logs— retained for a limited period for security and debugging, then rotated out.
  • Support communications— kept as long as needed to resolve the matter and for a reasonable period afterwards.

You can request deletion of your account at any time (Section 8). Some data may be retained for legal, accounting, or fraud-prevention purposes even after account deletion.

8. Your rights and choices

Depending on where you live, you may have rights over your personal information. For California residents and residents of other U.S. states with applicable privacy laws, these rights generally include:

  • Right to know— request information about the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to delete— ask us to delete your information, subject to legal exceptions (for example, completed orders that we must retain for tax purposes).
  • Right to correct— ask us to correct inaccurate information.
  • Right to opt out— opt out of “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioral advertising.
  • Right to non-discrimination— we will not discriminate against you for exercising your rights.
  • Right to withdraw consent / opt out of marketing— unsubscribe from marketing emails using the link in the email or by emailing us.

How to exercise your rights

Email us at [email protected] with the request and the email address associated with your account. We may need to verify your identity before responding. We will respond within the timeframe required by applicable law (typically 45 days). You may also use an authorized agent where allowed by law.

9. Security

We use administrative, technical, and physical safeguards designed to protect personal information — including encryption in transit, access controls, isolated storage for order assets, and limited employee access. No system is perfectly secure; we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at [email protected].

10. Children

The Service is not directed to children, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

11. Third-party links

The Service may link to third-party sites we do not control. This Policy does not apply to those sites. We encourage you to review their privacy policies.

12. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will post the updated version with a new “Last updated” date and, where appropriate, notify you by email or through the Service.

13. Contact

Cerulean Labs LLC
522 W Riverside Ave Ste N, Spokane, WA 99201-0581, United States
Email: [email protected]