Privacy Policy
Last updated: April 20, 2026
1. Introduction
FrameForged, operated by Strickland Services Group LLC, a Florida limited liability company (“we,” “us,” or “our”), is committed to protecting your privacy. This policy explains what personal information we collect, how we use it, who we share it with, and the choices you have. It applies to our website and services at frameforged.com and any related interfaces (collectively, the “Service”).
2. Information We Collect
2.1 Account Information
- Email address
- Name (optional)
- Password (stored as a bcrypt hash; never in plain text)
- Google account profile data (if using Google sign-in)
- Email-verification and password-reset tokens (stored as hashes)
2.2 Order Information
- Shipping name, address, and country
- Payment information (processed by Stripe — we never receive or store full card numbers or CVCs)
- Order history, tracking numbers, and transaction records
2.3 Usage Information
- Text prompts submitted for image generation
- Generated images and associated metadata (model, dimensions, seed)
- Credit balance and ledger of credit transactions
- Technical data: IP address, browser user-agent, device type, approximate location derived from IP
- Security events: login successes and failures, admin actions, webhook signature failures (see Section 6)
2.4 Information We Do Not Collect
- Precise GPS location (we disable it via the Permissions-Policy response header)
- Biometric data (face/fingerprint)
- Contacts, microphone, camera input
- Third-party advertising identifiers or cross-site tracking
3. How We Use Your Information
- To provide, maintain, and secure the Service
- To process credit purchases and fulfill print orders (including sharing your shipping address and generated image with Prodigi for fulfillment)
- To manage your account, credits, and order history
- To send transactional emails: email verification, password reset, order confirmations, shipping updates, and delivery confirmations
- To detect and prevent fraud, abuse, and policy violations (including rate-limit enforcement and prompt moderation)
- To comply with legal obligations and respond to lawful requests
We do not send marketing emails, newsletters, or promotional broadcasts. We do not sell, rent, or share your personal information for third-party advertising.
4. We Do Not Train AI Models On Your Data
We do not use your prompts, generated images, account data, or usage patterns to train, fine-tune, or otherwise improve any AI model, whether our own or a third party’s. Our upstream AI provider (fal.ai) operates under its own terms of service that govern its use of data you submit through our Service; where available, we rely on their no-training guarantees.
5. Sub-Processors & Third-Party Services
We share only the information necessary for each provider to perform its function. Each is bound by its own privacy and security commitments. Where applicable, transfers of data outside the recipient’s country rely on the provider’s standard contractual clauses (SCCs) or equivalent safeguards.
| Sub-processor | Purpose | Data | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing, fraud prevention | Email, billing address, card details (processed by Stripe, never by us) | USA, global |
| Prodigi Ltd | Print fulfillment and shipping | Name, shipping address, ordered artwork | United Kingdom, USA, EU |
| fal.ai | AI image generation (Flux models) | Text prompts, model parameters | USA |
| Cloudflare, Inc. (R2) | Image storage and content delivery | Generated images, thumbnails, print-ready files | USA, global CDN |
| Railway | Backend hosting, PostgreSQL database, Redis | All account, order, and usage data | USA |
| Vercel Inc. | Frontend hosting and edge network | Technical request metadata; no account data stored | USA, global CDN |
| Postmark (ActiveCampaign) | Transactional email delivery | Email address, message content | USA |
| Sentry | Error and performance monitoring | Stack traces and technical metadata; personal identifiers scrubbed before transmission | USA |
| Google LLC | OAuth sign-in (only if you choose Google sign-in) | Email, name, profile picture, Google account ID | USA, global |
6. Security
We implement layered security measures including: TLS/SSL encryption in transit; bcrypt password hashing; SHA-256 hashing for password reset and email verification tokens; signed JWT session tokens; per-user and per-endpoint rate limiting; Content Security Policy headers; HSTS; strict-origin referrer policy; input validation at route level; constant-time secret comparison; and Stripe/Prodigi webhook signature verification. We maintain an append-only security audit log of authentication events, admin actions, and webhook anomalies for forensic review.
No system is perfectly secure. You play a role too: use a strong, unique password; enable two-factor authentication on your email account (since password resets flow through email); and contact us immediately if you suspect unauthorized access to your account.
7. Data Retention
We retain personal information only as long as necessary for the purposes described in this policy and as required by law. Specific retention periods:
- Account data — while your account is active, plus 30 days after account deletion to allow for recovery and to satisfy any pending obligations
- Order records — 7 years from order date, for tax, accounting, and anti-fraud compliance under U.S. law
- Security audit events — 2 years from the event date
- Generated images in storage — deleted within 30 days of account deletion; if images are part of a completed order, retained as long as necessary to fulfill warranty and dispute claims
- Email delivery logs — retained by Postmark for 45 days per their policy
- Backups — may contain copies of data for up to 30 days after deletion from production systems
8. Your Rights & Choices
Subject to your jurisdiction’s law (including the California Consumer Privacy Act / CPRA, EU General Data Protection Regulation, and similar state-level statutes), you have the following rights regarding your personal information:
- Right to access. Request a copy of the personal information we hold about you.
- Right to correct. Request correction of inaccurate or incomplete information.
- Right to delete. Request deletion of your account and associated data, subject to our retention obligations (see Section 7).
- Right to portability. Request an export of your account data and generated images in a commonly used, machine-readable format.
- Right to opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioral advertising, so no opt-out is required of you.
- Right to withdraw consent. Where processing is based on consent (e.g., EU/UK users), you may withdraw consent at any time.
- Right to non-discrimination. We will not deny, charge differently, or provide a different level of service because you exercise any of these rights.
To exercise any of these rights, email us at support@frameforged.com. We will respond within 30 days (45 days under the GDPR where complex requests require extended review, with notice to you). We may need to verify your identity before fulfilling the request; in most cases, replying from the email address on file is sufficient.
9. International Data Transfers
We are based in the United States and our primary infrastructure is in the U.S. If you access the Service from outside the U.S., your information will be transferred to, processed, and stored in the U.S. For transfers of personal data originating in the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs) or equivalent mechanisms with our sub-processors.
10. Data Breach Notification
In the event of a confirmed personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with applicable law (including GDPR Articles 33–34 and U.S. state data-breach notification statutes). Notification will include the nature of the breach, the data categories affected, the likely consequences, and the measures we have taken or propose to take.
11. Cookies & Local Storage
We use minimal browser storage for essential functionality only:
- localStorage — stores your JWT session token so you remain logged in between visits
- localStorage — temporarily holds your shopping cart contents between page navigations
We do not use third-party tracking cookies, advertising identifiers, pixels, or cross-site trackers. We do not currently use any analytics service. If we add analytics in the future, we will update this policy and, where applicable under the law of your jurisdiction, request your consent.
12. Children’s Privacy
The Service is not intended for children under the age of 13 (or 16 for users in the European Economic Area and the United Kingdom). We do not knowingly collect personal information from children in those age ranges. If you believe a child has provided us with personal information, please contact us at support@frameforged.com and we will promptly delete the account and any associated data.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email at least seven (7) days before the changes take effect and update the “Last updated” date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact
For privacy-related questions, data subject requests, or any other inquiries, contact us at support@frameforged.com.
Strickland Services Group LLC
Tallahassee, Florida, United States