Privacy Policy

Last updated: May 2026

This Privacy Policy explains how Frame Craft ("Frame Craft", "we", "us") collects, uses, shares, retains, and protects personal information when you visit framecraft.ca (the "Site"), create an account, upload photos, or place an order with us. It also explains your rights under Canadian privacy law and how to contact us about your personal information.

We are a Canadian business that ships only within Canada. Your personal information is handled in accordance with Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the substantially similar privacy laws of your province (including Quebec's Law 25, Alberta's and British Columbia's PIPAs).

Our promise

We do not sell, rent, lease, license, or trade your personal information or your photos to any third party — ever. Not to advertisers, not to data brokers, not to AI training datasets, not to marketing partners. The only times we share data with outside services are strictly to deliver what you ordered or to comply with the law.

1. What personal information do we collect, and how do we use it?

In short: We collect what we need to fulfill your order and operate your account — nothing speculative. Photos, contact, shipping, and payment info. That's the bulk of it.

| Information | Source | Why we collect & use it |
| --- | --- | --- |
| Account info: Name, email address, password (hashed), phone (optional). | You, when you register an account or sign in with Google. | Create your account, authenticate sign-in, send order-related emails, customer support. |
| Order info: Items ordered (size, finish), order history, shipping address, billing address, order notes. | You, at checkout. | Process and fulfill your order; send shipping updates; deal with returns and defects; satisfy tax-record retention. |
| Photos & uploaded content: Image files, EXIF metadata, crop selections. | You, when you upload photos in the Studio. | Produce the physical product. See Section 3 — Your Photos for the full story. |
| Payment info: Credit card brand, last 4 digits, billing postal code, Stripe customer ID. | You, via Stripe's payment form (we never see the full card number). | Charge your payment method via Stripe; recognize repeat purchases; fraud prevention. |
| Technical & device info: IP address, browser type, device type, operating system, referring URL, pages visited, session timestamps. | Automatically, when you use the Site. | Operate and secure the Site (rate-limiting, fraud and abuse detection, error monitoring); aggregate analytics to improve the product. |
| Communications: Support emails and chat transcripts, survey responses. | You, when you contact us. | Respond to your enquiry, train our support team, document issues. |
| Marketing preferences: Email subscription status, opt-in/out timestamps. | You, when you subscribe or unsubscribe. | Honour your CASL consent preferences; send promotional emails only if you opted in. |

We collect personal information only with your knowledge and consent — either expressly (e.g., when you place an order) or by reasonable implication (e.g., browsing the Site implies consent to the limited analytics described below). The collection is limited to what we need for the purposes identified here.

2. How do we share your information with third parties?

In short: We share only with vendors that help us fulfill your order — and only the minimum each needs. We never sell or rent your data.

We share personal information with the following categories of recipients:

| Recipient | What we share | Why |
| --- | --- | --- |
| Our printing partner | The print file (your photo) and the shipping label — no email, account info, or other photos. | To produce your frame. |
| Imagineship (carrier & DDP service, imagineship.com) | Recipient name, shipping address, package dimensions, customs declaration. | To deliver your order and prepay duties. |
| Stripe Payments Canada, Ltd. | Card details (collected directly by Stripe), order amount, billing email. | To process payment and prevent fraud. |
| Amazon Web Services (S3) | Uploaded photos, encrypted at rest in the AWS region we've selected. | Secure photo storage during order processing. |
| Google LLC (OAuth and Analytics) | For OAuth: your name, email, and profile picture URL — only if you choose "Sign in with Google". For Analytics: anonymized site-traffic events (no personal identifiers). | Sign-in convenience; aggregate site analytics. |
| Email delivery provider | Your email address and the contents of transactional and (if opted-in) marketing emails. | To send order confirmations, shipping notifications, and customer support replies. |
| Legal or regulatory authorities | Only what is specifically required by a lawful order (subpoena, search warrant, court order). | To comply with Canadian law. We will notify you of any such request to the extent we are legally permitted to do so. |
| Successor entity | In the event of a merger, acquisition, or sale of all or substantially all of our assets, your personal information may be transferred to the acquiring party, subject to this Policy. | Business continuity. We'll notify customers if this happens. |

Each of these service providers is contractually bound to use your personal information only for the purposes we've agreed to, and to protect it with safeguards consistent with this Policy and applicable law.

3. Your photos

In short: Your photos are yours. We use them only to print your order. We don't train AI on them, market with them, or share them with anyone other than our print partner.

Photos you upload to Frame Craft are among the most personal data we ever handle. We treat them accordingly.

  • You own your photos. Uploading a photo to Frame Craft does not transfer any ownership to us. See Section 6 of our Terms of Use for the full IP picture.
  • Storage. Uploaded photos are stored in Amazon S3, encrypted at rest with AES-256, in a Canada or North America AWS region. Only authenticated Frame Craft staff with a legitimate business need (order fulfillment, support, defect resolution) can access them.
  • What we do with them. Process the file, render previews, generate the print file, and transmit it to our printing partner — exclusively for the purpose of producing the order you placed. That's the entire list.
  • What we don't do with them. We do not: sell or licence them; share them with advertisers; use them in marketing materials (Instagram, the Site, ads) without your specific written permission, on a photo-by-photo basis; use them to train artificial intelligence, machine-learning models, or computer-vision systems; share them publicly; or share them with any third party other than our printing partner for the purpose of producing your specific order.
  • Retention. Photos are deleted from our active systems 90 days after the related order is fulfilled (or 90 days after order cancellation), unless you are signed in and the photo is still in your active studio workspace or order history. You can request earlier deletion at any time.
  • Sensitive photos. We treat all photos as sensitive. Photos depicting children, identifiable third parties, medical conditions, or other sensitive subject matter are not handled or shared differently from any other photo — but you are responsible for ensuring you have any required consents before uploading. See our Terms § 6 — Photos & Content you upload.

4. How long do we keep your personal information?

In short: As long as we need it to do what you asked, plus the legal minimum we're required to keep for tax and accounting.

We retain personal information only for as long as is reasonably necessary for the purposes identified in this Policy:

  • Account information: for as long as your account is active, plus up to 12 months after account closure to handle returns, defect claims, and post-purchase support.
  • Uploaded photos: deleted 90 days after order fulfillment or cancellation (or sooner on request), except for photos you actively keep in your studio workspace or saved drafts.
  • Order & transaction records: retained for at least 7 years to comply with the Canadian Income Tax Act and GST/HST record-keeping requirements.
  • Marketing consent records: retained for at least 3 years from the last express consent or unsubscribe action, as required by CASL.
  • Backups: personal information may persist in encrypted backups for up to 90 days after deletion from production systems; these backups are not used for any operational purpose.
  • Anonymous & aggregate data: may be retained indefinitely. Once data has been irreversibly anonymized, it's no longer personal information.

After the retention period expires, we securely delete or irreversibly anonymize the personal information.

5. Cookies, analytics & advertising

In short: We use a small number of cookies. The essential ones keep you signed in. The analytics ones tell us anonymous, aggregate things like "100 people visited the Shop page today." We don't use advertising cookies.

Essential cookies

Required for the Site to function. These keep you signed in, remember your cart, and protect against cross-site request forgery. You cannot disable these and use the Site normally. Examples: payload-token, oauth_state.

Analytics cookies

We use Google Analytics to understand aggregate traffic patterns (popular pages, average time on Site, common drop-off points in the checkout flow). We have configured Google Analytics with IP anonymization. We do not allow Google Analytics to use your data for advertising or to combine it with other Google services on your behalf.

Advertising cookies

We do not currently use third-party advertising cookies, retargeting pixels, Meta Pixel, or similar tracking technologies.

You can disable non-essential cookies in your browser settings. Most browsers also support Global Privacy Control (GPC); we honour GPC signals as opt-outs of any non-essential tracking.

6. Does the Site collect information from children?

The Site is intended for adults. We do not knowingly collect personal information from individuals under the age of majority in their province or territory (18 or 19, depending on the province). If you believe a person under the age of majority has provided us with personal information, please contact our Privacy Officer (Section 11) and we will delete it.

Adults may, of course, upload and order frames featuring photos of their own children — that is one of our most common use cases. In that scenario, the adult customer is the data subject from a privacy-law standpoint, and is responsible for any consents required from a co-parent or guardian under family law.

7. How do we secure your information?

In short: Encryption in transit and at rest, role-based access, modern infrastructure. No system is perfectly secure, but we follow current best practice.
  • In transit: All connections to the Site use HTTPS (TLS 1.2 or higher).
  • At rest: Photos and database content are encrypted at rest by our infrastructure providers (AWS S3 with AES-256; managed MongoDB with at-rest encryption).
  • Access controls: Frame Craft staff access to personal information is role-based and audited. Engineers do not access production photos or customer data except as needed for support escalations.
  • Payment data: Card numbers are handled directly by Stripe, a PCI-DSS Level 1 service provider. We never receive your full card number.
  • Passwords: Stored using salted one-way hashing (we never see the plaintext); we recommend Sign in with Google for the strongest account protection.
  • Monitoring: We log security-relevant events, monitor for suspicious activity, and apply security patches promptly.

No method of internet transmission or electronic storage is 100% secure. While we take precautions consistent with industry standards, we cannot guarantee absolute security. If we become aware of a privacy breach posing a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner of Canada in accordance with PIPEDA's breach-notification requirements.

8. Your privacy rights & how to exercise them

In short: You can see, fix, port, or delete the personal information we hold about you, and you can complain to a regulator if we get it wrong.

Under PIPEDA and provincial privacy law, you have the right to:

  • Know & access what personal information we hold about you.
  • Correct or update inaccurate or incomplete personal information.
  • Withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice (note: withdrawing consent may prevent us from fulfilling outstanding orders).
  • Delete your account, your photos, and most personal information we hold about you (subject to mandatory retention obligations such as tax-record requirements).
  • Receive a portable copy of personal information you have provided to us, in a structured, commonly used format.
  • Opt out of marketing emails by clicking the unsubscribe link in any marketing message, or by contacting us. Transactional emails about your order cannot be opted out of while the order is in progress.
  • File a complaint with us first (via our Privacy Officer in Section 11), and — if not satisfied with our response — with the appropriate regulator (see below).

To exercise any of these rights, email our Privacy Officer at [email protected]. We respond to verified privacy requests within 30 days. We may need to verify your identity before fulfilling a request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) and, if you reside in a province with its own privacy regulator, that office as well — for example the Commission d'accès à l'information du Québec, Alberta's Office of the Information and Privacy Commissioner, or British Columbia's Office of the Information and Privacy Commissioner.

9. Storage & cross-border processing

In short: We try to keep your data in Canadian data centres. Some of our service providers are based in the United States, and may process data there — Canadian privacy law still applies.

Frame Craft stores customer data primarily on infrastructure located in Canada or in AWS Canadian regions. However, some of our service providers (notably Stripe, Google for OAuth/Analytics, and our email delivery provider) may process certain data in the United States or in other countries. While that data is outside Canada, it may be subject to lawful access requests by foreign governments under foreign law (for example, the U.S. CLOUD Act). We use service providers that offer contractual safeguards designed to provide protections substantially equivalent to those required under PIPEDA.

Our printing partner is located outside Canada (production occurs in our supplier facility in China before shipment to Canada via Imagineship). We share only the print file and shipping label with the printing partner — no account information, no email address, no other photos.

10. Updates to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our service providers, applicable law, or for clarity. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, notify you in advance by email (if you have an account) or by a prominent notice on the Site. Continued use of the Site after the effective date of an updated Policy constitutes acceptance of the changes. If you do not agree to an update, please contact our Privacy Officer to close your account.

11. How to contact our Privacy Officer

Frame Craft has designated a Privacy Officer who is responsible for our compliance with PIPEDA and applicable provincial privacy law, including Quebec's Law 25.

Please include enough detail for us to understand and act on your request. We aim to respond within 30 days of a verified request.

12. Supplemental notice for Quebec residents (Law 25)

In short: If you live in Quebec, you have additional rights under Loi 25. The summary is here; the full English-language Policy above applies in addition.

If you reside in Quebec, the following supplemental rights and disclosures apply to you under An Act respecting the protection of personal information in the private sector (Quebec, "Law 25"):

  • Person in charge of protecting personal information: Frame Craft's Privacy Officer (Section 11) is the "person in charge of the protection of personal information" for the purposes of Law 25.
  • Automated decision-making: Frame Craft does not currently use personal information to make decisions about you based exclusively on automated processing. If that changes, we will notify you at or before the time of the decision and inform you of your right to obtain human review.
  • Right to data portability: You may request a copy of computerized personal information you have provided to us, in a structured, commonly used technological format.
  • Right to de-indexing & cessation of dissemination: You may request that we cease disseminating, or de-index, any personal information about you that we have made public, if the dissemination causes you serious injury and the right of the public to know is not preponderant.
  • Cross-border transfers: Before transferring personal information outside Quebec, we conduct a privacy impact assessment as required by Law 25. The recipients with which we share data are listed in Section 2; further detail is available on request.
  • Confidentiality of the deceased: Personal information regarding a deceased individual may be communicated to the executor, heir, or other person empowered under the Civil Code of Quebec, on presentation of proof of authority.
  • Language: An English version of this Privacy Policy is provided on the Site. A French version can be provided on request at [email protected].
  • Regulator: You may file a complaint with the Commission d'accès à l'information du Québec (cai.gouv.qc.ca) if you are dissatisfied with our handling of your personal information.

See also our Terms of Use.