Still Field StudioStill Field Studio

Legal · Privacy policy

Privacy policy.

Last updated · May 12, 2026

This policy describes what personal information Still Field Studio(“the Studio,” “we,” “us”) collects when you use this website, what we do with it, who processes it on our behalf, and the rights you have over it. If anything here is unclear, write to contact@stillfield.studio.

01 — What we collect

  • Contact form data. When you submit the contact form: your name, email, optional phone, project type, budget range, subject, message, and the browser / referrer headers automatically sent with your request.
  • Festival film signup. When you ask to be notified about The Festival Film: your email and the source of the signup.
  • Server logs. Standard infrastructure logs: IP address, user agent, referrer, request path, response code. Retained briefly by our hosting providers for security and debugging.
  • Cookies. The site uses only essential first-party cookies set by our hosting infrastructure for request routing. We do not use marketing or tracking cookies. We do not use third-party advertising.
  • Analytics. If analytics are enabled, we use a privacy-respecting, cookieless aggregator that records page views without identifying individual visitors or storing personal data. No data is shared with ad networks.

02 — Why we collect it (legal basis)

  • Contact form submissions — to respond to your inquiry. Legal basis under GDPR: legitimate interest in operating our business and pre-contract communication.
  • Festival film signup — to send you the update you asked for. Legal basis: your explicit consent (you opted in by submitting the form).
  • Server logs — to keep the site secure and debuggable. Legal basis: legitimate interest.

03 — Who processes data on our behalf

We use these third-party services to operate the site. Each has its own privacy policy; we have data-processing agreements with them where applicable.

  • Vercel — site hosting and content delivery. Processes server logs (United States).
  • Supabase — database for contact form submissions and festival signups (United States).
  • Resend — when active, transactional email delivery for replies and notifications (United States).
  • Cloudflare — if Turnstile spam protection is active, basic request fingerprinting for bot detection.

04 — Where data is stored

Most processing happens on infrastructure based in the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your data may be transferred to and stored in the United States. We rely on the Standard Contractual Clauses adopted by the European Commission and equivalent UK / Swiss frameworks for these transfers.

05 — How long we keep it

  • Contact form submissions — retained while your inquiry is open and for up to 12 months after the last related correspondence, then deleted unless we have an ongoing relationship that justifies longer retention (e.g. an active project file).
  • Festival film subscribers — retained until you unsubscribe or until the project concludes and we wind down the list.
  • Server logs— retained per our providers' standard retention windows (typically 7 to 30 days).

06 — Your rights

Depending on where you live, you may have one or more of the following rights:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to fix data that is inaccurate or incomplete.
  • Deletion — ask us to delete your data, subject to legal-retention obligations.
  • Portability — receive your data in a portable, machine-readable format.
  • Withdrawal of consent — withdraw any consent you previously gave (e.g. unsubscribe from the festival film list).
  • Objection — object to our processing of your data on the basis of legitimate interest.
  • Complaint— lodge a complaint with your local data-protection authority. For California residents, the California Privacy Protection Agency. For the EU / EEA, your member-state supervisory authority. For the UK, the Information Commissioner's Office.

To exercise any of these, write to contact@stillfield.studio. We will respond within 30 days. We may ask for proof of identity before releasing data.

07 — Sale of personal information (CCPA)

We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising. California residents have the right to opt out of any such sale or sharing under the California Consumer Privacy Act; that right is honored by default because we don't do it.

08 — Children's privacy

The site is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us information, write to contact@stillfield.studio and we will delete it.

09 — Security

The site runs over HTTPS. Submissions to our database are protected by row-level security policies — anonymous clients can insert contact form rows but cannot read them back; only authenticated server processes can read inbound messages. Service-role credentials are kept on the server and never exposed to the browser. No security is perfect; we use industry-standard practices and respond promptly to reports.

10 — Changes to this policy

We may update this policy. The current version always lives at this URL with the revision date at the top. Material changes will be reflected by an updated date. If we still have your email and the change materially affects your rights, we will notify you by email.

11 — Contact

Privacy questions, requests, or concerns: contact@stillfield.studio.