Privacy Policy
Last updated: 2026-05-14
Then & Now Studio is a small photography business operated by Ross Frazier in Longview, Texas. This page explains what information we collect about clients and website visitors, why we collect it, how it is stored, who else sees it, and how you can ask us to delete it.
What we collect
- Name, email address, phone number, and street address — collected when you book a scanning pickup, reserve a portrait session, register an account, or fill out the contact form. We need a name and email to communicate; the phone number is used only for booking-related coordination; the street address is the pickup or session location.
- Contract acceptance metadata (IP address and browser identifier at the moment you accept a booking agreement) — captured to support dispute defense if the validity of a digital signature is ever questioned.
- Account credentials — a salted hash of your password (never the password itself) and, if you opt in, a two-factor authentication secret.
- Booking history — the dates, locations, statuses, and payment-processor identifiers for your past bookings, kept for tax and accounting reasons.
- Contact form submissions — what you typed plus the IP address you sent it from, used to limit spam and to follow up with you.
How it is stored
Phone numbers, street addresses, IP addresses, browser identifiers, two-factor secrets, and contact-form messages are encrypted at rest. The encryption key lives in a configuration file that the website operator can read; it is kept separate from the database file. A cold copy of the database file (for example, a leaked cloud snapshot) therefore reveals only encrypted gibberish for these fields. Nightly database backups are additionally encrypted with a separate key held off-server, so even the operator cannot read backup files without that second key.
Email addresses and names are stored in plain text because they appear in every outgoing email message and processor invoice anyway.
Who else sees your data
The website does not sell or share data with advertisers. The following third parties receive information from us because they perform a function we cannot:
- Stripe — payment card processor. Receives name, email, billing address, and your card details (we never see the card number ourselves). Stripe retains transactional records per their own retention policy.
- DocuSeal — digital signing service for booking and model release contracts. Receives the signer's name, email, IP, and the signed PDF.
- Nextcloud — self-hosted file storage for finished scans and portrait galleries. Photos are stored in folders that are made available to clients via expiring share links.
- SMTP provider — sends booking confirmations and notification emails. Sees recipient address and message body.
- Calendar (CalDAV) — schedule of bookings. Event titles and locations contain client name and address.
How long we keep things
- Active account and booking records — for as long as your account exists, and up to seven years afterward for transactional records (Stripe-recommended for chargeback windows and tax reporting).
- Contract acceptance metadata — kept on file for one year past the date of the related booking, then the IP and browser identifier are automatically nulled while the timestamp and agreement version remain.
- Contact form submissions — automatically deleted 90 days after they are received.
- Email verification tokens — discarded after one hour.
- Encrypted nightly backups — kept for seven days, then rotated out.
Your rights
You can download a JSON copy of your data at any time, or request that your account be anonymized.
- Export — visit your dashboard while logged in and click "Download my data."
- Delete — visit your dashboard and click "Delete my account." Your data is anonymized 30 days after the request to give you a window to cancel. Transactional booking rows remain on file but are no longer linked to your personal information. Deletion does not remove records held by Stripe or DocuSeal; both have their own data-subject-request processes, and you can contact them directly.
If you have questions, or you prefer to make a privacy request by email, write to privacy@thenandnowstudio.com.
Cookies and analytics
The site uses a single first-party session cookie to keep you logged in. It is HttpOnly, transmitted only over HTTPS, and expires after eight hours of inactivity. We also run Umami, a privacy-friendly analytics tool that we host ourselves on the same server as the rest of the site. Umami records page views, referrer, and approximate location (derived from your IP, which is not stored) — without using cookies and without collecting any personal data. Analytics data is never shared with third parties. Once you are logged into your account, Umami stops tracking you. We do not run any third-party trackers, advertising, or social-media scripts.
Changes to this policy
If we materially change how data is collected, used, or shared, we will update the "Last updated" date above and, where reasonable, notify active clients by email.