ShotCart← Home

Privacy Policy

Effective June 1, 2026

This Privacy Policy describes how Kind Reaper Development LLC ("ShotCart," "we," "us") collects, uses, discloses, and retains personal information when you use the ShotCart platform at shotcart.app and shotc.art (the "Service"). ShotCart operates a marketplace that lets independent photographers sell digital photos to their customers in person and online.

At launch, the Service is available only to photographers and customers located in the United States. By using the Service you confirm that you are at least 18 years old (or have your parent or legal guardian's consent) and that you accept this Privacy Policy.

1. Information We Collect

1.1 Information you give us directly

When a photographer creates an account, we collect:

  • Email address (used as your sign-in identifier)
  • Password (stored hashed by our authentication provider; we never see the plain-text value)
  • Display name
  • Optional business name
  • Optional public profile URL (website, Instagram, Linktree, etc.)
  • Watermark text and other account preferences (gallery expiry, default pricing, sales-tax toggle)

When you photograph a customerthrough the Service, you (the photographer) may optionally enter the customer's display name (used as a private reference label) and email. Customers themselves never sign up; their email is captured by Stripe at checkout when they make a purchase.

We do not collect phone numbers, postal addresses, government ID, card numbers, bank account numbers, or social security numbers directly. When that information is required (for example, to onboard a photographer onto Stripe Connect or to charge a customer), it is collected by Stripe and we never see the underlying values.

1.2 Photos

Photographers upload photographs to the Service for sale to their customers. Photographs are themselves personal information when they depict identifiable people. Photos are stored encrypted at rest with Cloudflare R2 and are accessible only via short-lived signed URLs.

1.3 Payment information

All card and bank-account information is collected, stored, and processed by Stripe under Stripe's own Privacy Policy. ShotCart receives only non-sensitive metadata about each transaction (amount, fees, reference code, the customer's email if they enter one at checkout, and Stripe's identifier for the photographer's connected account).

1.4 Operational information

Our hosting provider Vercel records standard request information (IP address, user agent, request path, timestamp) in access logs for security and abuse-prevention purposes. These logs are retained for a short window in line with Vercel's defaults and are not used for advertising or analytics.

1.5 Tracking we do NOT use

ShotCart does not use Google Analytics, Meta Pixel, or any third-party advertising, remarketing, or behavioral tracking technology. We do not display ads. We do not sell, rent, or share personal information with advertising networks.

1.6 Cookies

The Service uses a small number of strictly-necessary cookies for authentication (keeping you signed in to your photographer dashboard) and for cross-site request protection. These cookies are HTTP-only, expire when your session ends or is revoked, and cannot be disabled without breaking the sign-in flow. We do not use cookies for analytics or advertising.

2. How We Use Your Information

  • Provide the Service: create and authenticate your account, host your photos, fulfill orders, run customer galleries, calculate and remit your payouts.
  • Support: respond to messages you send to appsupport@shotc.art and resolve issues.
  • Service email: send transactional and operational email through our email provider Sender.net — account confirmations, receipts, payout notifications, account-status changes, and similar messages necessary to operate the Service.
  • Safety, fraud, and compliance: detect abusive behavior, prevent unauthorized access, comply with subpoenas and other legal process, and meet tax and accounting requirements.
  • Product improvement: diagnose bugs and improve the Service based on aggregate, non-identifying patterns.

We do not use your personal information for advertising or for any purpose unrelated to operating the Service.

3. Service Providers ("Sub-processors")

ShotCart relies on the following third-party providers to operate the Service. Each is contractually bound to handle your information only on ShotCart's instructions and to maintain appropriate security:

  • Supabase — authentication and primary database storage.
  • Cloudflare R2 — photo file storage.
  • Stripe — payment processing, Stripe Connect payouts, optional Stripe Tax calculation.
  • Vercel — application hosting and request edge.
  • Sender.net — transactional and operational email delivery.

4. How We Share Information

We share personal information only as described below:

  • With photographers: when you scan a gallery and make a purchase, your customer email and the order details are shared with the photographer who took the photos. The photographer is independently responsible for handling that information.
  • With our service providers listed above, only for the purposes of operating the Service.
  • To comply with law: when required by subpoena, court order, or comparable legal process, or when we believe in good faith that disclosure is necessary to prevent imminent harm.
  • In a business transfer: if Kind Reaper Development LLC is acquired or merged, personal information may transfer to the successor entity, subject to the same protections.

We do not sell or rent personal information. We do not share personal information with advertisers or data brokers.

5. Data Retention

We retain personal account information for 18 months after your account is deactivated (either by you through the in-app delete-account flow, or by us under our Terms of Service), after which it is permanently deleted.

Photographs are retained for the lifetime of each customer gallery — up to 90 days (Free plan) or 180 days (Pro plan) past each customer interaction — plus a short reconciliation window, after which they are permanently purged from Cloudflare R2.

Payment-transaction records (orders, payouts, refunds, tax forms, dispute history) are held by Stripe under Stripe's own retention policy, which is designed to comply with applicable tax and financial-record retention requirements (typically seven years in the United States). ShotCart does not retain card numbers, bank account details, or other sensitive payment data at any point.

Operational logs (IP, user agent, request metadata) are retained for a short window per our hosting provider's defaults and are not used to build long-term profiles.

6. Security

We use industry-standard safeguards: encrypted database connections, encrypted file storage, hashed passwords, short-lived signed URLs for photo access, and HTTPS-only delivery. No system is perfectly secure, and we cannot guarantee that an unauthorized party will never gain access. If we become aware of a security incident affecting your personal information, we will notify you and applicable authorities as required by law.

7. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe we have collected information from a child under 13, contact us at appsupport@shotc.art and we will delete it.

Photographs uploaded to the Service may depict minors. Photographers are independently responsible for obtaining verifiable parental or guardian consent before photographing and selling images of any minor, and for complying with state right-of-publicity and child-protection laws.

8. California Residents — CCPA, CPRA, and CalOPPA Disclosures

This section provides additional disclosures for residents of California under the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), and under the California Online Privacy Protection Act ("CalOPPA").

8.1 Categories of personal information we collect

In the preceding 12 months we have collected the following categories of personal information from California consumers, as defined by the CCPA:

  • Identifiers — name, email address, account identifiers.
  • Customer records information — payment-transaction metadata.
  • Internet or other electronic network activity — IP address, request metadata, application interactions.
  • Visual information — photographs uploaded by photographers and, where they depict identifiable individuals, the images themselves.

We do not collect: geolocation data beyond country-level edge information, biometric information, sensory data (audio, olfactory), professional or employment-related information beyond what a photographer voluntarily provides as a business name or URL, inferences drawn from personal information for profiling purposes, or sensitive personal information as defined by the CPRA.

8.2 Sources, purposes, and disclosures

Sources of personal information, purposes for collection, and the third parties with whom we share each category are described in Sections 1, 2, 3, and 4 of this Privacy Policy.

8.3 No sale or sharing for cross-context behavioral advertising

ShotCart does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months.

8.4 Your California rights

As a California resident you have the right to:

  • Know what personal information we have collected, used, disclosed, and retained about you.
  • Delete personal information we hold about you, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information (not applicable — we do neither).
  • Limit the use of sensitive personal information (not applicable — we do not collect sensitive personal information as defined by the CPRA).
  • Non-discrimination — we will not deny you service, charge a different price, or provide a different level of service because you exercised a CCPA/CPRA right.

To exercise any of these rights, email appsupport@shotc.art from the email address associated with your account, or use the in-app delete-account flow at Settings → Danger Zone for deletion. We will verify your identity (typically by confirming you control the email on file) and respond within 45 days, with one 45-day extension where permitted by law.

8.5 Authorized agents and minors

An authorized agent may submit a request on your behalf with proof of authorization. We do not knowingly sell or share the personal information of consumers we know to be under 16.

8.6 Do Not Track signals (CalOPPA)

ShotCart does not track users across third-party websites and does not respond differently to Do Not Track browser signals because we do not engage in cross-site tracking in the first place.

9. Your Choices Outside California

Regardless of where you live in the United States, you may:

  • Access and update most account information from your photographer dashboard.
  • Delete your account at any time from Settings → Danger Zone.
  • Request a copy of the personal information we hold about you by emailing appsupport@shotc.art.

10. International Users

The Service is operated from the United States. At launch, photographer signup is restricted to the United States. We do not currently offer the Service to residents of the European Economic Area, the United Kingdom, or other jurisdictions with comprehensive data-protection regimes. If you access the Service from outside the United States and provide personal information to us, you understand that the information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective" date at the top of this page and, for material changes, notify active photographers by email. Continued use of the Service after a revised Privacy Policy takes effect constitutes acceptance of the revision.

12. Contact

Questions, requests, or complaints regarding this Privacy Policy can be sent to:

Kind Reaper Development LLC
Attn: Privacy
appsupport@shotc.art