Privacy Policy
Effective Date: 2026-03-03 · Last Updated: 2026-03-03
Corsetta LLC ("Corsetta," "we," "us," or "our") operates the Corsetta platform, a bridal shop operations software service. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our website at corsetta.io, our web application at www.corsetta.io/app, our customer portal, and any related services (collectively, the "Service").
We are committed to protecting the privacy of our users and the customers they serve. Please read this policy carefully to understand our practices regarding your personal information.
1. Who We Are
- Entity: Corsetta LLC, a Maine limited liability company
- Privacy Contact: privacy@corsetta.io
- Support: support@corsetta.io
2. Scope of This Policy
This policy applies to:
- Shop staff users who create accounts and use the Corsetta platform to manage bridal shop operations
- End clients (brides, customers) whose information is entered into the Service by shop staff or who access the customer portal
- Visitors to our marketing website at corsetta.io
This policy does not apply to third-party websites or services linked from our platform. We encourage you to review the privacy policies of any third-party services you interact with.
3. Our Role: Controller vs. Processor
Corsetta plays two distinct roles depending on the type of personal information involved:
When Corsetta Is the Data Controller
We are the controller (or "business" under CCPA) for personal information we collect directly from our users, including:
- Shop staff account information (name, email, phone, authentication credentials)
- Billing and subscription information
- Marketing website visitor data and waitlist submissions
- Platform usage analytics
When Corsetta Is the Data Processor
We act as a processor (or "service provider" under CCPA) for personal information that shops enter about their customers (brides, clients). In this context:
- The bridal shop is the controller and determines what data to collect and how to use it
- Corsetta processes this data only to provide the Service, in accordance with the shop's instructions
- Shops are responsible for obtaining appropriate consent from their customers before entering their data into Corsetta
Corsetta does not sell, share for advertising purposes, or use shop customer data for any purpose other than providing, maintaining, and improving the Service as directed by the shop.
4. Information We Collect
A. Shop Staff Account Data (Corsetta as Controller)
- Account information: Full name, email address, phone number
- Authentication data: Hashed password, multi-factor authentication configuration, session tokens, recovery codes
- Shop membership: Role (owner, manager, stylist, alterations specialist), shop association, permissions
- Device and technical data: Browser type, operating system, device identifiers, IP address (collected via error monitoring and session registration)
- Usage data: Feature usage, login timestamps, pages visited within the application
B. End Client Data (Corsetta as Processor, entered by shops)
- Identity: First name, last name
- Contact: Email address, phone number
- Wedding details: Wedding date, partner name
- Body data: Body measurements, weight tracking history (see Section 11 — Sensitive Personal Information)
- Garment information: Garment type, designer, style number, color, size, condition notes, physical location within the shop
- Photos: Fitting progress photos (intake, progress, final, before/after images)
- Service records: Alteration details, fitting notes, scheduled appointments, service line items
- Financial: Payment amounts and payment status. We do not store credit card numbers, bank account details, or other sensitive financial instrument data — payment processing is handled by Stripe
- Communication preferences: SMS opt-in/opt-out status, email opt-in/opt-out status
- Portal activity: Access timestamps and sign-off actions when clients use the customer portal
C. Marketing Website Visitors
- Analytics data: Pages visited, referral source, and session metrics (collected via Vercel Web Analytics on selected public pages and Mixpanel with PII filtering enabled — see Section 10)
- Waitlist submissions: Name and email address
- CAPTCHA data: Cloudflare Turnstile tokens on public-facing forms (used solely for bot protection)
5. How We Use Information
For Staff Account Data (Controller Purposes)
- Creating and maintaining your account and authentication
- Providing, operating, and maintaining the Corsetta platform
- Customer support and troubleshooting
- Security monitoring, fraud prevention, and abuse detection
- Product improvement and analytics (using aggregated, de-identified data)
- Communicating service updates, security alerts, and billing notices
- Billing and subscription management
For End Client Data (Processor Purposes, on behalf of shops)
- Managing alteration orders, fittings, and appointments
- Storing garment and measurement records
- Photo documentation of alteration progress
- Sending SMS and email reminders as configured by the shop
- Providing customer portal access for status viewing and sign-offs
- Payment tracking and reporting
- Enabling offline access to records for shop staff in areas with limited connectivity
6. How We Share Information
We share personal information only in the following circumstances:
- With sub-processors: We use trusted third-party service providers to operate our platform (see Section 7)
- Within shops: End client data is accessible to authorized staff within the shop that entered it, based on role-based permissions
- Legal requirements: We may disclose information in response to valid legal process, such as a subpoena, court order, or government request
- Business transfers: In connection with a merger, acquisition, or sale of assets, personal information may be transferred to the acquiring entity. We will notify you before your information becomes subject to a different privacy policy
- With your consent: We may share information in other situations with your explicit consent
What We Do Not Do
- We do not sell personal information to any third party
- We do not share personal information for cross-context behavioral advertising
- We do not use end client data for Corsetta's own marketing purposes
- We do not provide personal information to data brokers
- We do not use photos or other end client data for AI model training, marketing, or any purpose beyond providing the Service
7. Sub-Processors
We use the following third-party service providers to operate and deliver the Service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | US |
| Stripe | Payment processing and billing | US |
| Twilio | SMS delivery | US |
| SendGrid | Email delivery | US |
| Sentry | Error monitoring and diagnostics | US |
| Vercel | Web hosting, content delivery, and cookie-free web analytics on public pages | US (Edge) |
| Mixpanel | Product analytics (PII filtering enabled) | US |
| Cloudflare | Turnstile CAPTCHA on public forms | US (Global CDN) |
Each sub-processor is contractually obligated to handle personal information in accordance with their respective privacy and security commitments. We will use reasonable efforts to notify affected users if we add or change sub-processors that materially affect the processing of personal information.
8. Data Retention
We retain personal information for as long as reasonably necessary to provide the Service and fulfill the purposes described in this policy:
- Active account data: Retained for the duration of your subscription. Upon cancellation or termination, we aim to delete or anonymize account data within a reasonable wind-down period after the data export window closes
- End client data: Retained for the duration of the shop's subscription. Upon termination, we aim to delete end client data within a reasonable period following the data export window
- Fitting photos: Same retention as end client data. Photo blobs are removed from local device storage (IndexedDB) immediately after successful upload to cloud storage
- Billing records: Retained as required by applicable tax and accounting laws
- SMS consent records: Retained in accordance with TCPA guidance
- Error logs (Sentry): Generally retained for up to 90 days
- Waitlist data: Retained until you convert to a customer or request deletion, whichever comes first
- Offline cached data: Persists on your device until you log out, uninstall the application, or clear browser data (see Section 9)
For end client data, individual deletion requests from brides or customers should be directed to the shop that entered the data (as the data controller). We will cooperate with the shop to fulfill such requests.
9. Offline & Device Storage
Corsetta is designed as an offline-first application to support environments with unreliable internet connectivity (such as sewing floors and fitting rooms). This means certain data is stored locally on your device:
- IndexedDB: Customer records, alteration jobs, fitting schedules, garment information, and fitting photos (held only temporarily, until they are uploaded to cloud storage) are cached in your browser's IndexedDB for offline access
- localStorage: Device identifiers and session persistence tokens are stored in your browser's localStorage
- Service Worker: Application code and assets are cached by a service worker for offline functionality. This is not used for tracking
Important notes about local device storage:
- Locally stored data is scoped to the authenticated shop (multi-tenant isolation is maintained)
- Photo blobs are automatically cleared from IndexedDB after successful upload to cloud storage
- Local data persists between sessions (this is necessary for offline functionality)
- Uninstalling the application or clearing browser data will remove locally cached data
- We do not transmit locally cached data to any party other than Corsetta's servers for synchronization
Device security recommendation: Because sensitive data may be cached on your device, we strongly recommend enabling device encryption, screen lock/passcode protection, and restricting physical access to devices used with Corsetta — particularly shared devices such as shop iPads.
10. Cookies & Tracking Technologies
Essential Technologies
- Authentication cookies: Session cookies set by Supabase Auth to maintain your login state. These are required for the application to function
- localStorage tokens: Device identifiers and session persistence used for security features (session management, device recognition)
- Service worker cache: Application code and static assets are cached for offline functionality. The service worker does not track user behavior
Analytics
- Vercel Web Analytics: We use Vercel's cookie-free web analytics on selected public pages (such as /, /checklist, /careers, /privacy, and /terms) to understand aggregate page traffic. We do not use Vercel analytics on authenticated application routes
- Mixpanel: We use Mixpanel for product analytics to understand feature usage and improve the Service. Mixpanel is configured with PII filtering — we do not send names, email addresses, phone numbers, or other personally identifiable information to Mixpanel
- Privacy Choices: You can opt out of optional analytics from the Privacy Choices control in the footer and on this page. Your selection is stored on this device and applies to both Mixpanel and Vercel analytics
CAPTCHA
- Cloudflare Turnstile: We use Cloudflare Turnstile on certain public-facing forms (such as lead capture and booking forms) for bot protection. Turnstile may set cookies or use browser signals to verify that a visitor is human. This data is processed by Cloudflare in accordance with their privacy policy
What We Do Not Use
- Third-party advertising cookies or tracking pixels
- Cross-site tracking technologies
- Social media tracking widgets
- Fingerprinting technologies for advertising purposes
11. Sensitive Personal Information
Certain information processed through Corsetta is treated as sensitive and receives enhanced protection:
- Body measurements: Body measurements used for garment fitting and alteration purposes. Access is restricted to authorized shop staff only
- Weight tracking: Weight history is an opt-in feature that individual customers or shops can disable. Weight data is treated as potentially health-related information
- Fitting photos: Photos taken during fittings may capture images of customers during garment try-on. These photos are not publicly accessible: they are served only through short-lived signed URLs, encrypted in transit and at rest, and accessible only to authorized shop staff. We do not use any form of facial recognition, biometric scanning, or AI analysis on fitting photos
- Wedding dates: Combined with names, wedding dates can identify individuals through public records. We treat this information as contextually sensitive
Shops are responsible for obtaining appropriate consent from their customers before capturing fitting photos and recording body measurements or weight data.
12. SMS & Email Communications
SMS (via Twilio)
- Corsetta enables shops to send SMS reminders to their customers for upcoming fittings and appointments
- SMS is only sent to customers who have explicitly opted in (opt-in status is recorded per customer)
- Customers can opt out at any time by replying STOP to any message, or by contacting the shop
- Message frequency varies based on the shop's reminder configuration (typically 1-2 messages per fitting)
- Message and data rates may apply
- Corsetta enforces per-shop monthly SMS budgets to prevent excessive messaging
- When SMS is unavailable (opt-out, budget exceeded, or no phone number), the system may fall back to email if configured
Email (via SendGrid)
- Transactional emails: Fitting reminders, portal access links, and security alerts are sent as necessary for Service operation. These are not marketing communications
- Service communications: We may send you emails about platform updates, security notices, and billing. These cannot be opted out of while you maintain an account
- Every non-transactional email includes an unsubscribe mechanism
13. Customer Portal
End clients (brides and customers) may receive a link to a customer portal where they can view alteration status and sign off on completed work. Important details:
- Portal access is via a secure, time-limited token — no account creation or password is required
- Tokens expire after a set period and can be revoked by the shop at any time
- The portal displays alteration status, fitting schedule, and, if enabled by the shop, fitting photos
- Portal usage data (access timestamps, sign-off actions) is collected and stored as part of the Service
- End clients who have questions about their data should contact the shop that provided them access
14. Data Security
We implement commercially reasonable security measures to protect personal information, including:
- Encryption in transit: All communications use TLS/HTTPS
- Encryption at rest: Data is encrypted at rest in our cloud database and storage infrastructure
- Multi-tenant isolation: Row-Level Security (RLS) policies ensure that each shop's data is logically isolated at the database level
- Signed URLs: Fitting photos are accessed via short-lived signed URLs, not public links
- Role-based access: Permissions within each shop are controlled by role assignments
- Multi-factor authentication: MFA is available and configurable per shop security policy
- Session management: Active sessions are tracked and can be revoked
- Error monitoring: Sentry is configured with PII scrubbing to minimize exposure of personal data in diagnostic logs
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures, we cannot guarantee absolute security.
15. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right to know: Request information about what personal data we have collected about you
- Right to access: Obtain a copy of your personal information
- Right to correct: Request correction of inaccurate personal information
- Right to delete: Request deletion of your personal information, subject to certain exceptions
- Right to data portability: Receive your data in a commonly used, machine-readable format
- Right to opt out: Opt out of the sale or sharing of personal information (note: we do not sell or share personal information)
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
How to Exercise Your Rights
- Shop staff: Contact us at privacy@corsetta.io
- End clients (brides/customers): Please contact the shop that entered your data first, as they are the data controller. The shop can work with us to fulfill your request. You may also contact us directly if needed
- Verification: We may need to verify your identity before processing your request
- Response time: We aim to respond to requests within 45 days. If additional time is needed, we will notify you
State-Specific Rights
Residents of states with comprehensive privacy laws (including California, Virginia, Colorado, Connecticut, and others) may have additional rights such as the right to limit the use of sensitive personal information and the right to appeal a denied request. If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information. Contact us for details about exercising state-specific rights.
16. Do Not Sell or Share
Corsetta does not sell your personal information. We do not share your personal information for cross-context behavioral advertising. This applies to all categories of personal information we collect.
We honor Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we treat it as a valid opt-out request.
17. Children's Privacy
The Service is not directed at children under the age of 13 (or 16 in jurisdictions where applicable). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete it promptly. If you believe a child's information has been submitted to us, please contact us at privacy@corsetta.io.
18. Data Breach Notification
In the event of a confirmed data breach affecting personal information, we will use commercially reasonable efforts to notify affected users and relevant authorities promptly. Notification will include:
- The nature of the breach and the types of data affected
- Steps we have taken in response
- Steps you can take to protect yourself
- Contact information for follow-up questions
For end client data, we will notify the affected shop (as the data controller), and the shop is responsible for notifying its customers in accordance with applicable law.
19. International Data Transfers
All data is processed and stored in the United States. Our sub-processors are US-based (see Section 7). If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
If you are located in the European Economic Area (EEA) or United Kingdom and use the Service, please contact us to discuss applicable data transfer mechanisms.
20. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes, we will update the "Last Updated" date at the top of this page. For material changes, we will use reasonable efforts to provide advance notice via email to registered users and/or an in-app notification. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
21. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us:
- Privacy inquiries: privacy@corsetta.io
- General support: support@corsetta.io
We aim to acknowledge all privacy-related inquiries within 5 business days and provide a substantive response within 45 days.