Privacy Policy

Art of Vision is a digital agency operating client websites and the AOV Connect platform — a multi-tenant broker that connects authenticated services (payments, business profiles, etc.) to the consumer sites we build.

Contact: hello@artofvision.us

We collect different categories of data depending on context:

• Marketing-site visitors (artofvision.us): basic analytics (page views, referrer, device type) and contact-form submissions you send us. No advertising trackers.
• Connect platform users (connect.artofvision.us): email address (for magic-link sign-in), session cookies, and audit-log entries for actions you take inside the admin.
• Connected merchant data (Square): on behalf of client brands that authorize their Square merchant via OAuth, we hold short-lived access tokens and long-lived refresh tokens scoped to that brand's merchant account. We use these solely to fetch catalog, customer, booking, and payment data needed to power the consumer site we operate for that brand. Tokens auto-rotate and can be revoked at any time from the Square dashboard.
• Connected Google Business Profile data: when a brand adds AOV (connect@artofvision.us) as a Manager on their Google Business Profile, we fetch review and listing data via the Google Business Profile API under the agency-manager pattern. We mirror reviews into our database keyed by Google's review ID and display them on the brand's own consumer site. We do not aggregate, anonymize for resale, or share Business Profile data across brands.
• Consumer site visitors (kbaesthetic.co, fcepro.com, sunnysweethc.com, and others we operate): see each brand's own site for that brand's privacy disclosures. AOV is the operator and processor; the brand is the controller.

• Operate the websites and admin tools we built for our clients.
• Mirror Google Business Profile reviews onto each client's consumer site, with attribution to the original reviewer (display name and avatar as Google provides them).
• Process payments (Square) and bookings (Square Bookings) on behalf of client brands.
• Send transactional email (booking confirmations, reminders, contact replies) via Resend on behalf of each brand using their own verified sender domain.
• Maintain audit logs of admin actions for security and accountability.

We do not sell or rent personal data. We do not use connected merchant or Google Business Profile data to train AI/ML models. We do not operate cross-site advertising networks.

• Marketing analytics: aggregated, retained 13 months.
• Contact form submissions: retained until resolved + 12 months, then deleted.
• Connect tokens + sessions: retained while the connection is active; refresh tokens rotate within 30 days, access tokens within 24 hours. Removed immediately on disconnection.
• Google Business Profile mirrored reviews: retained while the brand is a Connect customer and we have manager access to the Business Profile. Removed within 30 days of disconnection or upon request.
• Bookings, payments, customer records: retained as required by the underlying processor's retention policy (typically 7 years for tax/financial records); the brand is the controller and decides retention beyond that.

• Vercel — hosting, serverless compute, and edge-network delivery.
• Supabase — managed Postgres database, authentication for the Connect admin.
• Resend — transactional email delivery via verified per-brand sender domains.
• Cloudflare — DNS and CDN routing.
• Square — payments, catalog, bookings on behalf of connected merchants.
• Google — Business Profile API for review mirroring on listings where AOV is added as a Manager.
• Backblaze B2 — encrypted offsite backup of database snapshots.

You have the right to access, correct, export, and delete data we hold about you. You also have the right to withdraw any consent you've given (e.g. revoke our Square OAuth or remove us as a Google Business Profile Manager — both immediately stop our ability to read further data, though previously fetched and mirrored data is removed within 30 days).

For the data we hold directly: email hello@artofvision.us from the email address associated with the data. For data on a specific brand's site we operate, contact that brand or us — we will route the request to the brand and assist with fulfillment.

All connections use TLS. Refresh tokens and authentication secrets are stored encrypted at rest in Supabase. Database snapshots are encrypted in transit and at rest in Backblaze B2. Access to the Connect admin requires magic-link email authentication; sensitive admin actions are scoped to specific brand permissions and recorded in an audit log.

Our services are not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will delete it.

We will update the "Last updated" date above whenever this policy changes. Material changes will be announced on the marketing site and emailed to active Connect admin users.