Privacy policy
What this site collects, why, and how it is handled. In short: not much, only what you give, and it is not shared, sold, or rented.
Last updated: 2026-05-28.
This site is a personal studio site for the painter Payal Agarwal. It exists so you can see the work, read about the practice, and reach out about a painting or a commission. It is not a store, it is not an ad platform, and it does not host third-party trackers. This page describes what is collected when you visit, why, and the choices you have.
The short version
- Nothing is collected about you unless you give it (by submitting a form or joining the Studio List).
- A self-hosted analytics pixel counts page views and notes which paintings draw interest. It does not set advertising cookies and does not share data with third parties.
- Your information is never sold, rented, or traded.
- You can request a copy of what is held about you, ask for corrections, or ask for it to be deleted, at any time, via the contact form.
What is collected when you submit a form
The site has a few forms: the per-painting inquiry, the commission inquiry, press inquiry, gallery and representation inquiry, the general contact form, the Studio List signup, and the workshop waitlist. When you submit any of these, the following is collected:
- Your name (when the form asks for it).
- Your email address.
- The contents of your message (when there is a message field).
- The painting or topic the form is attached to, so the reply has context.
- The date and time of the submission.
- An anonymous visitor identifier (described below) so the inquiry can be matched to the rest of your visit on the site.
If you tick the Studio List opt-in box on an inquiry form, your email is also added to the Studio List with a confirmation step (see "The Studio List" below).
What is collected when you only browse
The site uses a single self-hosted analytics pixel called dragdrop. It is run on infrastructure controlled by Payal, not by a third-party advertising or analytics company. When you load a page, the pixel records:
- The URL you visited and the page that referred you.
- An anonymous visitor identifier (a random string called
dd_vid) stored in your browser's local storage so repeat visits can be counted as the same session. - A hashed, salted fingerprint of your IP address and browser user-agent string. The hash is one-way and is re-salted on a rolling basis so requests cannot be correlated across days. Raw IPs are not stored.
- If you arrived through a campaign link, any UTM parameters and click identifiers present in the URL.
The pixel does not set advertising cookies. It does not sync with ad networks. It does not build a profile of you across other websites. If you disable JavaScript, the pixel does not run and the site continues to work normally.
Local storage and cookies
The site does not use third-party advertising or analytics cookies. It uses your browser's local storage for two small things:
- A theme preference (light or dark) so the site remembers how you like to read it.
- The anonymous visitor identifier
dd_vid, and, if you arrived via a campaign link, the corresponding click identifiers.
You can clear both at any time by clearing your browser's site data for this domain.
The Studio List
The Studio List is a short letter from the studio, roughly once a month, with a few additional event-driven notes each year. It is not promotional and it does not contain discounts.
- Signup is double opt-in. After you enter your email you will receive a confirmation message; only once you click the link in that message is your email added to the list.
- Every Studio List email contains an unsubscribe link in the footer. Unsubscribing removes your email from the active list immediately.
- The list is held on the same self-hosted infrastructure that runs the rest of the site's forms. It is not synced with Mailchimp, Kit, Buttondown, or any other third-party email provider.
- Emails to the list may include a small open-tracking pixel so it can be told whether messages are being read. This too is self-hosted and the data is used only to keep the list healthy and the cadence right.
Why this information is collected
Each piece of information has a single, narrow purpose:
- Name, email, and message: to reply to your inquiry and to keep a record of correspondence about a painting, a commission, a press request, or a gallery conversation.
- Studio List email: to send the Studio List letter and event drops, only if you have confirmed your opt-in.
- Visitor identifier and page views: to understand which paintings, exhibitions, and pages draw real attention, so the site can be improved and the next show planned thoughtfully.
- Hashed IP and user-agent: to filter out bots and to count distinct visits without storing identifying information.
Information collected for one purpose is not repurposed. Inquiry emails are not added to the Studio List unless you ticked the opt-in box. Visit data is not used to target you with advertising anywhere.
Sharing
Your information is not sold, rented, or traded. It is not shared with advertising networks, data brokers, or third-party analytics companies. There are only three narrow cases where information leaves the site's own systems:
- Galleries: when a painting is currently exhibited and represented by a gallery, an inquiry about that specific piece may be passed to the gallery so they can serve you. This is made clear on the inquiry form for that piece.
- Email delivery: outbound email (replies, Studio List letters, double opt-in confirmations) is sent through Amazon Simple Email Service (SES), operated by Amazon Web Services in the United States. Your email address is shared with SES solely for the purpose of delivering the message. AWS holds the email content only as long as required to transit the message and produce delivery/bounce reports.
- Legal compulsion: if a valid legal order requires disclosure, the minimum information required will be produced. Otherwise, nothing leaves.
How long things are kept
- Inquiry messages and the resulting correspondence are kept indefinitely in Payal's inbox, in the same way a working artist keeps a folder of letters. You may ask for yours to be deleted at any time.
- Studio List subscriptions are kept until you unsubscribe. After unsubscribing, your email is removed from the active list; a hashed record may remain only to prevent accidental re-add.
- Anonymous visit data is retained at full detail for up to 24 months, then aggregated into counts and the per-visit records are deleted.
- Form submissions are kept for the life of the inquiry or commission relationship. Once a piece is sold or a project closed, related records are retained as business records for as long as is reasonable under US tax and recordkeeping practice, then deleted.
Your rights
Depending on where you live, you have specific rights over the information held about you. Regardless of location, you may exercise the following on this site:
- Access: request a copy of what is held about you.
- Correction: fix anything that is wrong or out of date.
- Deletion: ask for your information to be removed. Some records may be retained where required by law (for example, completed sales for tax purposes), and that exception will be made clear in the response.
- Portability: receive your information in a readable format.
- Opt-out: withdraw consent for the Studio List at any time using the unsubscribe link in any email, or by writing in via the contact form.
If you live in California, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know which categories of personal information are collected, the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right to opt out of sale or sharing. This site does not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of, but the right exists and is honoured. You also have the right to not be discriminated against for exercising any of these rights.
If you live in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, New Hampshire, New Jersey, or any other US state with a comprehensive consumer privacy law, you have parallel rights of access, correction, deletion, portability, and opt-out of targeted advertising or sale. Again, no targeted advertising or sale takes place, but the rights are honoured.
If you live in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation and the UK GDPR, including the rights above, the right to restrict or object to certain processing, and the right to lodge a complaint with your local supervisory authority. The legal basis for processing on this site is your consent (for the Studio List) and legitimate interest (for replying to inquiries, keeping basic site analytics, and keeping records of past correspondence and sales). For analytics, the data collected is anonymous and pseudonymous; no profiling decisions are made about you.
To exercise any of these rights, send a note via the contact form with enough detail to identify the information you mean. A response will usually arrive within a few days; the maximum is 45 days under US state laws and 30 days under GDPR.
Email practice
The Studio List, and every other email sent from this site, follows the US CAN-SPAM Act and Canada's Anti-Spam Legislation:
- Subject lines describe the actual content of the message.
- The sender is identified, with a physical address in the footer.
- Every email contains a working unsubscribe link.
- Email addresses are not harvested, purchased, scraped, or appended.
- Unsubscribe requests are honoured immediately, not within ten business days.
Children
This site is intended for adults. It does not knowingly collect information from anyone under 16. If you believe a child has submitted a form here, send a note via the contact form and the record will be removed.
Security
The site is served over HTTPS. Form submissions are sent encrypted in transit. The systems that store inquiries and the Studio List are operated by Payal on infrastructure she controls. No security is absolute, but the surface area here is small and the data held is modest by design.
International visitors
The site is operated from the United States. If you visit from outside the US, your information will be processed in the US and may be processed by US-based service providers; specifically Amazon Web Services (AWS), Inc., which delivers outbound email via SES. AWS adheres to the EU–US Data Privacy Framework and offers Standard Contractual Clauses for transfers from the EEA, UK, and Switzerland. By submitting a form, you understand that this transfer occurs. Where you have rights under GDPR or another non-US framework, they are honoured as described above.
Changes to this policy
If something material changes (a new form, a new service, a new tracker), this page will be updated and the "Last updated" date at the top will move. For changes that affect existing Studio List subscribers in a material way (for example, a new processor), a notice will go out in the next letter.
Questions or requests
This policy is reviewed periodically. Questions or requests are read personally; please use the contact form.