Privacy Policy
This Privacy Policy explains how St. Lucia Studio Ltd, trading as stlucia.studio ("we," "us," "our"), collects, uses, shares, and protects your personal information when you visit or use any of our websites and services at stlucia.studio and its subdomains (together, the "Network"). We are the data controller for all personal data processed across the Network.
Our Network currently includes:
- stlucia.studio — Saint Lucia Business Guide (this site)
- talent.stlucia.studio — Talent platform for job seekers
- hire.stlucia.studio — Employer hiring platform
- homes.stlucia.studio — Real estate listings
Where a service collects additional personal data (for example, talent.stlucia.studio collects video resumes), that service's own privacy notice supplements this policy. Links are provided in Section 17.
Contents
- Data Controller
- What We Collect
- Lawful Basis
- How We Use Your Data
- How We Share Your Data
- AI Chatbot
- Email Newsletter
- Business Directory
- Advertising
- Payments and Stripe
- Cookies and Tracking
- Data Retention
- Security and International Transfers
- Your Rights
- Children's Privacy
- Changes to This Policy
- Service-Specific Policies
- Contact Us
1. Data Controller
The data controller responsible for your personal data across the stlucia.studio Network is:
St. Lucia Studio Ltd
Castries, Saint Lucia
General enquiries: privacy@stlucia.studio
Data protection contact: dpo@stlucia.studio
2. What We Collect
The information we collect depends on how you use the Network.
Information you give us voluntarily:
- Email address — when you subscribe to our newsletter, use the "Ask Saint Lucia" chatbot and choose to receive a follow-up summary, or create an account on any Network service.
- Name and contact details — when you submit an enquiry about advertising, a premium directory listing, or any other business enquiry via contact forms.
- Payment information — when you purchase a paid service (e.g., a premium business directory listing or advertising slot). Payment details are processed directly by Stripe; we receive only a tokenised reference and transaction confirmation (see Section 10).
- Chatbot messages — the text of questions you submit to the "Ask Saint Lucia" AI chatbot and any email address you choose to provide within the chat (see Section 6).
- Business information — name, address, category, description, and contact details submitted for inclusion in the stlucia.studio Business Directory (see Section 8).
Information collected automatically:
- Usage data — pages visited, links clicked, time spent, actions taken, and referral source (UTM parameters, referring URL).
- Device and browser data — browser type, operating system, device type, screen resolution, and language setting.
- IP address — used for approximate geolocation (country/region level), security, and fraud prevention. Not used to identify individuals.
- Chatbot session data — an anonymous session identifier stored in your browser's sessionStorage for the duration of your tab session; the URL of the page you were on; your conversation history in that session.
- Analytics events — specific interactions tracked for product improvement (e.g., chatbot opened, email form submitted, directory search performed). These events are associated with an anonymous visitor ID, not your name or email.
3. Lawful Basis for Processing
We process your personal data under the following legal bases as defined by the GDPR and the Saint Lucia Data Protection Act:
- Consent (Art. 6(1)(a) GDPR): For all analytics tracking (self-hosted analytics, Google Analytics 4) and marketing technologies (Facebook Pixel), marketing email communications, and in-chatbot email capture. These technologies activate only after you click "Accept" on the consent banner. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Performance of a contract (Art. 6(1)(b) GDPR): When you purchase a paid service (directory listing, advertising slot), we process your data to fulfil that transaction.
- Legitimate interests (Art. 6(1)(f) GDPR): To improve the guide, understand how it is used, prevent fraud, ensure security, and conduct aggregated analytics. Our legitimate interests do not override your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c) GDPR): To comply with applicable laws, tax requirements, or legal processes.
4. How We Use Your Data
We use the data we collect to:
- Deliver the guide content and maintain site functionality (basis: legitimate interest)
- Power the "Ask Saint Lucia" AI chatbot — your messages are sent to Anthropic's Claude API to generate responses (basis: legitimate interest; see Section 6)
- Send you the St. Lucia Business Weekly email newsletter — only with your explicit consent (basis: consent; see Section 7)
- Process payments for premium directory listings and advertising slots (basis: contract)
- Display and maintain the Business Directory (basis: legitimate interest, contract for listed businesses)
- Manage advertising slot bookings and deliver ad impressions (basis: contract)
- Analyse usage patterns to improve the guide and develop new features (basis: legitimate interest, consent for analytics cookies)
- Respond to enquiries and support requests (basis: legitimate interest)
- Prevent fraud and ensure Network security (basis: legitimate interest)
- Comply with legal obligations (basis: legal obligation)
5. How We Share Your Data
We share your personal data in the following circumstances:
- Business Directory listings: Contact information submitted for a directory listing is displayed publicly on the site as intended. Businesses may request removal or correction at any time by contacting us.
- Service providers: We use trusted third-party processors who handle data on our behalf under data processing agreements:
  - Supabase, Inc. (USA) — database hosting, authentication, file storage, and Edge Functions for our backend API and cross-Network authentication
  - Plausible Analytics (EU) — privacy-friendly, cookie-free website analytics. No personal data or cookies are used.
  - Anthropic, PBC (USA) — the Claude API powers the "Ask Saint Lucia" chatbot. Your messages and page context are processed by Anthropic under a data processing agreement. Anthropic does not use this data to train its models.
  - Resend, Inc. (USA) — transactional and marketing email delivery. Your email address is transferred to Resend solely to deliver emails you have requested or consented to receive.
  - Stripe, Inc. (USA) — secure payment processing for paid services. Stripe is a PCI-DSS Level 1 certified payment processor. We receive only a payment token and transaction status; full card details are never stored on our systems.
  - Cloudflare, Inc. (USA) — DNS, CDN, DDoS protection, and static site hosting. Cloudflare may process request metadata (IP address, headers) as part of its network services.
  - Google LLC (USA) — Google Analytics 4 for website usage analysis, available only with your consent. Also Google Fonts (font file delivery; Google may log the request IP).
  - Meta Platforms, Inc. (USA) — Facebook Pixel for advertising measurement, available only with your consent.
  - GitHub / Microsoft (USA) — static website hosting via GitHub Pages for some Network properties.
- Legal requirements: We may disclose data if required by law, regulation, court order, or to protect our rights and the safety of users.
- Business transfers: If our business is acquired or merged, data may transfer to the successor entity. We will notify users of any such change.
We do not sell your personal data to third parties.
6. AI Chatbot — "Ask Saint Lucia"
The "Ask Saint Lucia" chatbot appears on stlucia.studio pages as a floating widget. It is powered by Anthropic's Claude Haiku model via our Supabase Edge Function. Here is exactly what happens when you use it:
- Your messages and page context — your text, the current page URL, and up to the last 10 messages in your session — are sent to Anthropic's API to generate a response. Anthropic processes this data under a DPA and does not use it to train models.
- Session identifier — a randomly generated anonymous ID is stored in sessionStorage. It is deleted automatically when you close the tab and is never linked to your name or email unless you voluntarily provide your email within the chat.
- Conversation logging — chatbot sessions may be logged in our Supabase database for quality improvement and safety monitoring. Logged records are associated with your anonymous session ID and page context, not your identity, unless you have provided your email.
- In-chatbot email capture — after a few messages the chatbot may offer to email you a personalised summary. Providing your email is entirely voluntary. If provided, it is added to our email subscriber list (see Section 7) with source "chatbot". You can unsubscribe at any time.
- Rate limiting — anonymous users are limited to 5 messages per session to manage costs and prevent abuse.
Important: The chatbot is informational only. AI-generated responses may contain errors and do not constitute legal, financial, tax, or immigration advice. Always verify important details with a qualified professional or official government source (e.g., govt.lc).
7. Email Newsletter and Marketing Communications
We send an email newsletter — St. Lucia Business Weekly — to subscribers who have given explicit consent. We also share updates from other Network services (Talent, Hire, Homes) with relevant subscriber segments.
- Consent only: We never add you to our marketing list without your explicit opt-in. Filling in an email form on any guide page, subscribing through the chatbot, or opting in during account registration each count as consent. Pre-ticked boxes are not used.
- What we send: Saint Lucia business, investment, living, and employment news; Platform feature announcements; and occasional partner promotions clearly identified as such. We always identify ourselves clearly as the sender.
- Unsubscribe: Every marketing email contains a one-click unsubscribe link. You may also write to privacy@stlucia.studio to be removed from all lists. We process unsubscribes within 10 business days.
- Re-subscription: If you previously unsubscribed, we will not re-add you without fresh consent, even if you re-submit an email form.
- Email provider: Resend, Inc. delivers our emails. Your address is transferred to Resend under a DPA. Resend may process data in the United States.
- Records kept: Your email address, subscription date, source (e.g., "index page," "chatbot"), and unsubscribe date if applicable. Stored in our Supabase database.
8. Business Directory
The stlucia.studio Business Directory lists over 200 Saint Lucia businesses. Directory entries display publicly available business contact information. If your business is listed and you wish to update or remove your entry, contact us at privacy@stlucia.studio. We will action correction or removal requests within 14 days.
Businesses that apply for a premium directory listing provide their business name, description, contact details, and billing information. This data is processed to provide the listing service and stored in our Supabase database.
9. Advertising
We sell advertising space on guide pages. Advertisers provide their name, company, email address, and campaign brief via our advertising enquiry form. This data is used solely to manage the advertising relationship and is not shared with third parties beyond what is necessary to deliver the campaign.
We may display third-party display advertising on some pages in future. Where we do, the advertising provider's own privacy policy applies to data collected through those ad units. We will update this policy before activating any third-party ad network.
10. Payments and Stripe
Paid services on the Network (such as premium directory listings, advertising slots, and employer subscriptions on hire.stlucia.studio) are processed through Stripe, Inc., a PCI-DSS Level 1 certified payment processor.
- When you make a payment, you are redirected to or interact with a Stripe-hosted payment form. Your full card number, expiry date, and CVV are entered directly into Stripe's secure environment and are never transmitted to or stored on our servers.
- We receive a payment token (Stripe customer ID and charge ID), the transaction amount, and a success/failure status.
- Stripe may collect and process additional data as described in Stripe's Privacy Policy.
- Billing records (transaction date, amount, service purchased, and your email address) are retained by us for accounting and legal compliance purposes for a minimum of 7 years.
11. Cookies, Tracking Technologies, and Your Choices
We use cookies and browser storage to operate the Network, analyse how it is used, and measure advertising effectiveness. Technologies are grouped into three categories — Essential, Analytics, and Marketing — so you can make an informed choice about what you allow.
11.1 Cookie Consent Banner
When you first visit any page on the Network, a banner at the bottom of the screen asks you to Accept or Decline optional (analytics and marketing) tracking. Both buttons are given equal prominence. Your choice is saved in your browser's localStorage alongside a timestamp and is remembered for subsequent visits.
- If you accept: Analytics and marketing technologies listed below will activate.
- If you decline: Only essential technologies will operate. No analytics or marketing data is collected, no third-party tracking services are contacted, and no persistent identifiers are created.
- Do Not Track (DNT): If your browser sends a Do Not Track signal, we honour it — analytics and marketing tracking are disabled automatically, regardless of any prior consent choice.
11.2 Changing Your Preferences
You can change your cookie preference at any time by:
- Clicking the "Cookie Settings" link in the page footer, which re-displays the consent banner.
- Clearing your browser's localStorage for stlucia.studio — the consent banner will reappear on your next visit.
- Contacting us at privacy@stlucia.studio to request that any stored analytics data linked to your visitor ID be deleted.
11.3 Category: Essential (no consent required)
These technologies are strictly necessary for the Network to function. They cannot be switched off.
- Authentication session cookies — keep you logged in across *.stlucia.studio services. Set by Supabase Auth on the .stlucia.studio domain.
- Security tokens — CSRF protection to prevent cross-site request forgery.
- Language preference — stored in localStorage to remember your chosen guide language (EN, TR, PL).
- Bookmarked sections — stored in localStorage so your saved guide sections persist between visits.
- Referral code — stores the referral source from your arrival URL to credit the correct referrer.
- Cookie consent choice — your Accept/Decline decision and timestamp, stored in localStorage as stlucia_consent and stlucia_consent_ts.
- Chatbot session — an anonymous session ID and conversation history stored in sessionStorage (deleted when you close the tab). Used solely to maintain conversation context within a single tab.
11.4 Category: Analytics (consent required)
These technologies help us understand how visitors use the Network so we can improve content and performance. They activate only after you click "Accept" on the consent banner.
- Self-hosted analytics (stlucia.studio) — our own analytics system records page views, scroll depth, time on page, clicks, and performance metrics. Data is sent to our Supabase database and associated with a randomly generated anonymous visitor ID stored in localStorage. No device fingerprinting is used. An approximate country/city is resolved via a single call to ipapi.co using your IP address; this call is made only after consent and the result is cached per session.
- Plausible Analytics — privacy-friendly, cookie-free analytics. No personal data is stored and no cookies are set. Plausible operates from the EU.
- Google Analytics 4 — tracks page views, user journeys, and conversion events. Sets _ga (2-year expiry) and _ga_* (2-year expiry) cookies. Data sent to Google LLC (USA). IP anonymisation is enabled.
11.5 Category: Marketing (consent required)
These technologies measure the effectiveness of our advertising campaigns. They activate only after you click "Accept" on the consent banner.
- Facebook Pixel (Meta) — tracks ad conversions and page views for our Facebook/Instagram ad campaigns. Sets the _fbp cookie (3-month expiry). Data sent to Meta Platforms, Inc. (USA).
11.6 Summary Table
| Technology | Category | Storage | Duration | Consent? |
|---|---|---|---|---|
| Auth session | Essential | Cookie | Session / 7 days | No |
| Language pref | Essential | localStorage | Persistent | No |
| Consent choice | Essential | localStorage | Persistent | No |
| Chatbot session | Essential | sessionStorage | Tab only | No |
| Self-hosted analytics | Analytics | localStorage | Persistent | Yes |
| Plausible Analytics | Analytics | None | N/A | No |
| Google Analytics 4 | Analytics | Cookie | 2 years | Yes |
| Facebook Pixel | Marketing | Cookie | 3 months | Yes |
12. Data Retention
- Newsletter subscriber records: Retained for the duration of your subscription plus 36 months after unsubscribe (to evidence consent history). Suppression records (unsubscribed emails) are kept indefinitely to prevent re-subscription without fresh consent.
- Chatbot conversation logs: Anonymised logs retained for up to 24 months for quality improvement; identifiable records (where email was provided) retained for 12 months then anonymised.
- Payment and billing records: Retained for a minimum of 7 years from the transaction date to comply with Saint Lucia accounting and tax law.
- Advertising enquiry records: Retained for the duration of the advertising relationship plus 12 months.
- Directory listing data: Retained while the listing is active. Removed within 14 days of a valid removal request.
- Usage and analytics data: Aggregated analytics retained indefinitely. Identifiable usage logs (IP-linked) deleted after 24 months.
- Legal hold: Data subject to a legal claim may be retained beyond standard periods until the matter is resolved.
13. Security and International Transfers
Your data is stored using Supabase infrastructure hosted in the United States (East region). As a platform operated from Saint Lucia, your data may be transferred to and processed in countries outside your country of residence, including the United States.
For transfers of personal data from the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements with service providers, supplemented by appropriate technical measures.
We implement the following technical and organisational security measures:
- Encrypted data transmission (HTTPS/TLS 1.2+)
- Row-level security on all database tables (users can only access their own data)
- Hashed passwords (bcrypt) — we cannot see your password
- Access-controlled file storage buckets
- Regular security reviews and access audits
- DDoS protection via Cloudflare
No method of electronic transmission or storage is 100% secure. If you believe your data has been compromised, contact us immediately at privacy@stlucia.studio.
Data breach notification: In the event of a personal data breach likely to pose a risk to your rights, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and notify affected individuals without undue delay where a high risk exists (GDPR Art. 34).
14. Your Rights
Under the GDPR and the Saint Lucia Data Protection Act, you have the following rights:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Correct inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
- Restriction (Art. 18): Ask us to limit how we process your data in certain circumstances.
- Portability (Art. 20): Receive your data in a machine-readable format (JSON or CSV).
- Object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Withdraw consent: Where processing relies on consent, withdraw it at any time.
To exercise any right, contact privacy@stlucia.studio. We will respond within 30 days (with up to a 60-day extension where notified).
Complaints: If you believe your rights have been violated, you may lodge a complaint with a supervisory authority. For EU/EEA users, contact your local Data Protection Authority — see edpb.europa.eu for a full list.
15. Children's Privacy
The stlucia.studio Network is not directed at or intended for children under 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have done so, we will delete that data promptly. If you believe a child's data has been submitted to us, please contact privacy@stlucia.studio.
16. Changes to This Policy
We review and update this Privacy Policy when our practices change. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last updated" date and version number.
- Sending an email notification to newsletter subscribers for significant changes.
Continued use of any Network service after the effective date of changes constitutes acceptance of the updated policy.
17. Service-Specific Privacy Policies
Some Network services collect additional personal data (such as video resumes, professional profiles, or property listings) and have their own supplementary privacy notices:
- talent.stlucia.studio — Talent Platform Privacy Policy (covers video resumes, profile data, employer access, AI headshots, subscription payments)
- hire.stlucia.studio — Employer Platform Privacy Policy (to be published at launch)
- homes.stlucia.studio — Real Estate Platform Privacy Policy (to be published at launch)
Where a supplementary policy exists, it takes precedence over this policy for data collected by that service.
18. Contact Us
For questions about this Privacy Policy, your data, or to exercise your rights:
St. Lucia Studio Ltd
Castries, Saint Lucia
General enquiries: privacy@stlucia.studio
Data protection contact: dpo@stlucia.studio
Website: stlucia.studio