Privacy
Your privacy is respected.
Here is an account of what this site handles.
Last updated July 17, 2026
This site is designed to collect as little information as practical. It does not use advertising trackers, behavioral analytics, or marketing cookies. This page explains the information that is still necessary to serve the website, prevent abuse, answer inquiries, and process purchases.
When you simply visit
The website and its photographs, fonts, styles, and scripts are delivered by Vercel. Like nearly every web host, Vercel necessarily processes request information such as your IP address, browser and device information, requested URL, date and time, and technical or security events. Tyler Sutton Photography does not add analytics scripts or use this information to build advertising profiles.
The site sets no first-party marketing or analytics cookies. It uses one item in sessionStorage to remember, only within your current browser tab, whether you dismissed a portfolio scrolling hint. That value is not sent to the server and disappears when the tab session ends.
Links to Instagram and other outside websites are optional. If you follow one, that service receives your request under its own privacy practices. This site sends a no-referrer policy so the destination is not told which page on this site you came from.
When you send an inquiry
The inquiry form asks for your name, email address, session type, and message. A preferred date and location are optional. Please do not place sensitive personal, financial, medical, or identification information in the message.
When you begin using the form, the site loads Cloudflare Turnstile to distinguish people from automated abuse. This means Cloudflare receives network, browser, and challenge information at that point. The site does not load Turnstile for visitors who do not interact with the form, and the server does not include the optional visitor-IP field when it validates a Turnstile token.
Submitted inquiry details pass through the Vercel-hosted server and Resend, then arrive in the Tyler Sutton Photography business email inbox hosted by Google. The information is used only to respond to your request, discuss services, maintain business correspondence, and prevent abuse. It is not sold or used for third-party advertising.
When you make a purchase
If the shop is available and you choose to buy a digital product, checkout takes place on Stripe. Stripe collects and processes your payment details and purchaser information under its own privacy terms. Tyler Sutton Photography does not receive or store your full card number.
Stripe returns a checkout-session identifier so the server can verify payment and release the download. Resend sends the recovery email to the address supplied during checkout. The recovery link contains the checkout-session identifier and should be treated as a private link.
Abuse prevention and short-lived records
Upstash Redis is used to make rate limits and delivery safeguards work across server instances. Raw IP addresses and Stripe session identifiers are not stored in Redis keys. They are transformed with a secret-keyed, purpose-specific HMAC before use.
- Inquiry and checkout rate-limit identifiers normally expire after about 15 minutes.
- The identifier used to prevent an immediate duplicate inquiry normally expires after about 10 minutes.
- A pseudonymous fulfillment marker is retained for up to 90 days to prevent duplicate purchase emails.
- Upstash rate-limit analytics are disabled.
Service providers
The site relies on a small number of providers for specific functions:
- Vercel — hosting, delivery, and operational logs.
- Cloudflare — Turnstile abuse prevention for people using the inquiry form.
- Upstash — short-lived pseudonymous rate-limit and fulfillment records.
- Resend — delivery of inquiry and purchase emails.
- Google — hosting the business email inbox.
- Stripe — hosted checkout and payment processing when the shop is used.
These providers may process information in the United States or other countries where they operate. Their linked policies describe their own retention, security, and international-transfer practices.
Retention and deletion
The automated technical records have the short expiration periods listed above. Inquiry and purchase emails currently remain in the business email account until they are manually deleted; there is not currently an automatic deletion schedule. Some correspondence and transaction records may need to be kept for contracts, accounting, fraud prevention, or other legal obligations.
You may ask for access to, correction of, or deletion of information you submitted. A deletion request will be honored where reasonably possible, subject to records that must be retained for legitimate business or legal reasons. Provider-controlled records may also be subject to each provider’s retention rules.
Security and limits
The site uses HTTPS, restrictive browser-security policies, input limits, same-origin submission checks, abuse rate limits, Turnstile token validation, and signed Stripe webhooks. No internet service can promise absolute security, but the site is intentionally designed to minimize the information it collects and the places that information is sent.
This website is intended for adults arranging photography services or purchasing products. It does not knowingly ask children to submit personal information through the inquiry form.
Questions or privacy requests
Contact Tyler Sutton Photography at tsuttphoto@gmail.com. Please describe the email address or inquiry involved so the relevant record can be located.