Privacy Policy
Last updated: March 2026
1. Introduction
Welcome to &Kept ("we," "our," or "us"). We are committed to protecting your privacy, your creative work, and your business data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, in compliance with the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), and other applicable privacy laws.
2. Information We Collect
Personal Information
When you create an account, we collect:
- Name and email address (via Replit authentication)
- Profile information you choose to provide
- Payment information (processed securely through Stripe — we do not store full card numbers)
Content You Create
When you use our service, we store:
- Portfolio documentation including names, stories, descriptions, process notes, and provenance information
- Photos and videos you upload
- AI-generated valuations, pricing intelligence results, and heritage assessments
- Collection and organization data
- Collaborator information you provide
- Audio recordings (voice stories)
Business and Strategic Data (Creators)
For creator accounts, we additionally store:
- Strategic profile data (values, mission, goals) — entered directly or imported from a Studio Strategy Workshop with your consent
- Revenue streams, sales channels, and market information
- Financial records (income, expenses, sales data)
- Supplies and equipment inventory
- Pricing history and strategy
Automatically Collected Information
When you access our service, we automatically collect:
- Device information (browser type, operating system)
- Log data (IP address, access times, pages viewed)
- Usage patterns and feature interactions
- Session cookies for authentication
3. How We Use Your Information
We use your information to:
- Provide the Service: Store, display, and manage your portfolio, collection, or business data
- Generate AI Assessments: Process your content to provide heritage valuations, pricing intelligence, and descriptions
- Power Your Strategy: Use your workshop and strategic data to populate your operating system tools
- Process Payments: Manage subscriptions through Stripe
- Communicate: Send service-related notifications and respond to support requests
- Ensure Security: Detect and prevent fraudulent or unauthorized activity
4. Creative Work and Business Data Protection
&Kept has structural protections for your creative work and business data that go beyond standard privacy practices:
- No cross-user aggregation: Your business data, financial records, pricing strategies, client lists, and sales data are never combined with other users' data for any purpose
- No AI training on your content: Your creative work, photos, stories, business data, and strategic information are never used to train AI models
- No creative work analysis: When you use the supply scanning feature, photos are processed in memory only and are never stored, logged, cached, or used for training. The AI is architecturally prohibited from analyzing any creative work visible in your photos
- No data mining: We do not mine your content for trends, insights, or analytics that benefit anyone other than you
- No third-party data sharing: Your creative work, business data, and strategic information are never shared with, sold to, or made accessible to third parties
These protections are architectural constraints built into the Service. They are not configurable settings and cannot be overridden.
5. Workshop Data
If you participate in a Studio Strategy Workshop, the following data may be imported into the Service with your consent:
- Values, mission statement, and creative goals
- Revenue streams and how you earn
- Sales channels and where you sell
- Markets and who buys your work
- Products and services you offer
- Materials and mediums you work with
- Practice struggles and direction
This data is used solely to populate your strategic profile within the Service. It is never shared with other users, used for aggregate analysis, or accessed for any purpose beyond serving your account. You may modify or delete any imported data at any time.
6. Third-Party Services
We use the following third-party services to operate &Kept:
- OpenAI: Powers heritage assessments, valuations, pricing intelligence, and writing assistance. Content sent to OpenAI is used solely for generating responses and is not used for training (per OpenAI API data usage policy).
- Google Gemini: Used for image descriptions, supply scanning, and quality evaluation. Gemini API does not use API data for training when billing is enabled (per Google AI data policy).
- Stripe: Processes all payments securely. We do not store complete credit card information.
- Replit: Provides authentication and hosting infrastructure.
- Resend: Sends transactional emails (collaborator invitations, password setup, notifications).
Each third-party service has its own privacy policy governing data usage. We recommend reviewing their policies. No third-party service receives your business data, financial records, strategic information, or client lists.
7. Data Storage and Security
Your data is stored securely using industry-standard measures:
- All data transmissions are encrypted using SSL/TLS protocols
- Photos and videos are stored with encryption at rest
- Database access is restricted and monitored
- Regular security audits and updates are performed
- Supply scanning photos are processed in memory only and never persisted
8. Sharing Your Information
We do not sell your personal information. We may share your information only in the following circumstances:
- With Collaborators: When you invite others to view or edit your objects or collections
- With Legacy Stewards: When you designate a trusted person to manage your collection or portfolio
- Public Gallery: If you opt to share objects in the public gallery
- Service Providers: With trusted third parties who assist us in operating our service (as described in Section 6)
- Legal Requirements: When required by law, court order, or to protect our legal rights
- Business Transfers: In connection with any merger, acquisition, or sale of assets — in which case your Creative Sanctity protections transfer with the Service
9. Your Rights
All Users
You have the right to:
- Access and download your data at any time (via Export feature)
- Correct inaccurate information in your account settings
- Delete your account and associated data
- Pause your account while retaining data for up to 60 days
- Export all your objects, collections, and financial data as PDF
- Modify or delete any workshop-imported data
- Revoke collaborator access at any time
California Residents (CCPA)
Under CCPA, California residents have additional rights:
- Right to know what personal information is collected and how it is used
- Right to delete personal information (with certain exceptions)
- Right to opt-out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your privacy rights
EU/UK Residents (GDPR)
Under GDPR, EU and UK residents have additional rights:
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to lodge a complaint with a supervisory authority
10. Data Retention
We retain your data as follows:
- Active accounts: Data is retained while your account is active
- Paused accounts: Data is retained for 60 days after pausing
- Deleted accounts: Data is permanently deleted within 30 days
- Legal obligations: Some data may be retained as required by law
Your creative work, business data, and strategic information are never retained for aggregate analysis or AI training purposes, even after deletion.
11. Cookies and Tracking
We use the following types of cookies:
- Essential Cookies: Required for authentication and session management
- Preference Cookies: Remember your settings (dark mode, accessibility preferences)
- Analytics Cookies: Help us understand how you use our site (only with your consent)
We do not use third-party advertising or tracking cookies. You can manage your cookie preferences at any time.
12. Children's Privacy
Our service is not intended for children under 13 years of age (or the age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
13. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws. We apply appropriate safeguards to ensure your information remains protected in accordance with this Privacy Policy.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The "Last updated" date at the top indicates when the policy was last revised. Your continued use after the effective date constitutes acceptance of the updated policy. The Creative Work and Business Data Protection commitments in Section 4 may only be strengthened, never weakened, in future revisions.
15. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
- Email: hello@andkept.com
- Contact Form: Contact Page
For GDPR-related inquiries, you may also contact us with "Data Privacy Request" in the subject line. We will respond within 30 days.