AVAILABLE
Legal

Privacy Policy

Last updated: 2026-05-18

1. Who we are

Vokar Studio is operated by Blue Star Innovation Technology Limited (Hong Kong SAR). Registered address: ROOM 602, 6/F, KAI YUE COMMERCIAL BUILDING, NO. 2C ARGYLE STREET, MONGKOK, KL. Contact: [email protected].

2. What we collect

  • Email address (required for waitlist, Magic Link auth, and campaign updates)
  • Order and fulfillment information: name, email, phone, shipping address, order items, customization text, coupon code, and order notes collected during checkout.
  • Payment information: payment provider, payment status, provider session / transaction identifiers, and limited payment metadata returned by the provider. We never receive or store your full card number, card security code, private wallet key, or seed phrase.
  • Country (derived from IP via Cloudflare; not GPS or precise location)
  • IP hash (SHA-256, irreversible) and device fingerprint (FingerprintJS) — used only for fraud detection
  • Optional survey answers (preferred destination, source, role)
  • Google OAuth profile data when you choose Google login: email address, Google account ID, display name, and profile picture if provided by Google.
  • Passkey credentials: public key, credential ID, sign-in counter, device label, and transport hints. We never receive or store your fingerprint, face data, or device unlock secret.
  • Photo wall uploads (only after explicit user submission, with moderation)

3. How we use it

  • Notify you when the Kickstarter goes live
  • Track referral conversions and issue digital / physical rewards
  • Create orders, process payment status, arrange shipping, provide customer support, and handle order issues.
  • Authenticate accounts with email verification code, Google OAuth, or Passkey sign-in.
  • Send mission updates (drip emails) — unsubscribe at any time
  • Aggregate, anonymized analytics for product improvement

4. Legal bases for processing

  • Performance of a contract: checkout, payment status, shipping, account access, and order support.
  • Consent: marketing emails, photo wall submissions, optional surveys, and non-essential analytics cookies if enabled.
  • Legitimate interests: fraud prevention, site security, abuse prevention, internal diagnostics, and improving our products.
  • Legal obligations: tax, accounting, sanctions screening, and compliance recordkeeping where required.

5. What we do NOT do

  • Sell your data to third parties.
  • Email you outside campaign-relevant context.
  • Track you across other websites.
  • Share personal data for cross-site behavioral advertising.
  • Profile minors. (We do not knowingly collect data from anyone under the age of 16, unless local law allows a lower age with valid guardian consent.)

6. Third parties we use

  • CloudflareCDN, DDoS protection, HTTPS
  • ResendTransactional email delivery
  • StripeCard payment processing when enabled
  • PayPalPayPal payment processing when enabled
  • NOWPaymentsCrypto payment processing
  • KickstarterCampaign hosting; their privacy policy applies separately
  • EtsyExternal purchase of Starship and Card Holder products
  • Google OAuthOptional Google sign-in when enabled
  • FingerprintJSDevice fingerprinting for fraud prevention
  • Reown / WalletConnectWallet connection for crypto checkout; analytics are disabled in our app configuration.

7. Analytics

We do not currently use third-party behavior analytics tools. If we enable a behavior analytics tool later, we will update this policy before using it and request consent where required.

8. International processing

Vokar Studio is operated from Hong Kong SAR. Because our service providers operate globally, your data may be processed and stored outside Hong Kong, including in the United States, the European Economic Area, or other regions where our providers maintain infrastructure. We use these providers only for the purposes described in this policy and rely on their published privacy, security, and contractual commitments.

9. Data retention

  • Verified email accounts: until you request deletion
  • Pending (unverified) emails: 48 hours, then automatically purged
  • Orders and fulfillment records: kept as long as needed for delivery, customer support, tax, accounting, chargeback, and compliance purposes.
  • Payment provider identifiers and payment status: kept with the order record for reconciliation, support, refunds where applicable, and dispute handling.
  • Email verification code records: 10 minutes until expiry; stored as a hash, not the plain verification code.
  • Google OAuth temporary state cookies: 10 minutes, then deleted after callback or expiry.
  • Anonymous boarding pass previews: 180 days
  • Server access logs: 90 days
  • Referral records: 5 years (audit/compliance)

10. Your rights

Depending on your location, you may have the right to access, correct, delete, export, restrict, or object to the processing of your personal data, and to withdraw consent where processing is based on consent. Email [email protected] — we respond as soon as possible.

11. Cookies

We use only essential cookies for login, language, preview access, referral attribution, and checkout continuity. Analytics cookies are off by default and require your consent.

  • vokar-useruser account session, 60 days
  • vokar-adminadmin session for internal operations, 30 days
  • vokar-gateprivate preview access gate, up to 1 year while preview mode is enabled
  • vokar-goog-state / vokar-google-stateGoogle OAuth CSRF state token, 10 minutes
  • vokar-goog-nextGoogle OAuth return path, 10 minutes
  • langlanguage preference, 1 year
  • vokar-cartlocalStorage cart data, kept on your device for checkout continuity
  • vokar-cookie-consentcookie preference record, 180 days

12. Jurisdiction

Hong Kong SAR. Disputes are resolved per Hong Kong law.