Privacy Policy
1. Introduction
Welcome to [Chales Colin Harris] (“we”, “us”, or “our”). We are committed to protecting your personal data and respecting your privacy.
This Privacy Policy explains what personal information we collect when you visit our website at [www.yourwebsite.com], purchase prints or digital works, enquire about commissions, or subscribe to our newsletter. It also sets out how we use that information, on what legal basis, and what rights you have in relation to it.
This policy applies to all visitors and customers of our website, regardless of location, but has been written to comply specifically with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018
- The Privacy and Electronic Communications Regulations 2003 (PECR)
If you have any questions about this policy or how we handle your data, please contact us at the details in Section 11.
2. Who We Are
[Your Full Name / Business Name] is the data controller responsible for your personal data. We are a sole trader / limited company [delete as applicable] based in [Town/City], [Country]. LumenX Studios is a third party with data processing access.
Contact details:
- Name: [Your Name]
- Address: [Your Business Address]
- Email: [[email protected]]
- Phone: [Your Phone Number]
As we are based in the United States and our website is accessible internationally, we are required to comply with UK GDPR and US Michigan Law. Where visitors from the European Union access our website, we also endeavour to comply with EU GDPR requirements.
3. What Personal Data We Collect
3.1 Information You Provide Directly
When you interact with our website, you may provide us with the following:
- Contact details: name, email address, telephone number, and postal address
- Purchase information: billing and shipping address, items ordered, and order history
- Payment details: we do not store card numbers — payments are processed securely by our third-party payment provider (see Section 6)
- Correspondence: messages sent via our contact form or by email, including commission enquiries
- Newsletter sign-up: name and email address
- Account information: if you create an account, your username and password (stored encrypted)
3.2 Information Collected Automatically
When you visit our website, we automatically receive certain technical data:
- IP address and approximate geographic location
- Browser type and version, and device type
- Pages visited, time spent on each page, and referring URLs
- Cookies and similar tracking technologies (see Section 8)
3.3 Information from Third Parties
We may receive information about you from the following sources:
- Payment processors (e.g. Stripe, PayPal) — confirmation of payment and transaction identifiers
- Analytics providers (e.g. Google Analytics) — aggregated website usage data
- Social media platforms — if you interact with us via Instagram, Facebook, or other channels
4. How and Why We Use Your Data
We only use your personal data where we have a lawful basis to do so. The list below sets out the purposes for which we use your data and the legal basis we rely upon.
- To process your orders and arrange delivery of prints or digital files — Performance of a contract
- To handle returns, refunds, or complaints — Performance of a contract / Legal obligation
- To respond to your enquiries and commission requests — Legitimate interests / Pre-contractual steps
- To send you order confirmation and shipping updates — Performance of a contract
- To send you our newsletter and marketing communications (with your consent) — Consent
- To maintain our accounts and financial records — Legal obligation (7 years under HMRC rules)
- To improve our website and understand how visitors use it — Legitimate interests
- To prevent fraud and ensure website security — Legitimate interests / Legal obligation
- To comply with legal and regulatory obligations — Legal obligation
We will never use your personal data for purposes that are incompatible with those stated above, and we will not sell your personal data to any third party.
5. How Long We Keep Your Data
We retain personal data only for as long as is necessary for the purposes described in this policy, or as required by law.
- Order records and financial data: 7 years (to comply with HMRC requirements)
- Customer account data: for the duration of your account plus 2 years after closure
- Newsletter/marketing data: until you unsubscribe, then deleted within 30 days
- Contact form enquiries: 2 years from the date of last contact
- Website analytics data: as configured in our analytics platform (typically 26 months)
- Security logs: 12 months
After the applicable retention period has passed, your data will be securely deleted or anonymised.
6. Sharing Your Data with Third Parties
We do not sell, rent, or trade your personal data. We share your data only with the following categories of trusted third-party service providers, and only to the extent necessary to deliver our services:
- Payment processors (e.g. Stripe / PayPal) — to securely process your payments
- Shipping and fulfilment providers — to deliver your physical prints
- Print laboratories — where we use professional print labs to produce fine art prints
- Email marketing platforms (e.g. Mailchimp) — to send newsletters to subscribers
- Website hosting and IT providers — to host and maintain our website
- Analytics providers (e.g. Google Analytics) — to understand website usage
All third parties are required to handle your data in accordance with applicable data protection law. Where required, we have Data Processing Agreements (DPAs) in place.
We may also disclose your personal data to law enforcement or regulatory authorities if required to do so by law, or to protect the rights, property, or safety of ourselves or others.
7. International Data Transfers
Some of our third-party service providers are based outside the UK and European Economic Area (EEA). Where we transfer personal data internationally, we ensure appropriate safeguards are in place, such as:
- UK adequacy regulations or EU adequacy decisions
- Standard Contractual Clauses (SCCs) approved by the relevant authority
- Binding Corporate Rules (BCRs) where applicable
You can obtain further details about the safeguards we use for international transfers by contacting us using the details in Section 11.
8. Cookies
Our website uses cookies — small text files placed on your device — to help us provide a better user experience and to understand how visitors use our site.
8.1 Types of Cookies We Use
- Strictly necessary cookies: essential for the website to function (e.g. shopping cart, session management). These cannot be disabled.
- Analytics cookies: help us understand how visitors interact with our site (e.g. Google Analytics). These are only placed with your consent.
- Marketing cookies: used to track your browsing to deliver relevant advertising. These are only placed with your consent.
- Preference cookies: remember your settings and choices on our website.
8.2 Your Cookie Choices
When you first visit our website, you will be shown a cookie consent banner where you can accept or decline non-essential cookies. You can also manage or withdraw your cookie preferences at any time by clicking the “Cookie Settings” link in our website footer.
You can also control cookies through your browser settings, though disabling certain cookies may affect website functionality.
9. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access: to request a copy of the personal data we hold about you (Subject Access Request)
- Right to rectification: to ask us to correct inaccurate or incomplete data
- Right to erasure (‘right to be forgotten’): to ask us to delete your data, subject to certain exceptions
- Right to restriction of processing: to ask us to limit how we use your data in certain circumstances
- Right to data portability: to receive your data in a structured, machine-readable format
- Right to object: to object to our processing of your data where we rely on legitimate interests
- Rights related to automated decision-making: we do not use solely automated decision-making that produces legal or similarly significant effects
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us using the details in Section 11. We will respond within 30 days. We will not charge a fee for reasonable requests.
If you are not satisfied with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
9.1 Additional Rights for Michigan Residents
If you are a resident of Michigan, you may have additional rights under Michigan law, including the Michigan Identity Theft Protection Act (MCL 445.61 et seq.) and, where applicable, the Michigan Consumer Protection Act (MCL 445.901 et seq.). This section describes those rights and how you may exercise them.
Data Breach Notification
Under the Michigan Identity Theft Protection Act, in the event of a security breach involving your “personal information” (as defined under MCL 445.63), we are required to notify you in an expedient manner and without unreasonable delay. Notification will be provided by one or more of the following methods: written notice, electronic notice (where you have consented), or substitute notice if the cost of direct notification would be excessive. We will also notify the Michigan Attorney General’s office where required by law.
Your Michigan Privacy Rights
Michigan residents may have the following rights in relation to their personal information, subject to applicable exceptions:
- Right to know: you may request information about the categories and specific pieces of personal data we have collected about you, the sources from which it was collected, the purposes for which it is used, and the categories of third parties with whom it has been shared.
- Right to deletion: subject to certain legal exceptions, you may request that we delete personal information we have collected from you.
- Right to non-discrimination: we will not discriminate against you for exercising any of your privacy rights. We will not deny you goods or services, charge different prices, or provide a different level of quality because you exercised a right under applicable Michigan law.
How to Submit a Michigan Privacy Request
To exercise any of the rights described in this section, please contact us using the details in Section 11. We may need to verify your identity before processing your request. We will respond to verifiable requests within 45 days; if we require additional time (up to 90 days total), we will notify you of the extension and the reason for it. There is no charge for submitting a request, unless requests are excessive or repetitive, in which case we may charge a reasonable fee or decline to process the request.
10. How We Protect Your Data
We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:
- SSL/TLS encryption for all data transmitted to and from our website (HTTPS)
- Secure, access-controlled hosting infrastructure
- Limited staff access to personal data on a need-to-know basis
- Regular software updates and security patches
- Strong password policies and, where applicable, two-factor authentication
Payment card details are never stored on our systems. All payments are processed directly by our PCI-DSS compliant payment processor.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay where required.
11. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact:
[Your Name / Data Protection Contact]
- Email: [[email protected]]
- Post: [Your Business Address]
- Phone: [Your Phone Number]
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “Last updated” date at the top of this document and, where appropriate, notify you by email or via a notice on our website.
We encourage you to review this policy periodically to stay informed about how we are protecting your information.