Privacy Policy
Last Updated: November 22, 2025
Effective Date: November 22, 2025
1. Introduction
Glasgow GFX ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website www.glasgowgfx.co.uk and use our printing services.
This policy complies with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
2. Data Controller
Glasgow GFX is the data controller responsible for your personal data.
Glasgow GFX
Unit 204b, 36-38 Washington St
The Pentagon Business Centre
Glasgow, G3 8AZ
United Kingdom
Contact:
Email: support@glasgowgfx.co.uk
Phone: 0141 345 5841
3. Information We Collect
3.1 Information You Provide
We collect information that you voluntarily provide when you:
- Create an account: Name, email address, password, phone number
- Place an order: Billing address, delivery address, payment information (processed by Stripe)
- Upload artwork: Design files, images, and related metadata
- Contact us: Name, email, message content, and any other information you choose to provide
- Business customers: Company name, VAT number, business address
3.2 Information Collected Automatically
- Usage data: Pages visited, time spent, clicks, and navigation paths
- Device information: IP address, browser type, operating system, device identifiers
- Cookies: See our Cookie Policy for details
3.3 Information from Third Parties
- Payment processors: Stripe provides transaction confirmation and fraud detection data
- Shipping carriers: Royal Mail, DPD, and Evri provide delivery tracking information
- OAuth providers: If you sign in with Google, we receive your name, email, and profile picture
4. How We Use Your Information
We process your personal data for the following purposes:
4.1 Order Processing (Legal Basis: Contract Performance)
- Process and fulfill your orders
- Communicate about your orders and deliveries
- Handle returns, refunds, and customer support inquiries
4.2 Account Management (Legal Basis: Contract Performance)
- Create and maintain your user account
- Provide access to order history and saved designs
- Send account-related notifications
4.3 Legal Compliance (Legal Basis: Legal Obligation)
- Maintain records for tax and accounting purposes (7 years)
- Respond to legal requests and prevent fraud
- Enforce our terms and conditions
4.4 Marketing (Legal Basis: Consent or Legitimate Interest)
- Send promotional emails (only with your consent)
- Display targeted advertisements (only with your cookie consent)
- You can unsubscribe at any time via the link in our emails or in your account settings
4.5 Improvement and Analytics (Legal Basis: Legitimate Interest)
- Analyze website usage to improve user experience
- Monitor and prevent fraud and security threats
- Develop new products and services
5. How We Share Your Information
We do not sell your personal data. We share data only as described below:
5.1 Service Providers
- Payment processing: Stripe (PCI DSS compliant)
- Shipping: Royal Mail, DPD, Evri
- Email services: Resend
- Cloud hosting: Vercel, Supabase, AWS
- Analytics: Google Analytics (only with your consent)
5.2 Legal Requirements
We may disclose your information to comply with legal obligations, court orders, or to protect our rights and safety.
5.3 Business Transfers
If we are acquired or merge with another company, your data may be transferred to the new entity. We will notify you of any such change.
6. Data Retention
We retain your data as follows:
- Account data: Until you delete your account, plus 30 days for recovery
- Order data: 7 years (UK tax law requirement)
- Uploaded files: 90 days after order completion
- Marketing consent: Until you withdraw consent
- Guest cart data: Until the cart has been inactive for 7 days
- Audit logs: 180 days
7. Your Rights Under UK GDPR
You have the right to:
- Access: Request a copy of your personal data (free of charge)
- Rectification: Correct inaccurate or incomplete data
- Erasure ("Right to be Forgotten"): Delete your data (subject to legal retention requirements)
- Restriction: Limit how we use your data
- Data Portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interest or for marketing
- Withdraw Consent: Withdraw consent at any time (doesn't affect previous processing)
- Complain: Lodge a complaint with the Information Commissioner's Office (ICO)
To exercise your rights, please contact us at support@glasgowgfx.co.uk. We will respond within 30 days.
8. Data Security
We implement industry-standard security measures to protect your data:
- HTTPS encryption for all data transmission
- Password hashing with bcrypt
- Firewall-protected servers
- Regular security audits and monitoring
- File upload virus scanning
- Role-based access controls for staff
- PCI DSS compliant payment processing (via Stripe)
However, no system is 100% secure. Please use a strong password and enable two-factor authentication if available.
9. International Data Transfers
Some of our service providers (e.g., Stripe, Google) may process data outside the UK or EU. We ensure adequate safeguards are in place:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the UK government
- Providers certified under privacy frameworks (e.g., EU-US Data Privacy Framework)
10. Children's Privacy
Our services are not directed to individuals under 16. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
11. Changes to This Privacy Policy
We may update this policy from time to time. We will notify you of material changes by:
- Posting the new policy on this page
- Updating the "Last Updated" date
- Sending an email to registered users (for significant changes)
- Displaying a prominent notice on our website
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
Email: support@glasgowgfx.co.uk
Phone: 0141 345 5841
Post:
Glasgow GFX - Data Protection
Unit 204b, 36-38 Washington St
The Pentagon Business Centre
Glasgow, G3 8AZ
United Kingdom
Information Commissioner's Office (ICO):
If you're not satisfied with our response, you can contact the ICO:
https://ico.org.uk/make-a-complaint/