Table of Contents
1. GDPR Overview & Our Commitment
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs how personal data of individuals within the European Economic Area (EEA) is collected, processed, and stored.
Printedin is fully committed to GDPR compliance. We process personal data lawfully, fairly, and transparently. We collect data only for specified, explicit, and legitimate purposes and ensure it is adequate, relevant, and limited to what is necessary.
Our GDPR Principles: We adhere to all seven principles of GDPR — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.
2. Data Controller Information
Under GDPR, Printedin acts as the Data Controller for the personal data of our users. This means we determine the purposes and means of processing personal data.
| Company Name | Optimal Trading LLC LTD (trading as Printedin) |
| Registered Address | 30 Buttermarket, Bury St Edmunds, Suffolk, IP33 1DW, England |
| Registration Number | 14228479 |
| Data Protection Contact | dpo@printedin.com |
3. Legal Basis for Processing
Under Article 6 of GDPR, we process personal data based on the following legal grounds:
| Legal Basis | Processing Activity |
|---|---|
| Contract Performance (Art. 6(1)(b)) | Account creation, order processing, book printing and delivery, customer support |
| Consent (Art. 6(1)(a)) | Marketing communications, newsletter subscriptions, analytics cookies |
| Legitimate Interest (Art. 6(1)(f)) | Fraud prevention, security monitoring, service improvement, essential analytics |
| Legal Obligation (Art. 6(1)(c)) | Tax records, financial reporting, legal compliance, law enforcement requests |
Where we rely on consent as the legal basis, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
4. Categories of Personal Data
We process the following categories of personal data:
| Category | Data Types | Purpose | Retention |
|---|---|---|---|
| Identity Data | Name, email, phone | Account management | Until account deletion |
| Address Data | Billing & shipping address | Order delivery | 7 years (tax law) |
| Payment Data | Payment method details | Transaction processing | Per payment processor policy |
| Content Data | Uploaded photos, text | Book production | 90 days post-delivery |
| Technical Data | IP address, browser info | Security & analytics | 26 months |
| Usage Data | Pages visited, actions taken | Service improvement | 26 months |
| Design Data (registered) | Canvas JSON, uploaded images | Product creation & order fulfillment | 30 days of inactivity (auto-cleanup) |
| Guest Uploads | Uploaded images (anonymous) | Guest design tool access | 7 days (unclaimed data cleanup) |
Design data auto-cleanup (Art. 5(1)(e) — Storage Limitation): In accordance with GDPR's storage limitation principle, design data is not retained indefinitely. For registered users, designs inactive for 30 days are marked as "Abandoned" and associated uploaded files are permanently deleted. For guest (anonymous) users who do not create an account, uploaded images are automatically deleted after 7 days. This ensures personal data (including uploaded photos) is not stored longer than necessary for its processing purpose. Designs converted to orders are excluded from this policy. The legal basis for this processing is legitimate interest (Art. 6(1)(f)) — maintaining sustainable infrastructure costs. See Terms of Service §5.4.
Usage limits (Art. 5(1)(c) — Data Minimisation): Each user account is limited to 20 designs and 100 MB of total storage. These limits serve the principle of data minimisation by preventing excessive accumulation of personal data (uploaded photos, design content). The legal basis is legitimate interest (Art. 6(1)(f)). Limits may be adjusted; see Terms of Service §4.1.
5. Data Subject Rights
Under GDPR, you have the following rights regarding your personal data. We will respond to all valid requests within 30 days (extendable by 60 days for complex requests):
Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data and request a copy of your data in a commonly used electronic format.
Right to Rectification (Art. 16)
You have the right to request correction of inaccurate personal data or completion of incomplete data. You can update most information directly through your profile settings.
Right to Erasure (Art. 17)
You have the right to request deletion of your personal data ("right to be forgotten"), subject to applicable legal obligations (e.g., tax records that must be retained).
Right to Restriction (Art. 18)
You can request restriction of processing of your data while we verify its accuracy, assess our legitimate interests, or when processing is unlawful but you oppose erasure.
Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit it to another controller.
Right to Object (Art. 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making (Art. 22)
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.
How to exercise your rights: Send an email to dpo@printedin.com with your request. We may need to verify your identity before processing your request.
6. Data Processing Activities
We maintain a Record of Processing Activities (ROPA) as required by Article 30 of GDPR. Our key processing activities include:
- User Registration: Processing name, email, and password for account creation.
- Product Design: Processing uploaded images and text to create design previews.
- Order Fulfillment: Processing addresses and payment data for printing and shipping.
- Customer Support: Processing communications and account data to resolve inquiries.
- Marketing: Processing email addresses for newsletter distribution (consent-based).
- Analytics: Processing usage data to improve our services (legitimate interest).
Sub-Processors
We engage the following categories of sub-processors, all with appropriate Data Processing Agreements (DPAs):
| Category | Purpose | Location |
|---|---|---|
| Cloud Hosting | Infrastructure & data storage | EU |
| Payment Processor | Payment handling | EU (Ireland) |
| Print Partner | Book manufacturing | EU (Germany / Turkey) |
| Email Service | Transactional & marketing emails | EU (Germany) |
| Analytics | Website analytics | EU (compliant configuration) |
7. International Data Transfers
We primarily store and process personal data within the European Economic Area (EEA). When data transfers outside the EEA are necessary, we ensure adequate protection through:
- Adequacy Decisions: Transfers to countries with EU adequacy decisions.
- Standard Contractual Clauses (SCCs): EU-approved contract terms ensuring equivalent data protection.
- Supplementary Measures: Additional technical and organizational measures where required (encryption, pseudonymization).
Turkey Transfers: For orders shipped from our Turkey print facility, minimal data (name, address) is transferred under Standard Contractual Clauses with additional encryption safeguards.
8. Data Protection Measures
In accordance with Article 32 of GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
Technical Measures
- End-to-end TLS 1.3 encryption for all data in transit
- AES-256 encryption for personal data at rest
- Bcrypt password hashing with adaptive cost factor
- Regular automated security scanning and testing
- Network segmentation and firewall protection
- Database access logging and monitoring
Organizational Measures
- Staff data protection training and awareness programs
- Access control based on the principle of least privilege
- Non-disclosure agreements with all employees and contractors
- Data Protection Impact Assessments (DPIAs) for high-risk processing
- Regular reviews and audits of data processing activities
- Incident response procedures and escalation protocols
9. Data Breach Notification
In accordance with Articles 33 and 34 of GDPR, we have established data breach response procedures:
- Supervisory Authority: We will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms.
- Affected Individuals: We will notify affected data subjects without undue delay when a breach is likely to result in a high risk to their rights and freedoms.
- Documentation: All data breaches are documented in our breach register, regardless of severity, including facts, effects, and remedial actions taken.
10. Data Protection Officer
We have appointed a Data Protection Officer (DPO) who oversees GDPR compliance across our organization. You can contact our DPO for any questions or concerns related to data protection:
Data Protection Officer
Email: dpo@printedin.com
Address: Optimal Trading LLC LTD, Data Protection Officer, 30 Buttermarket, Bury St Edmunds, Suffolk, IP33 1DW, England
Response Time: Within 30 days (extendable by 60 days for complex requests)
11. Supervisory Authority & Complaints
If you believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Phone: +44 303 123 1113
You also have the right to lodge a complaint with the supervisory authority in your country of residence, your place of work, or the place where the alleged infringement took place.
We encourage you to contact us first so we can attempt to resolve your concerns directly.