Privacy policy
What we keep, and what we don't.
The short version: we collect only what we need to send you a parcel and run the shop. We don't sell your data, we don't profile you for advertising, and we don't track you around the internet.
Last updated · May 2026
1. Who is responsible for your data
Lettrist, the small studio operating lettrist.com, is the data controller for personal data we collect through this site. If you need the legal entity name for a formal subject-access request, write to [email protected] and we'll provide it. The same address is the right place for any question about this policy.
2. What data we collect
We collect the following categories of personal data:
- Order data — your name, billing address, shipping address, email address and, where you provide it, a phone number for the carrier.
- Payment data — handled by our payment processor; we receive only the last four digits of the card and a success/failure status. We never see or store the full card number, CVV or expiry.
- Correspondence — emails you send us and our replies.
- Technical data — IP address, browser type and pages visited, recorded in short-lived server logs.
We do not knowingly collect any "special category" data (such as health, ethnicity or political opinions).
3. Why we collect it (lawful basis)
We process your data on the following lawful bases under the UK GDPR / EU GDPR:
- Performance of a contract — to take and fulfil your order, dispatch your parcel and handle returns.
- Legal obligation — to keep accounting and tax records as required by law.
- Legitimate interests — to keep the site running, prevent fraud, and answer your emails. We've assessed these uses as not overriding your rights.
- Consent — where we ask for it explicitly (for example, if we ever introduce optional analytics or a marketing list, neither of which we run today).
4. Who we share data with
We share the minimum data necessary with a small set of suppliers, each of whom acts as a data processor on our behalf:
- Our payment processor — to take payment.
- Our shipping carrier — name, shipping address and (optionally) phone number, so they can deliver the parcel.
- Our hosting provider — which stores the site and its short-lived logs.
- Our accountant — for the order data required by tax law.
We do not sell or rent personal data to anyone, ever. We do not share data with advertising networks or data brokers.
5. International transfers
Our hosting and our payment processor may store data on servers outside your home country. Where personal data leaves the European Economic Area or the United Kingdom, we rely on the European Commission's Standard Contractual Clauses (or the UK equivalent) with the receiving party as the legal basis for the transfer.
6. How long we keep your data
- Order records — kept for at least 7 years to satisfy accounting and tax obligations, then deleted or anonymised.
- Correspondence — kept for up to 3 years from the last reply, then deleted.
- Server logs — rotated and deleted within 30 days.
7. Your rights
Under data-protection law you have the right to:
- Access the personal data we hold about you and receive a copy of it.
- Correct data that is inaccurate or incomplete.
- Erase data we no longer need (subject to our legal record-keeping obligations).
- Restrict or object to certain processing.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time, where we relied on consent.
- Complain to a supervisory authority — your local data-protection regulator, or the regulator of the country in which the studio is established.
To exercise any of these, write to [email protected]. We'll respond within 30 days.
8. Security
We take reasonable technical and organisational measures to keep your data safe: TLS in transit, restricted administrative access, and a deliberately minimal set of systems holding personal data. No system is ever perfectly secure; if we ever discover a breach affecting your data, we will notify you and the relevant regulator within the timeframes required by law.
9. Children
lettrist.com is not directed at children and we do not knowingly collect personal data from anyone under 16. If you believe we hold data about a child, write to us and we'll delete it.
10. Changes to this policy
We may update this policy occasionally. The "Last updated" date at the top reflects the current version. Material changes will be highlighted at the top of this page for at least 30 days.