Your data, kept simple.
Last updated: 29 April 2026. This notice explains how Narrowboat Gifts handles personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
Narrowboat Gifts is the data controller for personal data collected through this site. ICO registration is in progress and the registration number will be published here once issued.
You can reach us at [email protected] for any privacy enquiry.
What we collect & why
| Data | Purpose | Lawful basis |
|---|---|---|
| Name & shipping address | Deliver your order | Contract performance |
| Email address | Order confirmation, tracking, support | Contract performance |
| Payment details | Take payment (we never see card numbers — Stripe does) | Contract performance |
| Boat name, canal route, date | Print on your poster | Contract performance |
| IP address (server logs) | Security, abuse prevention | Legitimate interest |
Who we share it with
Only the third-party processors we need to fulfil your order. Each is bound by a written processing agreement under UK GDPR Article 28:
- Stripe Payments UK Ltd — payment processing. PCI DSS Level 1. stripe.com/gb/privacy
- Gelato Group AS (Norway, prints in UK) — printing & shipping. Receives your name, shipping address, and the print file. gelato.com/legal/privacy-policy
- Resend Inc. (US, EU sending domains) — transactional email. Receives your email, order ID, and order summary. resend.com/legal/privacy-policy
- Supabase Inc. (database in London, UK) — order storage. supabase.com/privacy
- Cloudflare — DNS & email forwarding for our domain. cloudflare.com/privacypolicy
- Netlify (US) — site hosting + serverless functions. netlify.com/privacy
Where data leaves the UK, transfers are protected by standard contractual clauses or adequacy decisions where applicable. We never sell, rent, or trade your personal data. We don't use it for retargeting ads.
How long we keep it
- Order records — 7 years (UK accounting / HMRC requirement).
- Email correspondence — 24 months from last contact, then deleted unless you've asked us to keep it.
- Print files (your customisation) — 90 days after dispatch, then deleted from our storage.
- Server logs — 30 days.
Your rights
Under UK GDPR you have the right to:
- Access your personal data (a "subject access request")
- Have inaccurate data corrected
- Have your data erased ("right to be forgotten") — subject to our legal obligation to retain order records for 7 years
- Restrict processing
- Data portability
- Object to processing
- Withdraw consent at any time (though most of what we do is on contract-performance basis, not consent)
To exercise any of these, email [email protected]. We'll respond within one calendar month, no charge for reasonable requests.
Cookies
This site uses no analytics cookies, no advertising cookies, no third-party trackers. We use one strictly-necessary cookie: a session cookie set by Stripe Checkout when you reach the payment step. It expires when you close the browser. No consent banner because no consent is required for strictly-necessary cookies under PECR.
Complaints
If we've handled your data badly, please tell us first so we can fix it. If you're not satisfied, you can complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint or on 0303 123 1113.