Privacy Policy
Your Privacy Matters: I, Tom Zawadzki, am committed to respecting and protecting your privacy. This Privacy Policy explains how I collect, use, store, and share your personal information when you use my website (tomzawadzki.com) or purchase something from my shop. It also outlines your rights regarding your personal data. I aim to be transparent and use plain English so you can easily understand my practices.
By using my website or providing me with your information, you agree to the terms of this Privacy Policy. If you have any questions or concerns, you can always contact me.
Information I Collect
I only collect personal information that is necessary to fulfill your orders or to provide you with a good experience on my website. The types of information I may collect include:
Information You Provide Directly: When you place an order, create an account on my site, or contact me (through a form or email), you may give me details such as your name, billing and shipping address, email address, phone number, and payment information. I will also have a record of what products you ordered. If you voluntarily subscribe to a newsletter or mailing list (if I have one), I would collect your email address and any preferences you provide.
Automatically Collected Information: When you visit my website, certain data gets collected automatically by my website platform (Squarespace) or analytics tools. This can include your IP address, browser type, device information, pages you visit on my site, and how you found my site (e.g. via Google search). This information is generally collected via cookies or similar tracking technologies (see Cookies below). This data is typically aggregated and isn’t used to personally identify you, but it helps me understand how people use the site and improve its performance and content.
Order and Transaction Information: Details of purchases you make (date, items, amount, any preferences like print size) are recorded. Note that I do not personally see or store your full payment card details – payments are handled securely by third-party payment processors (such as Stripe or Square), which only provide me with confirmation of payment and some summary info (like the last four digits of a card, for reference).
How I Use Your Information
I use the personal information you provide for the following purposes:
To Fulfil Your Orders: The primary use of your information is to process and deliver your purchases. I need your name and address to ship your print to you, and your email to send order confirmations and updates. If there are any issues or delays, I will use your contact info to keep you informed. Your phone number, if provided, may be used by me or the courier for delivery purposes (for example, some delivery services send text updates).
Printing and Shipping (Third-Party Fulfilment): I partner with a professional lab for producing and shipping most of my standard prints. This means I will share the necessary information with the lab to fulfil your order – typically your name, delivery address, and the print details (e.g. print size, image to print). The lab uses this information solely to print the artwork and send it to you. They operate under strict privacy practices as a professional lab. They will not use your information for any purpose other than fulfilling my orders. For limited edition prints that I handle personally, your details stay with me as I prepare and send those to you.
To Provide Customer Support: If you contact me with questions, inquiries about a product, or any problems, I will use your information (like email or order history) to respond and resolve issues. Knowing what you ordered or what you were browsing helps me answer your questions more effectively.
To Improve Your Experience & My Services: I analyze how users interact with my website so I can improve the layout, content, and overall user experience. For instance, I might look at which gallery collections are most viewed or where in the checkout process people drop off. This analysis might be done through tools like Squarespace Analytics or Google Analytics, which use cookies. The data is generally aggregated, and I do not profile individual visitors in any invasive way. It’s more about understanding trends (e.g. most visitors are from the UK, or mobile vs desktop usage) so I can cater better to my audience.
Marketing & Updates (If Applicable): At the moment, I do not send out regular newsletters – any marketing is quite minimal and often opt-in (for example, if you explicitly sign up to hear about new prints or events). If in future I do have a mailing list, I would use your email to send you news, offers or updates only if you have given clear consent (such as subscribing via a form and confirming you want these emails). You can opt out at any time, and I will include an unsubscribe link in any such communications. I will not spam you – I hate cluttered inboxes too!
Legal Obligations & Record-Keeping: I may need to retain and use certain information to comply with legal requirements. For example, accounting and tax laws might require me to keep records of sales (which include personal data like names, addresses, purchase amounts) for a certain number of years. If needed, I might use your data to meet obligations such as financial audits or to comply with a lawful request by authorities.
Cookies and Tracking Technologies
My website uses cookies and similar technologies to function effectively and to enhance your experience.
What Are Cookies? Cookies are small text files placed on your device when you visit a website. They help the site remember your actions or preferences over time. For example, a cookie might remember the items you put in your shopping cart so you don’t lose them while browsing.
How I Use Cookies: The Squarespace platform may use essential cookies for things like enabling the shopping cart and checkout process. Without these, the site wouldn’t work properly for shopping. I also use analytics cookies (like those from Google Analytics or Squarespace’s built-in analytics) to collect information about traffic and usage patterns. This helps me see how many people visit, which pages are popular, etc. All this information is anonymous and used in aggregate form – for example, I might see that “100 people visited the Urban gallery page this week” but it does not tell me who those individuals are.
Third-Party Cookies: If I have any embedded content or social media integration, those third parties may set cookies as well. For example, if I embedded an Instagram feed or a YouTube video of behind-the-scenes, Instagram or Google might set their own cookies. Currently, my site is pretty straightforward, but I may use Squarespace’s built-in features that interact with third parties (like payment processors or analytics) which can involve cookies.
Your Choices: When you first visited my site, a cookie banner or notice may have informed you about the use of cookies. You have the option to disable cookies through your browser settings if you prefer. You can usually remove or block cookies, but please be aware that doing so might affect site functionality (for instance, the cart might not remember what you added if cookies are off). If you want to clear any tracking, you can also clear your browser’s cookies after visiting the site.
Sharing of Your Information
I treat your personal information with care and do not sell or rent it to any third-party for their marketing purposes. I share your information only in a few specific scenarios, all of which are related to serving you:
Service Providers: As mentioned, I use certain trusted third-party companies to operate my business:
Loxley Colour (Print Lab): Receives your name, address, and order details to print and ship your standard print orders. They will not contact you except as needed for delivery, and the package will usually appear as if it came from me.
Payment Processors: I rely on services like Stripe and/or Square to process payments securely. When you enter your payment details at checkout, that data goes directly to the payment processor. They adhere to strict security standards (PCI-DSS compliance). I do not see your full credit card info. I only get the confirmation that you paid, the amount, and your contact info to complete the order. These payment companies might handle your data under their own privacy policies, which comply with legal requirements.
Website Host (Squarespace): My website is built on the Squarespace platform. Squarespace provides the online e-commerce platform that allows me to showcase products and process orders. They store data on my behalf (for example, when you enter your info to place an order, it’s stored in Squarespace’s databases). Squarespace is a well-established, secure platform and they state that they implement measures to protect personal data. They might access your data but only as needed to support my website’s functioning (for example, troubleshooting an issue or storing backups). They won’t use your data for their own purposes.
Email Service (if used): If I use a third-party service to send emails (for order confirmations or a newsletter if you subscribed), your email and name might be stored in that service. For instance, I might use a service like MailChimp or MailerLite for any marketing newsletters. If so, that service would only have the info you provided at signup (e.g. name, email) and every email would have an unsubscribe option. I would ensure any such provider is reputable and GDPR-compliant.
Couriers/Postal Services: In order to deliver your order, the shipping carrier (Royal Mail, DPD, DHL, UPS, etc., depending on your location and shipping choice) will obviously see your delivery address and name on the parcel. I share the necessary details with the courier either by printing a label or via an online booking. For example, if using Royal Mail Click & Drop or a courier booking site, your address and maybe phone/email (for delivery updates) are entered into their system. This information is used solely to get the package to you.
Legal Requirements: I may disclose your information if required to do so by law or if you violate my Terms and Conditions. For instance, in the unlikely event of a legal dispute, I might need to provide relevant information to law enforcement or a court (only if formally required and lawful). Also, for tax and accounting purposes, my records (which include sales details) might be reviewed by authorized persons (like a tax auditor or accountant), who are of course obliged to keep such information confidential.
Business Transfers: This is quite hypothetical given I’m a one-person business, but I’ll include it for completeness: if in the future I ever restructure or transfer ownership of the business or its assets, customer information could be one of the assets transferred to the new owner (for example, if someone bought the website/shop). If that happened, your personal information would still be protected under this Privacy Policy and I’d ensure the new owner has to honor the commitments made here. But to be clear, I have no plans of selling or transferring your data anywhere – it’s just a standard clause many include.
Data Storage and Security
I take reasonable precautions to protect your personal information. The systems I use (Squarespace, payment gateways, Loxley’s ordering system) employ secure encryption (HTTPS/SSL) when transmitting data. For example, when you enter sensitive information like your credit card number, that transmission is encrypted. My website’s URL uses https://, indicating it’s secure.
I limit access to your personal data. For instance, I (Tom) am the only one who directly accesses order information. Loxley receives only what they need to fulfill the print. My laptop and devices are protected with passwords and security software, and I keep them updated to guard against vulnerabilities. I also choose strong, unique passwords for all the services I use to manage the website and orders.
Despite all these measures, no method of transmission over the Internet or electronic storage is 100% secure. While I strive to use commercially acceptable means to protect your personal data, I cannot guarantee absolute security. In the unlikely event of a data breach that affects your personal information, I will follow all applicable laws – which may include notifying you and relevant authorities of the breach.
Data Retention
I will retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy. This generally means:
Order information (like your name, contact, shipping address, and purchase details) is retained in my order records. I keep these records as long as needed for my business accounting and in case of any follow-up issues. In practice, that often means I may keep order data for several years – for example, UK tax law requires me to keep sales records for around 6 years. This helps with any required financial reporting or if you come back in the future with questions about your past purchases.
Email correspondence: If you contact me via email, I may retain those communications for reference as long as needed to manage our interaction or as required for customer service records.
Newsletter subscription: If you’ve opted into a newsletter (again, currently hypothetical), I will keep your details on that list until you unsubscribe or until I decide to discontinue the newsletter service. If you unsubscribe, I will remove your email from the active mailing list promptly. (However, note that I might still keep a record that you were subscribed at one time, as part of my business records, unless you specifically request complete erasure.)
Analytics data: Google Analytics data is retained according to the settings I’ve selected in that service (often aggregated data is kept for 26 months or more). This data is not personally identifiable in my case, but just letting you know how long such info might persist. You can of course clear cookies or use browser tools to block Google Analytics if you wish not to be tracked.
When I no longer have a legitimate need or obligation to retain your personal data, I will securely delete or anonymize it. For example, outdated customer records may be purged periodically.
Your Rights
You have rights regarding the personal data I hold about you, particularly as a user in the UK or EU under the General Data Protection Regulation (GDPR). I am fully committed to upholding these rights:
Access: You have the right to request a copy of the personal information I have about you. This is commonly known as a “Subject Access Request.” If you want to see the data I have on file (order info, contact details, etc.), you can contact me and I will provide you with a copy, free of charge, within the legally required time frame (usually within one month).
Rectification: If any of your information is incorrect or incomplete, you have the right to ask me to correct it. For instance, if you notice I misspelled your name or have an outdated address, let me know and I’ll update it.
Erasure: Also known as the “right to be forgotten.” You can request that I delete your personal data. Note that this right is not absolute – if I have a legal obligation or compelling reason to keep certain data (e.g. I can’t delete details of a transaction that’s needed for tax records, or I may retain info about a resolved dispute for legal protection), I might decline the deletion for those specific details. But if you, say, created an account on my site and now want it removed, I can delete your account and personal info associated with it. If you requested erasure of order info, I would remove what I am not required to keep by law. I will always explain to you if any data cannot be fully erased and why.
Restriction: You have the right to ask me to limit processing of your data in certain circumstances. For example, if you contest the accuracy of the data, you can request I restrict use of that data until it’s verified or corrected.
Objection: You can object to my processing of your information. If I were sending marketing emails, you could object or opt-out (which is basically unsubscribing). Or if you have a particular situation where you want to object to data processing that I’m doing under legitimate interests, you can tell me. For example, if you object to me using your email to send you a satisfaction follow-up, let me know.
Data Portability: For data you provided to me directly and that I process by automated means based on your consent or a contract (e.g., order info), you have the right to request that I provide that data in a commonly used, machine-readable format (for example, a CSV file), and/or request that I transmit it to another data controller (another service) where technically feasible.
To exercise any of these rights, please contact me. I may need to verify your identity before proceeding with a request (for instance, confirming you have access to the email associated with the records, or asking for an order number). This is to ensure I don’t disclose or alter someone’s data without proper authorization.
I will do my best to respond to and address any requests or concerns in a timely manner (under GDPR, generally within one month).
Children’s Privacy
My website and offerings are not directed to children under the age of 16. I do not knowingly collect personal information from anyone under 16. If you are under 16, please do not use this site or provide any information. If I discover that I have inadvertently collected personal data from a child under 16, I will delete it. If you are a parent or guardian and believe I might have information about a minor, please contact me immediately and I will remove it.
Updates to This Policy
I may update this Privacy Policy from time to time to reflect changes in my practices or for other operational, legal, or regulatory reasons. If I make significant changes, I will notify users either by posting a prominent notice on the website or by sending an email notification (if appropriate). The “last updated” date at the bottom will always indicate when the latest changes were made.
I encourage you to review this policy periodically to stay informed about how I am protecting your information. Your continued use of the website after any changes to the Privacy Policy constitutes acceptance of those changes.
Contact Me
If you have any questions or concerns about this Privacy Policy or about how your data is handled, please contact me. I’m a real person (not a faceless corporation) and I take your privacy seriously, so I will be glad to discuss any concerns you have.
If, after contacting me, you feel that I have not adequately addressed your privacy concern, you have the right to lodge a complaint with the relevant supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). (If you’re in another country, you can contact your local data protection authority.) I would appreciate the chance to resolve your concerns first, but it’s important you know your rights.
Thank you for taking the time to read this Privacy Policy. I value your trust, and I will work hard to keep your personal information secure and confidential.
Last updated: January 2026