守 · Privacy Policy

Privacy Policy

We collect the minimum needed to make your Saya and get it to your door — and nothing for advertising. No analytics scripts, no tracking pixels, no marketing lists. This page explains exactly what we hold, where it lives, and your rights over it.

Who we are

The data controller for this site is [Business name], trading as Sayabi, of [registered address]. For anything in this policy, email orders@example.com. The details in square brackets and the email address are placeholders — they must be replaced with the real business details before launch.

What we collect, and why

• Your name, email address, and shipping address — collected through Stripe Checkout when you pay, and used to make your order, dispatch it, and write to you about it.
• Payment card details — these go directly to Stripe, our payment processor, and never touch our servers. We never see your full card number.
• Uploaded artwork, for custom orders — your logo or initials file is stored with Vercel Blob, our hosting provider's file storage, so we can print it onto your Saya. Files sit at long, unguessable web addresses, so treat anything you upload as visible to anyone who has the link.
• Order details — a copy of each order is emailed to our fulfilment inbox via Resend, our email provider, so we can make and ship it.

That's the lot. We don't buy data about you, build profiles, or collect anything about your browsing.

Our lawful basis

We process the data above because we need it to perform our contract with you — Article 6(1)(b) of the UK GDPR. We can't make or ship an order without it. We keep order records afterwards to meet our legal obligations under UK tax law — Article 6(1)(c).

Cookies

This site sets exactly one cookie: a cart cookie that remembers what's in your basket. It is httpOnly (it can't be read by scripts in your browser), it expires after 30 days, and it contains no tracking identifiers. We set no analytics, advertising, or marketing cookies of any kind.

Because the cart cookie is strictly necessary to provide the service you've asked for, the Privacy and Electronic Communications Regulations (PECR) don't require your consent for it — which is why this site has no cookie banner.

Who handles your data for us

Three providers process data on our behalf, each handling only what they need:

• Stripe — payments and checkout.
• Vercel — site hosting and artwork file storage.
• Resend — order notification email.

Each acts on our instructions under a data processing agreement. We never sell your data, and we share it with no one else unless the law requires us to.

International transfers

Stripe, Vercel, and Resend are US-headquartered providers, so some of your data is transferred outside the UK. Those transfers are made under UK GDPR-compliant safeguards — the UK International Data Transfer Agreement (IDTA), or Standard Contractual Clauses with the UK Addendum, as set out in each provider's data processing terms.

How long we keep your data

Order records — what you bought, your name and address, and payment references — are kept for around six years, as UK tax law requires. Uploaded artwork is retained so we can reprint your design quickly if you reorder or need a replacement, but we'll delete it whenever you ask.

Your rights

Under the UK GDPR you can ask us, at any time, for:

• access — a copy of the personal data we hold about you;
• rectification — correction of anything inaccurate;
• erasure — deletion of your data, where we're not legally required to keep it;
• portability — your data in a structured, machine-readable format; and
• restriction of, or objection to, our processing.

Email us and we'll respond within one month. If you're unhappy with how we've handled your data, you have the right to complain to the Information Commissioner's Office at ico.org.uk.

No automated decision-making

We make no automated decisions about you and do no profiling. Every order is reviewed, printed, and packed by a person.

Changes to this policy

If what we collect or how we use it ever changes, we'll update this page. Last updated: [date placeholder].

This page is a template and not legal advice. Have it reviewed by a qualified solicitor before launch.