🇬🇧 PicBooks is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are (Data Controller)
PicBooks acts as the Data Controller for all personal data collected through our website and services.
Contact: hello@picbooks.co.uk | 49 Ruabon Crescent, Greater Manchester, WN2 4PJ
2. Our Lawful Basis for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on:
- Contract performance — processing your order, including your photos, name, and delivery address
- Legitimate interests — improving our service using anonymised aggregated counters
- Legal obligation — maintaining financial records as required by HMRC (7 years)
- Consent — for any future marketing communications (you can withdraw consent at any time)
3. Special Category Data — Photos of Children
⚠️ Images of children are considered sensitive personal data. We apply additional safeguards when processing such images.
We recognise that photos of minors represent sensitive personal data requiring heightened protection. Our specific safeguards include:
- Purpose limitation — images of children are processed solely for printing your colouring book and no other purpose whatsoever
- Data minimisation — we collect only the photos necessary to fulfil your order
- Storage limitation — photos are permanently deleted within 30 days of order fulfilment
- Access restriction — access to uploaded images is strictly limited to authorised personnel involved in order processing
- No profiling — we do not create profiles of children or use their images in any automated decision-making
- Limited third-party sharing — see section 5 below; images are sent to Google's Gemini service for line-art generation under their UK Adequacy / DPF certification, and are never used for training and never shared with anyone else
- Parental consent — by uploading images of minors you confirm you are the parent/guardian or have obtained explicit parental consent
4. Data Retention
- Photos — deleted within 30 days of order fulfilment; sooner on request
- Order details — retained for 7 years as required by HMRC financial regulations
- Email communications — retained for 2 years
- Aggregated traffic counters — retained indefinitely (no individual data)
5. International Transfers
To convert your photos into line art, your images are processed by Google's Gemini API, which runs on Google's global infrastructure. This may involve transfer of your photos to servers outside the UK/EEA (typically the United States).
This transfer relies on the following safeguards:
- Google LLC is certified under the UK Extension to the EU-US Data Privacy Framework (DPF), providing GDPR-equivalent protection
- Photos sent to Gemini are not retained by Google after the API call completes
- Photos are not used to train Google's models
- The transfer is necessary to perform the contract you entered into when placing your order
All other personal data (name, address, payment, email) is stored on UK or EEA servers.
6. Your Rights Under UK GDPR
You have the following rights, which we will action within 30 days of your request:
- Right of Access (Article 15) — obtain a copy of your personal data
- Right to Rectification (Article 16) — correct inaccurate data
- Right to Erasure (Article 17) — "right to be forgotten"
- Right to Restrict Processing (Article 18) — limit how we use your data
- Right to Data Portability (Article 20) — receive your data in a portable format
- Right to Object (Article 21) — object to processing based on legitimate interests
- Rights related to automated decision-making (Article 22) — we do not use automated decision-making or profiling
To exercise any right, email hello@picbooks.co.uk. You will not be charged for making a request.
7. Right to Complain
If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
8. Data Protection Officer
As a small business we are not required to appoint a formal DPO; data protection queries are handled directly by our management team.
Questions about this policy? Contact us at hello@picbooks.co.uk