Privacy Policy
Last updated: 18 May 2026
Who We Are
This website is operated by Nadia Poe, a sole trader based in London, United Kingdom.
- Data controller: Nadia Poe
- Email: [email protected]
- Website: nadiapoe.co.uk
This policy explains how we collect, use, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
What Data We Collect
When you place an order
- Full name
- Email address
- Delivery address
- Phone number (if provided)
We do not collect or store your payment card details. All payments are processed securely by Stripe, our payment provider.
When you use the contact form
- Name
- Email address
- Your message
When you sign up to our newsletter
- Email address
When you browse the website
We use Cloudflare Web Analytics, which is cookieless and does not collect any personal data. It records aggregate page views and performance metrics only — no individual visitors are identified or tracked.
How We Use Your Data
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email, address (orders) | To fulfil your order, send confirmation and shipping emails, and handle any returns or queries | Contract — necessary to perform our contract with you |
| Email (contact form) | To respond to your enquiry | Legitimate interest — you have contacted us and expect a reply |
| Email (newsletter) | To send updates about new paintings, prints, and events | Consent — you actively opted in. You can unsubscribe at any time |
| Aggregate analytics | To understand how the website is used and improve it | Legitimate interest — no personal data is collected |
Who We Share Your Data With
We share your data only with the following third-party services, solely to fulfil our obligations to you:
| Service | Purpose | Their privacy policy |
|---|---|---|
| Stripe | Payment processing | stripe.com/gb/privacy |
| Resend | Order confirmation and shipping emails | resend.com/legal/privacy-policy |
| Royal Mail | Parcel delivery (name and address on the label) | royalmail.com/privacy-notice |
| Cloudflare | Website hosting and cookieless analytics | cloudflare.com/privacypolicy |
We do not sell, rent, or share your personal data with any other third parties for marketing purposes.
International Data Transfers
Some of our third-party service providers (Stripe, Resend, Cloudflare) are based in the United States. Where your data is transferred outside the United Kingdom, it is protected by appropriate safeguards including the UK Extension to the EU-US Data Privacy Framework and Standard Contractual Clauses approved by the UK government.
Cookies
Nadia Poe does not set any cookies on your device. We do not use cookies for tracking, advertising, or analytics — our analytics provider (Cloudflare Web Analytics) is entirely cookieless, and essential functional data (such as your shopping basket and your list of liked paintings) is stored in your browser’s local storage and never sent to a third party.
This local storage is used solely to provide the features you interact with:
- Shopping Basket: Remembers which items you have added to your basket as you browse.
- Liked Paintings: Remembers which paintings you have “liked” so they appear in your favourites list.
- Region Preference: Remembers your selected region so prices display in your local currency.
This storage is strictly necessary to provide the services you have requested and is exempt from consent requirements under PECR regulation 6(4). No personal data is stored or tracked.
The site is served through Cloudflare, our hosting and security provider. To protect the site from bots and abuse, Cloudflare’s network sets a small number of strictly-necessary cookies at the edge before requests reach us:
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
| __cf_bm | Cloudflare | Bot management — distinguishes humans from automated traffic | 30 minutes |
| cf_clearance | Cloudflare | Records that a visitor has passed a security challenge | 30 days |
| __cfruid / _cfuvid | Cloudflare | Rate-limiting and load balancing | Session |
These cookies are set by Cloudflare’s infrastructure, not by Nadia Poe. They contain no personally identifiable information, are not used for tracking or profiling, and are exempt from consent requirements under PECR regulation 6(4) as they are strictly necessary to deliver a secure website. For more information, see Cloudflare’s cookie documentation.
How Long We Keep Your Data
| Data | Retention period | Reason |
|---|---|---|
| Order data (name, email, address) | 6 years from date of order | HMRC requires financial records to be kept for at least 6 years |
| Contact form messages | 12 months | To handle follow-up queries |
| Newsletter email addresses | Until you unsubscribe | We delete your email promptly after you unsubscribe |
Your Rights
Under UK GDPR, you have the right to:
- Access your personal data — request a copy of what we hold
- Rectify inaccurate data — ask us to correct any errors
- Erase your data — ask us to delete it (subject to legal retention requirements)
- Restrict processing — ask us to limit how we use your data
- Object to processing based on legitimate interest
- Data portability — receive your data in a machine-readable format
- Withdraw consent at any time (e.g. unsubscribe from the newsletter)
To exercise any of these rights, use our contact form. We will respond within one month.
Children’s Privacy
This website is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
Changes to This Policy
We may update this policy from time to time. The updated version will be posted on this page with a revised date.
Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns directly first — please use our contact form.