Kirsty Lloyd ~ May Annella Privacy Policy

Effective Date: 14th August 2025 Last Updated: 4th June 2026 

Website: https://www.mayannella.com/ 

Data Controller: Kirsty Lloyd, trading as May Annella 

Contact: Kirsty@mayannella.com

Mailing Address: Springfield House, Laurel Hill, Stirling, FK7 9JQ

Introduction

Welcome to May Annella. This Privacy Policy explains how I, Kirsty Lloyd, trading as May Annella, collect, use, share and protect your personal information when you visit my website https://www.mayannella.com/ (the “Site”), create an account, make a purchase, sign up to my newsletter or enquire about licensing my artwork.

I am committed to protecting your privacy and handling your data responsibly, transparently, and in full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), the Consumer Rights Act 2015, and the Consumer Contracts Regulations 2013.

1. My Contact Details

Name: Kirsty Lloyd, trading as May Annella 

 Email: Kirsty@mayannella.com

 Website: https://www.mayannella.com/  Mailing Address: Springfield House, Laurel Hill, Stirling, FK7 9JQ

The supervisory authority for data protection in the UK is the Information Commissioner’s Office (ICO). You can contact the ICO at https://www.ico.org.uk or by calling 0303 123 1113.

2. What Personal Data I Collect and Why

2.1 Customers: Physical Products (Limited Edition and Open Edition Art Prints)

When you purchase a physical art print I collect your name, email address, billing address, delivery address, order details and payment confirmation, and any communication you send me about your order.

I use this information to process and fulfil your order, arrange printing and shipping through my fulfilment partner The Print Space, and provide customer support. My lawful basis is contract performance (Article 6(1)(b) UK GDPR).

All physical prints are produced on demand and made specifically to order by The Print Space. When you place an order your name, email address and delivery address are automatically shared with The Print Space and Shippy Pro to enable fulfilment and delivery tracking. You will receive tracking information directly from this service.

2.2 Customers: Digital Products 

When you purchase a digital colour palette I collect your name, email address, billing address, order details and payment confirmation.

Digital products are delivered as instant downloads. My lawful basis is contract performance (Article 6(1)(b) UK GDPR).

Your right to cancel digital products: Under the Consumer Contracts Regulations 2013 you have a 14-day cooling off period on digital purchases. However by completing your purchase and accessing your instant download you expressly acknowledge and agree that the digital content has been delivered and your right to cancel is waived, as permitted by Regulation 37 of the Consumer Contracts Regulations 2013. Your statutory rights under the Consumer Rights Act 2015 regarding satisfactory quality and fitness for purpose remain fully intact.

2.3 Payment Processing

All payments are handled securely by my third party payment processors Stripe, PayPal and Apple Pay. Stripe and PayPal are both certified as PCI Level 1 Service Providers.

I never store your full payment card details on my website. If you choose to save your payment details for future purchases, only a secure token and the last 4 digits of your card are stored by Stripe or PayPal within their own secure systems. Your full card details never touch my website.

Apple Pay transactions are processed securely through Stripe and are subject to both Stripe’s and Apple’s privacy policies.

If you choose to save your payment details for future purchases this is handled entirely by Stripe or PayPal under their own privacy policies and requires your explicit consent at checkout.

2.4 Customer Accounts

If you create an account on my website I collect and store your name, email address, encrypted password, order history, saved preferences and profile avatar image if you choose to upload one.

My lawful basis is contract performance and legitimate interests in providing you with account functionality (Article 6(1)(b) and 6(1)(f) UK GDPR). You can request deletion of your account at any time by contacting me.

2.5 Contact and Enquiry Forms

When you submit a contact or enquiry form I collect your name, email address and the content of your message. I use this solely to respond to your enquiry. My lawful basis is legitimate interests (Article 6(1)(f) UK GDPR).

My forms are protected by Cloudflare Turnstile, a privacy preserving bot protection service that analyses technical signals from your browser to verify you are human. It does not use tracking cookies or collect personal data for advertising purposes.

2.6 Newsletter and Email Marketing

If you sign up to my newsletter via MailPoet I will collect your email address and name. I use this to send you newsletters, updates and occasional marketing communications.

My lawful basis is consent (Article 6(1)(a) UK GDPR and PECR Regulation 22). You can withdraw your consent and unsubscribe at any time by clicking the unsubscribe link in any email or by contacting me directly. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

I have a signed Data Processing Agreement in place with MailPoet (Wysija SARL, a French company). Your subscriber data is stored in my own WordPress database on my Hostinger server. MailPoet’s sending infrastructure uses servers in Germany and Finland (EU). Sending records are retained for 3 months and rendered email content is purged after 30 days.

I also have a signed Data Processing Agreement in place with Automattic, the company behind WordPress and WooCommerce, which governs how they process data as part of platform operation.

2.7 Blog

My website includes a blog containing articles and updates about my work. Blog posts do not have a comments section and no personal data is collected through reading my blog.

2.8 Licensing Enquiries (Business Clients)

My website includes a password protected licensing page for business clients interested in licensing my artwork commercially. When you make a licensing enquiry I collect your name, business name, email address and the details of your enquiry.

As licensing is a business to business service the Consumer Rights Act 2015 and Consumer Contracts Regulations 2013 cooling off provisions do not apply. Licensing arrangements are governed by separate contractual terms agreed between us.

My lawful basis is legitimate interests and contract performance (Article 6(1)(b) and 6(1)(f) UK GDPR).

2.9 Website Analytics and Advertising

I use Independent Analytics, a privacy friendly analytics tool installed on my website. It collects anonymised data about how visitors use my site including pages visited and general traffic patterns. It does not use cookies and does not collect personally identifiable information such as IP addresses. All data is stored locally on my server.

I use Google Merchant Centre and Bing Shopping to promote my products through Google and Microsoft advertising networks. I also have my product catalogue connected to Pinterest and use Pinterest tags to measure catalogue performance and reach relevant audiences. These services use cookies and tracking technologies and are only activated after you have given your explicit consent through my cookie banner.

Product feeds for Google Merchant Centre and Bing Shopping are generated using CTX Feed, a WooCommerce plugin by WebAppick, which processes product data only.

If I add any further analytics or advertising tools in future this policy will be updated and your consent will be managed through my cookie consent banner.

2.10 External Platforms

My website contains links to my social media profiles and to third party marketplaces where my work is also available, including Spoonflower, Creative Market and Patternbank. When you click these links and visit those platforms you leave my website. I am not responsible for the privacy practices of those platforms and recommend you read their own privacy policies. I do not receive any personal data about you from these platforms as a result of clicking those links.

2.11 Visual Data

With your explicit consent I may use photographs of finished products featuring my artwork for promotional purposes on my website or social media. You have the right to withdraw this consent at any time by contacting me directly.

3. How I Share Your Information

I will never sell your personal data. I share it only with the following trusted third party partners where necessary to provide my services:

The Print Space (Printspace Studios Limited) 74 Kingsland Road, London E2 8DL,  info@theprintspace.co.uk

My print fulfilment partner. Your name, email address and delivery address are automatically shared when you place an order for a physical print to enable on demand printing and fulfilment. The Print Space acts as a data processor, processing your data solely for the purpose of fulfilling and delivering your order. They have confirmed in writing that your data is not accessed or used for any other purpose following order processing. Your fulfilment data is stored on Microsoft Azure cloud infrastructure, secured via Azure’s enterprise security infrastructure in accordance with cloud security best practices. The Print Space operates in full compliance with UK GDPR as a data processor. Written confirmation of their data processing practices is held on file. Their privacy policy is available at theprintspace.co.uk.

Shippy Pro (Italian Valley S.r.l.) Piazza Francesca Morvillo 15, Florence, Italy

Used by The Print Space to manage shipping and delivery tracking. Your name, email address and delivery address are processed to enable delivery tracking and notifications. Shippy Pro is an EU company operating under GDPR. Their privacy policy is available at shippypro.com/en/legal/privacy.

Stripe and PayPal Payment processors handling all card and PayPal transactions. Your payment information is transferred securely to them for processing. Neither processor stores full card details on my website servers.

Apple Pay Processed through Stripe and subject to both Stripe’s and Apple’s privacy policies.

MailPoet (Wysija SARL) Email newsletter delivery. Your name and email address are processed through their sending infrastructure in Germany and Finland (EU) to deliver newsletters you have subscribed to. A Data Processing Agreement is in place.

Hostinger My website hosting provider. Your data is stored on Hostinger servers in the UK with backup storage in Germany (EU). Hostinger acts as a data processor under a Data Processing Agreement incorporated into their Terms of Service.

Automattic The company behind WordPress and WooCommerce. Processes limited technical data as part of platform operation. A Data Processing Agreement is in place.

Cloudflare Turnstile Bot and spam protection on my forms. Processes limited technical signals from your browser only. Does not use tracking cookies or collect personal data for advertising.

Google Merchant Centre and Bing Shopping Used to promote my products through Google and Microsoft advertising networks. Only activated after your explicit cookie consent.

CTX Feed (WebAppick) — A WordPress plugin used to generate product data feeds submitted to Google Merchant Centre and Bing Shopping. It processes product information including titles, descriptions, prices and images from my WooCommerce store to create structured feed files. It does not process customer personal data. Their privacy policy is available at webappick.com.

Pinterest I have my product catalogue connected to Pinterest. Pinterest tags may be activated on my website after your explicit cookie consent to measure catalogue performance and reach relevant audiences.

WPForms If you submit a contact form your submission data is stored temporarily in my WordPress database. Form entries are reviewed and manually deleted every six months or when your enquiry is resolved, whichever is sooner.

4. Your Consumer Rights

Physical Art Prints

Under the Consumer Rights Act 2015 and Consumer Contracts Regulations 2013 you have the following rights when purchasing physical art prints:

  • You have a 14 day cooling off period from the day you receive your order during which you may cancel without giving a reason
  • You must notify me of your cancellation within this period by contacting me at Kirsty@mayannella.com
  • As all prints are produced specifically on demand for your order the personalised goods exemption under Regulation 28(1)(b) of the Consumer Contracts Regulations 2013 may apply
  • Where a cancellation right applies you are responsible for the cost of returning the item unless it is faulty or not as described
  • Refunds will be processed within 14 days of receiving the returned item
  • All physical products must be of satisfactory quality, fit for purpose and as described under the Consumer Rights Act 2015

Digital Products

Under Regulation 37 of the Consumer Contracts Regulations 2013 the 14 day cancellation right does not apply to digital content once download has begun, provided you have given your express prior consent and acknowledged that cancellation rights are thereby lost. By completing your purchase and downloading your colour palette you confirm this consent and acknowledgement.

Your rights under the Consumer Rights Act 2015 remain fully intact. Your digital product must be of satisfactory quality, fit for purpose and as described.

5. International Data Transfers

Some of my service providers operate outside the UK. Where your data is transferred internationally I ensure it is protected by appropriate safeguards including:

  • UK adequacy decisions covering transfers to EU and EEA countries including Germany and Finland where MailPoet and Hostinger backup servers are located
  • UK-US Data Bridge covering transfers to US based providers where applicable
  • Standard Contractual Clauses included in Data Processing Agreements with Hostinger, MailPoet and Automattic for any transfers outside the EEA

6. How Long I Retain Your Data

  • Order and transaction data: 6 years plus the current year to comply with UK tax and HMRC requirements
  • Customer account data: for as long as your account remains active. Inactive accounts are deleted after 1 year. Deleted within 30 days of account closure request unless legal retention applies
  • Pending, failed and cancelled orders: 14 days
  • Newsletter subscriber data: for as long as you remain subscribed. Promptly removed on unsubscribe. Subscribers who have not engaged for 12 months are marked inactive and removed from active sending
  • Contact and enquiry form data: reviewed and manually deleted every six months or when your enquiry is resolved, whichever is sooner
  • MailPoet sending records: deleted after 3 months
  • Rendered email content: purged after 30 days
  • Analytics data: anonymised with no personal identifiers, retained for website improvement purposes

7. Cookies and Tracking

My website uses cookies and similar technologies. For full details please see my separate https://www.mayannella.com/cookie-policy/.

My cookie consent is managed through Complianz. Non essential cookies including statistics and marketing cookies are only placed on your device after you have given your explicit consent through my cookie banner.

8. Your Data Protection Rights

Under UK GDPR you have the following rights, all of which you can exercise free of charge by contacting me at Kirsty@mayannella.com:

  • Right to be informed: to know how your data is used, which this policy fulfils
  • Right of access: to request a copy of the personal data I hold about you
  • Right to rectification: to ask me to correct inaccurate or incomplete data
  • Right to erasure: to ask me to delete your data where there is no lawful reason to retain it
  • Right to restrict processing: to ask me to pause processing your data
  • Right to data portability: to receive your data in a structured machine readable format
  • Right to object: to object to processing based on legitimate interests or for direct marketing. For direct marketing I will stop immediately upon receiving your request
  • Right to withdraw consent: where processing is based on consent you can withdraw at any time without affecting the lawfulness of prior processing

I will respond to all requests within one calendar month of receipt.

9. How to Complain

If you have concerns about how I have handled your personal data please contact me first at Kirsty@mayannella.com: so I can try to resolve it.

If you remain unsatisfied you have the right to lodge a complaint with the ICO:

Information Commissioner’s Office: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Helpline: 0303 123 1113 Website: ico.org.uk/make a complaint

10. Updates to This Policy

I review this Privacy Policy periodically and will post any updates on this page with a revised effective date. I recommend checking this page occasionally to stay informed.

This policy is written in accordance with the UK GDPR (as incorporated by the European Union (Withdrawal) Act 2018), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), the Consumer Rights Act 2015, the Consumer Contracts Regulations 2013, and the Data (Use and Access) Act 2025.

Still Have Questions?

Don’t hesitate to reach out! I’m here to help you bring your vision to life.

Get in Touch