Privacy Policy

Before we get into the details

We did not start this business to write privacy policies. We started it because we believe in beautiful, handmade things and the people who spend their lives making them. But when you shop with us, you share personal information, and you deserve a clear, honest account of what we do with it.

This document covers everything — what we collect, why we need it, who we share it with, how long we keep it, and what choices you have over it at any point. We have written it in plain language because a policy nobody reads does not protect anyone.

Our store ships to customers across the world, which means we operate with multiple data protection frameworks in mind. These include the General Data Protection Regulation in the European Union, the UK GDPR, the California Consumer Privacy Act, Canada's PIPEDA, Australia's Privacy Act 1988, and other national data protection laws in the countries we serve. Wherever you are shopping from, this policy is written with your rights in mind.

Who we are and how you can reach us

We are a handicraft products business that sells authentic, handmade goods crafted by skilled artisans from communities around the world. Throughout this policy, the words we, us, and our refer to our business and the team that runs it. The word you refers to you — the person visiting our site, browsing our collections, or placing an order.

Our registered business address is https://handicraftstudio.com/. You can reach our privacy team directly at support@handicraftstudio.com, and we respond to every message personally — not through an automated system. For formal data requests, we commit to acknowledging receipt within 72 hours and providing a full response within 30 calendar days, as required under applicable data protection frameworks.

Note: If you are based in the EU or UK and feel your rights have not been respected, you have the right to contact your national data protection supervisory authority directly. We would always prefer to resolve things with you first, but that route is always open to you.

What personal information we collect from you

When you browse without buying anything

Even a casual visit to our website results in some automatic data collection. This includes your IP address, the device and browser you are using, the pages you view, how long you spend on each, and the links you click. We collect this to understand how our website performs and where it could be improved for future visitors.

When you place an order

To fulfil your purchase and get a handcrafted item to your door, we need your full name, delivery address, email address, and phone number. Payment information is processed entirely by our third-party payment gateway, which means your card details never pass through our servers and are never stored anywhere we control.

When you register for an account

If you choose to create an account, we store your name, email address, encrypted password, and order history. Registering is entirely optional — you can complete a purchase as a guest without creating an account, and we treat guest shoppers with exactly the same care and respect.

When you reach out to us

Messages sent through our contact form, via email, or through social media are stored so we can reply properly and keep track of any ongoing conversation. We do not use the content of these messages for any purpose other than responding to you and resolving your query.

When you subscribe to updates

Signing up for our newsletter requires only your name and email address. We add people to our mailing list only when they actively opt in — there are no pre-ticked boxes on our site. If you later unsubscribe, we act on that within 48 hours and retain a note of your preference to make sure you are never accidentally re-added.

Why we hold this information and what we use it for

We collect information for specific, stated purposes and we do not repurpose it without informing you first. Below is a straightforward account of what we do with your data and why.

To complete and deliver your order

Your name, shipping address, and contact details are the bare minimum we need to get a handcrafted piece from an artisan's workshop to your front door. Without this information, a purchase simply cannot be completed.

To keep you informed about your purchase

Order confirmations, dispatch notifications, and delivery updates are sent to the email address you provide at checkout. These are transactional communications — not marketing — and they are sent regardless of whether you have opted into our newsletter.

To resolve problems if they arise

If something arrives damaged, goes missing, or does not match what you ordered, we need to be able to contact you. Your details make it possible to put things right quickly and without unnecessary back-and-forth.

To make our website better

Anonymised browsing data helps us understand which pages attract the most interest, where visitors seem to get stuck, and what could be written more clearly. No individual is identified in this kind of analysis — it is purely about patterns across the site as a whole.

To send you news and updates, if you have asked for them

Customers who have opted in receive occasional emails about new collections, artisan stories, and seasonal promotions. Every such email has a clear and functional unsubscribe link at the bottom.

To meet our obligations under applicable regulations

Tax and accounting regulations in our jurisdiction require us to retain certain financial records for a set period. We hold only what is necessary, for only as long as required, and nothing beyond that.

Our grounds for processing your personal data

If you are based in the European Economic Area or the United Kingdom, data protection frameworks require us to identify a specific basis for every type of processing we carry out. This section sets that out plainly. Even for customers outside these regions, this reflects our approach to data processing across the board.

Contractual necessity

We process your name, address, and contact details when you place an order because it is genuinely necessary to fulfil the purchase you have made. Without this processing, we cannot complete our side of the transaction.

Your consent

Marketing emails are sent, and non-essential cookies are placed, only when you have given explicit consent. That consent can be withdrawn at any time and we will act on it immediately.

Our legitimate interests

We process anonymised website analytics and retain records of customer correspondence under our legitimate interest in running a properly functioning, accountable business. We carry out a genuine assessment to ensure our interests are proportionate and do not override your rights.

Compliance with applicable regulations

Certain records must be kept to meet tax, anti-fraud, and consumer protection requirements. We retain this data only for as long as the relevant obligation demands, and we delete it once that period expires.

Cookies and how we use them on our site

Cookies are small text files that websites place on your device. They do different jobs depending on the type, and we want you to understand exactly which ones we use and why.

Strictly necessary cookies

These keep your shopping cart intact while you browse, maintain your session, and secure your connection to the site. Without them, the website cannot function at all. They do not require your consent because they are genuinely necessary for the service to work.

Preference cookies

These remember things like your preferred currency or language so you do not have to reset them every time you visit. They improve the convenience of repeat visits but are not essential to core functionality.

Analytics cookies

Services such as Google Analytics place cookies that count visits, record which pages are viewed, and identify patterns in how people move through the site. All data from these cookies is aggregated and anonymised — it tells us about groups of visitors, never about individuals.

Marketing cookies

These measure the effectiveness of any advertising we run and help us understand whether campaigns are reaching the right audiences. They are placed only if you actively accept them through our cookie consent panel on your first visit.

Cookie preferences can be updated at any time through the settings panel on our site. You can also clear or block cookies through your own browser settings, though doing so may affect how some parts of the website function.

Who else we share your information with

We do not sell your personal data. We do not trade it, rent it out, or hand it to anyone for their own marketing or commercial purposes. When we do share information, it is limited, purposeful, and only with parties who are bound to handle it properly.

Delivery and logistics partners

Your name and shipping address are passed to the courier or logistics service handling your delivery. They are permitted to use this information only for the purpose of completing that specific delivery.

Payment processing providers

All payment data goes directly to our payment gateway. We do not receive or store your full card number at any point. The payment provider is responsible for securing your financial information and is independently certified to do so.

Email and communication platforms

Your name and email address are stored with the platform we use to send newsletters, if you have opted in. This provider processes your data strictly on our instructions and for no other purpose.

Analytics services

Aggregated, anonymised traffic data goes to the analytics platform we use to study site performance. No personally identifying information is included in these transfers.

Regulatory authorities, when formally required

If we receive a formally documented, lawful request from a government body or regulatory authority under the applicable national framework, we may be required to share certain records. We scrutinise every such request and inform you wherever we are permitted to do so before complying.

Moving your data across international borders

Because we sell to customers in many countries and work with service providers based in different regions, personal data sometimes crosses international borders. We want to be transparent about how that happens and what protections are in place.

For customers in the European Economic Area and the United Kingdom, transfers to countries that the European Commission has not recognised as providing adequate data protection must be underpinned by approved safeguards. In practice, we rely primarily on standard contractual clauses — contractual commitments between the parties involved that create binding data protection obligations on both sides.

Customers in countries with specific data localisation or transfer notification requirements are welcome to write to us about their particular situation. We will answer honestly about how their data moves and what protections apply, and we will point them toward the relevant national authority if our knowledge falls short.

Note: If you would like to see the specific transfer mechanisms we have in place for a particular service provider or region, contact us and we will share that documentation in plain terms.

How long we hold your personal data

We keep information only for as long as we have a genuine, documented reason to hold it. When that reason expires, we delete it.

Order data

Your name, delivery address, and purchase history are retained for up to seven years. This is required by tax and accounting regulations in most of the jurisdictions where we operate, and it is not something we have discretion over.

Account data

If you hold a registered account, your information stays with us while it remains active. Accounts that have not been used for three consecutive years will receive an email from us asking whether the account should be kept or deleted. If we receive no response, we will close the account and remove the data.

Marketing and newsletter data

Your email address remains on our mailing list until you unsubscribe. Once you do, we remove you within 48 hours and keep only a minimal record of that opt-out status to prevent you from being accidentally re-added in the future.

Customer correspondence

Messages and enquiries are stored for up to two years, after which they are deleted. Where a message relates to an ongoing dispute, an open complaint, or an order under investigation, we retain it until the matter is fully resolved.

How we protect the information we hold

We take the security of your information seriously and have put in place practical, proportionate measures to protect it. These are not box-ticking exercises — they are things we actively maintain and review.

Every page of our website runs over HTTPS, which means data moving between your browser and our servers is encrypted throughout. Access to customer data within our team is restricted to staff members who need it to carry out a specific job — our fulfilment team, customer service agents, and our accountant are examples of who might need access and why.

Our hosting infrastructure is provided by services that hold recognised industry security certifications, and we review these providers periodically. We do not stay with a service we no longer trust.

We will never contact you by email asking for your password. We will never send a link directing you to enter sensitive information on a page outside of our standard, secure sign-in page. Any message claiming to be from us that asks for this should be treated with caution, and we would ask you to let us know if you receive one.

In the event of a data breach that affects your personal information in a meaningful way, we will inform you without unnecessary delay. We will explain what happened, what data was affected, and the steps we have taken to contain the situation.

Your rights over your personal data

These rights are real and exercising them is straightforward. Write to us at support@handicraftstudio.com and we will handle your request promptly and without unnecessary friction.

The right to see what we hold about you

You can request a complete copy of your personal data, free of charge. We will provide it within 30 calendar days of receiving your request.

The right to correct information that is wrong

If your name is misspelled, your address is outdated, or any other detail is incorrect, just tell us and we will update it. No formal process is required — a simple message is enough.

The right to have your data deleted

You can ask us to erase your personal information, and we will do so wherever we are not required to retain it under applicable data retention regulations. Where certain records must be kept, we will explain clearly what cannot be deleted and why.

The right to restrict how we process your data

If you believe we are using your information in a way that is not appropriate, you can ask us to pause that processing while we look into the matter together.

The right to object to processing

Where we are relying on our legitimate interests as the basis for processing your data, you can raise an objection. We will take it seriously and respond with a genuine explanation of how we have weighed the competing considerations.

The right to take your data elsewhere

For information you have directly provided to us, you can ask us to send it in a structured, machine-readable format so you can port it to another service if you choose.

The right to withdraw consent

Where we are processing your data based on consent — such as sending marketing emails — you can pull that consent back at any moment. We will stop the relevant processing immediately and without question.

For customers in California

The California Consumer Privacy Act gives you the right to know whether we sell personal data — we do not. You also have the right to request deletion, to opt out of any sale, and to receive equal service whether or not you choose to exercise your privacy rights. All of these rights apply in full.

For customers in the EU and UK

If you feel your rights under the GDPR or UK GDPR have not been respected, you have the right to file a complaint with your national supervisory authority. In the UK, that is the Information Commissioner's Office. We would always prefer to sort things out with you directly first, but this route is always available to you.

For customers in Canada, Australia, and elsewhere

Customers in Canada have rights under the Personal Information Protection and Electronic Documents Act. Customers in Australia are protected under the Privacy Act 1988. Customers across Southeast Asia, the Middle East, and other regions have rights under their respective national frameworks. We extend the same care to all customers regardless of jurisdiction.

Children and our website

Our website is intended for adults. We do not knowingly collect or hold personal information from anyone under the age of 16, and our products are not marketed toward children.

If you are a parent or guardian and you have reason to believe that a child has submitted personal details to us, please contact us straight away. We will delete the information concerned as quickly as possible once we have verified the situation, and we will confirm once it has been done.

Links to websites outside our own

Our product pages and blog sometimes include links to artisan community websites, social media profiles, and organisations we admire or work with. We include these links in good faith, but once you navigate away from our site, we have no control over how those external pages handle your information.

Each external website operates under its own privacy terms, and we recommend reading those before sharing any personal information there. If a link on our site takes you somewhere that feels wrong or unexpected, please let us know.

How and when we update this policy

We review this privacy policy at least once every twelve months and update it whenever we make a meaningful change — whether that involves adopting a new service provider, adjusting our retention periods, or responding to changes in the data protection frameworks that apply to our customers.

When we make a significant update, we notify registered account holders by email. Visitors without accounts will see a clear notice displayed on the website. The effective date shown at the top of this page always reflects the most recent revision.

Continuing to use our website after a policy change has been made and notified constitutes acceptance of the revised terms. If anything in a future update does not sit right with you, we welcome the conversation — please write to us before taking any other step.

How to contact us with privacy questions

Privacy policies can sometimes raise as many questions as they answer, and we genuinely want to hear from you if something here is unclear or feels incomplete. Write to us at support@handicraftstudio.com and you will get a real reply from a real person.

For formal requests to access, correct, or delete personal data, we will acknowledge your message within 72 hours and provide a complete response within 30 calendar days. We aim to be faster than that, but this is the commitment we can make with confidence.

If you feel that we have not handled your information correctly and a direct conversation with us has not resolved the matter, you are entitled to contact the data protection authority in your country. We will cooperate fully with any such process and will never take steps to discourage you from pursuing that route.

Note: This policy was written to be read, not just stored on a page. If anything here feels overly complicated, technically unclear, or just hard to follow, tell us and we will explain it differently. That offer stands any time.