Privacy Policy
Last updated: 5 May 2026
This Privacy Policy explains how [LEGAL_ENTITY] ("Dear Milo", "we", "us", "our") collects, uses, stores, and protects your personal information when you use dearmiloshop.com (the "Site") or buy our products. We are the data controller for the personal information described in this policy.
Identity and contact details
- Registered name: [LEGAL_ENTITY]
- Company number: [COMPANY_NUMBER]
- Registered address: [REGISTERED_ADDRESS]
- ICO registration number: [ICO_REGISTRATION_NUMBER]
- Privacy contact: support.dearmilo@gmail.com
If you live in the UK or EU, this policy meets our obligations under the UK GDPR, the Data Protection Act 2018, and the EU GDPR. If you live in California, see "Notice for California Residents" below.
What we collect and why
- Identity and contact data (name, email, billing and shipping address) — to fulfil your order and send confirmations. Lawful basis: performance of a contract (Article 6(1)(b) UK GDPR).
- Order details (items, customisation, pet name) — to produce your custom product. Lawful basis: contract.
- Pet photos (images you upload) — to generate your AI preview and produce the embroidery design. Lawful basis: contract.
- Payment information (card last 4 digits, transaction ID) — to process payment. We never see or store full card numbers; Stripe handles this. Lawful basis: contract / legal obligation.
- Account information (email, hashed password, order history) — if you create an account. Lawful basis: contract / consent.
- Marketing preferences — only if you opt in. Lawful basis: consent (Article 6(1)(a) UK GDPR).
- Technical data (IP address, browser, device, cookies) — security, fraud prevention, analytics (with consent). Lawful basis: legitimate interest / consent.
- Communications (emails, support) — to respond to you. Lawful basis: legitimate interest.
We do not collect special category data. Please don't include any in messages or photos.
Pet photos and AI processing
When you upload a photo, it is sent to Google's Gemini API (Google Ireland Limited / Google LLC) to generate your embroidery preview, and stored in Supabase (EU-hosted). Once your order is fulfilled, we keep the photo for 90 days in case you reorder or query the order. You can request earlier deletion.
We do not use your pet photos to train any AI model.
If you opt into UGC marketing use (separate optional checkbox at checkout), we may store and use your photos for promotional content. You can withdraw this at any time.
Who we share your data with
We share data only with vetted service providers. Each provides UK GDPR-compliant Standard Contractual Clauses (SCCs).
- Stripe — payment processing (UK, EU, US). PCI-DSS Level 1.
- Supabase — database, auth, file storage (EU — Frankfurt).
- Google / Gemini API — AI preview generation (EU and US).
- Printful — order fulfilment and shipping (US and EU).
- Vercel — website hosting (US with EU edge).
- TikTok / Meta / Google Ads — advertising, only with your marketing consent.
We do not sell your data.
How long we keep your data
- Order records: 6 years (required by HMRC).
- Pet photos: 90 days after order fulfilment.
- Account data: while your account is active, plus 2 years of inactivity.
- Cookie consent records: 12 months.
Your rights
Under UK and EU GDPR you have the right to access, rectify, erase, or port your data, to restrict or object to its processing, to withdraw consent, and to lodge a complaint with the ICO (ico.org.uk). Email support.dearmilo@gmail.com to exercise any of these. We respond within 30 days.
Marketing & UGC consent
You will only receive marketing emails if you tick the opt-in box at checkout, which is unticked by default. You can unsubscribe in one click from any email.
The optional UGC opt-in grants us a non-exclusive, royalty-free licence to use your pet photo and embroidery image in marketing. You can withdraw this at any time by emailing us; we'll remove the content from new uses within 30 days.
Security
We protect your data with HTTPS/TLS 1.3 encryption in transit, encryption at rest, hashed passwords (Argon2 via Supabase Auth), Row Level Security on our database, webhook signature verification on payment events, and rate limiting on sensitive endpoints.
Children
Dear Milo is not directed at children under 16. If you believe a child has given us their data, email us and we'll delete it.
Notice for California Residents (CCPA / CPRA)
We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising unless you've consented through our cookie banner. You have the right to know, delete, correct, and limit use of sensitive personal information. Email support.dearmilo@gmail.com to exercise these rights.
Contact
support.dearmilo@gmail.com
You can also complain to the ICO at ico.org.uk or 0303 123 1113.