Legal

Privacy Policy

How Shieldwright collects, uses, and protects your personal information.

Last updated: 9 March 2026

1 Who I Am

Shieldwright is an independent artisan workshop crafting handmade decorative shields, wall pieces, and heraldic art. I operate the website at shieldwright.eu and am responsible for the personal data you provide to me.

For the purposes of EU data protection law, I (Shieldwright) act as the data controller. My contact details are set out in Section 13 below.

2 Information I Collect

I collect personal data that you provide directly to me, data I receive from third parties, and data that is generated automatically when you use my website.

Information you give me

  • Name, email address, phone number, and delivery/billing address when you place an order.
  • Payment details such as card number and billing address — these are processed securely by my payment provider and never stored by me.
  • Account credentials if you create an account on my website.
  • Messages or enquiries you send me via my contact form or by email.
  • Your email address if you subscribe to my newsletter.
  • Personal preferences, heraldic details, or customisation notes you include when commissioning a bespoke shield or piece.

Information I receive from third parties

  • Order and payment confirmation data from my payment processors (Stripe, PayPal).
  • Delivery status updates from my shipping partners.
  • If you connect a social media account (e.g. to log in via Google), basic profile data shared by that platform.

Information collected automatically

  • IP address, browser type, operating system, and device information.
  • Pages visited, time on site, referring URLs, and clickstream data.
  • Cookie identifiers — see Section 10 and my Cookies Policy for full details.

3 How I Use Your Information

I use your personal data for the following purposes:

Fulfilling your orders

  • Processing and confirming purchases, taking payment, and arranging delivery.
  • Sending order confirmation, dispatch, and delivery notification emails.
  • Handling returns, refunds, and any post-purchase queries.

Customer support

  • Responding to questions, complaints, or requests you send me.
  • Keeping a record of our correspondence for quality and compliance purposes.

Marketing & communications

  • Sending my newsletter and promotional emails, where you have opted in.
  • Personalising on-site content and recommendations based on your browsing history.
  • Running targeted advertising campaigns on social media platforms and Google, where you have consented to analytics cookies.

Improving my service

  • Analysing website usage to improve navigation, performance, and content.
  • Understanding purchasing trends to inform my range of shield designs and commissions.

Legal & security obligations

  • Detecting and preventing fraud, unauthorised access, and other illegal activities.
  • Complying with applicable laws, regulations, and court orders.
  • Enforcing my Terms & Conditions and other agreements.

5 Sharing Your Information

I do not sell, rent, or trade your personal data. I share it only where necessary to operate my business:

Service providers

  • Payment processors (Stripe, PayPal) — to securely handle transaction authorisation and fraud screening.
  • Shipping & fulfilment partners — your name and delivery address are shared with couriers (e.g. DPD, DHL) to dispatch your order.
  • Email service providers — to send transactional emails and newsletters on my behalf.
  • Analytics providers (e.g. Google Analytics) — anonymised usage data to help me understand site performance.
  • IT & hosting providers — to maintain and host my website securely.

Legal requirements

I may disclose your data to law enforcement, regulators, or courts when required by law or to protect my rights and the safety of others.

Business transfers

If Shieldwright is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. I will notify you before your data is transferred and becomes subject to a different privacy policy.

Commission & Custom Orders

For bespoke shield commissions, I may retain design briefs, heraldic specifications, and correspondence for the duration of the commission and up to 3 years afterwards, to assist with future orders or queries.

Data Processor Agreements

All third-party service providers who process personal data on my behalf are bound by data processing agreements and are required to keep your data secure and to use it only for the purposes I specify.

6 International Transfers

Some of my service providers are based outside the European Economic Area (EEA). When I transfer personal data to countries that do not have equivalent data protection laws, I ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO.
  • Transfers to countries recognised by the UK or EU as providing an adequate level of data protection.
  • Binding corporate rules where applicable.

You may request a copy of the safeguards I rely upon for any specific transfer by contacting me using the details in Section 13.

7 Data Retention

I retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. My standard retention periods are:

  • Order and transaction records — 7 years, to comply with tax and accounting obligations.
  • Customer account data — for the duration your account is active and for up to 3 years after your last interaction with me.
  • Marketing preferences and email lists — until you withdraw consent or unsubscribe, whichever is earlier.
  • Customer support correspondence — 3 years from the date of your last contact.
  • Website analytics data — up to 26 months in anonymised or aggregated form.

When your data is no longer required, it is securely deleted or anonymised so that it can no longer be linked to you.

8 Your Rights

Under the EU GDPR you have the following rights in relation to your personal data. You can exercise any of these at any time by contacting me.

Right of Access

Request a copy of the personal data I hold about you (a Subject Access Request).

Right to Rectification

Ask me to correct inaccurate or incomplete personal data I hold about you.

Right to Erasure

Request that I delete your personal data, subject to certain legal exceptions.

Right to Restriction

Ask me to restrict how I use your data in certain circumstances.

Right to Portability

Receive your data in a structured, machine-readable format and transfer it to another controller.

Right to Object

Object to me processing your data for direct marketing or on grounds of legitimate interests.

I aim to respond to all requests within one calendar month. I will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.

Right to Lodge a Complaint

If you believe I have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority. In Poland, this is the Office for Personal Data Protection (UODO) at uodo.gov.pl. If you are based in the UK, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.

9 Security

I take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it from unauthorised access, disclosure, alteration, or destruction. These include:

  • SSL/TLS encryption for all data transmitted between your browser and my website.
  • Payment card data is never stored on my servers — all card processing is handled directly by PCI-DSS compliant payment providers.
  • Access to systems containing personal data is restricted to authorised personnel only, using role-based access controls.
  • Regular security reviews and software updates to address vulnerabilities.

While I take all reasonable steps to protect your data, no method of transmission over the internet is completely secure. If you suspect any unauthorised access to your account, please contact me immediately.

10 Cookies

My website uses cookies and similar tracking technologies to improve functionality, analyse site traffic, and support my marketing. A cookie is a small text file stored on your device.

I obtain your consent before placing any non-essential cookies. You can manage your cookie preferences at any time via my cookie consent banner or the “Cookie Settings” link in the footer.

For full details of the cookies I use — including their type, purpose, and duration — please read my dedicated Cookies Policy.

11 Children's Privacy

My website and services are not directed at children under the age of 16. I do not knowingly collect personal data from children. If you believe a child has provided me with personal data without appropriate consent, please contact me and I will delete that data promptly.

12 Changes to This Policy

I may update this Privacy Policy from time to time to reflect changes in my practices, technology, or legal requirements. When I make changes, I will revise the “last updated” date at the top of this page. Where changes are material, I will notify you by email or by displaying a prominent notice on the website.

I encourage you to review this policy periodically to stay informed about how I protect your information.

13 Contact Me

If you have any questions, concerns, or requests regarding this Privacy Policy or the way I handle your personal data, please contact me:

I will always aim to respond within 30 days. For complex requests I may need additional time, in which case I will let you know and explain the reason for the delay.