Legal
Privacy Policy
This Privacy Policy explains how Hero Frame (βweβ, βusβ, βourβ) collects, uses, shares and protects personal data when you visit heroframe.co or place an order. We are the data controller for your personal data and we comply with the UK GDPR and the Data Protection Act 2018.
Last updated: 19 May 2026
1. Who we are
Hero Frame is a UK-based studio designing and producing personalised framed artwork. For any privacy question or to exercise your rights, contact hello@heroframe.co.
2. What data we collect
- Identity & contact: name, billing/shipping address, email, phone number.
- Order data: products purchased, price, customisation choices (sport, team, names, dates, occasion), order status.
- Content you upload: reference photos, names and inscriptions you provide for personalisation, and AI-generated previews based on them.
- Account data: email, hashed password, wishlist, saved designs.
- Payment data: processed directly by Shopify Payments, Klarna, Apple Pay, Google Pay and other PCI-DSS compliant processors. We never see or store full card numbers.
- Technical data: IP address, device, browser, pages viewed, referrer, cookies and similar identifiers (see our Cookie Policy).
- Communications: emails, live-chat messages, reviews and survey responses.
3. How and why we use it (lawful bases)
- To fulfil your order β process payment, create the artwork, arrange production and delivery. Lawful basis: contract.
- To provide customer support and handle returns, refunds and complaints. Lawful basis: contract and legal obligation.
- To run and secure our website, prevent fraud and abuse, and maintain backups. Lawful basis: legitimate interests.
- To send marketing emails about new releases, offers and inspiration. Lawful basis: consent (you can unsubscribe in every email).
- To improve products and the site using analytics. Lawful basis: consent for non-essential cookies.
- To comply with law β tax records, accounting, responding to lawful requests. Lawful basis: legal obligation.
4. AI previews and uploaded photos
When you upload a reference photo or describe a person, our preview tool may send the image and your prompt to AI providers (such as Google and OpenAI via the Lovable AI Gateway) to generate a draft of your artwork. We use these images only to create your preview and produce your order. We do not sell them, do not use them to train third-party models, and delete uploads associated with abandoned drafts within 90 days. Completed-order artwork is retained as part of your order record.
5. Who we share data with
We only share what is necessary, under written contracts that require equivalent protection:
- Shopify β e-commerce platform and checkout.
- Printful and our framing partners β to produce and ship your order.
- Payment processors β Shopify Payments, Klarna, PayPal, Apple Pay, Google Pay.
- Couriers β Royal Mail, DPD, Evri or equivalent, for delivery.
- Supabase / Lovable Cloud β secure database and file storage.
- AI providers β Google Gemini, OpenAI (via Lovable AI Gateway) for preview generation.
- Email & analytics β transactional and (with consent) marketing email, plus privacy-respecting analytics.
- Professional advisers and authorities where required by law.
We never sell your personal data.
6. International transfers
Some providers are based outside the UK (e.g. in the EEA or the United States). Where we transfer data internationally we rely on UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, together with additional safeguards where appropriate.
7. How long we keep it
- Order and tax records: 6 years after the end of the tax year (UK HMRC requirement).
- Account data: until you delete your account, then deleted within 30 days (subject to legal retention).
- Marketing data: until you unsubscribe, then deleted from active lists within 30 days.
- Abandoned design uploads: up to 90 days.
- Support correspondence: up to 3 years.
8. Your rights
Under UK GDPR you have the right to: access your data; have it corrected or erased; restrict or object to processing; data portability; and withdraw consent at any time. To exercise any right, email hello@heroframe.co. We will respond within one month. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk, 0303 123 1113).
9. Security
We use HTTPS everywhere, encrypted storage, role-based access controls, and trusted hosting providers. No system is 100% secure β if we ever discover a personal data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and you without undue delay where required.
10. Children
Our site is intended for adults aged 18+. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.
11. Changes
We may update this policy from time to time. The "Last updated" date above shows when. Material changes will be highlighted on this page or by email.
