GDPR - Instructions for Use
Document type: Information Notice under Articles 12–14 of Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).
This Notice explains how personal data are processed when you browse, contact, or purchase from Canvartin, including posters, canvases, and papercraft products (including personalized orders).
Website: https://canvartin.com/
1) Legal framework (official links)
- GDPR – Regulation (EU) 2016/679 (official text, EUR-Lex): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- EU Standard Contractual Clauses (SCCs) – Commission Implementing Decision (EU) 2021/914 (EUR-Lex): https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
- European Data Protection Board (EDPB) – guidance: https://edpb.europa.eu/
- Spanish Supervisory Authority (AEPD): https://www.aepd.es/
2) Controller identification
The data controller within the meaning of GDPR Article 4(7) is Nadezhda Khusainova, established in Spain.
The controller’s postal address, email, and phone/WhatsApp are provided in the Contact and complaints section to avoid repetition while keeping this Notice readable.
3) Scope and roles
3.1 Who this Notice applies to
- Visitors to the Canvartin website.
- Customers purchasing posters, canvases, or papercraft products.
- Individuals requesting personalisation (custom text/images).
- Individuals contacting customer support (order questions, returns, complaints).
- Recipients of service messages necessary to perform a contract (order confirmation, shipping updates).
3.2 Controller vs. other controllers
- If you buy through a third-party platform (e.g., marketplace), that platform typically acts as an independent controller for its own purposes. The controller receives only the information needed to fulfil the order and provide support.
- Payment providers and carriers may act as controllers for certain processing required by law and to run their services. Where they act as processors, processing is governed by GDPR Article 28.
3.3 No unrelated processing
Personal data are processed only for defined purposes described in this Notice, aligned with GDPR Article 5(1)(b) (purpose limitation) and Article 5(1)(c) (data minimisation).
4) GDPR principles applied
Processing is organised to comply with GDPR Article 5(1) principles:
- Lawfulness, fairness, transparency (Article 5(1)(a)) – clear information and valid legal bases.
- Purpose limitation (Article 5(1)(b)) – no incompatible uses.
- Data minimisation (Article 5(1)(c)) – only data needed for orders, delivery, personalisation, and support.
- Accuracy (Article 5(1)(d)) – reasonable steps to keep data correct.
- Storage limitation (Article 5(1)(e)) – retention tied to purpose and legal duties.
- Integrity and confidentiality (Article 5(1)(f)) – security measures under Article 32.
- Accountability (Article 5(2)) – documented compliance steps where required.
5) Personal data categories
5.1 Identification and contact data
- Name and surname.
- Email address.
- Phone number (including WhatsApp if used for support).
- Delivery address and billing address.
- Country/region (for shipping, VAT, and customer support context).
5.2 Order and transaction data
- Order number, order date, purchased items (posters, canvases, papercraft kits), quantity, price, currency.
- Shipping method, tracking reference (if available), delivery status, delivery exceptions.
- Invoice/receipt details (as required for accounting and tax compliance).
- Refund/return references and outcome.
5.3 Communications and support data
- Messages you send (email/WhatsApp), including attachments you choose to provide.
- Information needed to resolve requests (e.g., delivery issue description, damage claims, missing items).
- Complaint and dispute records, including correspondence and resolution steps.
5.4 Personalisation content (custom data)
- Custom text (names, dates, short messages) to be printed or included in a design.
- Images you upload or provide for printing (e.g., photos, artworks), where applicable.
- Design choices you select (size, layout, colour options), where applicable.
5.5 Data not intentionally collected
The controller does not request or require special categories of personal data under GDPR Article 9. If you voluntarily include such data in personalisation content or messages, it will be processed only to the extent strictly necessary to fulfil your request and respond to you.
6) Processing by product line: Posters / Canvases / Papercraft
6.1 Posters (non-personalised)
For standard posters, processing is limited to what is needed to accept the order, produce/pack the poster, and ship it.
- Typical data used: identity and contact data; delivery address; order details; payment confirmation; customer service communications.
- Typical purpose: order fulfilment, delivery, after-sales support.
- Primary legal basis: contract performance (GDPR Article 6(1)(b)).
6.2 Canvases (non-personalised)
For standard canvases, processing is limited to what is needed to fulfil the purchase contract, ship the product, and manage after-sales requests.
- Typical data used: identity and contact data; delivery address; order details; payment confirmation; customer service communications.
- Typical purpose: production coordination (if applicable), packaging, shipping, returns handling.
- Primary legal basis: contract performance (GDPR Article 6(1)(b)).
6.3 Papercraft products (kits and printed parts)
For papercraft products, processing is limited to accepting and fulfilling the order, shipping, and support. Papercraft kits may include components such as printed paper parts and, depending on the kit, accessories (e.g., craft knife, white glue, plastic ruler, plastic packaging, ballpoint pen). The presence of accessories does not change the categories of personal data processed; it only means that accurate delivery details matter more (bulkier parcels) and that after-sales handling (missing or damaged components) may involve additional support correspondence.
- Typical data used: identity and contact data; delivery address; order details; support communications.
- Typical purpose: order fulfilment, delivery, replacement of missing components, complaint handling.
- Primary legal basis: contract performance (GDPR Article 6(1)(b)).
7) Personalisation (custom orders)
7.1 What “personalisation” means
Personalisation refers to processing that uses information you provide to create a product specifically for you. Examples include adding names, dates, short messages, custom colour requests, or printing your image on a poster/canvas (where offered).
7.2 Personalisation data and responsibilities
- Accuracy of custom inputs: you are responsible for checking spelling, dates, and correctness of personalisation details before confirming the order. The controller uses the data exactly as provided, unless clarification is requested.
- Third-party rights: if you provide images or text relating to third parties, you confirm that you have the right to provide them for printing/production. The controller processes such content to fulfil the contract (GDPR Article 6(1)(b)).
- Content limitations: the controller may refuse personalisation requests that appear unlawful or that cannot be produced within reasonable constraints, based on legitimate interests and legal compliance (GDPR Article 6(1)(f) and/or Article 6(1)(c), depending on the situation).
7.3 Legal bases for personalisation
- Contract performance (GDPR Article 6(1)(b)) – creating a custom product you requested.
- Legitimate interests (GDPR Article 6(1)(f)) – quality control, preventing misuse (e.g., fraudulent or abusive requests), and maintaining evidence of the agreed custom specification in case of disputes.
- Legal obligation (GDPR Article 6(1)(c)) – invoice/accounting retention when personalisation details appear on an order record.
7.4 Minimisation for custom content
Personalisation is designed around GDPR Article 5(1)(c): only the content strictly required to produce the personalised item is processed. Excess content included in messages (unrelated personal details) is not required and should not be shared.
7.5 Personalisation proof and dispute handling
To resolve “not as ordered” disputes, the controller may retain:
- your confirmed custom text/image file,
- a record of your approval (where applicable),
- order communications confirming the custom specification,
- production notes strictly related to fulfilling the order.
This supports contract performance (Article 6(1)(b)) and legitimate interests in dispute prevention and resolution (Article 6(1)(f)).
8) Purposes and legal bases (GDPR Article 6)
| Purpose | What this includes | Primary legal basis (GDPR) | Key GDPR references |
|---|---|---|---|
| Order creation and management | Accepting orders, confirming details, preparing production/packing instructions, status updates. | Art. 6(1)(b) Contract performance | GDPR (Art. 6; Art. 13(1)(c)) |
| Delivery and logistics | Address validation (where needed), shipping labels, carrier handover, delivery notifications, handling failed deliveries. | Art. 6(1)(b) Contract performance | GDPR Art. 6; Art. 5(1)(c) |
| Customer support and communications | Answering questions, providing instructions and clarifications, handling complaints, replacements, missing items. | Art. 6(1)(b) Contract performance; Art. 6(1)(f) Legitimate interests | GDPR Art. 6; Art. 13; Art. 21 |
| Personalisation production | Processing custom text/images to create the personalised poster/canvas/papercraft element you ordered. | Art. 6(1)(b) Contract performance | GDPR Art. 6; Art. 5(1)(b)-(c) |
| Accounting, invoicing, and compliance | Invoices/receipts, bookkeeping, mandatory record retention, responding to lawful authority requests. | Art. 6(1)(c) Legal obligation | GDPR Art. 6(1)(c); Art. 13(1)(c) |
| Returns, refunds, and disputes | Return authorisation, refund processing, fraud prevention in returns, evidence preservation. | Art. 6(1)(b) Contract performance; Art. 6(1)(c) Legal obligation (where applicable); Art. 6(1)(f) Legitimate interests | GDPR Art. 6; Art. 5(1)(e); Art. 21 |
| Security, fraud prevention, and misuse prevention | Protecting communications and order integrity, detecting suspicious activity, preventing identity misuse and chargeback abuse. | Art. 6(1)(f) Legitimate interests | GDPR Art. 6(1)(f); Art. 32; Art. 5(1)(f) |
8.1 Legitimate interests balancing (GDPR Article 6(1)(f), Article 21)
Where processing relies on legitimate interests, the controller assesses:
- Purpose test: the interest pursued (e.g., fraud prevention, dispute resolution, operational continuity).
- Necessity test: whether the processing is necessary and proportionate for that purpose.
- Balancing test: impact on individuals, reasonable expectations, and available safeguards.
You may object to processing based on legitimate interests at any time (GDPR Article 21). Where the objection is valid, processing will be stopped unless compelling legitimate grounds override your interests, rights, and freedoms, or the processing is needed for legal claims.
9) Recipients, processors, and disclosures
9.1 Recipient categories (GDPR Article 13(1)(e))
Personal data may be shared only to the extent necessary with:
- Payment service providers (payment confirmation, refund handling, fraud checks).
- Carriers and delivery services (name, address, contact details necessary for delivery; shipment status).
- Professional advisors (accounting, legal) where required for compliance and legal defence.
- Public authorities where disclosure is required by law (GDPR Article 6(1)(c)).
- Service providers acting as processors under GDPR Article 28, only under documented instructions and appropriate safeguards.
9.2 Processors (GDPR Article 28)
Where an external provider processes personal data on the controller’s behalf, the controller ensures that:
- processing is governed by a contract meeting GDPR Article 28(3) requirements,
- the provider implements appropriate security measures (GDPR Article 32),
- sub-processors (if any) are controlled and authorised according to GDPR Article 28(2)–(4),
- data are processed only for the controller’s documented purposes.
9.3 No sale of personal data
The controller does not sell personal data to third parties.
10) International transfers (GDPR Chapter V)
10.1 When transfers may occur
Transfers outside the European Economic Area (EEA) may occur if a recipient/service provider processes or stores data in a third country or allows remote access from a third country. Transfers may also occur when communicating with you if you are located outside the EEA.
10.2 Transfer mechanisms (Articles 44–49)
International transfers are carried out only in accordance with GDPR Chapter V (GDPR Articles 44–49). Where applicable, the controller relies on:
- Adequacy decisions (GDPR Article 45) where the European Commission has decided that a country ensures an adequate level of protection.
- Appropriate safeguards (GDPR Article 46), including the EU Standard Contractual Clauses (SCCs): https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
- Derogations (GDPR Article 49) only when applicable and interpreted restrictively (e.g., transfer necessary for contract performance).
10.3 Additional safeguards
Where SCCs are used, the controller assesses whether the law and practice of the destination country could undermine the protection the SCCs provide and, where that assessment shows a need, applies supplementary measures (technical, contractual, or organisational), consistent with GDPR Article 32 and the EDPB recommendations on measures that supplement transfer tools: https://edpb.europa.eu/
11) Retention (GDPR Article 5(1)(e))
11.1 Core rule
Personal data are retained only as long as needed for the stated purposes and for compliance with legal obligations. Retention decisions consider:
- contract duration and after-sales support period,
- legal duties (e.g., accounting, tax),
- limitation periods for claims and disputes,
- data minimisation and proportionality (GDPR Article 5(1)(c) and 5(1)(e)).
11.2 Retention by category (practical overview)
| Category | Retention approach | Purpose alignment |
|---|---|---|
| Orders, delivery, and support history | Kept for the time necessary to perform the contract and manage reasonable after-sales support, then deleted or anonymised unless required for compliance or claims. | Art. 6(1)(b), Art. 6(1)(f), Art. 5(1)(e) |
| Invoices and accounting records | Kept for the period required by applicable accounting/tax law; access limited to authorised persons. | Art. 6(1)(c), Art. 5(1)(e) |
| Personalisation files and approvals | Kept as needed to produce the personalised product and to handle disputes/returns; then deleted unless continued retention is required for legal claims or mandatory bookkeeping. | Art. 6(1)(b), Art. 6(1)(f), Art. 5(1)(e) |
| Returns/refunds documentation | Kept as needed to complete the return/refund and to manage fraud risks and disputes; longer if required by law or to defend legal claims. | Art. 6(1)(b), Art. 6(1)(c), Art. 6(1)(f) |
| Suppression (do-not-contact) records | Kept to ensure marketing opt-outs are respected. | Art. 6(1)(f), Art. 21 |
12) Data subject rights (GDPR Articles 12–23)
12.1 Your rights
- Right of access (GDPR Article 15).
- Right to rectification (GDPR Article 16).
- Right to erasure (GDPR Article 17).
- Right to restriction of processing (GDPR Article 18).
- Right to data portability (GDPR Article 20), where applicable.
- Right to object (GDPR Article 21), including an absolute right to object to direct marketing.
- Rights related to automated decision-making (GDPR Article 22), where applicable.
- Right to withdraw consent (GDPR Article 7(3)) where processing is based on consent.
12.2 How requests are handled (Articles 12–14)
- Transparent communication: information will be provided in a concise, transparent, intelligible form (GDPR Article 12(1)).
- Time limits: responses are provided without undue delay and in any event within one month of receipt of the request; this period may be extended by two further months where necessary, taking into account the complexity and number of requests, and you will be informed of any extension and its reasons within the first month (GDPR Article 12(3)).
- Identity verification: additional information may be requested where there are reasonable doubts about identity (GDPR Article 12(6)).
- Fees: requests are generally handled free of charge; a reasonable fee may apply for manifestly unfounded or excessive requests (GDPR Article 12(5)).
12.3 Limits and exceptions
Rights are not absolute. The controller may refuse or limit a request where allowed by GDPR (e.g., where retention is required by law or needed for legal claims), and will explain the reasons as required by GDPR Article 12(4).
13) Objections, withdrawals, and suppression lists
13.1 Objection to processing (Article 21)
Where processing relies on legitimate interests (GDPR Article 6(1)(f)), you may object at any time on grounds relating to your particular situation (GDPR Article 21(1)). The controller will stop processing unless compelling legitimate grounds override your interests, rights, and freedoms, or processing is required for legal claims.
13.2 Direct marketing (Article 21(2)–(3))
If personal data are processed for direct marketing, you may object at any time. After an objection, the data will no longer be processed for direct marketing (GDPR Article 21(2)–(3)).
13.3 Withdrawal of consent (Article 7(3))
Where processing is based on consent, consent may be withdrawn at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal (GDPR Article 7(3)).
13.4 Suppression lists
To respect objections/opt-outs, the controller may keep a minimal record (e.g., email address) on a suppression list. This ensures that you are not contacted again for marketing, aligning with legitimate interests and compliance duties (GDPR Article 6(1)(f); Article 21).
14) Returns, refunds, and disputes
14.1 Return requests and required data
When you request a return or refund, the controller processes the information needed to:
- identify your order (order number, purchase date, item details),
- confirm eligibility and conditions (where applicable),
- coordinate the return shipment or provide instructions,
- inspect returned goods (where applicable),
- issue a refund or replacement,
- record the outcome for accounting and customer support continuity.
14.2 Legal bases for returns-related processing
- Contract performance (GDPR Article 6(1)(b)) – managing returns, replacements, and refunds as part of the sales relationship.
- Legal obligation (GDPR Article 6(1)(c)) – where retention is required for accounting/tax or consumer law compliance.
- Legitimate interests (GDPR Article 6(1)(f)) – fraud prevention, dispute resolution, and maintaining evidence of the condition of goods and return handling steps.
14.3 Evidence and documentation
For disputes and quality issues, the controller may ask for and process:
- photos of damage, incorrect printing, or missing components,
- delivery packaging photos (when relevant),
- carrier tracking details,
- communication history needed to resolve the issue.
Any documentation is limited to what is necessary (GDPR Article 5(1)(c)) and retained only as long as needed for the return/dispute process and related legal obligations (GDPR Article 5(1)(e)).
14.4 Personalised products and returns
Personalised products may require additional verification of the agreed custom specification. The controller may retain a record of the personalisation input and approval steps to assess whether the delivered item matches the confirmed order. This supports contract performance and legitimate interests in fair dispute handling (GDPR Article 6(1)(b) and Article 6(1)(f)).
15) Security and confidentiality (GDPR Article 32)
15.1 Security objective
The controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk (GDPR Article 32(1)), taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as risks of varying likelihood and severity to individuals.
15.2 Risk-based approach (what risks are considered)
Security measures are selected to reduce risks such as:
- unauthorised access to order details (names, addresses),
- account takeover (if accounts exist),
- unauthorised disclosure of personalisation content (custom text/images),
- fraudulent refund and return claims using someone else’s identity or order information,
- phishing and social engineering attempts targeting customer support channels,
- accidental loss or deletion of records needed for order fulfilment,
- loss of confidentiality during communications with service providers,
- unlawful processing beyond stated purposes.
15.3 Organisational measures
- Access governance: access to personal data is restricted to what is necessary for order fulfilment and support (need-to-know principle), supporting GDPR Article 5(1)(f) and Article 32(1)(b).
- Role separation: where tasks are delegated, permissions are separated to reduce exposure of personal data.
- Confidentiality: persons with access to personal data are subject to confidentiality obligations appropriate to the context (GDPR Article 28(3)(b) for processors; general confidentiality principles under Article 5(1)(f)).
- Data handling procedures: documented steps for receiving, using, and disposing of personal data, including personalisation files and return evidence.
- Training and awareness: measures to reduce errors and improve recognition of phishing and fraudulent requests.
- Vendor management: selection and review of service providers, with contractual obligations where providers act as processors (GDPR Article 28) and assessment of transfer safeguards (GDPR Chapter V).
- Incident management: procedures to identify, assess, and respond to suspected personal data incidents, aligned with GDPR Articles 33–34.
- Physical security: reasonable measures to protect printed order documents and physical records (if any) and to prevent unauthorised viewing of shipping labels and customer details during packing.
15.4 Technical measures (security controls described at a functional level)
Security controls are implemented to support confidentiality, integrity, and availability (GDPR Article 32(1)). Controls are described at a functional level to remain accurate as systems evolve and to avoid misleading statements.
- Secure communications: measures to protect personal data during transmission to reduce the risk of interception.
- Authentication and authorisation: mechanisms to prevent unauthorised access to administrative functions and order records.
- Change control: controls to reduce accidental misconfiguration that could expose customer data.
- Backups and recovery: measures supporting restoration of availability and access to personal data in a timely manner after an incident (GDPR Article 32(1)(c)).
- Integrity checks: measures to reduce the risk of unauthorised alteration of order data (addresses, personalisation text).
- Minimised exposure: limiting the amount of personal data displayed in operational contexts (e.g., limiting full address visibility when not needed).
15.5 Protection of personalisation content
Because personalisation content may include names, messages, and images, additional care is applied:
- Purpose limitation: personalisation files are used only to produce the item you ordered and to resolve related disputes (GDPR Article 5(1)(b)).
- Controlled access: access limited to persons involved in fulfilling the personalised order.
- Controlled sharing: personalisation files are not shared with unrelated parties; sharing occurs only where required to fulfil production/shipping.
- Retention discipline: deletion or anonymisation after the purpose is met, subject to legal obligations and claims defence (GDPR Article 5(1)(e)).
15.6 Payment security boundary
Payment processing is typically performed by payment service providers. The controller processes only what is necessary to confirm payment status, match transactions to orders, and manage refunds and disputes. This supports data minimisation (GDPR Article 5(1)(c)) and reduces exposure of sensitive payment details.
15.7 Security testing and review (ongoing appropriateness)
In line with GDPR Article 32(1)(d), the controller applies processes for:
- periodic review of security measures,
- verification that access restrictions remain appropriate,
- assessment of whether retention and deletion practices are effectively applied,
- verification that processor arrangements remain compliant with GDPR Article 28.
15.8 Confidentiality in customer support channels
Support communications may contain order details and addresses. To reduce risks:
- the controller may request minimal verification (e.g., order number and email) before discussing order-specific details,
- the controller avoids requesting unnecessary data (e.g., full payment card numbers),
- attachments are requested only when needed (e.g., damage photos for a claim),
- data shared via messaging services are handled with care and retained only as necessary.
16) Personal data breaches (GDPR Articles 33–34)
If a personal data breach occurs, the controller evaluates the likelihood and severity of risks to individuals. Where required:
- Supervisory authority notification: without undue delay and, where feasible, within 72 hours after becoming aware of the breach (GDPR Article 33).
- Communication to affected individuals: without undue delay if the breach is likely to result in a high risk to rights and freedoms, unless an exception applies (GDPR Article 34).
17) Children’s data
The controller does not knowingly collect personal data from children. If you believe that a child has provided personal data, you may contact the controller to request deletion where applicable, subject to legal retention obligations.
18) Changes to this Notice
This Notice may be updated to reflect changes in processing or legal requirements. The latest version will be published on the website with an updated “Last updated” date. Processing remains governed by GDPR transparency and fairness requirements (GDPR Articles 12–14).
19) Contact and complaints
Controller: Nadezhda Khusainova
Address: Calle Lince, 10. Coín, Málaga, 29100, Spain
Email: admin@canvartin.com
Phone / WhatsApp: +34 624 640 928
Website: https://canvartin.com/
Right to lodge a complaint (GDPR Article 77): You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
Spain (AEPD): https://www.aepd.es/
Annex: GDPR Articles referenced (official links)
- GDPR (full text): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 4 (Definitions): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 5 (Principles): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 6 (Lawfulness): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 7 (Consent): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Articles 12–14 (Transparent information): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 15 (Access): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 16 (Rectification): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 17 (Erasure): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 18 (Restriction): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 20 (Portability): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 21 (Objection): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 22 (Automated decisions): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 25 (Data protection by design and by default): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 28 (Processors): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Article 32 (Security of processing): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Articles 33–34 (Personal data breaches): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Chapter V (Transfers): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- EU SCCs (Decision (EU) 2021/914): https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
- EDPB: https://edpb.europa.eu/
- AEPD: https://www.aepd.es/
25) Cookies and similar technologies (online identifiers) – transparency and choices
25.1 When this section applies
This section applies when you interact with the website and any embedded services that store or access information on your device (for example through cookies, local storage, pixels, or similar technologies). Where such technologies involve personal data, the processing is also subject to GDPR (Regulation (EU) 2016/679).
25.2 Legal rules referenced
- GDPR (Regulation (EU) 2016/679): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- ePrivacy Directive (Directive 2002/58/EC, as amended) – device storage/access rule (cookies, Article 5(3)): https://eur-lex.europa.eu/eli/dir/2002/58/oj
25.3 Categories of cookie-related data that may be processed
- cookie identifiers and preference signals (consent status, language selection),
- approximate location derived from IP address,
- device and browser characteristics (user agent, screen parameters),
- basic interaction data (pages visited, time stamps),
- referrer and campaign parameters (e.g., UTM tags) where present.
25.4 Purposes and legal bases
| Cookie/technology category | Purpose | Legal basis (GDPR Article 6) | Consent expectation |
|---|---|---|---|
| Strictly necessary | Enable core site functions you explicitly request (navigation, checkout continuity, security functions). | Art. 6(1)(b) Contract (where needed to provide requested service) and/or Art. 6(1)(f) Legitimate interests (secure and stable website operation). | Typically not subject to opt-in under ePrivacy where strictly necessary, but still disclosed transparently. |
| Preferences | Remember choices (e.g., language) to improve usability. | Art. 6(1)(f) Legitimate interests and/or Art. 6(1)(a) Consent where required by applicable national rules. | May require consent depending on implementation and national rules. |
| Analytics | Understand aggregated website usage to improve content and navigation. | Art. 6(1)(a) Consent where analytics are not strictly necessary. | Opt-in where required; configurable to reduce identifiability where applicable. |
| Marketing | Measure advertising effectiveness and show relevant ads across websites/apps. | Art. 6(1)(a) Consent. | Opt-in. |
25.5 Cookie preference controls and withdrawal
- Where a cookie banner/consent tool is used, you can accept, reject, or customise non-essential cookies. You can change your preferences later via the same tool (where available).
- You can also delete cookies via your browser settings. Deleting cookies may remove stored preferences and may affect functionality.
- Where processing relies on consent, you can withdraw consent at any time, and withdrawal must be as easy as giving consent (GDPR Article 7(3)).
25.6 Cookie recordkeeping
Where required to demonstrate compliance, the controller may store a record of your cookie consent choice (time, scope, and preference signal) to meet accountability requirements (GDPR Article 5(2)) and consent conditions (GDPR Article 7(1)).
26) Marketing, service messages, and contact preference management
26.1 Transactional / service communications
The controller sends messages that are necessary to perform the contract or to manage your request (for example: order confirmation, delivery updates, clarification of personalisation details, return instructions). These communications are not sent for advertising purposes.
- Legal basis: contract performance (GDPR Article 6(1)(b)).
- GDPR reference: Article 6(1)(b); these messages are not direct marketing, so the Article 21(2) marketing opt-out does not apply to them.
26.2 Direct marketing (where offered)
Where marketing is offered (for example newsletters, promotions, new product announcements), the controller processes your contact details and preferences to deliver those communications.
- Legal basis: consent (GDPR Article 6(1)(a) and Article 7) where required.
- Right to object: where direct marketing is conducted based on legitimate interests under applicable law, you can object at any time (GDPR Article 21(2)–(3)).
26.3 Preference management, unsubscribe, and proof of compliance
- The controller maintains opt-in/opt-out records to demonstrate that communications were sent lawfully (GDPR Article 5(2), Article 7(1)).
- After you unsubscribe or object, the controller may keep limited data on a suppression list to ensure you are not contacted again for marketing (legitimate interests: GDPR Article 6(1)(f); right to object: GDPR Article 21).
27) Reviews, testimonials, and user-submitted content (where applicable)
27.1 What data may be processed
- display name / nickname,
- review text, rating, and submission date,
- order reference verification signals (where used to prevent fake reviews),
- photos you submit with a review (if any).
27.2 Purposes and legal bases
- Purpose: publish customer feedback and improve product quality and customer information.
- Legal basis: Art. 6(1)(f) legitimate interests (transparent customer information and quality improvement), or Art. 6(1)(a) consent where required by context (e.g., publishing identifiable photos).
- Right to object: where legitimate interests apply, you may object under GDPR Article 21(1).
27.3 Minimisation for images
If you upload images that contain personal data (faces, names, addresses visible in the background), the controller processes only what is necessary for the review purpose and may request replacement or redaction where appropriate, consistent with data minimisation (GDPR Article 5(1)(c)).
28) Social media pages and messaging (independent controllers)
28.1 Controller’s processing
If you contact the controller through social media messages or comments, the controller processes the content you provide to respond to your enquiry and manage customer service.
- Legal basis: contract performance (GDPR Article 6(1)(b)) and/or legitimate interests (GDPR Article 6(1)(f)).
28.2 Platform processing
Social media platforms typically process personal data for their own purposes as independent controllers. Their processing is governed by their own privacy notices. The controller does not control the platform’s processing activities.
29) Shipping labels, misdelivery risk, and address verification
29.1 Shipping label data
To deliver physical products (posters, canvases, papercraft), the controller processes and shares with carriers the minimum information required for delivery, such as the recipient name, delivery address, and contact details where needed.
- Legal basis: contract performance (GDPR Article 6(1)(b)); minimisation principle (GDPR Article 5(1)(c)).
29.2 Address accuracy and delivery exceptions
When a delivery fails (incorrect address, incomplete details, undeliverable location), the controller may:
- contact you to confirm or correct delivery details,
- use carrier-provided exception information to resolve the issue,
- retain delivery-status evidence to manage disputes and customer support.
- Legal basis: contract performance (GDPR Article 6(1)(b)); legitimate interests for dispute prevention (GDPR Article 6(1)(f)).
29.3 Wrong recipient / misdelivery reports
If you report a misdelivery, the controller processes the information needed to investigate (order reference, carrier tracking, proof of delivery). Processing remains limited to what is necessary to resolve the delivery incident (GDPR Article 5(1)(c)) and is retained only as long as needed (GDPR Article 5(1)(e)).
30) Physical records and packaging-related visibility
30.1 Paper documents used for fulfilment
If paper-based order documents are used during packing (for example a picking/packing note), they contain only the information required to fulfil the order. Such documents are handled to reduce visibility of personal data to unauthorised persons.
- GDPR reference: integrity and confidentiality (GDPR Article 5(1)(f)); security (GDPR Article 32).
30.2 Disposal
When paper documents are no longer needed, they are disposed of in a manner intended to prevent unauthorised access to personal data, consistent with GDPR Article 32 and storage limitation (GDPR Article 5(1)(e)).
31) Records of processing activities and accountability documentation (Article 30; Article 5(2))
31.1 Accountability
The controller applies the accountability principle (GDPR Article 5(2)) and maintains compliance documentation where required.
31.2 Records of processing activities (GDPR Article 30)
Where applicable, the controller maintains records of processing activities, which may include:
- purposes of processing,
- categories of data subjects and personal data,
- categories of recipients,
- international transfers and safeguards (where applicable),
- retention approach,
- general security measures (GDPR Article 30(1)).
GDPR reference: GDPR Art. 30
32) Data Protection Impact Assessments and prior consultation (Articles 35–36)
32.1 DPIA (GDPR Article 35)
If the controller introduces processing that is likely to result in a high risk to the rights and freedoms of natural persons, the controller will carry out a Data Protection Impact Assessment (DPIA) as required by GDPR Article 35.
- GDPR reference: GDPR Art. 35
32.2 Prior consultation (GDPR Article 36)
Where a DPIA indicates that processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller will consult the competent supervisory authority before processing, as required by GDPR Article 36.
- GDPR reference: GDPR Art. 36
33) Special operational cases: replacements, missing items, and partial shipments
33.1 Replacements and missing items
If you report missing or incorrect items (including papercraft kit components), the controller processes the minimum information required to:
- identify the original order and the reported issue,
- confirm the appropriate corrective action,
- ship a replacement component or product where applicable,
- retain evidence of the resolution for after-sales support continuity.
- Legal basis: contract performance (GDPR Article 6(1)(b)); legitimate interests for consistent dispute handling (GDPR Article 6(1)(f)).
33.2 Partial shipments
Where an order is fulfilled in more than one shipment (for example due to availability), the controller processes shipment identifiers and carrier references to manage delivery and customer communications. Processing remains limited to what is needed to complete fulfilment.
34) Legal basis precision, compatibility, and secondary uses
34.1 No incompatible secondary use
If the controller considers processing personal data for a purpose other than the one for which the data were collected, the controller will assess compatibility in line with GDPR Article 6(4) and provide information as required by GDPR Articles 13–14.
- GDPR reference: GDPR Art. 6(4)
34.2 Legal obligation vs. contract vs. legitimate interests
Where multiple legal bases could appear relevant, the controller selects the most appropriate basis for the specific processing purpose and applies safeguards to ensure fairness and proportionality (GDPR Article 5(1)(a)).
35) Data about third parties provided by customers (recipient addresses, gift orders, shared images)
35.1 When you provide another person’s details
If you provide another person’s name/address for delivery (for example a gift order) or submit an image containing third-party personal data, you are responsible for ensuring you have a lawful basis to share that information with the controller for the stated purpose.
35.2 How the controller processes such data
- Purpose: deliver the order, produce the personalised item, provide support.
- Legal basis: contract performance (GDPR Article 6(1)(b)) and minimisation (GDPR Article 5(1)(c)).
- Retention: aligned with the order and dispute handling retention logic already described (GDPR Article 5(1)(e)).
36) Operational rules for rights requests (clarifications, partial fulfilment, and secure delivery)
36.1 Scope of disclosure for access requests
In response to an access request (GDPR Article 15), the controller provides:
- confirmation whether personal data are processed,
- a copy of personal data undergoing processing,
- the information required by GDPR Article 15(1), subject to rights and freedoms of others.
GDPR reference: GDPR Art. 15
36.2 Rights of others
Where fulfilling a request would adversely affect the rights and freedoms of others, the controller may redact or limit disclosure as permitted by GDPR while still providing a meaningful response (GDPR Article 15(4)).
36.3 Secure delivery of responses
The controller may select a response channel that reduces the risk of unauthorised disclosure (GDPR Article 5(1)(f); Article 32), and may request identity verification where reasonable doubts exist (GDPR Article 12(6)).
37) Business continuity and organisational changes
37.1 Reorganisation, transfer, or restructuring
If the controller’s business structure changes (for example a reorganisation affecting fulfilment operations), personal data may be transferred only to the extent necessary and in accordance with GDPR principles.
37.2 Legal bases and safeguards
- Legal basis: legitimate interests in continuity of service and administration (GDPR Article 6(1)(f)), and/or legal obligation (GDPR Article 6(1)(c)) where applicable.
- Safeguards: minimisation, access restriction, confidentiality, and transparency updates as required (GDPR Articles 5 and 12–14).
38) EU representative (Article 27)
GDPR Article 27 applies to certain controllers not established in the Union. The controller is established in Spain.
- GDPR reference: GDPR Art. 27
Annex (expanded): Additional GDPR articles referenced in this continuation
- GDPR Article 6(4) (compatibility): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- GDPR Article 12(6) (identity verification): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- GDPR Article 15(4) (rights of others): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- GDPR Article 30 (records of processing): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- GDPR Article 35 (DPIA): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- GDPR Article 36 (prior consultation): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- GDPR Article 27 (EU representative): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- ePrivacy Directive 2002/58/EC (cookies/device storage): https://eur-lex.europa.eu/eli/dir/2002/58/oj
