Privacy Policy

Last updated: March 14, 2026

At Zew Studio, accessible from https://zewstudio.com, one of our main priorities is the privacy of our visitors. This Privacy Policy document describes the types of information that are collected and recorded by Zew Studio and how we use them.

If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us through email at contact@zewstudio.com.

We amend these Policies from time to time. Please check these to ensure you understand the terms which will apply at that time.

This Privacy Policy is only in the English language.

1. In A Nutshell

We use cookies, log files, Strava and uploaded activity data, and information provided by you when you decide to purchase a print. We use third-party services to handle payments, printing, fulfilment, shipping, and analytics. Please consult the relevant sections below and make sure you understand what you're consenting to.

2. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is Szymon Padlewski trading as Zew Studio, contactable at contact@zewstudio.com.

3. Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases depending on the type of data and the purpose:

  • Contract performance (Article 6(1)(b)): We process your name, email, shipping address, and phone number to fulfil your order and deliver your Products. We process your Strava activity data to create your custom poster.
  • Consent (Article 6(1)(a)): We access your Strava account data only after you explicitly authorise us via the "Connect with Strava" OAuth flow. We set analytics cookies (Google Analytics) only with your consent via our cookie banner.
  • Legitimate interests (Article 6(1)(f)): We use server log files and essential cookies to maintain security, prevent fraud, and ensure our site functions correctly.
  • Legal obligation (Article 6(1)(c)): We retain order and transaction records as required by UK tax and accounting law (up to 6 years).

4. Your Data Protection Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

  • The right to access the personal data we hold about you
  • The right to rectification of inaccurate data
  • The right to erasure ("right to be forgotten")
  • The right to restrict processing
  • The right to data portability
  • The right to object to processing
  • The right to withdraw consent at any time

To exercise any of these rights, please contact us at contact@zewstudio.com. We will respond to your request within one month of receiving it, as required by UK GDPR. In certain cases we may extend this by a further two months, in which case we will inform you.

Please note that certain data (such as order records required for tax purposes) cannot be deleted until the legal retention period has expired, even if you request erasure.

5. How We Use Cookies

A cookie is a small file which asks permission to be placed on your computer's hard drive. We use essential cookies for authentication and site functionality, and analytics cookies (with your consent) to understand how visitors use our site.

For full details on the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

6. Log Files

Zew Studio follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this as a part of hosting services' analytics. We collect technical log information such as IP address, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and similar diagnostic data to secure, maintain, and improve the website. This information is not ordinarily used by us to directly identify individuals, though IP addresses and related online identifiers can be personal data in certain contexts. The purpose of the information is for analyzing trends, administering the site, tracking users' movement on the website, and gathering demographic information.

7. Financial Data

Payments are processed by Stripe. We do not store full payment card details on our systems. Stripe processes payment information in accordance with its own privacy policy. We receive limited transaction and order information from Stripe as needed to manage orders, provide customer support, and keep accounting records. Please consult Stripe's Privacy Policy if you wish to know more.

8. Personal Information

When you complete a purchase on our checkout page you will be required to provide your name, address as well as your contact email and number in order to fulfil your order. This information is collected securely through Stripe during the checkout process and is used solely for order fulfilment and shipping purposes.

For physical orders, your name, shipping address, email, and phone number are shared with our print and fulfilment partner, Prodigi, solely for the purpose of printing and delivering your order. See section 10 (Third-Party Services) for more details.

Since we do not store payment information ourselves, we do not use it for any unsolicited marketing.

Your contact email and phone number are only used to update you on the progress of an order and for customer support purposes.

9. Activity Data and Strava

When you design your own print, the information you enter is kept by us in a secure database. We do not use this information in any way other than to produce a digital version of your design and to fulfil your order. We do not give this information out to any external or third parties except as necessary to fulfil your order (e.g., to our print provider, Prodigi).

This includes the information from any GPX or FIT files you upload as well as the information you consent Strava to provide us access to when you use the "Connect with Strava" button. By connecting your Strava account, you authorise us to access your activity data for the sole purpose of creating your custom poster.

We only access the minimum amount of data necessary to create your poster (activity routes, statistics, and metadata). We store your activity data (routes, distances, elevations, dates, and similar statistics) as part of your order record. We do not store your Strava profile information such as your profile name, profile picture, bio, or other personal profile details. We only store your athlete ID (a numeric identifier) and activity data needed for poster creation.

When you connect your Strava account, we store encrypted OAuth tokens (access token and refresh token) in our database to maintain your session. These tokens are encrypted at rest. If your connection is inactive for 1 month, we will automatically deauthorise the connection and delete the stored tokens.

10. Third-Party Services

We use third-party providers to process data on our behalf or as independent service providers, including Stripe (payments), Prodigi (printing and fulfilment), Strava (activity import), Mapbox (mapping), and Google Analytics (analytics, with consent where required). We share only the data needed for those services. Details are provided below:

  • Stripe: Payment processing. Stripe collects your payment details, billing address, and shipping address during checkout. See Stripe's Privacy Policy
  • Prodigi: Print fulfilment and shipping. We share your name, shipping address, email, and phone number with Prodigi to print and deliver physical orders. See Prodigi's Privacy Policy
  • Strava: Activity data access via OAuth. See Strava's Privacy Policy
  • Mapbox: Map data and styling for topographic posters. See Mapbox's Privacy Policy
  • Google Analytics: Website analytics and traffic analysis. Google Analytics uses cookies to collect information about how visitors use our site (with consent where required). See Google's Privacy Policy
  • NextAuth.js: Authentication and session management

11. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods are as follows:

  • Order and transaction data (including name, address, email): Retained for up to 6 years after the date of the transaction, as required by UK tax and accounting regulations (HMRC).
  • Strava OAuth tokens: Stored in encrypted form while your connection is active. Automatically deauthorised and deleted after a period of inactivity.
  • Activity data (routes, statistics): Retained as part of your order record for the duration of the order data retention period.
  • Analytics data (Google Analytics): Subject to Google's data retention settings. We configure a 14-month retention period.
  • Log files: Retained for up to 90 days for security and debugging purposes.

12. International Data Transfers

Some of our third-party service providers process data outside the United Kingdom:

  • Stripe processes payment data in the United States and other jurisdictions, relying on Standard Contractual Clauses (SCCs) and their compliance with data protection standards.
  • Google Analytics processes data in the United States, relying on SCCs and Google's data processing terms.
  • Prodigi may fulfil orders from production facilities in various countries. Prodigi acts as a data processor on our behalf and is contractually bound to protect your data.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner's Office, or transfers to countries with an adequacy decision.

13. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. This includes encryption of sensitive data at rest (such as Strava tokens), secure HTTPS connections, and access controls. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

14. Children's Privacy

Our service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at contact@zewstudio.com.

15. Online Privacy Policy Only

Our Privacy Policy applies only to our online activities and is valid for visitors to our website with regard to the information that they share with, and/or that is collected by, Zew Studio. This policy is not applicable to any information collected offline or via channels other than this website.

16. Consent

This Privacy Policy explains how we collect, use, and protect personal data when you use our website. Where consent is required, we will ask for it separately.

If you have any questions about this Privacy Policy, please contact us at contact@zewstudio.com.