RED&BRICK LTD
Last updated: 21 June 2025
This Privacy Policy explains how RED & BRICK LTD (“RED & BRICK“, “we“, “our“, “us“) collects, uses, shares and protects your personal data when you visit imagestoreonline.com (the “Site“) or use our related services (collectively, the “Services“). It also describes your data-protection rights and how to exercise them.
We process personal data in accordance with the UK General Data Protection Regulation (“UK GDPR“), the UK Data Protection Act 2018, and—where applicable—the EU GDPR (together the “GDPR“).
1. Who is the Data Controller?
RED & BRICK LTD
Company No. 15024307
Registered office: 291 Northfield Avenue, London W5 4XB, United Kingdom
Email: info@imagestoreonline.com
We have appointed a part-time Data Protection Officer (DPO) who can be contacted at the above email address (subject line “FAO DPO”).
If you are located in the European Economic Area (EEA) we have appointed GDPR-REP.eu (Belgium) as our EU representative pursuant to Article 27 EU GDPR.
2. What Personal Data Do We Collect?
| Category | Examples | Source |
| Identity Data | full name, username, title, VAT number (business users) | you |
| Contact Data | billing address, email, telephone | you |
| Account Data | login credentials, user ID, subscription tier, download history | you / generated |
| Payment Data | card token, last 4 digits, expiry date, transaction IDs | payment processor |
| Technical Data | IP address, device type, OS, browser, language, referrer URL | your device / cookies |
| Usage Data | page views, clicks, time on page, search queries, error logs | analytics cookies |
| Marketing Data | newsletter opt-ins, marketing preferences, opens & clicks | you / email provider |
| Generated Content | AI prompts and resulting images linked to your user ID | you / system |
| Compliance Data | KYC documents (passport, certificate of incorporation), sanctions screening outcome | you / public registers / screening tools |
We do not intentionally collect special-category data (Art. 9 GDPR) or data relating to children under 16. Users must be at least 18 to create an account.
3. For What Purposes and on What Legal Bases Do We Process Your Data?
| Purpose | Legal Basis (Art. 6 GDPR) | Legitimate Interest (if applicable) |
| Account creation & administration | contract performance (Art. 6 (1)(b)) | – |
| Processing payments & delivering digital content | contract performance | – |
| Fraud prevention, AML/KYC checks, sanctions screening | legal obligation (Art. 6 (1)(c)); legitimate interests (Art. 6 (1)(f)) | protecting our business and the financial system |
| Customer support & dispute handling | contract performance; legitimate interests | resolving issues efficiently |
| Analytics, site optimisation, service improvement | legitimate interests | understanding how the Site is used to enhance UX |
| Direct email marketing (existing customers) | legitimate interests (soft opt-in, PECR reg 22(3)); or consent where required | informing customers about similar products |
| Newsletter, promotions, optional updates | consent (Art. 6 (1)(a)) | – |
| Legal claims, enforcement of T&Cs | legitimate interests | defending our rights |
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
4. Cookies & Similar Technologies
The Site uses cookies and local-storage tags.
- Essential cookies – required for basic functionality (e.g. session ID, CSRF token).
- Analytics cookies – e.g. Google Analytics 4 to aggregate usage statistics.
- Marketing cookies – set only if you accept them (e.g. email tracking pixel, retargeting).
For detailed cookie names, lifetimes and providers please see our Cookie Policy. You may adjust preferences anytime via the “Cookie Settings” link in the footer.
5. How We Share Your Data
We disclose personal data only to the extent necessary and under data-processing agreements where required:
- Payment Service Provider (Stripe Payments Europe Ltd, PCI-DSS Level 1) – card processing, fraud screening.
- Cloud Infrastructure & Hosting (AWS EU West, London) – secure hosting, image storage.
- Email & CRM (SendGrid/Twilio Inc., USA) – transactional & marketing emails (EU Standard Contractual Clauses 2021).
- Analytics Provider (Google LLC, USA) – pseudonymised usage data (IP anonymisation enabled).
- ID-Verification Vendor (Sumsub Ltd., UK) – KYC checks for high-risk transactions.
- Professional Advisers – auditors, lawyers, insurers.
- Government or law-enforcement agencies where legally required.
We do not sell personal data.
6. International Transfers
Some processors are located outside the UK/EEA. Transfers are safeguarded by:
- UK adequacy regulations (e.g. transfers to EEA);
- UK/EU Standard Contractual Clauses (SCCs 2021); and
- supplementary technical & organisational measures (encryption at rest and in transit, role-based access).
7. Data Retention
| Data Category | Retention Period |
| Account & Transaction Records | 7 years after last transaction (UK tax & AML retention) |
| KYC Documents | 5 years after business relationship ends (MLR 2017) |
| Marketing Data | until you unsubscribe or 2 years after last interaction, whichever is sooner |
| Analytics Logs | 26 months rolling window (Google Analytics 4 default) |
| Support Tickets | 3 years from closure |
We may retain data longer if required to establish or defend legal claims.
8. Security Measures
- TLS 1.3 across all pages (HSTS enforced).
- AES-256 encryption at rest for stored files and database backups.
- Role-based access control & MFA for staff.
- Quarterly penetration tests and external PCI DSS scans.
- Incident-response plan aligned with ISO/IEC 27035.
9. Automated Decision-Making & Profiling
We do not make decisions solely by automated means that produce legal effects. Fraud-scoring involves automated tools but always includes human review before adverse action.
10. Your Data-Protection Rights
Subject to conditions and legal limits, you have the right to:
- Access – obtain a copy of your personal data (Art. 15).
- Rectification – correct inaccurate or incomplete data (Art. 16).
- Erasure – request deletion (Art. 17).
- Restriction – limit processing (Art. 18).
- Portability – receive data in a structured, machine-readable format (Art. 20).
- Object – object to processing based on legitimate interests or direct marketing (Art. 21).
- Withdraw consent – where processing relies on consent (Art. 7(3)).
To exercise any right please email info@imagestoreonline.com from the address registered to your account. We will respond within one month (extendable by two months for complex requests).
11. Complaints
If you have concerns about our data practices, please contact our DPO in the first instance. You also have the right to lodge a complaint with:
- UK: Information Commissioner’s Office (ICO) – ico.org.uk
- EEA: your local supervisory authority; list at edpb.europa.eu.
12. Changes to This Policy
We may update this Policy periodically. We will post the revised version with a new “Last updated” date and notify registered users by email for material changes. Continued use of the Services after the effective date constitutes acceptance.
13. Contact Us
RED & BRICK LTD – Privacy Team
291 Northfield Avenue
London W5 4XB
United Kingdom
Email: info@imagestoreonline.com
© 2026 RED & BRICK LTD. All rights reserved.