RED&BRICK LTD

Last updated: 21 June 2025

This Privacy Policy explains how RED & BRICK LTD (“RED & BRICK”, “we”, “our”, “us”) collects, uses, shares and protects your personal data when you visit imagestoreonline.com (the “Site”) or use our related services (collectively, the “Services”). It also describes your data-protection rights and how to exercise them.

We process personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”), the UK Data Protection Act 2018, and—where applicable—the EU GDPR (together the “GDPR”).

1. Who is the Data Controller?

RED & BRICK LTD
Company No. 15024307
Registered office: 291 Northfield Avenue, London W5 4XB, United Kingdom
Email: info@imagestoreonline.com

We have appointed a part-time Data Protection Officer (DPO) who can be contacted at the above email address (subject line “FAO DPO”).

If you are located in the European Economic Area (EEA) we have appointed GDPR-REP.eu (Belgium) as our EU representative pursuant to Article 27 EU GDPR.

2. What Personal Data Do We Collect?

| Category | Examples | Source |
|---|---|---|
| Identity Data | full name, username, title, VAT number (business users) | you |
| Contact Data | billing address, email, telephone | you |
| Account Data | login credentials, user ID, download history | you / generated |
| Payment Data | card token, last 4 digits, expiry date, transaction IDs | payment processor |
| Technical Data | IP address, device type, OS, browser, language, referrer URL | your device / cookies |
| Usage Data | page views, clicks, time on page, search queries, error logs | analytics cookies |
| Marketing Data | newsletter opt-ins, marketing preferences, opens & clicks | you / email provider |
| Generated Content | AI prompts and resulting images linked to your user ID | you / system |
| Compliance Data | KYC documents (passport, certificate of incorporation), sanctions screening outcome | you / public registers / screening tools |

We do not intentionally collect special-category data (Art. 9 GDPR) or data relating to children under 16. Users must be at least 18 to create an account.

3. For What Purposes and on What Legal Bases Do We Process Your Data?

| Purpose | Legal Basis (Art. 6 GDPR) | Legitimate Interest (if applicable) |
|---|---|---|
| Account creation & administration | contract performance (Art. 6 (1)(b)) | |
| Processing payments & delivering digital content | contract performance | |
| Fraud prevention, AML/KYC checks, sanctions screening | legal obligation (Art. 6 (1)(c)); legitimate interests (Art. 6 (1)(f)) | protecting our business and the financial system |
| Customer support & dispute handling | contract performance; legitimate interests | resolving issues efficiently |
| Analytics, site optimisation, service improvement | legitimate interests | understanding how the Site is used to enhance UX |
| Direct email marketing (existing customers) | legitimate interests (soft opt-in, PECR reg 22(3)); or consent where required | informing customers about similar products |
| Newsletter, promotions, optional updates | consent (Art. 6 (1)(a)) | |
| Legal claims, enforcement of T&Cs | legitimate interests | defending our rights |

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

4. Cookies & Similar Technologies

The Site uses cookies and local-storage tags.

  • Essential cookies – required for basic functionality (e.g. session ID, CSRF token).
  • Analytics cookies – e.g. Google Analytics 4 to aggregate usage statistics.
  • Marketing cookies – set only if you accept them (e.g. email tracking pixel, retargeting).

For detailed cookie names, lifetimes and providers please see our Cookie Policy. You may adjust preferences anytime via the “Cookie Settings” link in the footer.

5. How We Share Your Data

We disclose personal data only to the extent necessary and under data-processing agreements where required:

  • Payment Service Provider (Stripe Payments Europe Ltd, PCI-DSS Level 1) – card processing, fraud screening.
  • Cloud Infrastructure & Hosting (AWS EU West, London) – secure hosting, image storage.
  • Email & CRM (SendGrid/Twilio Inc., USA) – transactional & marketing emails (EU Standard Contractual Clauses 2021).
  • Analytics Provider (Google LLC, USA) – pseudonymised usage data (IP anonymisation enabled).
  • ID-Verification Vendor (Sumsub Ltd., UK) – KYC checks for high-risk transactions.
  • Professional Advisers – auditors, lawyers, insurers.
  • Government or law-enforcement agencies where legally required.

We do not sell personal data.

6. International Transfers

Some processors are located outside the UK/EEA. Transfers are safeguarded by:

  • UK adequacy regulations (e.g. transfers to EEA);
  • UK/EU Standard Contractual Clauses (SCCs 2021); and
  • supplementary technical & organisational measures (encryption at rest and in transit, role-based access).

7. Data Retention

| Data Category | Retention Period |
|---|---|
| Account & Transaction Records | 7 years after last transaction (UK tax & AML retention) |
| KYC Documents | 5 years after business relationship ends (MLR 2017) |
| Marketing Data | until you unsubscribe or 2 years after last interaction, whichever is sooner |
| Analytics Logs | 26 months rolling window (Google Analytics 4 default) |
| Support Tickets | 3 years from closure |

We may retain data longer if required to establish or defend legal claims.

8. Security Measures

  • TLS 1.3 across all pages (HSTS enforced).
  • AES-256 encryption at rest for stored files and database backups.
  • Role-based access control & MFA for staff.
  • Quarterly penetration tests and external PCI DSS scans.
  • Incident-response plan aligned with ISO/IEC 27035.

9. Automated Decision-Making & Profiling

We do not make decisions solely by automated means that produce legal effects. Fraud-scoring involves automated tools but always includes human review before adverse action.

10. Your Data-Protection Rights

Subject to conditions and legal limits, you have the right to:

  1. Access – obtain a copy of your personal data (Art. 15).
  2. Rectification – correct inaccurate or incomplete data (Art. 16).
  3. Erasure – request deletion (Art. 17).
  4. Restriction – limit processing (Art. 18).
  5. Portability – receive data in a structured, machine-readable format (Art. 20).
  6. Object – object to processing based on legitimate interests or direct marketing (Art. 21).
  7. Withdraw consent – where processing relies on consent (Art. 7(3)).

To exercise any right please email info@imagestoreonline.com from the address registered to your account. We will respond within one month (extendable by two months for complex requests).

11. Complaints

If you have concerns about our data practices, please contact our DPO in the first instance. You also have the right to lodge a complaint with:

  • UK: Information Commissioner’s Office (ICO) – ico.org.uk
  • EEA: your local supervisory authority; list at edpb.europa.eu.

12. Changes to This Policy

We may update this Policy periodically. We will post the revised version with a new “Last updated” date and notify registered users by email for material changes. Continued use of the Services after the effective date constitutes acceptance.

13. Contact Us

RED & BRICK LTD – Privacy Team
291 Northfield Avenue
London W5 4XB
United Kingdom
Email: info@imagestoreonline.com

© 2025 RED & BRICK LTD. All rights reserved.
