Privacy Policy (UK/EU GDPR)

Last updated: 25/05/2026

Website: www.sayshe.studio

Data Controller: Cynthia Sheeamalan (SAYSHE Studio)

This Privacy Policy explains how Cynthia Sheeamalan (SAYSHE Studio) (“we”, “us”, or “our”) collects, uses, and protects your personal data when you visit our website, contact us, or interact with our services.

We comply with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, and applicable data protection laws.

1. Who we are

We are Cynthia Sheeamalan (SAYSHE Studio), an independent artist/creative based in the UK.

If you have any questions about this policy or your data, you can contact us at:

Email: hello@sayshe.studio

2. What personal data we collect

We may collect the following types of personal data:

a) Information you provide directly

  • Name

  • Email address

  • Contact details

  • Commission or enquiry details

  • Messages you send via contact forms or email

b) Automatically collected data

When you visit our website, we may collect:

  • IP address

  • Browser type and version

  • Device information

  • Pages visited and time spent

  • Referring website

This is typically collected via analytics tools and cookies.

c) Transaction data (if applicable)

If you purchase artwork or services:

  • Billing name and address

  • Payment confirmation details (processed via third-party providers)

We do not store full payment card details.

3. How we use your data

We use your personal data for the following purposes:

  • Responding to enquiries or commission requests

  • Providing artistic services or fulfilling orders

  • Managing client communications

  • Improving our website and user experience

  • Analysing website performance and traffic

  • Complying with legal or tax obligations

4. Lawful basis for processing

We process your data under the following legal bases:

  • Consent – when you contact us or opt into communications

  • Contract – when processing is necessary to fulfil a commission or purchase

  • Legal obligation – for accounting or tax requirements

  • Legitimate interests – for website security, analytics, and business improvement

5. How we store your data

We take reasonable technical and organisational measures to protect your personal data.

Your data is stored securely and only accessed when necessary.

We retain personal data only for as long as necessary:

  • Enquiries: up to [e.g. 12–24 months]

  • Commission/client records: up to [e.g. 6 years for tax compliance]

  • Analytics data: as set by provider defaults (often 14–26 months)

6. Sharing your data

We do not sell your personal data.

We may share data with trusted third-party providers, including:

  • Website hosting providers

  • Email services (e.g. contact form or newsletter tools)

  • Analytics providers (e.g. Google Analytics)

  • Payment processors (e.g. Stripe, PayPal)

These providers only process data on our behalf and must comply with GDPR requirements where applicable.

7. International transfers

Some service providers may store or process data outside the UK or EEA.

When this happens, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)

  • Adequacy decisions by the UK or European Commission

8. Your data protection rights

Under UK/EU GDPR, you have the right to:

  • Access your personal data

  • Request correction of inaccurate data

  • Request deletion of your data (“right to be forgotten”)

  • Restrict or object to processing

  • Withdraw consent at any time

  • Request data portability

  • Lodge a complaint with a supervisory authority

In the UK, this is the Information Commissioner’s Office (ICO): https://ico.org.uk

9. Cookies and tracking technologies

We use cookies and similar technologies to improve website functionality and analyse traffic.

For full details, please see our Cookie Policy.

10. Third-party links

Our website may include links to external websites (e.g. social media platforms, galleries, or shops).

We are not responsible for the privacy practices of those websites and recommend reviewing their policies separately.

11. Data security

We take reasonable steps to protect your personal data from:

  • Loss

  • Misuse

  • Unauthorised access

  • Disclosure or alteration

However, no method of online transmission is 100% secure.

12. Children’s privacy

This website is not intended for children under 13 (or 16 in some EU jurisdictions). We do not knowingly collect data from children.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last updated” date.

14. Contact us

If you have any questions about this Privacy Policy or your personal data, please contact:

Email: hello@sayshe.studio

Website: www.sayshe.studio