Privacy Policy

This Privacy Policy explains how Tairo Ventures Ltd, trading as Ottilie Paperie, collects, uses, stores, and protects personal data in connection with our website and services. It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data controller

The data controller responsible for your personal data is Tairo Ventures Ltd, a private limited company registered in England and Wales under company number 17186608, with its registered office at 66 Paul Street, London, EC2A 4NA. References to “we”, “us”, and “our” in this Policy are references to Tairo Ventures Ltd.

Tairo Ventures Ltd is registered with the UK Information Commissioner’s Office (ICO) under registration reference ZC165220.

2. Personal data we collect

We collect and process the following categories of personal data:

• Identity and contact data: your name, email address, postal address, and telephone number.
• Order data: the details of your commission, including the images and text you submit, your brief, your approvals, and any correspondence between us.
• Recipient data (where applicable): for the Full and Deluxe packages, the names and postal addresses of the individuals to whom you ask us to post cards.
• Payment data: transaction information processed by our payment provider. We do not see, store, or have access to your full card number, CVV, or other sensitive payment credentials.
• Technical data: IP address, browser type, device information, pages visited, and similar information collected through cookies and analytics where you have consented (see our Cookies Policy).

3. How we use your data and our legal bases

We use your personal data for the following purposes and rely on the legal bases set out below:

• To perform the contract we have with you, including fulfilling your commission, communicating about your order, posting cards to you or to your recipients, and providing customer support. Legal basis: performance of a contract.
• To comply with our legal obligations, including tax, accounting, anti-fraud, and statutory record-keeping requirements. Legal basis: legal obligation.
• To run our business in a secure and effective way, including detecting fraud, investigating disputes, maintaining our records, and improving our service. Legal basis: our legitimate interests in operating and protecting the business, balanced against your rights.
• To send you optional marketing communications, but only where you have explicitly opted in. Legal basis: consent. You can withdraw consent at any time.

4. Recipient data on behalf of you

Where you upload an address book or otherwise supply recipient details, we process that data on your behalf and only for the purpose of posting your cards to those recipients. You confirm by supplying that data that you have a lawful basis to share it with us. Recipient data is deleted within ninety (90) days of fulfilment of your order, except where retention is required for record-keeping or to defend a legal claim.

5. Sharing your data

We share your data only where necessary, and only with the following categories of recipient:

• Payment providers (for example, Stripe) to process your payment.
• Postal and courier services (for example, Royal Mail and international carriers) to dispatch your order.
• Cloud hosting and software providers that store and process data on our behalf under written contracts that require them to safeguard your data.
• Professional advisers (such as accountants and lawyers) where strictly necessary, and under duties of confidentiality.
• Government, regulatory, or law-enforcement authorities where required by law.

We do not sell your personal data and we do not share it for the marketing purposes of any third party.

6. International transfers

Some of our service providers are based outside the United Kingdom or the European Economic Area. Where personal data is transferred to a country that does not provide an equivalent level of protection, we put appropriate safeguards in place, such as the UK International Data Transfer Agreement or Standard Contractual Clauses with additional measures, to protect your data in accordance with UK GDPR.

7. How long we keep your data

We retain personal data only for as long as is necessary for the purposes for which it was collected, and to comply with our legal obligations. As a guide:

• Order records: retained for six (6) years from the end of the financial year in which the order was placed, to comply with UK tax and accounting requirements.
• Images and Customer Content: retained for twenty-four (24) months from order fulfilment unless you ask us to delete sooner, after which it is securely destroyed.
• Recipient address data: deleted within ninety (90) days of order fulfilment.
• Marketing data: retained while you remain subscribed and for a short retention period thereafter for suppression purposes.

8. Your rights

Under UK GDPR you have the following rights in respect of your personal data, exercisable free of charge in most circumstances:

• The right to access the personal data we hold about you.
• The right to rectification of inaccurate or incomplete data.
• The right to erasure (the “right to be forgotten”), subject to our legal retention obligations.
• The right to restrict processing in certain circumstances.
• The right to object to processing based on legitimate interests.
• The right to data portability for data processed by automated means on the basis of consent or contract.
• The right to withdraw consent at any time where consent is the legal basis.

To exercise any of these rights, please contact us at studio@ottiliepaperie.com. We will respond within one (1) month of receiving a valid request.

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These include access controls, encryption in transit, vetted third-party processors, and limited internal access on a need-to-know basis.

10. Children

Our services are intended for adult customers (those aged eighteen and over). We do not knowingly collect personal data from children. Where a commission relates to a child (for example, a baby announcement card), the personal data of that child is provided by the parent or guardian under their own legal authority and consent.

11. Cookies

Our use of cookies is described in our Cookies Policy.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified through the Site. The “Last updated” date at the top of this Policy indicates when the most recent revision took effect.

13. Complaints

If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the United Kingdom’s data protection authority, the Information Commissioner’s Office (ICO), at ico.org.uk. We would, however, appreciate the chance to address your concerns before you approach the ICO. Please contact us first.