Service · Data & cookies

PRIVACY NOTICE

Controller SUMI / 墨Scope EU · UK · US · worldwide

This notice explains what personal data we handle when you visit this site or place an order, the legal bases on which we do so, and the rights you have over your data. We try to keep it short and plain.

Who we are

The data controller is SUMI / 墨 (“SUMI”, “we”). For questions about this notice or to exercise your rights, write to studio@kanji-calligraphy.com.

Data we collect

  • You give us: name, email address, shipping address, billing address, phone (optional), order history. Email + a one-time code if you sign in.
  • Automatic: IP address, browser and device characteristics, referring URL, pages viewed, approximate location derived from IP, and cookie identifiers.
  • From payment providers: we receive a confirmation that the charge succeeded plus the last four digits and brand of the card. We do not see or store full card numbers.

Why we use it

  • To process orders, payments, and shipping
  • To send transactional emails (order confirmation, dispatch, delivery)
  • To handle returns, refunds, and customer support
  • To prevent fraud and abuse
  • To comply with tax, accounting, and consumer-protection law
  • With your consent, to measure how the site is used and to show relevant marketing
  • Performance of a contract (Art. 6(1)(b)) — for orders, shipping, returns and customer support.
  • Legal obligation (Art. 6(1)(c)) — for tax records, fraud prevention and consumer-protection records.
  • Legitimate interests (Art. 6(1)(f)) — for site security, basic abuse prevention, and aggregated business analytics that do not require cookies.
  • Consent (Art. 6(1)(a)) — for analytics cookies, advertising cookies, and optional marketing emails. You can withdraw consent at any time without affecting prior processing.

Who we share it with

We share data only with processors needed to run the store:

  • Shopify Inc. — e-commerce, hosting, checkout, payments
  • Print & fulfilment partners — name and shipping address only, to produce and ship your order
  • Carriers — DHL, UPS, USPS, Royal Mail, and regional equivalents — for delivery
  • Resend — transactional and one-time-code email delivery
  • Google (Analytics 4, Tag Manager) — only if you accept analytics cookies
  • Vercel — site hosting, performance metrics

We do not sell your personal data to third parties.

International transfers

Some of our processors are based outside the EEA / UK (notably the United States and Canada). Where this is the case, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or a valid adequacy decision (e.g. the EU–US Data Privacy Framework where the recipient is self-certified). Copies of the safeguards are available on request.

Retention

  • Order records: kept for the period required by tax and accounting law in our jurisdiction (typically 7–10 years).
  • Account data: kept while your account is active; deleted within 30 days of a deletion request, except where retention is required by law.
  • Analytics: aggregated and pseudonymised data retained for up to 14 months in GA4.
  • Support correspondence: 24 months from last contact.

Cookies & tracking

We use the following categories of cookie. Analytics and marketing cookies are blocked by default and only loaded after you accept via the cookie banner. You can change your choice anytime via “Cookie preferences” in the footer.

  • Strictly necessary — cart, checkout session, authentication, and your cookie choice. Cannot be turned off.
  • Analytics — Google Analytics 4 via Google Tag Manager. Helps us understand which pages and products work. Loaded only with consent.
  • Advertising — currently inactive. Should we add advertising cookies in the future, they will be gated behind the same banner and listed here before going live.

We honour the Google Consent Mode v2 signal: when consent is denied, analytics tags receive cookieless pings only and we do not load any advertising tag.

Your rights (GDPR / UK GDPR)

  • Access — get a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion (“right to be forgotten”)
  • Restriction — limit processing in specific cases
  • Portability — receive your data in a structured, machine-readable format
  • Objection — to processing based on legitimate interests, including profiling
  • Withdraw consent — at any time, without affecting prior processing
  • Lodge a complaint with your supervisory authority (in the EU, your national DPA; in the UK, the ICO at ico.org.uk)

To exercise any right, email studio@kanji-calligraphy.com. We respond within one month.

California (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the “sale” or “sharing” of personal information for cross-context behavioural advertising. We do not sell personal information for money. To opt out of any sharing for advertising purposes, set your cookie banner to “Necessary only” or send a Global Privacy Control signal — we honour it.

Contact

Email studio@kanji-calligraphy.com. Postal address available on request for formal data-protection correspondence.

Last updated: 2026.