This notice explains, in general terms, what personal data we handle when you visit this site or place an order, the legal bases on which we do so, and the rights you have over your data. It does not create any contractual obligation beyond what is required by applicable data-protection law.

Who we are

The data controller is SUMI / 墨 (“SUMI”, “we”). For questions about this notice or to exercise your rights, see the Contact section below. If you have an active order, the most reliable channel is to reply directly to your order confirmation email — that thread already carries the order context.

Data we collect

  • You give us: name, email address, shipping address, billing address, phone (optional), order history, and any content you submit through forms (e.g. contact, support).
  • Automatic: IP address, browser and device characteristics, referring URL, pages viewed, approximate location derived from IP, and cookie or similar identifiers.
  • From payment and fraud-prevention providers: confirmation that the charge succeeded, the last four digits and brand of the card, and risk-scoring signals. We do not see or store full card numbers.

You are responsible for ensuring that the data you provide is accurate and up to date. We are not responsible for the consequences of inaccurate or out-of-date information you submit.

Why we use it

  • To process orders, payments, and shipping
  • To send transactional emails (order confirmation, dispatch, delivery)
  • To handle returns, refunds, and customer support
  • To prevent and detect fraud, abuse and security incidents
  • To comply with tax, accounting, consumer-protection and other legal obligations
  • To operate, secure, maintain and improve the site and our services
  • With your consent, to measure how the site is used and to show relevant marketing

The legal bases we rely on are:

  • Performance of a contract (Art. 6(1)(b)) — for orders, shipping, returns and customer support.
  • Legal obligation (Art. 6(1)(c)) — for tax records, fraud prevention and consumer-protection records.
  • Legitimate interests (Art. 6(1)(f)) — for site security, abuse prevention, IT operations, and aggregated business analytics that do not require cookies. You may object on grounds relating to your particular situation.
  • Consent (Art. 6(1)(a)) — for analytics cookies, advertising cookies, and optional marketing emails. You can withdraw consent at any time without affecting prior processing.

Who we share it with

We share personal data only with categories of recipients needed to operate the store. The list of specific providers may change from time to time without notice; the categories below remain stable.

  • E-commerce, hosting and infrastructure providers — to host the site, process checkout, and serve content.
  • Payment service providers and fraud-prevention partners — to authorise and settle payments and to screen for fraud.
  • Print, fulfilment and packaging partners — name and shipping address only, to produce and pack your order.
  • Carriers and customs brokers — to deliver the parcel and to clear customs where applicable.
  • Email and communications providers — for transactional, support and (with consent) marketing email.
  • Analytics, tag-management and (where applicable) advertising partners — only where you have given the relevant cookie consent.
  • Professional advisers, auditors and authorities — where reasonably required, or to comply with legal obligations or protect our rights.

We do not sell personal data for monetary consideration. A current list of named processors can be requested via the Contact section.

International transfers

Some of our processors are based outside the EEA / UK (notably the United States, Canada and other jurisdictions where our partners operate). Where this is the case, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, a valid adequacy decision (e.g. the EU–US Data Privacy Framework where the recipient is self-certified), or another lawful transfer mechanism. Copies of the safeguards are available on request.

Retention

We keep personal data only for as long as is necessary for the purposes set out in this notice and to comply with our legal, accounting and reporting obligations. The criteria we use are:

  • Order records: for the period required by tax, accounting and consumer-protection law in our jurisdiction (typically up to 10 years).
  • Account data: while your account is active and for a reasonable period thereafter, unless retention is required by law.
  • Analytics: aggregated and pseudonymised data is retained for as long as is reasonably useful for analysis, subject to the limits of the analytics provider.
  • Support correspondence: for a reasonable period from last contact, to handle related queries and to defend potential claims.
  • Fraud-prevention records: for a reasonable period to prevent recurrence.

Security

We use technical and organisational measures intended to protect personal data against unauthorised access, loss, misuse and alteration, including transport encryption (TLS) and access controls. However, no system is perfectly secure. You acknowledge that you transmit data to us at your own risk and you are responsible for keeping any password or access credentials confidential.

Cookies & tracking

We use the following categories of cookie. Analytics and marketing cookies are blocked by default and only loaded after you accept via the cookie banner. You can change your choice anytime via “Cookie preferences” in the footer.

  • Strictly necessary — cart, checkout session, authentication, and your cookie choice. Cannot be turned off.
  • Analytics — to understand which pages and products work. Loaded only with consent.
  • Advertising — currently inactive. Should we add advertising cookies in the future, they will be gated behind the same banner and listed here before going live.

Where supported, we honour the Google Consent Mode v2 signal. Until you accept analytics cookies, we do not load any analytics or advertising tag — no measurement requests are sent. When you accept, the same consent signal is forwarded so that downstream tags treat your data accordingly.

Your rights (GDPR / UK GDPR)

  • Access — get a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion (“right to be forgotten”)
  • Restriction — limit processing in specific cases
  • Portability — receive your data in a structured, machine-readable format
  • Objection — to processing based on legitimate interests, including profiling
  • Withdraw consent — at any time, without affecting prior processing
  • Lodge a complaint with your supervisory authority (in the EU, your national DPA; in the UK, the ICO at ico.org.uk)

To exercise any right, see the Contact section. We respond within the period required by applicable law (one month under GDPR, extendable by two further months where requests are complex or numerous). We may need to verify your identity before acting on a request, and we may decline manifestly unfounded or excessive requests as permitted by law.

California (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the “sale” or “sharing” of personal information for cross-context behavioural advertising. We do not sell personal information for money. To opt out of any sharing for advertising purposes, set your cookie banner to “Necessary only” or send a Global Privacy Control signal — we honour it where supported. We do not discriminate against you for exercising any CCPA right.

Children

The site is not directed at children under the age of majority in their country of residence and we do not knowingly collect personal data from them. If you believe a minor has provided us with personal data without parental consent, please contact us and we will delete it.

Third-party sites

The site may link to or embed content from third-party sites or services. Their data practices are governed by their own privacy notices. We are not responsible for, and make no representations about, the content, privacy practices or security of any third-party site or service.

Updates to this notice

We may update this notice from time to time to reflect changes in our processing, our service providers, or applicable law. The version in force is the one published on this page. Where a change is material, we will use reasonable efforts to highlight it at the top of the page or notify you by other appropriate means.

Contact

For privacy-related requests, the most reliable channel is the contact form, which routes to the studio inbox. If you have an active order, replying to your order confirmation email is faster as it already carries the order context. A postal address for formal data-protection correspondence will be published here as the studio scales.

Last updated: 2026.