Privacy
This page explains, in plain English, what data we collect, what we do with it, how long we keep it, and what you can ask of us.
Who we are
RGBloom Ltd, registered in England and Wales. Company No. 17236942. Registered with the Information Commissioner's Office (registration ZC155495). Registered office: Unit 2 Hazlewell Court, Bar Road, Cambridge, CB23 8DS, UK.
What we collect, and when
Until you place an order, we collect nothing about you.
The book editor runs in your browser. Your photos and your work-in-progress book live on your own device, not on our servers. We run no tracking pixels and keep no record of who visits the site or what they look at.
When you place an order, the editor sends us:
- Your book, and all photos you use in it.
- The address(es) you would like the book(s) sent to.
- Your email - but only if you choose to give it. It is optional.
- Your payment, which is handled by Mollie inside their own form. We never see your card details, and Mollie does not ask you for an email address to pay.
That is the whole list.
After an order is placed, we ask one optional question - how you heard about us. You can answer it or ignore it. If you choose "somewhere else" and write a note, that note is kept with your order and deleted on the same 30-day clock as the rest; otherwise your answer only adds one to an anonymous count (below).
We also keep a few anonymous counts to help us run the business - roughly which parts of the country orders go to, what kind of device they were placed from, and how people heard about us. Nothing in them is linked to you or your order, and they hold no names or addresses. It is counting after the fact ("twelve orders this week, mostly from phones"), not tracking who visits.
We never ask for even your name or phone number, and your email address is optional.
Transferring photos from your phone
If you transfer photos from your phone to the editor on your laptop using the QR code, those photos go directly from one device to the other where the network allows. If a direct route is not possible, they pass through our server in memory only - never written to disk, never seen by anyone, gone the moment the transfer finishes.
How long we keep it
We delete everything to do with your order within 30 days of the order date.
That includes the book itself, your address, and any contact details you provided. After that window there is no way for us to find your order - by design.
The exception is the accounting record we are legally required to keep for HMRC: the order ID, the date, the amount, and the payment reference for the transaction. That is the entire accounting record. It does not include your name, address, or anything you wrote in the book.
Who else sees your data
We use a small number of other companies to do specific things:
- Mollie (Netherlands) - takes your payment.
- Proton Mail (Switzerland) - sends your order confirmation email, if you gave us an email address.
- Allstar Services Ltd (UK) - our printer. Receives the PDF and your shipping address(es).
Each of these has a data processing agreement with us that limits what they can do with your data. None of them are used for marketing or analytics. We do not sell, share, or rent your data to anyone else.
Where the data lives
Our server is in the UK, in a data centre run by our hosting provider under a data processing agreement. Mollie and Proton have their own data flows, but the personal data they handle for us either stays in the UK or is covered by the UK's adequacy arrangements with the EU (Mollie) and Switzerland (Proton). We do not knowingly send your data anywhere else.
Your rights
Under UK GDPR you can ask us to:
- Tell you what data we hold about you.
- Correct anything that is wrong.
- Delete it - the 30-day window already does most of this automatically.
- Send your data to you in a portable format.
- Restrict or object to how we use it.
Email privacy at rgbloom dot com and we will reply within a month - usually much sooner. We will not ask why.
You can also complain to the Information Commissioner's Office at ico.org.uk if you are unhappy with how we have handled your data.
A note on photos of other people
Photos in your book sometimes contain other people. Under UK GDPR those other people are data subjects too, even though they are not RGBloom's customers. We rely on you to have any permissions you need from the people you photograph. We mention it so the position is clear.
Because we delete everything 30 days after the order date, requests about specific photos almost always end up answered with "we have already deleted that." If a faster deletion is wanted, write to privacy at rgbloom dot com and we will do it the same day.
If something goes wrong
If something goes wrong with the data - an outage, a mistake, anything that puts your information at risk - we will tell the Information Commissioner's Office within 72 hours, as required, and tell anyone who has been affected as soon as we sensibly can. We will say what happened, what data was or was not affected, and what we are doing about it.
Changes to this page
If we change this page in a way that materially affects what we do with your data, we will keep the previous version available on request from privacy at rgbloom dot com.