Privacy

This page explains, in plain English, what data we collect, what we do with it, how long we keep it, and what you can ask of us.

Who we are

RGBloom Ltd, registered in England and Wales. Company No. 17236942. Registered with the Information Commissioner's Office (registration ZC155495). Registered office: Unit 2 Hazlewell Court, Bar Road, Cambridge, CB23 8DS, UK.

What we collect, and when

Until you place an order, we collect nothing about you.

The book editor runs in your browser. Your photos and your work-in-progress book live on your own device, not on our servers. We run no tracking pixels and keep no record of who visits the site or what they look at.

When you place an order, the editor sends us:

That is the whole list.

After an order is placed, we ask one optional question - how you heard about us. You can answer it or ignore it. If you choose "somewhere else" and write a note, that note is kept with your order and deleted on the same 30-day clock as the rest; otherwise your answer only adds one to an anonymous count (below).

We also keep a few anonymous counts to help us run the business - roughly which parts of the country orders go to, what kind of device they were placed from, and how people heard about us. Nothing in them is linked to you or your order, and they hold no names or addresses. It is counting after the fact ("twelve orders this week, mostly from phones"), not tracking who visits.

We never ask for even your name or phone number, and your email address is optional.

Transferring photos from your phone

If you transfer photos from your phone to the editor on your laptop using the QR code, those photos go directly from one device to the other where the network allows. If a direct route is not possible, they pass through our server in memory only - never written to disk, never seen by anyone, gone the moment the transfer finishes.

How long we keep it

We delete everything to do with your order within 30 days of the order date.

That includes the book itself, your address, and any contact details you provided. After that window there is no way for us to find your order - by design.

The exception is the accounting record we are legally required to keep for HMRC: the order ID, the date, the amount, and the payment reference for the transaction. That is the entire accounting record. It does not include your name, address, or anything you wrote in the book.

Who else sees your data

We use a small number of other companies to do specific things:

Each of these has a data processing agreement with us that limits what they can do with your data. None of them are used for marketing or analytics. We do not sell, share, or rent your data to anyone else.

Where the data lives

Our server is in the UK, in a data centre run by our hosting provider under a data processing agreement. Mollie and Proton have their own data flows, but the personal data they handle for us either stays in the UK or is covered by the UK's adequacy arrangements with the EU (Mollie) and Switzerland (Proton). We do not knowingly send your data anywhere else.

Your rights

Under UK GDPR you can ask us to:

Email privacy at rgbloom dot com and we will reply within a month - usually much sooner. We will not ask why.

You can also complain to the Information Commissioner's Office at ico.org.uk if you are unhappy with how we have handled your data.

A note on photos of other people

Photos in your book sometimes contain other people. Under UK GDPR those other people are data subjects too, even though they are not RGBloom's customers. We rely on you to have any permissions you need from the people you photograph. We mention it so the position is clear.

Because we delete everything 30 days after the order date, requests about specific photos almost always end up answered with "we have already deleted that." If a faster deletion is wanted, write to privacy at rgbloom dot com and we will do it the same day.

If something goes wrong

If something goes wrong with the data - an outage, a mistake, anything that puts your information at risk - we will tell the Information Commissioner's Office within 72 hours, as required, and tell anyone who has been affected as soon as we sensibly can. We will say what happened, what data was or was not affected, and what we are doing about it.

Changes to this page

If we change this page in a way that materially affects what we do with your data, we will keep the previous version available on request from privacy at rgbloom dot com.

Last updated: 3 July 2026