Privacy Policy

This policy describes how Sarah Brophy collects, shares and uses personal data from individuals who access this website, submit a Contact Me form, use our services and/or place orders. It should be read in conjunction with the Cookie Policy. By using this website you agree to the policies in place.

Data Controller

Sarah Brophy (www.sarahbrophy.co.uk) is the data controller for this website and business.

UK GDPR

I adhere to the UK GDPR and the Data Protection Act 2018 when collecting, storing and using personal data through this website or through direct contact with me (for example, workshop bookings or purchases made in person).

Name and contact details

Sarah Brophy. Email: sarahbrophyart@gmail.com

The purposes of processing

Your personal data is collected for order processing including products and workshops. It is also used to provide you with information about forthcoming workshops, news and events or any other useful or pertinent information about any aspect of Sarah Brophy (“the business”) when you have provided express permission to be provided this information which could be in the form of a newsletter or email. It will also be used when responding to any email or website “contact me” enquiries.

Categories of personal data collected

The categories of data collected can include, first name, last name, email address, telephone number, postal address. When making a purchase the third party payment provider will also require payment information. Data is also collected in the form of cookies when using the website. Please refer to the separate Cookie Policy for further details.

How personal data is collected

Data can be collected on this website when completing a “Contact Me” form. It will also be collected via the Third Party payment provider when making a purchase. During live events (including workshops) data may be collected on a hard copy newsletter sign up request form.

The lawful basis and legitimate interest for the processing

  • Order processing → Contractual

  • Workshop bookings → Contractual

  • Responding to enquiries → Legitimate interests

  • Marketing emails → Consent

  • Analytics → Consent (because analytics cookies require it)

The recipients of the personal data

I will not share your personal data with anyone except the payment processor linked to Squarespace (or any such third party payment processor that may be used outside of use of this website) that will use your data to complete the financial transaction when you make a purchase. For clarity this website is hosted by Squarespace and the email provided is Gmail.

Third‑party service providers

I use a small number of trusted third‑party service providers to support the running of this website and business. These include Squarespace (website hosting), Stripe (payment processing), Gmail (email services), and Squarespace Analytics (website analytics). These providers only process your personal data as necessary to deliver their services and in accordance with their own privacy and security standards.

International data transfers

Your personal data may be transferred to and stored at a destination outside the UK. The website is hosted by Squarespace which is US based and therefore the services they provide may require the transfer of data outside the UK. This can include payment processing and analytics.

I use Gmail for my email service which has global servers.

I am not responsible for the service these third party suppliers provide however I will ensure I take all reasonable measures to ensure they comply with the appropriate standards.

Data security measures

I will take all appropriate and reasonable security measures to keep any data collected safe and secure. Any hard copy data collected in the form of newsletter request forms (or any such similar approach) will be transferred to an electronic format and the hard copy form destroyed in an appropriate manner.

The retention period for personal data

  • Order records: 7 years

  • Workshop bookings: 7 years

  • Email enquiries: 1 year

  • Mailing list: until you unsubscribe

  • Website analytics: varies (often 14–26 months)

The rights available to individuals in respect of the processing

You can request access, rectification, erasure, restriction, and objection to the use of your data.

You have a right to object to the use of your data.

To make your objection please email sarahbrophyart@gmail.com. I will respond within 4 weeks.

The right to withdraw consent

You can withdraw your consent to the use of your data at anytime by emailing sarahbrophyart@gmail.com. I will confirm once this has been actioned (typically within 2 weeks).

You also have the right to data portability, which allows you to request a copy of the personal data you have provided to me in a structured, commonly used and machine‑readable format.

Automated decision making and profiling

I do not use any automatic decision making or profiling.

The right to lodge a complaint with ICO

Should you wish to make a complaint about the collection, storage or use of your data and it cannot be resolved by Sarah Brophy please contact ICO. Make a complaint | ICO