Privacy policy
How we collect, use and protect your personal data. Last reviewed 19 May 2026.
1. Who we are
Norma Ltd is the data controller for personal data collected through https://www.normamade.com. We are registered in England and Wales.
Our data protection contact is: privacy@normamade.com. Write to us at this address for any data protection enquiry or rights request.
2. Lawful basis for processing
We process your personal data on the following legal bases:
- Contract performance: processing your order, managing your account, arranging delivery, and handling returns.
- Legal obligation: retaining transaction records for HMRC, complying with anti-fraud and anti-money-laundering requirements.
- Legitimate interests: fraud prevention, improving our service, and maintaining the security of our platform. We conduct a balancing test before relying on this basis and do not override your interests or rights.
- Consent: sending marketing email, loading analytics cookies, and loading support-chat cookies. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
3. Categories of data we collect
- Identity data: name, company name (for B2B accounts).
- Contact data: email address, billing address, delivery address or addresses.
- Payment data: payment is processed by Stripe. We do not store card numbers or full payment details on our systems. We retain Stripe transaction references and billing metadata.
- Design uploads: artwork, logos, and any other files you upload to generate your products. We store these to fulfil your order and keep them available for reorder for 3 years after last activity.
- Order history: details of products ordered, quantities, pricing, and fulfilment status.
- Browsing behaviour: page views, events, and conversion data collected via PostHog (EU), loaded only after you have given consent via our cookie banner.
- Credit data: for B2B buyers requesting Net 30 invoicing, we run a credit check via Creditsafe UK, using your company name and registered address.
4. Retention periods
- Order and transaction records: 7 years from the date of transaction, as required by HMRC.
- Account data (including design uploads): 3 years after your last login or order activity, after which we will delete your account data unless you ask us to retain it for a specific reason.
- Analytics data: 13 months, in accordance with ICO guidance on analytics cookie retention.
- Marketing consent records: retained until you withdraw consent or request deletion.
5. Sub-processors
We share data with the following third-party processors where necessary to provide our service. We have data processing agreements in place with each of them.
- Stripe (payments) - USA. Transfer mechanism: Standard Contractual Clauses (SCCs).
- Resend (transactional email) - EU. Transfer mechanism: adequacy decision / EU standard.
- Intercom (customer support chat) - USA. Transfer mechanism: SCCs.
- PostHog (product analytics) - EU. Transfer mechanism: EU standard.
- Creditsafe (B2B credit checks) - UK.
- Printful (order fulfilment) - USA. Transfer mechanism: SCCs.
- Neon (database hosting) - USA. Transfer mechanism: SCCs.
- Cloudflare (CDN and file storage) - USA. Transfer mechanism: SCCs.
- Sentry (error monitoring) - USA. Transfer mechanism: SCCs.
We do not sell personal data to any third party.
6. International transfers
Where sub-processors are located outside the UK or the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner as an appropriate safeguard for international data transfers. You may request a copy of the relevant SCCs by emailing privacy@normamade.com.
7. Your rights
Under UK GDPR you have the right to:
- Access: request a copy of personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete your personal data where we no longer have a lawful basis to hold it.
- Restriction: ask us to restrict processing while a complaint is resolved.
- Portability: receive your data in a structured, machine-readable format, or ask us to transmit it to another controller.
- Objection: object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
- Withdraw consent: withdraw consent at any time for any processing based on consent, including marketing emails and analytics cookies.
8. How to exercise your rights
Email privacy@normamade.com with your request. We will acknowledge within 5 working days and respond fully within 30 calendar days. We may ask you to verify your identity before acting on a request.
9. Complaints
If you are unhappy with how we handle your personal data, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
We would appreciate the opportunity to address any concern before you contact the ICO, so please contact us first at privacy@normamade.com.
10. Cookies
For details of the cookies we set, their purposes, and how to manage your preferences, see our Cookie policy.
11. Changes to this policy
We may update this policy as our practices change or legislation requires. We will post the updated policy on this page with a new version date. Where we hold your contact details, we will notify registered users by email of material changes affecting how we process your data.
This policy was last reviewed on 19 May 2026 (version 2026-05-19.v1.0).