How we collect, use, and protect your personal data.
Last updated: February 2025
This privacy policy explains how Graftstudio Ltd (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you visit our website at graftstudio.com, use our services, or otherwise interact with us.
We are committed to protecting your privacy and handling your data in an open, transparent manner. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Graftstudio Ltd is a Shopify Select partner specialising in high-performance eCommerce for direct-to-consumer and B2B brands. Our services include Shopify development, design, strategy, and retained support.
The personal data we collect depends on how you interact with us. We may collect and process the following categories of information:
We use the personal data we collect for the following purposes:
Under the UK GDPR, we must have a lawful basis for processing your personal data. The bases we rely on are:
Where you have given clear, affirmative consent for us to process your personal data for a specific purpose. This includes subscribing to marketing communications and accepting non-essential cookies. You may withdraw consent at any time by contacting us or using the unsubscribe mechanism in our emails.
Where processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract. This applies to processing required to deliver our services and manage our client relationships.
Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights. Our legitimate interests include:
Where processing is necessary to comply with a legal obligation, such as maintaining financial records for tax purposes.
Our website uses cookies and similar tracking technologies to distinguish you from other visitors, analyse traffic, and improve your browsing experience. A cookie is a small text file stored on your device by your web browser.
These are necessary for the website to function correctly. They enable core features such as page navigation and do not collect personally identifiable information. These cookies cannot be disabled.
We use Google Analytics 4 (GA4) to understand how visitors interact with our website. GA4 collects data such as pages visited, session duration, and traffic sources. IP anonymisation is enabled where supported. Google Analytics may set the following cookies:
For more information on how Google processes data, visit Google’s Privacy Policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
If we use Klaviyo for email marketing, tracking cookies may be set to measure the effectiveness of our campaigns and personalise content. These cookies are only placed with your consent.
You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website. Most browsers allow you to:
We share personal data with trusted third-party service providers who assist us in operating our business. These providers process data on our behalf and are contractually obligated to handle it securely and in accordance with applicable data protection law.
Our website is hosted on Vercel. Vercel may process server log data (including IP addresses) for the purpose of delivering and securing our website. Vercel’s infrastructure is primarily located in the United States and Europe. For details, see Vercel’s Privacy Policy.
We use Google Analytics 4 to collect anonymised website usage statistics. Data may be transferred to Google servers in the United States. Google is certified under the EU-US Data Privacy Framework. See Google’s Privacy Policy.
We use Calendly to manage consultation bookings. When you schedule a call, Calendly processes your name, email address, and any information you provide in the booking form. See Calendly’s Privacy Notice.
We may use Klaviyo to manage email marketing communications. If you subscribe to our mailing list, your email address and engagement data are processed by Klaviyo. Klaviyo stores data in the United States and complies with applicable data transfer mechanisms. See Klaviyo’s Privacy Notice.
As a Shopify Select partner, we build and maintain Shopify stores on behalf of our clients. When working on client projects, we may access customer data within Shopify in accordance with our contractual obligations. See Shopify’s Privacy Policy.
We maintain a presence on LinkedIn for professional networking and marketing purposes. If you interact with our LinkedIn content, LinkedIn may share limited information with us in accordance with your LinkedIn privacy settings. See LinkedIn’s Privacy Policy.
Some of the third-party services listed above are based outside the United Kingdom. Where your data is transferred internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), adequacy decisions, or the provider’s participation in recognised data transfer frameworks (e.g. the EU-US Data Privacy Framework).
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention periods are as follows:
When personal data is no longer required, we securely delete or anonymise it.
Under the UK GDPR, you have the following rights in relation to your personal data:
To exercise any of these rights, please contact us at hello@graftstudio.com. We will respond to your request within one month. In certain circumstances, we may extend this period by a further two months, in which case we will inform you and explain the reason for the delay.
There is no fee for making a request, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on it.
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:
While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to taking all reasonable steps to safeguard your information.
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page.
We encourage you to review this policy periodically to stay informed about how we are protecting your data. Your continued use of our website after any changes to this policy constitutes your acceptance of the updated terms.
If you have any questions about this privacy policy, wish to exercise your data protection rights, or have a concern about how we handle your personal data, please contact us:
We take all complaints seriously and will endeavour to resolve any issues promptly. If you are not satisfied with our response, or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the UK supervisory authority:
We would appreciate the opportunity to address your concerns before you approach the ICO, so please do contact us in the first instance.
