Privacy Policy
Last updated: 2026-05-06
1. Who We Are
Take Up Space Ltd ("we", "us", "our"), a company registered in England and Wales under company number 12203181, with its registered office at 21 Dunwich, Shoreham by Sea, BN43 5PE, is the data controller of personal data collected through zenwallclocks.com. We trade as Zen Wall Clocks.
2. What This Notice Covers
This Privacy Policy explains what personal information we collect when you use zenwallclocks.com or buy from us, why we collect it, who we share it with, how long we keep it, and what rights you have over it.
We are based in the United Kingdom, so we process personal information in accordance with UK data protection law (the UK General Data Protection Regulation and the Data Protection Act 2018). Most of our customers reside in the United States; if this applies to you, additional rights apply under the California Consumer Privacy Act (CCPA, as amended by the CPRA) and similar laws in other states — see Section 10 below.
3. Personal Data We Collect
We collect:
- Order data — your name, billing address, delivery address, email address, and (optionally) phone number. Collected when you place an order.
- Payment data — your card payment is handled directly by Stripe. We never see, store or transmit your full card number, expiry, or CVC. We receive only a transaction reference and the last four digits of your card from Stripe to identify the payment.
- Order content — your design choices for each clock (the quote, font, colours, frame, hands, size). Stored against your order.
- Communications — any email correspondence you send us, retained for customer service.
- Technical data — your IP address, user-agent and pages visited are processed in aggregate by our analytics provider (see Section 8). We do not log raw IP addresses against your account.
We do not collect special category data (race, health, beliefs etc.) in normal operation. If you volunteer such information in a custom quote or in correspondence, we treat it confidentially.
4. How We Use Your Personal Data, and Our Lawful Bases
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Processing your order, taking payment, arranging delivery, customer service | Performance of a contract (Article 6(1)(b)) |
| Keeping records for accounting and tax purposes | Legal obligation (Article 6(1)(c)) |
| Detecting and preventing fraud | Legitimate interests (Article 6(1)(f)) |
| Understanding aggregate site usage to improve the service | Legitimate interests (Article 6(1)(f)) |
| Responding to your enquiries | Legitimate interests (Article 6(1)(f)) |
We do not currently send marketing emails. If we add a marketing mailing list in future we will ask for your explicit consent and make unsubscribing easy.
5. Who We Share Your Personal Data With
We share your personal data only with the service providers we need to fulfil your order. Each is a data processor acting on our instructions under contract:
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Card payment processing | United States |
| Cloudflare | Image storage and CDN delivery | Global edge network |
| Railway | Application hosting and database | United States |
| Spoke Custom Products | Print and shipping fulfilment | United States |
| Umami | Aggregate analytics | [Self-hosted on Railway / Umami Cloud, EU] |
| [Email provider] | Sending order confirmations | [Region] |
We do not sell your personal data and we do not share it with third parties for their own marketing.
We may disclose personal data if required by law, court order, or to protect our legal rights.
6. International Transfers
We are based in the United Kingdom and most of our customers are based in the United States. Personal information naturally moves between the United States (where you place your order and where the clock is printed and shipped) and the United Kingdom (where we administer the business). Where personal data crosses borders we rely on the UK Government's adequacy decisions, the UK International Data Transfer Agreement, or Standard Contractual Clauses, as appropriate.
7. How Long We Keep Your Personal Data
| Data type | Retention period |
|---|---|
| Order records | 7 years (statutory record-keeping requirement under UK and U.S. tax law) |
| Customer service email | 2 years from last contact |
| Aggregate analytics | 24 months |
| Marketing preferences | Until you withdraw consent |
After these periods, we delete or anonymise the data.
8. Cookies and Similar Technologies
We use a small number of strictly necessary cookies and similar technologies to make zenwallclocks.com work. We do not use advertising, profiling or tracking cookies. Because we only use strictly necessary technologies, we do not display a cookie consent banner — this is permitted under the Privacy and Electronic Communications Regulations (PECR).
| Item | Purpose | Type / Duration |
|---|---|---|
| session (Flask) | Keeps your shopping cart and login state | Session cookie; cleared when you close your browser |
| __stripe_mid, __stripe_sid | Stripe payment fraud prevention | Set by Stripe during checkout. See Stripe's privacy policy. |
| Umami analytics | Aggregate page-view counts and referrers | No cookies set. Sessions identified server-side via a daily-salted hash that cannot be linked back to you. |
You can block or delete cookies in your browser settings. If you block our session cookie, your shopping cart will not work; if you block Stripe's cookies, you will not be able to complete payment.
9. Your Rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Have inaccurate personal data corrected
- Have personal data deleted (subject to legal retention obligations)
- Restrict or object to certain processing
- Receive your data in a portable format
- Withdraw consent (where consent was the basis for processing)
- Complain to the Information Commissioner's Office
To exercise any of these rights, email [email protected]. We will respond within one month.
10. Additional Information for U.S. Residents
If you reside in the United States, the following additional information applies. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and similar laws in Virginia, Colorado, Connecticut, Utah, and a growing list of other states give you specific rights over your personal information. We honour these rights for residents of any U.S. state, regardless of whether your state has passed a comparable law.
Categories of personal information we collect
In the past 12 months we have collected the following CCPA categories of personal information from the sources shown:
| Category | Examples | Source |
|---|---|---|
| Identifiers | Name, email, billing/shipping address, phone, IP address | You; your browser |
| Customer records (Cal. Civ. Code §1798.80(e)) | Name, address, payment-card last four digits | You; Stripe |
| Commercial information | Products purchased, design choices for each clock | You |
| Internet or other electronic network activity | Pages visited, aggregate referrer data | Your browser; Umami analytics |
| Geolocation (general / city-level only) | Inferred from IP address for shipping estimates | Your browser |
We do not collect biometric data, sensitive personal information as defined by CPRA (race, religion, precise geolocation, government IDs, financial account log-ins, contents of mail, health information, sexual orientation, etc.), or information about anyone we know to be under 16.
Business and commercial purposes
We use the personal information described above to fulfil your order, take payment, deliver the clock, respond to your enquiries, detect fraud, and understand aggregate site usage. We do not use your personal information for cross-context behavioural advertising or for our own targeted advertising.
Sale or sharing of personal information
We do not sell your personal information and we do not share it for cross-context behavioural advertising. (CPRA's "sharing" definition covers sharing for targeted advertising — it does not cover sharing with the processors listed in Section 5 to fulfil your order, which is permitted.)
Because we do not sell or share your personal information, the "Do Not Sell or Share My Personal Information" link required by CPRA is not applicable. If this changes in the future we will add the required link before any sale or sharing begins.
Your U.S. privacy rights
Under CCPA/CPRA and similar state laws, you have the right to:
- Know what categories of personal information we have collected about you, the sources, and the third parties we shared it with
- Receive a copy of the specific personal information we have collected about you in the past 12 months
- Request deletion of personal information we hold about you
- Request correction of inaccurate personal information
- Limit our use of sensitive personal information (we do not collect any, so this right is not relevant in practice)
- Opt out of any sale or sharing for targeted advertising (we do neither)
- Not be discriminated against for exercising any of these rights
How to exercise your rights
Email [email protected] with the request and the email address you used to place your order. We verify your identity by matching the request against our order records, then respond within 45 days (extendable by a further 45 days for complex requests, with notice). If you use an authorised agent, please include their written authorisation.
Right to appeal
If we deny your request, you may appeal by replying to our denial within 60 days. We will respond within 45 days. If you remain dissatisfied, you may complain to your state's Attorney General, the California Privacy Protection Agency (if you are a California resident), or the Federal Trade Commission at ftc.gov.
11. Security
We protect personal data with appropriate technical and organisational measures including TLS encryption in transit, encrypted database backups, restricted access on a need-to-know basis, and reputable processors (Stripe, Cloudflare, Railway). No system is perfectly secure; if a breach occurs that is likely to risk your rights, we will notify the ICO and you as required.
12. Changes to This Notice
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes we will notify customers by email where possible.
13. Contact
Questions about this notice or your data? Email [email protected].