Skip to content
⚠ Dev mock mode, checkout doesn't charge, emails log to console, all auth is fake ⚠ Dev mock mode

Privacy & GDPR

Last updated: 2026-06-29

I'm Ulf, one carver, one shop. I keep as little personal data about you as is needed to ship your order, answer your email, and meet my legal obligations. This page is written so that an EU customer, including those in Germany, the Netherlands, Poland and France where most of my buyers live, can see exactly what I do with their data and how to ask me to change it. It is written to comply with the EU General Data Protection Regulation (EU 2016/679, "GDPR") and the equivalent UK GDPR.

1. Who is responsible (data controller)

The data controller for the personal data processed through this site is the operator of ULF WoodART, a sole craftsperson trading under that name. You can reach me for any data-protection matter at hello@ulfwoodart.com. The postal address registered with my tax authority will be added here once company registration is complete. I do not have a designated Data Protection Officer because the scale of processing does not meet the GDPR Art. 37 thresholds, but I personally answer every data subject request within the statutory 30 days.

2. What personal data I collect

I distinguish between data you actively give me and data the site collects automatically when you visit.

2.1 Data you give me

  • Order data. Email address, shipping name and address, phone number (only where the carrier requires it), and a record of what you bought and what you paid. Required to fulfil the contract.
  • Account data (if you create one). Email address, an optional display name, and a record of your sign-ins through Clerk. Required only if you want a saved order history and wishlist; guest checkout is always available.
  • Wishlist data. A list of product IDs you've saved. If you haven't created an account, this lives only in your browser; once you sign in it is merged into your account row.
  • Custom-order inquiry. Whatever you write in the commission form (name, email, message). Used solely to answer you.
  • Payment data. When you pay, your card or PayPal details go directly to Stripe or PayPal, I never see them and I do not store card numbers on this site.

2.2 Data collected automatically

  • Technical logs. Cloudflare records IP address, request URL, user agent, and timestamp for every request. These logs are kept for up to 30 days and are used only to operate the service and investigate abuse.
  • Cookies. A small number of strictly necessary cookies (session, locale preference, cookie-consent state). Analytics cookies are not set until you give consent (see §6).
  • Analytics. Once you consent, anonymous page views, country, and aggregated interaction events flow to PostHog (and as a fallback Google Analytics). No identifiers tying these events to your account are sent.

I do not collect special-category data (race, religion, health, etc.) and I have no interest in profiling you. There is no automated decision-making (GDPR Art. 22) on this site.

3. Why I process it, and on what legal basis

  • To ship your order and provide customer service, GDPR Art. 6(1)(b), performance of a contract.
  • To meet tax and accounting obligations, Art. 6(1)(c), legal obligation. Invoices and order records are retained for the legal period (see §5).
  • To run and secure the site (logs, fraud monitoring, error reporting), Art. 6(1)(f), legitimate interest. My interest is in keeping the shop online and free from abuse; this interest does not override your rights and freedoms because the data is minimal and technical.
  • To send transactional emails (order confirmation, shipping update, reply to your inquiry), Art. 6(1)(b), performance of a contract or pre-contractual steps.
  • To run analytics and measure how the site performs, Art. 6(1)(a), your consent. You can withdraw consent at any time via the cookie banner.
  • To send a one-off "we shipped your piece" follow-up or restock note, Art. 6(1)(a), consent (only if you opted in at checkout). Never used for unrelated marketing.

4. Who I share your data with (processors and transfers)

I use a small set of third-party processors. Each one is bound by a Data Processing Agreement that meets GDPR Art. 28 requirements. I do not sell your data, ever.

  • Stripe Payments Europe Ltd. (Ireland) / Stripe Inc. (USA). Processes card payments. They see your card number, billing address, and payment metadata. Standard Contractual Clauses cover the EU→US transfer where the data leaves the EEA.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg). Processes PayPal payments. They see your PayPal identifier and the order total.
  • Resend, Inc. (USA). Sends transactional emails. They see your email address and the body of the message I send you.
  • Clerk, Inc. (USA). Handles sign-in for customer accounts and admin. They see your email and a hashed credential, they don't see your orders.
  • Cloudflare, Inc. (USA, with EU data centres). Hosts the site, the order database (D1), and the image storage (R2). EU traffic is served from EU edges where possible.
  • PostHog Inc. (USA, EU region available) and as a fallback Google Ireland Ltd. / Google LLC (USA). Aggregate analytics and technical error reports so I can fix bugs. Analytics is disabled by default; enabled only after you consent.
  • The carrier you choose at checkout (e.g. DHL, PostNL, DPD, La Poste, Deutsche Post). They see your shipping address and contact details.

For transfers outside the EEA, I rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, on adequacy decisions. You can request a copy of the relevant safeguards by emailing me.

5. How long I keep it

  • Order records and invoices, kept for the period required by EU tax law in my country of establishment, typically 7 to 10 years. After that they are deleted.
  • Account data, kept while your account is active. If you delete your account I remove the row immediately; order history tied to a legal obligation (above) is anonymised rather than deleted in place.
  • Wishlist data, kept while you keep the items on it. Local wishlist cookies expire after 1 year of inactivity.
  • Custom-order inquiries, kept for 2 years from your last message, then deleted.
  • Technical logs, kept for up to 30 days, then deleted by Cloudflare's rolling retention.
  • Analytics, aggregated; individual sessions purged after 12 months.

6. Cookies and consent

On your first visit you'll see a cookie banner. Strictly necessary cookies (session, locale, consent) are set without consent, they're required for the site to work. Analytics and any optional cookies are blocked until you click "Allow". You can change your mind at any time by clearing the consent cookie or re-opening the banner from the footer.

I do not use advertising cookies, fingerprinting, or third-party trackers beyond the analytics named in §4.

7. Your rights under the GDPR

You have the following rights regarding the personal data I hold about you. To exercise any of them, email me at hello@ulfwoodart.com. I respond within 30 days at the latest and the service is free, except in the rare case of manifestly unfounded or excessive requests (Art. 12(5)).

  • Right of access (Art. 15), a copy of the personal data I hold about you and a summary of how I use it.
  • Right to rectification (Art. 16), correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten", Art. 17), deletion of your data where one of the GDPR grounds applies. Note that tax-retained order records can be anonymised but not erased before the statutory period ends.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20), a machine-readable export of the data you gave me.
  • Right to object (Art. 21), particularly to any processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)), at any time, without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint with a supervisory authority (Art. 77), you can complain to your national data protection authority. A directory is at edpb.europa.eu/about-edpb/about-edpb/members_en.

8. Security

The site is served over HTTPS only. Customer accounts are authenticated by Clerk using industry-standard JWT and JWKS, with all credentials stored on their side. Card numbers never reach my servers. The order database is hosted on Cloudflare D1 with daily encrypted backups. Admin access is restricted to a hard-coded allow-list and gated by Clerk. I patch dependencies on a rolling basis.

9. Children

This shop is not directed at children. I don't knowingly process personal data of anyone under 16. If you believe a child has provided me with their data, email me and I will delete it.

10. Changes to this policy

I'll post any changes here, with a new "last updated" date at the top. Material changes (new processors, new legal basis, broader purposes) are announced in advance where I have a way to reach you, typically by a banner on the site or, for account holders, by email.

11. Contact

For any privacy question, complaint, or data-subject request, write to hello@ulfwoodart.com. I'll respond within 30 days at the latest, and usually within a few business days.

This text reflects current practice but is not yet a substitute for a lawyer-reviewed policy. Before going public in the EU I'll have a German/Dutch/Polish/French solicitor review it for jurisdiction-specific wording.

Wyrzeźbmy coś, czego jeszcze nie ma.

Imię w runach, bóstwo, którego nie ma w katalogu, kawałek na twój ołtarz. Powiedz, co masz na myśli, a podam ci drewno i czas oczekiwania.

Zamów rzeźbę