Privacy Policy
Last updated: 5 November 2025
Controller: Muruga Ltd (trading as Custom Comic Shop)
Contact (data protection): contact@customcomic.shop
1. Introduction – short summary
Custom Comic Shop (Muruga Ltd.) (“we”, “us”, “our”) creates bespoke comics from images and stories you upload. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, how long we keep it, and your rights under the UK GDPR and data protection law. If you have questions about this Policy or want to exercise any rights, contact contact@customcomic.shop.
Key points (short):
We process images and story text to produce the comic you ordered (lawful basis: performance of contract).
Reference photos are deleted within 14 days after final delivery unless you opt in to longer storage for marketing/portfolio. This retention is limited and documented. (See Data Retention Schedule.)
If an uploaded image shows a child under 13, we will only process that data with parental consent and additional safeguards.
We use Stripe for payments and third-party printers for fulfilment; their privacy and processor roles are explained below.
2. Data controller
Muruga Ltd is the data controller for personal data processed in connection with orders placed at customcomic.shop.
3. Categories of personal data we collect
We collect and process different categories of personal data depending on your interaction with us:
Identity & contact data: name, billing & delivery address, email, phone.
Order & payment data: order history, transaction ID, payment processor metadata (we do not store full payment card numbers – these are handled by Stripe).
Images & story content: photos you upload, names and narrative text used to create the comic. This may include special categories of personal data only where you voluntarily provide them (e.g., health details in story text – see Section 6).
Communications: customer service messages, preview approvals (email records), complaints, reviews (if you opt in). Personal data (including uploaded photographs, order information, and communication via email/WhatsApp) is processed in accordance with this Privacy Policy and in compliance with UK GDPR.
Technical & security logs: IP addresses, cookies, access logs and device/browser metadata.
4. Lawful bases for processing
We rely on the following lawful bases under UK GDPR:
Performance of a contract: to fulfil the contract when you place an order (produce, print, and deliver your comic). This covers processing images and story text necessary to produce the product.
Consent: for marketing communications, and for any optional uses of images (e.g., portfolio/marketing) that are not necessary to fulfil the order – this is obtained via an explicit opt-in. For processing of children’s data where consent is needed, parental consent will be required for under-13s.
Legal obligation: where we must keep records for tax, accounting and legal compliance (e.g., HMRC record keeping).
Legitimate interest: in limited cases such as fraud prevention, site security, defence of legal claims – where we balance our interests against your privacy. We will document any legitimate-interest assessment.
5. How we use your data (high-level)
We use personal data to:
Accept and process orders, create previews, fulfil and deliver goods (performance of contract).
Communicate with you about your order, send receipts, confirmations, and provide customer service.
Process payments using Stripe (processor) and keep payment transaction records for accounting and possible disputes.
Perform fraud checks and enforce our Terms & Conditions.
Comply with legal obligations (tax, accounting, dispute resolution).
With your explicit consent, use images/finished comics for marketing and portfolio purposes.
6. Special categories & sensitive content
If you include sensitive personal data (special category information) in stories or images (for example health-related details), we will only process that data if you explicitly tell us and provide a lawful basis (usually explicit consent). We discourage submission of unnecessary special category data. If a child under 13 is pictured, we will require parental consent before processing.
7. Automated decision-making & use of AI
We use AI tools to assist in generating artwork from images and textual prompts. Important points:
We do not make decisions that have legal or similarly significant effects about you based solely on automated processing (for example we will not refuse or materially change an order due to a fully automated decision). You have the right not to be subject to solely automated decisions.
Where AI is used to generate images, all outputs go through human review and approval before production to reduce copyright, safety, and accuracy risks. We keep logs of prompts and versions for quality control and to support any required investigations or DPIA documentation. See our DPIA summary below.
8. Sharing personal data – processors & third parties
We share personal data only where necessary and under contracts that require processors to follow privacy law:
Payment processor: Stripe (payments and transaction records). Stripe is a separate data controller/processor for payment card handling – see Stripe’s privacy info.
Printers & fulfilment partners: e.g., Mixam (or local printers). We pass images, delivery addresses and order details needed to fulfil printing and delivery. We put contractual safeguards in place with printers to require appropriate security and limited use.
Freelancers / contractors: design, editing or moderation contractors who work under contract and IP/data-processing clauses (they sign confidentiality and IP assignment agreements).
Legal & regulatory: if required by law, court order or to defend legal claims.
If we transfer personal data outside the UK, we will rely on an adequacy decision, Standard Contractual Clauses, or another lawful safeguard and will document the measures taken.
9. Data security
We use appropriate technical and organisational measures (encryption in transit and at rest where possible, access controls, logging, limited staff access, vetted processors) to protect personal data. Access to images and order data is restricted on a need-to-know basis. We also maintain incident response procedures and will follow ICO guidance on breach handling and reporting. If a notifiable breach occurs, we will report it to the ICO without undue delay and not later than 72 hours from discovery, where required.
10. Data Protection Impact Assessment (DPIA)
Because our processing uses AI with customer photographs (which can be high-risk), we carry out and document a DPIA to identify and mitigate risks (security, fairness, children’s data, IP concerns). The DPIA is available to our DPO/solicitor on request and will be revisited when we change significant parts of the AI pipeline. See ICO guidance on AI and DPIAs.
11. Your rights
Subject to legal exemptions, you have the following rights:
Right to be informed (this Policy).
Right of access to personal data we hold about you.
Right to rectification of inaccurate data.
Right to erasure (“right to be forgotten”) – where legal grounds allow (note: we may retain limited records for legal/tax reasons).
Right to restriction of processing.
Right to data portability (where applicable).
Right to object to processing (for direct marketing or where processing is based on legitimate interests).
Rights in relation to automated decision making and profiling (we do not carry out solely automated decisions with legal/similar effects).
To exercise your rights, email contact@customcomic.shop. We will respond within the legal timescales (usually one month; extended in complex cases with notice). If you remain unhappy you can complain to the Information Commissioner’s Office (ICO).
12. How long we keep your data – summary
We retain data only for as long as needed for the purposes set out in Section 5 and to meet legal obligations (e.g., HMRC). See the detailed Data Retention Schedule below for specific categories and retention periods. HMRC/company accounting rules require retention of accounting records for 6 years in many circumstances.
13. Children
We do not knowingly provide services directly to children under 13 without verified parental consent. If a child under 13 is pictured in an upload, we will request parental consent before processing that image, and we will apply extra safeguards to protect the child’s privacy. For children aged 13+, the child may give consent themselves for an information society service (ISS), but we will make reasonable efforts to verify this.
14. Changes to this Policy
We may update this Policy from time to time. When we make material changes we will post the updated Policy on our website with a revised “Last updated” date.
15. Contact & complaints
Data protection contact: contact@customcomic.shop.
If you are unhappy with our response you can complain to the ICO (www.ico.org.uk).
Data Retention Schedule – Custom Comic Shop (Muruga Ltd.)
1. Overview & General Principles
This Data Retention Schedule outlines how long Custom Comic Shop retains personal data and the legal justification for doing so.
We apply the principle of storage limitation and retain personal data only for as long as necessary to:
Fulfil the purpose for which it was collected, or
Meet legal, regulatory, or contractual obligations.
Retention periods are normally calculated from the date of final delivery of the order, unless stated otherwise.
Important notes:
Backup copies may persist temporarily; personal data will be removed from backups as soon as reasonably practicable.
Retention may be extended in exceptional circumstances such as:
Legal holds
Litigation
HMRC or regulatory investigations
Any such extension will be documented and justified.
2. Categories of Data & Retention Details
Order Records
Examples:
Name, email address, postal address, order details, invoices.
Purpose:
Order fulfilment
Accounting and financial records
Tax audits
Customer service and dispute handling
Retention Period:
6 years from the end of the financial year in which the order was completed.
Legal Basis:
Legal obligation (tax and accounting laws)
Performance of contract
Payment Transaction Metadata
Examples:
Stripe transaction IDs, payment status, last 4 digits of card (no full card data stored).
Purpose:
Proof of payment
Chargeback and fraud defence
Accounting records
Retention Period:
6 years, aligned with order records.
Legal Basis:
Legal obligation
Performance of contract
Uploaded Reference Photos & Story Text
Examples:
Customer-uploaded images and text used to create personalised comics.
Purpose:
Comic creation and production
Quality control
Handling disputes or corrections
Retention Period:
Deleted permanently within 14 days after final delivery
Exception: If the customer explicitly opts in to longer storage for marketing or portfolio use, the data is retained until the customer opts out.
Legal Basis:
Performance of contract (production)
Consent (for marketing/portfolio use)
Storage limitation principle
Justification:
A 14-day period is required for operational needs such as production checks, revisions, and dispute resolution. This aligns with ICO guidance when properly documented.
Approved Previews & Production Approvals
Examples:
Email confirmations, timestamps, or records confirming customer approval.
Purpose:
Evidence of customer approval
Contract performance verification
Dispute resolution
Retention Period:
6 years, aligned with order records.
Legal Basis:
Legal obligation
Evidence of contract performance
Customer Support Correspondence & Complaints
Purpose:
Handling customer queries and complaints
Legal defence
Service improvement
Retention Period:
3 years, or
Aligned with the relevant order record if the complaint relates to a specific order.
Legal Basis:
Legitimate interest
Performance of contract
Marketing Data
Examples:
Email marketing lists and consent records.
Purpose:
Sending marketing communications where consent has been provided.
Retention Period:
Until consent is withdrawn
Consent reviewed annually and refreshed where appropriate.
Legal Basis:
Consent
Right to withdraw consent at any time
Fraud Prevention Records & IP Logs
Purpose:
Fraud detection
Security monitoring
Investigation of suspicious activity
Retention Period:
2 years, or longer if required for an active investigation.
Legal Basis:
Legitimate interest
Legitimate Interest Assessment (LIA) documented
Access Logs & Security Logs
Purpose:
System security monitoring
Incident investigation
Retention Period:
12 months, or longer if required for an ongoing security investigation.
Legal Basis:
Legitimate interest
Security and system integrity
Backups
Purpose:
Disaster recovery
Business continuity
Retention Period:
Encrypted backups retained according to the backup policy
Maximum of 90 days (typical)
Notes:
Personal data in backups may persist briefly but will be overwritten or deleted automatically as part of backup cycles.
Legal Basis:
Operational necessity
Security safeguards applied
Employee & Payroll Records (If Applicable)
Purpose:
Employment administration
Tax and pension compliance
Retention Period:
6 years, or as required by employment law.
Legal Basis:
Legal obligation
Data Incident Records & DPIA Documentation
Purpose:
Regulatory compliance
Evidence for ICO or legal investigations
Retention Period:
At least 3 years after closure of the incident, or longer if legally required.
Legal Basis:
Regulatory compliance
Accountability principle
Data Protection Rights Requests (DSARs)
Examples:
Access, rectification, or erasure requests.
Purpose:
Evidence of compliance with data protection rights
Retention Period:
3 years after the request is closed.
Legal Basis:
Regulatory compliance
Accountability
3. Summary & ICO Compliance Justification
ICO guidance requires organisations to:
Justify data retention periods
Apply storage limitation under UK GDPR
Custom Comic Shop’s 14-day retention of uploaded images and story content is justified for:
Production
Quality checks
Dispute resolution
All such data is securely deleted thereafter, unless explicit customer consent is obtained for extended storage (e.g., marketing or portfolio use).
Custom Comic Shop
contact@customcomic.shop
+44 7503 217273
