Andy Webb Art (“I”, “me”, “my”) is committed to the protection of your privacy and the security of your personal data.

This policy explains how I handle and use the data I collect from you in order to fulfil my obligations in a manner consistent with your rights under the law, including the General Data Protection Regulation (GDPR), effective from 25th May 2018.


The data controller is Andrew Webb, trading as Andy Webb Art from 22 Briary Lane, Royston, Hertfordshire SG8 9BX. is owned and operated by Andrew Webb, hosted in the UK by IONOS and powered by WordPress

My ecommerce platform is provided by WooCommerce (part of WordPress,  owned by Automattic Inc.


I collect information you give me voluntarily when you enlist my services, place an order, or contact me directly by email, phone, letter or via social media. This information may include your name, address, email address and phone number, or the name, address, email address and phone number of a third party on behalf of whom you are purchasing my goods or services.

My website also collects information about each visit you make using cookies. Cookies are small text files that are placed on your device to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping baskets, and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. I suggest consulting the Help section of your browser or looking at which offers guidance for all modern browsers


I only use your information for the specific purpose indicated at the point of consent i.e. when you provide information voluntarily in order to receive goods, services or information from me. For example, if you have placed an order with me, I may contact you to update you on the status of that order, but you will not receive other communications from me unless you have explicitly asked to receive them.

In order to fulfil my obligations to you when supplying goods, services or information, I will share your information with certain third-party service providers such as couriers and postal services.


All payments made on my website are processed through Stripe and PayPal. These companies process your payment details on my behalf – you can view their data protection policies at and

I do not store any customer payment information (i.e. debit or credit card details) on my own servers – these details are held in my accounts with Stripe and PayPal and are tokenized, ensuring they cannot be viewed by any third-party, including me.


I take the issue of data security very seriously and have put all reasonable measures in place to prevent your personal information from being lost, stolen or otherwise accessed, altered or transferred without your authorisation.

My website is SSL certificated, which means all data you provide is fully encrypted to prevent it being read by third parties. Your web browser will indicate that my site provides a secure ecommerce environment by showing a locked padlock icon. Once I have received your information I will use strict procedures to keep it secure and safe – please be aware however that the transmission of data via the internet can never be 100% secure and is done entirely at your own risk

Access to your information is strictly limited to those employees and aforementioned third-parties who have a need to know in order for me to fulfil my obligations to you.

I have put processes in place to identify any suspected security breach and will notify you and the Information Commissioner’s Office (ICO) of any such breach in cases where I am legally required to do so.


Your data is stored on secure servers hosted in the UK, or, where you have given consent, either by entering payment details to complete a purchase, or by opting in to an email newsletter, it will be handled by our third-party processors both inside and outside the EU to fulfil the specific purpose understood at the point of consent. This includes PayPal (EU) and Stripe (US). Stripe is certified to the EU-US and Swiss-US Privacy Shield Framework.

I will retain your data for as long as is necessary to fulfil my obligations to you, or as long as you permit me to keep it. I will review the data I hold on an annual basis and delete any personal information that no longer serves a purpose useful to you.


You have the following rights under the GDPR:

Right to withdraw consent – you can withdraw consent previously given at any time by contacting me directly or opting out from marketing emails

Right to access – you can request a copy of the personal information I hold on you to check that I am lawfully processing it

Right to rectification – you can request that I correct any incomplete or inaccurate information I hold on you

Right to erasure (the right to be forgotten) – you can request that I delete or remove your personal data where there is no legitimate reason for me to continue to process it, both from my database and those of any third-parties who have accessed your information

Right to object to processing – you can request that I stop processing your personal information where you believe your situation warrants it, even though I have a legitimate reason to do so. You can request that I suspend processing of your personal information if you want me to verify its accuracy or the reason for processing it. You can also object to certain types of processing, e.g. direct marketing and decisions based solely on automated processing

Right to data portability – you can request that I transfer or copy your data to another party


I make no guarantee that my website and social media pages are free from errors, defects or viruses and accept no liability for any losses that may occur from reliance on information contained within those sites.

My website may contain links to the websites and/or social media pages of other organisations, such as retailers or media outlets. Please note that I bear no responsibility for the web content or privacy policies of these organisations and advise caution when visiting them.


I reserve the right to review and amend this privacy policy at any time; any changes will be posted on this page, which you should refer back to regularly.


To exercise your rights as laid out in this policy, or to make any other enquiry or request, please email me at

This policy was last updated on 22nd June 2020