Privacy Policy
Last updated: 5 July 2026
This policy explains how Kisako Kito, trading as Kisako Artworks ("we", "us", "our"), collects and uses personal data when you browse our website, contact us or buy from us. We are the data controller for the personal data described in this policy.
If you have any questions about privacy, contact us at [email protected].
Personal data we collect
Depending on how you use the shop, we may collect:
- order and checkout details, such as your name, email address, delivery address, billing details, phone number, order contents and order history;
- payment status and transaction references. Payments are handled through Square and WooCommerce; we do not receive or store your full card details;
- delivery and fulfilment details, including tracking information where a tracked service is used;
- messages you send to us by email or through the contact form on our WordPress/WooCommerce site;
- marketing preferences and email address if you choose to sign up to marketing or newsletter emails;
- basic technical and security information, such as IP address, browser type, device information, request logs and error logs; and
- aggregate website analytics and performance information collected through Cloudflare Web Analytics.
How we use personal data
We use personal data for the following purposes and lawful bases:
- to process orders, take payment, arrange delivery, handle returns and provide customer service: performance of a contract;
- to keep accounting, tax and business records: legal obligation;
- to respond to enquiries, run the shop, keep the website secure, prevent misuse and understand basic site performance: legitimate interests; and
- to send opt-in marketing or newsletter emails: consent. You can withdraw that consent at any time by using the unsubscribe link in the email or by contacting us.
Marketing
We only send marketing or newsletter emails if you have opted in. Buying from us does not automatically subscribe you to marketing emails. We use Brevo to manage opt-in marketing emails, unsubscribe requests and suppression records.
We do not sell your personal data, use advertising pixels or profile you for advertising.
Cookies, local storage and analytics
The shop uses necessary cookies and similar storage so that the website, cart and checkout work. The WooCommerce Store API may use a session cookie, and this site stores WooCommerce cart session tokens in your browser's local storage so your cart can be maintained while you browse and proceed to checkout.
We use Cloudflare Web Analytics for basic aggregate analytics and performance reporting. Cloudflare states that its Web Analytics service does not use cookies or local storage to collect usage metrics.
If we add advertising pixels or other non-essential tracking in the future, we will update this policy and use the required consent controls before those technologies are enabled.
Who we share personal data with
We share personal data only where needed to run the shop, fulfil orders, meet legal obligations or protect our rights. This may include:
- WooCommerce and WordPress, which handle the shop backend and checkout;
- Square, which processes payments;
- Lettermint, which helps send transactional order and support emails;
- Brevo, which manages opt-in marketing emails;
- Cloudflare, which provides analytics, security or infrastructure services;
- hosting, DNS, security, backup and technical service providers;
- postal, courier or fulfilment providers used to deliver orders;
- font and website asset providers, such as Google Fonts; and
- accountants, legal advisers, insurers, banks, payment partners, regulators or public authorities where necessary.
International transfers
Some service providers may process personal data outside the United Kingdom. Where that happens, we rely on appropriate safeguards, such as UK adequacy regulations, approved contractual terms or the provider's lawful transfer mechanism.
How long we keep personal data
- Order, payment, delivery and accounting records are usually kept for 6 years so we can meet tax, accounting and legal obligations.
- General enquiries and contact-form messages are usually kept for up to 2 years, unless we need them for an order, dispute, legal issue or ongoing customer-service matter.
- Marketing records are kept until you unsubscribe or withdraw consent. We may keep a suppression record so we know not to email you again.
- Technical and security logs are usually kept for up to 90 days, unless we need to keep them longer to investigate abuse, fraud, security incidents or legal claims.
Security
We use reasonable technical and organisational measures to protect personal data. Payment card details are handled by Square and WooCommerce through the checkout process, not stored by us.
Customer accounts
Checkout is intended to work without requiring a customer account. If optional account features are added later, we will update this policy to explain the account data we collect and how it is used.
Your rights
Under UK data protection law, you may have the right to access, correct, erase, restrict or object to the use of your personal data, and to data portability.
You can object to our use of your personal data where we rely on legitimate interests. You can also object to direct marketing at any time.
You have the right to withdraw consent where we rely on consent, such as for opt-in marketing emails. You can withdraw that consent at any time by using the unsubscribe link in the email or by contacting us.
To exercise your rights, contact [email protected]. You can also complain to the Information Commissioner's Office (ICO) at ico.org.uk.
Changes to this policy
We may update this policy from time to time, for example if we change service providers or add new website features. The latest version will be published on this page.