Legal

Privacy Policy

Last updated: 5 June 2026

Orizu Studio (“Orizu Studio”, “I”, “me”) is a freelance web design and development practice run by Kene Orizu, based in London, United Kingdom. This policy explains what personal data I collect when you visit orizustudio.co.uk or get in touch about a project, why I collect it, and what your rights are. It is written to meet the UK GDPR and Data Protection Act 2018, the EU General Data Protection Regulation (GDPR), and the main US state privacy laws — including the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and equivalent laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA).

I am the data controller for the information described below. If anything here is unclear, email me at orizustudio@gmail.com and I’ll answer in plain English.

1. What I collect

I try to collect as little as possible. In practice, that means:

  • Information you give me through the contact form— your name, email address, the service you’re interested in, an indicative budget, where you heard about me, and the details of your project.
  • Information you give me by email — anything you choose to send when you reach out directly, including attachments.
  • Technical data from your browser — IP address, browser type, device type, and pages visited. This is logged by my hosting provider (Vercel) as part of normal request handling and security.

I do not run third-party advertising trackers. I do not sell, rent, or trade personal data, ever.

2. Why I use it

  • To reply to your enquiry and scope your project.
  • To deliver work I’ve been commissioned to do and to invoice for it.
  • To keep records required by HMRC and UK accounting law.
  • To keep the site secure and to debug technical issues.

My lawful bases under UK GDPR and EU GDPR are consent (when you submit the contact form), performance of a contract (when we’re working together), legal obligation (tax records), and legitimate interest(running and securing the website). For US visitors, processing happens because you’ve asked me to respond, because we’re working together, or to comply with the law.

3. Who I share it with

I use a small number of trusted suppliers to actually run the business. Each one only sees the data they need to do their specific job:

  • Vercel — hosts the website and handles request logs.
  • Google Workspace (Gmail) — handles email correspondence.
  • Stripe — processes any invoice payments. Stripe receives the data needed to take the payment; I never see your full card details.
  • HMRC and my accountant — where required by UK tax and accounting law.

Some of these providers store or process data outside your country — including in the United States and the European Union. Where data leaves the UK or EEA, transfers are protected by an adequacy decision (such as the UK–US Data Bridge and the EU–US Data Privacy Framework) or by Standard Contractual Clauses with appropriate supplementary safeguards. I do not sell, rent, share, or otherwise disclose your personal information for cross-context behavioural advertising or any other commercial purpose.

4. Cookies

This site does not set marketing or advertising cookies. It uses only the strictly necessary cookies required for the site to load and function (for example, a session cookie from the host). If that ever changes, I’ll add a cookie banner that asks first.

5. How long I keep it

  • Contact form enquiries that don’t turn into a project: up to 12 months, then deleted.
  • Client correspondence and project files:for the duration of the project and up to 7 years afterwards, so I can honour any warranty period and meet HMRC’s record-keeping requirements.
  • Invoices and payment records: 7 years (HMRC requirement).
  • Server logs: typically 30 days, then rotated out.

6. Your rights

Your rights depend on where you live. To exercise any of them, email orizustudio@gmail.com and tell me which country or US state you’re in so I can verify your request. I’ll respond within 30 days (UK/EU) or 45 days (US), and I won’t discriminate against you for exercising any right.

6a. United Kingdom & European Union (UK GDPR / EU GDPR)

  • Access— ask what data I hold about you and get a copy.
  • Rectification— have inaccurate or incomplete data corrected.
  • Erasure (“right to be forgotten”)— have your data deleted where there’s no legal reason to keep it.
  • Restriction— tell me to pause processing while a dispute is resolved.
  • Objection— object to processing based on legitimate interests or direct marketing.
  • Portability— receive your data in a structured, machine-readable format and have it sent elsewhere where technically feasible.
  • Withdraw consent— at any time, where consent is the lawful basis.
  • Not be subject to solely automated decisionswith legal or similarly significant effects. (I don’t make any.)

6b. California (CCPA / CPRA)

If you’re a California resident, you have the right to:

  • Knowwhat personal information I’ve collected about you in the last 12 months, the categories of sources, the purposes, and any third parties I share it with.
  • Deletepersonal information I’ve collected, subject to legal exceptions (such as tax records).
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information for cross-context behavioural advertising. I do not sell or sharepersonal information as those terms are defined under the CPRA, so there is nothing to opt out of — but the right exists if that ever changes.
  • Limit the use of Sensitive Personal Information.I don’t use sensitive personal information for any purpose beyond providing the services you’ve asked for.
  • Non-discrimination— I won’t deny services, charge different prices, or provide a different quality of service because you exercised any of these rights.
  • Authorise an agent to make a request on your behalf, with written proof.

6c. Other US states (VCDPA, CPA, CTDPA, UCPA, TDPSA)

Residents of Virginia, Colorado, Connecticut, Utah, and Texas have substantially the same rights:

  • Confirm whether I’m processing your personal data and access a copy.
  • Correct inaccuracies in your personal data.
  • Delete personal data I’ve collected.
  • Receive a portable copy of your personal data.
  • Opt out of the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects. I don’t do any of these, but the right applies.
  • Appeal a refusal — if I decline a request, I’ll explain why and tell you how to escalate to your state Attorney General.

7. How I keep it safe

Data in transit to and from this site is encrypted with HTTPS. Email correspondence is held in a Google Workspace account protected by two-factor authentication. Client files are kept in access-controlled storage. I keep things lean on purpose — fewer copies of your data means fewer places it can go wrong.

8. Complaints

If you’re unhappy with how your data has been handled, please tell me first so I can put it right. You can also complain to the relevant regulator:

  • UK — Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint.
  • EU/EEA— your national data protection authority. You can find yours via the European Data Protection Board: edpb.europa.eu.
  • California — the California Privacy Protection Agency (CPPA) at cppa.ca.gov or the California Attorney General at oag.ca.gov/privacy.
  • Other US states— your state Attorney General’s office.

9. Changes to this policy

I’ll update this page whenever the way I handle data changes meaningfully. The “Last updated” date at the top will always reflect the latest version.

Contact

Kene Orizu · Orizu Studio · London, UK
orizustudio@gmail.com