Privacy Policy
Last updated: April 2026
1. Who we are
Dear Atlas is a trading name of Helium Systems Ltd (“we”, “us”, “our”). We are the data controller for the personal data collected through this website.
- Website: dearatlas.studio
- Data protection enquiries: privacy@dearatlas.studio
- General enquiries: hello@dearatlas.studio
2. What data we collect
We collect the following categories of personal data:
Order information
- Email address
- Shipping address (name, street address, city, postcode, country)
- Order details (style, size, material, framing, title text)
Location data
- Latitude and longitude coordinates of the address you choose for your poster. These coordinates are essential to produce your print.
Payment information
- Payment is processed securely by Stripe. We never see, handle, or store your full card number, CVV, or other sensitive payment details. We receive only a confirmation of payment and a partial card reference for customer service purposes.
Account information (optional)
- If you choose to create an account: name, email address, account preferences, and saved designs
Rendered images
The poster images we produce for your order encode a specific geographic location (your chosen address) via the map rendering. We treat rendered images as personal data because they reveal a home address. These images are subject to the same protections and retention policies as other personal data.
3. Why we collect your data and our lawful basis
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for processing your personal data. The bases we rely on are:
| Data | Purpose | Lawful basis |
|---|---|---|
| Email, shipping address | Order fulfilment and delivery | Contract performance (Art. 6(1)(b)) |
| Latitude/longitude coordinates | Producing the map poster | Contract performance (Art. 6(1)(b)) |
| Order details | Producing and tracking your order | Contract performance (Art. 6(1)(b)) |
| Payment confirmation | Processing payment | Contract performance (Art. 6(1)(b)) |
| Account data | Account creation and management | Consent (Art. 6(1)(a)) |
| Email (marketing) | Marketing communications | Consent (Art. 6(1)(a)) — opt-in only |
| Anonymous usage data | Website analytics | Legitimate interest (Art. 6(1)(f)) |
| Financial records | Tax compliance (HMRC) | Legal obligation (Art. 6(1)(c)) |
We do not sell your personal data to third parties. We share data only with the third-party processors listed below, and only to the extent necessary to fulfil your order and operate our service.
4. Third-party processors
We share your data with the following third-party service providers who process data on our behalf:
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, payment details, order amount |
| Prodigi | Print production and fulfilment | Shipping address, rendered image, product specification |
| Vercel | Website hosting | Server logs (IP address, request data) |
| Neon | Database hosting | All order and account data |
| Cloudflare | DNS, CDN, and R2 object storage | Rendered images, request routing data |
| MapTiler | Map tile data and geocoding | Latitude/longitude coordinates, search queries (server-side only) |
| Resend | Transactional and marketing email | Email address, order details |
| Upstash | Job queue and rate limiting | Order reference, job metadata |
| Sentry | Error monitoring | Error context (may include request data; no payment details) |
| Plausible | Website analytics (cookieless) | No personal data. Plausible collects only anonymous, aggregated usage statistics. |
All processors are bound by data processing agreements (DPAs) that require them to process your data only on our instructions and in accordance with applicable data protection law.
5. International data transfers
Some of our third-party processors are based outside the United Kingdom. Where your data is transferred outside the UK, we ensure adequate protection through one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office
- The processor is based in a country with an adequacy decision from the UK government
- The processor participates in an approved certification framework
You may request details of the specific safeguards applied to any transfer by contacting us at privacy@dearatlas.studio.
6. Data retention
We retain your data only for as long as necessary for the purpose it was collected. Our specific retention periods are:
| Data type | Retention period |
|---|---|
| Order personal data (email, shipping address) | Anonymised after 3 years (replaced with [redacted]) |
| Financial records (order amounts, transaction references) | Retained for 7 years (HMRC requirement) |
| Rendered poster images | Deleted after 1 year |
| Saved designs | Deleted on account deletion or after 2 years of inactivity |
| Job queue data (render jobs) | 7-day TTL on completed/failed jobs |
| Server logs | 30 days (platform default) |
Data retention is enforced automatically through scheduled processes. When personal data is anonymised, the email and shipping address fields are replaced with “[redacted]” while financial records are preserved for legal compliance.
7. Your rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access — You can request a copy of all personal data we hold about you.
- Right to rectification — You can ask us to correct any inaccurate or incomplete data.
- Right to erasure — You can ask us to delete your personal data, subject to legal retention requirements.
- Right to data portability — You can request your data in a structured, commonly-used, machine-readable format.
- Right to object — You can object to processing based on legitimate interest, including direct marketing.
- Right to restriction — You can request that we restrict processing of your data in certain circumstances.
- Right to withdraw consent — Where processing is based on consent (e.g., marketing emails or your account), you can withdraw consent at any time.
To exercise any of these rights, email us at privacy@dearatlas.studio.
8. Data subject access requests
If you make a data subject access request (DSAR), we will respond within 30 days, as required by the UK GDPR. We may need to verify your identity before releasing any data, which we will do by sending a confirmation link to the email address associated with your account or order.
Your data export will include: order history, shipping addresses, saved designs, account data, and any support correspondence we hold. The export will be provided in a structured format (JSON/CSV).
There is no charge for a DSAR unless the request is manifestly unfounded or excessive.
9. Account deletion
You can request deletion of your account at any time. When your account is deleted, we will:
- Delete your user account
- Anonymise your order records (personal data replaced with “[redacted]”; financial records preserved for HMRC compliance)
- Delete your saved designs
- Delete your rendered poster images from storage
- Remove your email from marketing lists
- Send you a confirmation of the erasure action
Account deletion is processed within 30 days of your request.
10. Cookies
We take a minimal approach to cookies. The only cookies used on this website are essential session cookies required for authentication and security. These are strictly necessary for the website to function and cannot be disabled.
We use Plausible Analytics for website usage statistics. Plausible is entirely cookieless and does not collect any personal data, meaning no cookie consent banner is required for analytics.
We do not use advertising cookies, social media tracking pixels, or any third-party marketing cookies.
For full details, see our Cookie Policy.
11. Children’s data
Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@dearatlas.studio and we will delete the data promptly.
12. Complaints
If you are unhappy with how we have handled your personal data, please contact us first at privacy@dearatlas.studio so we can try to resolve the issue.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
13. Changes to this policy
We may update this Privacy Policy from time to time. We will indicate the date of the most recent revision at the top of this page. If we make material changes that affect how we process your data, we will notify you by email (if we have your address) or by placing a prominent notice on the Website.
We encourage you to review this policy periodically.
14. Contact us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
- Data protection: privacy@dearatlas.studio
- General enquiries: hello@dearatlas.studio
- Website: dearatlas.studio