We believe your personal information belongs to you, and we take that seriously. This policy explains clearly and honestly what information we collect, why we collect it, who we share it with, and how you can stay in control at every step.
We are Contrado Imaging Ltd — the company behind Contrado, Bags of Love, Photo Canvas, In Good Face, Sublicity, and our family of micro-sites. Whatever brand brought you here, this policy covers all of them. We make beautiful, custom-printed products and we only use your information to give you the best possible experience doing so.
Last updated: April 2026
The data controller responsible for your personal information is:
Contrado Imaging Ltd
Company No. 04666562
Registered Office: Office 015, 30 Great Guildford Street, Borough, London, SE1 0HS
Trading Address: Unit 6, Space Business Park, Abbey Road, Park Royal, London, NW10 7SU, UK
VAT Registration: GB 809656889
This policy covers all websites, apps, and services operated by Contrado Imaging Ltd, including but not limited to: contrado.com, contrado.co.uk, bagsoflove.co.uk, bagsoflove.com, photocanvas.co.uk, ingoodface.com, sublicity.com, and our associated international micro-sites and regional domains.
Contrado Imaging Ltd is registered with the UK Information Commissioner’s Office (ICO) as a data controller.
We have a dedicated point of contact for all data protection matters. If you have any questions about how we handle your personal data, wish to exercise your rights, or have a privacy concern, please contact us at:
Data Protection Team
Email: dataprotection@contrado.com
Post: Data Protection Team, Contrado Imaging Ltd, Unit 6, Space Business Park, Abbey Road, Park Royal, London, NW10 7SU, UK
We aim to respond to all data protection enquiries within 5 working days and to all formal rights requests within one calendar month as required by UK GDPR.
We only collect what we genuinely need to provide you with a great service.
We use AI and machine learning tools to improve our service and personalise your experience. This may result in derived data such as:
AI-derived insights are used to improve your experience, not to make binding decisions about you without human oversight. See Section 17 for more on automated decision-making.
We do not intentionally collect or process special category data (such as health data, biometric data, religious beliefs, or political opinions). If you upload imagery that incidentally contains such information (for example, a photo of a person), you should ensure you have appropriate permissions. We process uploaded artwork only to fulfil your order and do not analyse imagery for sensitive personal attributes.
UK GDPR requires us to have a lawful basis for every use of your personal data. The table below sets out what we use your data for and the legal basis we rely on.
| Purpose | Data Used | Legal Basis (UK GDPR Art. 6) |
|---|---|---|
| Processing and fulfilling your orders | Identity, contact, order, payment data | Contract (Art. 6(1)(b)) |
| Creating and managing your account | Identity, contact, account data | Contract (Art. 6(1)(b)) |
| Processing payments and preventing fraud | Payment, identity, technical data | Contract + Legitimate Interests (Art. 6(1)(b) & (f)) |
| Customer service and handling complaints | Identity, contact, communication history | Contract + Legitimate Interests (Art. 6(1)(b) & (f)) |
| Sending transactional emails (order confirmations, dispatch, delivery updates) | Identity, contact, order data | Contract (Art. 6(1)(b)) |
| Sending marketing communications to customers (soft opt-in) | Identity, contact, preference, behavioural data | Legitimate Interests (Art. 6(1)(f)) — see Section 18 |
| Sending marketing communications to opted-in subscribers | Identity, contact, preference data | Consent (Art. 6(1)(a)) |
| Personalising your browsing and product recommendations | Behavioural, preference, AI-derived data | Legitimate Interests (Art. 6(1)(f)) |
| Analytics and improving our website and services | Technical, behavioural data | Legitimate Interests (Art. 6(1)(f)) |
| Targeted / retargeted advertising (via Google, Meta, etc.) | Behavioural, cookie, technical data | Consent (Art. 6(1)(a)) — via cookie consent |
| Affiliate programme tracking (via Awin) | Technical, order, cookie data | Legitimate Interests (Art. 6(1)(f)) |
| Buy now, pay later credit decisions (via Klarna) | Identity, financial, order data | Contract (Art. 6(1)(b)) |
| Fraud detection and security | Identity, technical, behavioural, payment data | Legitimate Interests + Legal Obligation (Art. 6(1)(f) & (c)) |
| Complying with legal obligations (tax records, statutory reporting) | Identity, financial, transaction data | Legal Obligation (Art. 6(1)(c)) |
| Resolving disputes and enforcing our terms | Identity, contact, order, communication data | Legitimate Interests + Legal Obligation (Art. 6(1)(f) & (c)) |
| Product development, research, and market analysis | Aggregated/anonymised behavioural and order data | Legitimate Interests (Art. 6(1)(f)) |
Where we rely on legitimate interests as a legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include:
You have the right to object to processing based on legitimate interests at any time. If you do, we will stop processing unless we can demonstrate compelling legitimate grounds that override your rights. Contact dataprotection@contrado.com to exercise this right.
We do not, and will not, sell your personal data to any third party. We value and maintain your trust. However, we share your data with the following categories of companies as an essential part of providing our services:
We may provide third parties with aggregated but anonymised information about our customers. Before doing so, we ensure it does not identify you.
In order to continuously improve our services, we may share anonymised, hashed, or partially non-identifiable data with selected partners for performance measurement and optimisation purposes. We implement industry-standard security measures throughout this process.
If you contact us via email, the contact form, or telephone, the data you provide will be saved with our customer service platform for a period of 90 days to answer your questions and process your requests. Our service providers are not permitted to use or monetise your data.
Contrado operates globally, and some of the third-party services we use may process data outside the UK and European Economic Area (EEA). When we transfer personal data internationally, we ensure it is protected by appropriate safeguards:
Key international transfers include:
You can request details of the safeguards in place for any specific international transfer by contacting dataprotection@contrado.com.
We only keep your data for as long as we need it. Here are our specific retention periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data (active accounts) | Duration of account + 3 years after closure | Service provision and legal claims limitation |
| Order and transaction records | 7 years from transaction date | HMRC tax record requirements |
| Payment card tokens | Until you remove them or close your account | Convenience (we never store full card numbers) |
| Customer service correspondence | 90 days (live chat/phone), 3 years (email) | Service quality and dispute resolution |
| Marketing consent records | Duration of consent + 2 years after withdrawal | Evidence of consent (regulatory requirement) |
| Website analytics data | 26 months (Google Analytics default) | Performance and improvement analysis |
| Uploaded designs and artwork | Duration of account (you can delete anytime) | Service provision and reorder capability |
| Cookie data | Varies by cookie — see Section 13 | Functionality and analytics |
| Fraud investigation records | 6 years from investigation conclusion | Legal claims and law enforcement cooperation |
| Inactive accounts (no login, no orders) | Archived after 3 years, deleted after 5 years | Data minimisation |
When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised.
Under UK GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, please contact dataprotection@contrado.com. We will respond within one calendar month. We may need to verify your identity before processing your request. There is no fee for exercising your rights, except in cases of manifestly unfounded or excessive requests.
Where we process your data based on consent (for example, marketing emails you opted into, or non-essential cookies), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew.
You can withdraw consent by:
Please note that our integrated systems may take a few days to update fully, so you might receive one or two more messages during this processing period.
If you are not satisfied with how we handle your personal data, you have the right to complain to the UK’s data protection supervisory authority:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Live chat: ico.org.uk/global/contact-us/live-chat
We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at dataprotection@contrado.com.
Cookies are small text files placed on your device when you visit our websites. We use them to make our sites work, remember your preferences, understand how you use our sites, and show you relevant advertising.
These cookies are essential for our websites to function. You cannot opt out of them. They do not store personally identifiable information for marketing purposes.
| Cookie | Purpose | Duration |
|---|---|---|
| ASP.NET_SessionId | Microsoft ASP.NET session cookie — essential for site functionality | Session |
| Cookie consent preferences | Remembers your cookie choices so we don’t ask you again | 12 months |
| Authentication cookies | Keeps you logged into your account | Session / 30 days |
| Shopping basket | Remembers items in your basket | Session / 30 days |
| treeview | Preserves the state of site navigation | Session |
These cookies enable enhanced functionality and personalisation, such as remembering your language, currency, and design preferences.
| Cookie | Purpose | Duration |
|---|---|---|
| cuplphotos | Remembers your uploaded photo gallery from previous visits | Persistent |
| customer.visit | Remembers your previous visit | 2 months |
| designInfo, optInfo | Shows helpful design information to new users | 7 days |
| Currency / language preferences | Remembers your selected currency and language | 12 months |
These cookies help us understand how visitors use our sites so we can improve them. They collect information anonymously or in aggregated form.
| Cookie | Purpose | Duration |
|---|---|---|
| Google Analytics (_ga, _ga_*, _gid) | Collects anonymous information about how visitors use our site — page views, session duration, traffic sources | Up to 26 months |
| Hotjar / session recording tools | Anonymised heatmaps and session recordings to improve user experience | Session / 12 months |
These cookies are used to deliver adverts relevant to you and to measure the effectiveness of our advertising campaigns. They are set by us and by third-party advertising partners. They require your consent.
| Cookie / Technology | Provider | Purpose | Duration |
|---|---|---|---|
| Google Ads / remarketing | | Shows you Contrado ads on other websites based on your browsing history | Up to 540 days |
| Facebook Pixel / CAPI | Meta | Measures ad effectiveness, builds custom audiences, and shows you relevant ads on Facebook and Instagram | Up to 180 days |
| Pinterest Tag | | Measures conversions from Pinterest advertising | Up to 12 months |
| TikTok Pixel | TikTok | Measures conversions from TikTok advertising | Up to 12 months |
| Awin (affiliate tracking) | Awin | Tracks referrals from affiliate marketing partners to attribute sales | Up to 90 days |
| Klarna | Klarna | Provides buy-now-pay-later functionality and on-site messaging | Session / varies |
When you first visit our sites, a cookie consent banner allows you to accept or reject non-essential cookies. You can change your preferences at any time by clicking “Manage Cookies” in the footer of any page.
You can also control cookies through your browser settings:
Please note that blocking certain cookies may affect the functionality of our sites. Strictly necessary cookies cannot be disabled as they are essential for the sites to work.
Our sites and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at dataprotection@contrado.com and we will take steps to delete it.
Users between the ages of 16 and 18 may use our sites but should review these terms with a parent or guardian.
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it, including:
While we take every reasonable precaution, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the highest practical standard.
We use automated systems in the following areas:
We do not use solely automated decision-making that produces legal effects or similarly significant effects on you without human involvement. If you have concerns about automated processing, contact dataprotection@contrado.com.
We want to keep you informed about our products, offers, and news — but only if you want to hear from us.
Under the Privacy and Electronic Communications Regulations 2003 (PECR), we may send marketing emails to existing customers about similar products and services to those they have previously purchased (the “soft opt-in” rule). Every marketing email includes a clear unsubscribe option.
If you have not previously purchased from us, we will only send you marketing communications if you have actively opted in.
Marketing communications may include: new product announcements, offers and discounts, seasonal promotions, product and industry trends, gift ideas, personalised recommendations, feedback surveys, and updates about our services.
You can opt out of marketing at any time by:
Opting out of marketing will not affect essential service communications such as order confirmations, dispatch notifications, and delivery updates.
Our sites may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. We encourage you to read the privacy policy of every website you visit.
Our sites include social media features such as Facebook, Instagram, Pinterest, Twitter/X, and TikTok share buttons and login functionality. These features may collect your IP address, which page you are visiting, and may set a cookie to enable the feature to function properly. Social media features are either hosted by a third party or hosted directly on our sites. Your interactions with these features are governed by the privacy policy of the company providing them.
If you choose to log in via a social media account (e.g. Facebook or Google), we receive limited profile information as permitted by your privacy settings on that platform. We never receive your social media password.
In the event of a personal data breach, we will:
We may update this policy from time to time to reflect changes in how we process your data, changes in law, or improvements to our practices.
If we make significant changes, we will notify you clearly — either via a prominent notice on our websites, by email, or through your account notifications — so that you can review the changes before continuing to use our services.
We recommend checking this page periodically. The “Last updated” date at the top of this policy indicates when it was last revised.
For any questions about this Privacy & Cookies Policy or how we handle your personal data:
Data Protection Team
Email: dataprotection@contrado.com
General enquiries:
Email: info@contrado.co.uk (UK) / info@contrado.com (International)
Contact form on any Contrado Imaging website
Post:
Contrado Imaging Ltd
Unit 6, Space Business Park
Abbey Road, Park Royal
London, NW10 7SU, UK
Version 2.0 | April 2026
V.100000013 12/Apr/2026