Skip to privacy notice

Privacy & Cookie Notice

Last updated: 10 July 2026

This notice explains how Millwards Digital handles personal data when you visit https://millwards.shop/, send an enquiry, use checkout or become a customer. It also explains the browser storage used by the site and the choices available to you.

1. Who is responsible

Millwards Digital is responsible for deciding how personal data described in this notice is used. You can contact us at support@millwards.shop.

When we handle personal data contained in a customer’s website content solely on that customer’s instructions, the customer may be the controller and Millwards Digital may act as its processor. Appropriate processing terms should be agreed where required.

2. Data we collect

Depending on how you use the service, we may collect:

Please avoid providing personal data that is not needed for the project. In particular, do not enter card details into free-text fields or upload passwords, malicious files, medical information or other highly sensitive data unless we have first agreed a suitable secure method and lawful purpose.

3. Purposes and legal bases

PurposeTypical dataUK GDPR basis
Respond to an enquiry and discuss requested servicesContact, business, message and attribution dataSteps at your request before a contract; legitimate interests in managing genuine business enquiries
Create, take payment for and administer an orderCheckout, payment status, order and project dataContract; legal obligation for financial records
Design, host, maintain and support a website or related serviceContact, project brief, uploads and communicationsContract; legitimate interests in secure and effective service delivery
Prevent fraud, misuse and security incidentsTechnical, transaction and communications dataLegitimate interests in protecting customers, systems and the business; legal obligation where applicable
Understand campaign effectiveness and site useAttribution and analytics-related usage dataConsent for non-essential analytics storage or access; legitimate interests may apply to aggregated information that is no longer personal data
Use optional marketing technologies or send electronic marketingConsent choice and relevant contact/usage dataConsent where required; we do not install an advertising pixel merely because a marketing category exists
Meet tax, accounting, dispute and regulatory requirementsOrders, payments and communicationsLegal obligation; legitimate interests in establishing or defending legal claims

Where we rely on legitimate interests, we consider whether the use is necessary and balanced against your rights. Where processing relies on consent, you may withdraw it for the future without affecting earlier lawful processing.

4. Checkout, Stripe and orders

Checkout sends the information needed to create and verify a Stripe Checkout session. Stripe processes payment details under its own privacy information and returns payment status and identifiers. We use that response to verify payment, create or update the order, reserve a selected domain where applicable, notify the business and send service email. A checkout success page must not treat a return URL alone as proof of payment.

Order metadata may include the selected package, domain, add-ons, contact/business details, a compact campaign-attribution record, project answers and safe references to uploaded files. It should not contain full card information. Essential checkout progress and an order summary may be kept in your browser so you can complete or recover the checkout.

5. Project files and uploads

Files you deliberately upload are used to assess and deliver your project, communicate about it, and maintain appropriate records. They may contain personal data if, for example, a photograph includes identifiable people. You must have authority and a lawful basis to provide those files.

Uploaded files should be checked for permitted type, size and content, assigned a server-generated filename and kept so unsafe active formats cannot execute publicly. Access may still be possible to authorised staff or service providers who need it for delivery. Ask us to agree another transfer method if a file is confidential or unusually sensitive.

6. Cookies and browser storage

The site uses browser storage technologies. Some are essential for a requested service; analytics and marketing storage are optional. The consent controls record separate choices and can be reopened using the Cookie preferences control in the footer.

NameLocation and categoryPurpose and duration principle
md_consent_v1Local storage; essentialStores essential, analytics and marketing choices with the update time. Kept until you change it, clear site data or it is superseded.
millwards_checkoutLocal storage; essentialPreserves checkout progress and entered data on the device. Removed after successful hand-off where possible, or when you clear checkout/site data.
millwards_orderLocal storage; essentialTemporarily preserves a local order summary for checkout continuity. It is not proof of payment.
md_campaign_attributionSession storage; essential attribution contextPreserves sanitised UTM and recognised click identifiers across the current tab session so an enquiry or checkout can be attributed. Normally removed when that browser session ends.
md_cinematic_v4Local storage; essential preferenceRemembers that the decorative opening sequence has already played, reducing repetition. Kept until site data is cleared or the key changes.
md_visitor_id, md_visitsLocal storage; analyticsProvide a pseudonymous visitor identifier and on-device visit history only when analytics is accepted. Removed when analytics is rejected.
md_session_idSession storage; analyticsProvides a pseudonymous identifier for the current analytics session only when analytics is accepted. Removed when analytics is rejected or the session ends.

Stripe and other third-party pages may set their own cookies or storage when you use their service. Their notices govern those technologies. Millwards Digital does not claim to use a particular analytics or advertising provider unless one is actually configured.

You can accept all optional categories, reject non-essential categories, or choose analytics and marketing separately. Rejecting optional storage does not prevent essential checkout persistence. You can also clear storage through browser settings, although doing so may remove saved checkout progress.

7. Who receives data

We do not sell personal data. We may disclose the minimum necessary information to:

Providers must handle information for the agreed purpose and under applicable data-protection obligations. We do not disclose enquiry data to unrelated third parties for their own direct marketing.

8. International transfers

Some providers, including payment, hosting or email providers, may process data outside the UK. Where UK data-protection law requires a transfer safeguard, we will rely on an applicable UK adequacy regulation, the UK International Data Transfer Agreement or Addendum, or another lawful safeguard, together with supplementary measures where appropriate. You may ask us for more information about safeguards relevant to your data.

9. How long data is kept

We keep personal data only for as long as reasonably needed for the relevant purpose, including:

Exact periods can vary with the nature of a project, legal duties, disputes and technical backup cycles. We review data when services end and do not keep it indefinitely merely because storage is available.

10. Security

We use proportionate technical and organisational measures intended to protect personal data, including access controls, transport encryption where supported, server-generated upload names, file validation and restricted administrative access. No internet service is completely secure, so please tell us promptly if you suspect misuse or send something in error.

11. Your rights

Depending on the circumstances, UK data-protection law may give you rights to:

These rights are not absolute. We may need to verify identity and may keep information where the law requires or permits it. To make a request, email support@millwards.shop. We normally respond within one month, subject to lawful extensions for complex or multiple requests.

12. Contact and complaints

For a privacy question or rights request, contact support@millwards.shop. You also have the right to complain to the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint/. We would appreciate the opportunity to address your concern first, but you do not have to contact us before the ICO.

We may update this notice when the service, providers or legal requirements change. We will update the date above and provide an appropriate notice for a material change.