Privacy & Cookie Notice
Last updated: 10 July 2026
This notice explains how Millwards Digital handles personal data when you visit https://millwards.shop/, send an enquiry, use checkout or become a customer. It also explains the browser storage used by the site and the choices available to you.
1. Who is responsible
Millwards Digital is responsible for deciding how personal data described in this notice is used. You can contact us at support@millwards.shop.
When we handle personal data contained in a customer’s website content solely on that customer’s instructions, the customer may be the controller and Millwards Digital may act as its processor. Appropriate processing terms should be agreed where required.
2. Data we collect
Depending on how you use the service, we may collect:
- Enquiry data: name, email address, telephone number, business name, package interest, message and any campaign attribution submitted with the form.
- Checkout and account data: name, business name, email, telephone number, business type, optional business address, current website, referral source, requirements, selected package, domain choices and add-ons.
- Project brief data: business description, website goals, branding and content details, desired features, example sites, colour preferences, target areas, social links, competitor information and similar instructions you provide.
- Uploads: logos, photographs, brand guidelines, documents and other files you choose to provide, together with generated file references.
- Payment and order data: Stripe checkout session and customer identifiers, payment status, amounts, package, domain and order metadata. Full card details are entered with and handled by Stripe rather than stored by us.
- Communications: messages and service correspondence sent through forms, email or support.
- Technical and usage data: page URL, referrer, device or browser information, dates and interaction events where the relevant browser storage and consent settings allow this.
- Campaign attribution: recognised UTM fields and advertising click identifiers from a landing URL, such as
utm_source,utm_medium,utm_campaign,utm_term,utm_content,gclid,gbclid,fbclidandmsclkid. These values are sanitised and kept in session storage for attribution during that browsing session.
Please avoid providing personal data that is not needed for the project. In particular, do not enter card details into free-text fields or upload passwords, malicious files, medical information or other highly sensitive data unless we have first agreed a suitable secure method and lawful purpose.
3. Purposes and legal bases
| Purpose | Typical data | UK GDPR basis |
|---|---|---|
| Respond to an enquiry and discuss requested services | Contact, business, message and attribution data | Steps at your request before a contract; legitimate interests in managing genuine business enquiries |
| Create, take payment for and administer an order | Checkout, payment status, order and project data | Contract; legal obligation for financial records |
| Design, host, maintain and support a website or related service | Contact, project brief, uploads and communications | Contract; legitimate interests in secure and effective service delivery |
| Prevent fraud, misuse and security incidents | Technical, transaction and communications data | Legitimate interests in protecting customers, systems and the business; legal obligation where applicable |
| Understand campaign effectiveness and site use | Attribution and analytics-related usage data | Consent for non-essential analytics storage or access; legitimate interests may apply to aggregated information that is no longer personal data |
| Use optional marketing technologies or send electronic marketing | Consent choice and relevant contact/usage data | Consent where required; we do not install an advertising pixel merely because a marketing category exists |
| Meet tax, accounting, dispute and regulatory requirements | Orders, payments and communications | Legal obligation; legitimate interests in establishing or defending legal claims |
Where we rely on legitimate interests, we consider whether the use is necessary and balanced against your rights. Where processing relies on consent, you may withdraw it for the future without affecting earlier lawful processing.
4. Checkout, Stripe and orders
Checkout sends the information needed to create and verify a Stripe Checkout session. Stripe processes payment details under its own privacy information and returns payment status and identifiers. We use that response to verify payment, create or update the order, reserve a selected domain where applicable, notify the business and send service email. A checkout success page must not treat a return URL alone as proof of payment.
Order metadata may include the selected package, domain, add-ons, contact/business details, a compact campaign-attribution record, project answers and safe references to uploaded files. It should not contain full card information. Essential checkout progress and an order summary may be kept in your browser so you can complete or recover the checkout.
5. Project files and uploads
Files you deliberately upload are used to assess and deliver your project, communicate about it, and maintain appropriate records. They may contain personal data if, for example, a photograph includes identifiable people. You must have authority and a lawful basis to provide those files.
Uploaded files should be checked for permitted type, size and content, assigned a server-generated filename and kept so unsafe active formats cannot execute publicly. Access may still be possible to authorised staff or service providers who need it for delivery. Ask us to agree another transfer method if a file is confidential or unusually sensitive.
6. Cookies and browser storage
The site uses browser storage technologies. Some are essential for a requested service; analytics and marketing storage are optional. The consent controls record separate choices and can be reopened using the Cookie preferences control in the footer.
| Name | Location and category | Purpose and duration principle |
|---|---|---|
md_consent_v1 | Local storage; essential | Stores essential, analytics and marketing choices with the update time. Kept until you change it, clear site data or it is superseded. |
millwards_checkout | Local storage; essential | Preserves checkout progress and entered data on the device. Removed after successful hand-off where possible, or when you clear checkout/site data. |
millwards_order | Local storage; essential | Temporarily preserves a local order summary for checkout continuity. It is not proof of payment. |
md_campaign_attribution | Session storage; essential attribution context | Preserves sanitised UTM and recognised click identifiers across the current tab session so an enquiry or checkout can be attributed. Normally removed when that browser session ends. |
md_cinematic_v4 | Local storage; essential preference | Remembers that the decorative opening sequence has already played, reducing repetition. Kept until site data is cleared or the key changes. |
md_visitor_id, md_visits | Local storage; analytics | Provide a pseudonymous visitor identifier and on-device visit history only when analytics is accepted. Removed when analytics is rejected. |
md_session_id | Session storage; analytics | Provides a pseudonymous identifier for the current analytics session only when analytics is accepted. Removed when analytics is rejected or the session ends. |
Stripe and other third-party pages may set their own cookies or storage when you use their service. Their notices govern those technologies. Millwards Digital does not claim to use a particular analytics or advertising provider unless one is actually configured.
You can accept all optional categories, reject non-essential categories, or choose analytics and marketing separately. Rejecting optional storage does not prevent essential checkout persistence. You can also clear storage through browser settings, although doing so may remove saved checkout progress.
7. Who receives data
We do not sell personal data. We may disclose the minimum necessary information to:
- Stripe, for checkout, payment processing, fraud prevention and payment records;
- hosting, infrastructure, security and domain providers used to operate the site and customer services;
- SMTP and email providers used to deliver enquiry, order and support messages;
- professional advisers or authorities where reasonably necessary for legal, accounting, security or claims purposes; and
- a successor in a genuine sale or reorganisation, subject to appropriate confidentiality and data-protection safeguards.
Providers must handle information for the agreed purpose and under applicable data-protection obligations. We do not disclose enquiry data to unrelated third parties for their own direct marketing.
8. International transfers
Some providers, including payment, hosting or email providers, may process data outside the UK. Where UK data-protection law requires a transfer safeguard, we will rely on an applicable UK adequacy regulation, the UK International Data Transfer Agreement or Addendum, or another lawful safeguard, together with supplementary measures where appropriate. You may ask us for more information about safeguards relevant to your data.
9. How long data is kept
We keep personal data only for as long as reasonably needed for the relevant purpose, including:
- unsuccessful or preliminary enquiries for a limited follow-up period, then deletion or anonymisation unless a longer period is justified;
- customer, project and support records for the service relationship and a reasonable period afterwards to provide continuity and handle queries or claims;
- contracts, invoices, transaction and tax records for the period required by applicable UK tax, accounting and limitation rules, commonly up to six years after the relevant financial period or relationship;
- uploads for active delivery, transition and backup cycles, after which they are deleted or anonymised unless needed for an ongoing service, legal obligation or dispute; and
- consent and suppression records for as long as needed to demonstrate and respect the choice.
Exact periods can vary with the nature of a project, legal duties, disputes and technical backup cycles. We review data when services end and do not keep it indefinitely merely because storage is available.
10. Security
We use proportionate technical and organisational measures intended to protect personal data, including access controls, transport encryption where supported, server-generated upload names, file validation and restricted administrative access. No internet service is completely secure, so please tell us promptly if you suspect misuse or send something in error.
11. Your rights
Depending on the circumstances, UK data-protection law may give you rights to:
- ask for a copy of your personal data;
- correct inaccurate or incomplete data;
- ask for deletion or restriction;
- object to processing based on legitimate interests or to direct marketing;
- receive certain data in a portable format;
- withdraw consent at any time for future processing; and
- complain to a supervisory authority.
These rights are not absolute. We may need to verify identity and may keep information where the law requires or permits it. To make a request, email support@millwards.shop. We normally respond within one month, subject to lawful extensions for complex or multiple requests.
12. Contact and complaints
For a privacy question or rights request, contact support@millwards.shop. You also have the right to complain to the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint/. We would appreciate the opportunity to address your concern first, but you do not have to contact us before the ICO.
We may update this notice when the service, providers or legal requirements change. We will update the date above and provide an appropriate notice for a material change.