Privacy Policy

Last updated: 28 April 2026

This policy explains how Memora collects, uses, and protects your personal data. We are committed to handling your information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

The data controller is Memora. You can contact us at hello@memora.co.uk.

2. What data we collect

• Account information: your full name and email address, collected when you register.
• Delivery address: your postal address, provided in your profile and used to deliver your frame.
• Order information: details of the orders you place, including order reference, frame selection, and status.
• Uploaded files: photographs and video files you upload as part of your order.
• Payment information: payment is processed by Stripe. We do not store your card details — only a record of whether payment was completed.
• Technical information: IP address and browser details, recorded in our security and audit logs.

3. Why we collect it and our lawful basis

• To fulfil your order (lawful basis: performance of a contract) — we need your name, email, and files to deliver our service.
• To communicate with you (lawful basis: contract) — order confirmations, dispatch notifications, and account-related emails.
• To maintain security (lawful basis: legitimate interests) — audit logs help us detect and investigate suspicious activity.

4. How long we keep your data

• Uploaded files: deleted within 14 days of your order being completed and delivered.
• Gift messages: deleted as soon as your order is dispatched — they are not retained after that point.
• Account and order records: retained for 6 years for legal and accounting purposes (HMRC requirement).
• Security logs: retained for 90 days.

5. Who we share it with

We do not sell or share your personal data with third parties for marketing purposes. We use the following processors:

• Stripe — payment processing (see Stripe's Privacy Policy).
• Google — transactional email delivery via Gmail SMTP.

6. Your rights

Under UK GDPR you have the right to:

• Access — receive a copy of all personal data we hold about you. You can do this instantly via My profile → My data → Download my data, or by emailing us.
• Erasure — request deletion of your account and personal data. You can do this via My profile → My data → Delete my account, or by emailing us. Note: order and payment records must be retained for 6 years by law, but will be unlinked from your identity.
• Rectification — correct inaccurate data. Update your name and address directly in My profile, or contact us for anything else.
• Portability — receive your data in a machine-readable format via the download option above.
• Restriction or objection — restrict or object to how we process your data.
• Complaints — lodge a complaint with the ICO at ico.org.uk (helpline: 0303 123 1113).

To exercise any right, email us at hello@memora.co.uk. We will respond within one calendar month.

7. Security

We use industry-standard security measures including TLS encryption in transit, hashed passwords, and access controls. Uploaded files are stored on a private network and are not publicly accessible.

8. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of the page will reflect any changes. Continued use of the service after changes constitutes acceptance of the updated policy.