Privacy Policy

This Privacy Policy describes how Kira Mei ("we", "us", "our") collects, uses, stores, and protects your personal data when you visit www.kiramei.co.uk or purchase our digital products.

We are the data controller for the purposes of UK GDPR and the Data Protection Act 2018.

Contact: kiira.mei@outlook.com

When you make a purchase:

• Identity data: Name
• Contact data: Email address
• Payment data: Processed entirely by Stripe — we do not store card details. We receive confirmation of payment status and a Stripe customer reference only.

When you visit the website (analytics):

• Visitor ID: A randomly generated identifier stored in a cookie (km_v) that persists for 365 days, used to distinguish unique visitors
• Session ID: A randomly generated identifier stored in a cookie (km_s) that expires after 24 hours, used to group activity within a visit
• Pages visited: The URL path of each page you view
• Referrer: The URL of the page you came from, if your browser provides it
• UTM parameters: Campaign and source tags from marketing links (e.g. utm_source, utm_campaign)
• Scroll depth: How far down a page you scroll (recorded at 25%, 50%, 75%, 100% milestones)
• Click events: Interactions with specific buttons or links that we have explicitly tagged for tracking
• Device type: Broadly categorised from your browser's user agent (e.g. mobile, desktop)
• Country: Derived from your IP address by our hosting provider (Vercel). We receive the country code only — we do not store your IP address.

This analytics data is collected by our own first-party tracking system. No third-party analytics provider (e.g. Google Analytics) is used.

We process your personal data on the following legal bases under UK GDPR:

• Contract performance: To process your payment, deliver your purchased PDF(s) to your email, and provide order-related communications.
• Legitimate interests: To operate first-party analytics that help us understand how the website is used and improve the experience. This tracking is privacy-friendly — it uses no third-party scripts, does not profile you for advertising, and collects no sensitive personal data.
• Consent: For any optional marketing communications you opt into at checkout. You may withdraw consent at any time.
• Legal obligation: To retain payment and transaction records as required for tax and regulatory purposes.

Your data is used to:

• Process your payment and deliver your digital products
• Send order confirmation and PDF delivery emails
• Respond to your support queries
• Understand which pages and content are most useful (via analytics)
• Measure the effectiveness of our marketing campaigns (via UTM data)
• Improve the website experience based on scroll and click behaviour
• Send occasional updates about new products or content (only with your consent; opt-out at any time)

We do not use your data for automated decision-making that produces legal or similarly significant effects. We do not use your data for advertising profiling or sell it to any third party.

We use two first-party cookies for our own analytics. No third-party tracking or advertising cookies are used.

• km_v — Visitor ID
  A randomly generated anonymous identifier. Used to count unique visitors and understand return visit patterns. Expires after 365 days.
• km_s — Session ID
  A randomly generated identifier scoped to your current visit. Used to group page views and events within a single session. Expires after 24 hours.

These cookies do not contain any personally identifiable information. They are not shared with any third party and are not used for advertising.

You can block or delete cookies at any time through your browser settings. Doing so will not affect your ability to use the website or purchase our products.

We share your data with a limited number of trusted third-party processors only as necessary to operate our service:

• Stripe — payment processing (stripe.com/privacy)
• Vercel — website hosting and infrastructure (vercel.com/legal/privacy-policy)
• Supabase — database storage of order and analytics data (supabase.com/privacy)
• Resend — transactional email delivery (resend.com/privacy)

All processors are contractually obligated to handle your data securely and in accordance with applicable data protection law.

We do not sell, rent, or trade your personal data to any third party for marketing purposes. We may disclose your data if required to do so by law, court order, or regulatory authority.

We retain your personal data only for as long as necessary:

• Order and customer records: Retained for 7 years as required by HMRC for tax purposes
• Analytics event data: Retained for up to 12 months, after which it is deleted or anonymised
• Marketing consent records: Retained until you withdraw consent

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Ask us to correct inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data, subject to legal retention obligations
• Right to restrict processing: Ask us to limit how we use your data in certain circumstances
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent: Withdraw consent for marketing at any time (this does not affect processing carried out prior to withdrawal)

To exercise any of these rights, email kiira.mei@outlook.com. We will respond within 30 days. We may need to verify your identity before processing a request.

We take the security of your data seriously. Measures in place include:

• HTTPS encryption on all website traffic
• Encrypted database storage via Supabase
• No storage of payment card details
• Analytics data is anonymous — visitor and session IDs are randomly generated and not linked to your identity

No method of transmission over the internet is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO as required by law.

Our products are not directed at anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data to us, please contact us immediately and we will delete it.

Some of our service providers (including Stripe, Vercel, and Supabase) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions recognised under UK law.

If you are unhappy with how we have handled your personal data, please contact us first at kiira.mei@outlook.com.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113

We may update this Privacy Policy from time to time. The current version will always be available at www.kiramei.co.uk/privacy. Significant changes will be communicated by email to customers who have purchased from us.