Version: 1.0. Effective from 1 May 2026.
This policy explains how Prodigi Group Ltd and its operating companies and affiliates ("Prodigi", "we", "us") collect, use and protect personal data when you visit our websites, register for an account, use our Services, place an order, apply for a job or otherwise interact with us.
Prodigi processes personal data in different roles depending on the context. In some contexts we are the controller of personal data (for example, account, billing, marketing, support, recruitment and corporate administration data). In other contexts we are a processor acting on behalf of a Merchant who uses our Services (for example, when we receive end-customer order data from that Merchant for fulfilment). Where we act as a processor, our processing is governed by the Prodigi Group Data Processing Addendum.
1. Who we are
Prodigi Group Ltd and its operating companies and affiliates, including Prodigi (UK) Ltd, Prodigi Global Ltd, Prodigi Platforms Ltd, Prodigi BV, Peecho BV, Prodigi USA Inc and Readymades Framing Ltd, operate the Sites, Platform, Apps and associated Services. The contracting and controlling Prodigi entity depends on which Service is used and where the user is established. Unless otherwise stated, the contracting entity for the Prodigi platform is Prodigi (UK) Ltd; customers of Peecho contract with Peecho BV; and customers of Readymades contract with Readymades Framing Ltd.
Our principal address for data protection correspondence is Unit 20, Caker Stream Road, Alton, Hampshire, GU34 2QA, UK.
EU representative
Where Prodigi (UK) Ltd, as a UK-established controller, offers Services to data subjects in the European Economic Area, Prodigi (UK) Ltd has appointed Prodigi BV (Venlo, Netherlands) as its representative under Article 27 of the EU GDPR. Prodigi BV may be contacted in that capacity at Peecho, Herengracht 340, 1016 CG, Amsterdam, Netherlands or by email at dpo@prodigi.com. Prodigi BV and Peecho BV are themselves EU-established Prodigi entities and act as controllers in respect of the services they provide; that role is separate from the Article 27 representative function.
2. Personal data we process and why
2.1 Visitors to our websites
When you visit prodigi.com or another Prodigi Group website, we and our service providers collect technical information through cookies and similar technologies, including IP address, device and browser type, pages visited, referring URLs and approximate location. This is described in section 8 (Cookies).
2.2 Merchants and account holders
If you register for an account or contract with us as a Merchant, we process information you provide and information generated through your use of the Services, including:
- identification and contact data (company name, contact name, role, email address, phone number, business address);
- account credentials and authentication data;
- billing, payment and tax data;
- communications data (records of correspondence, support tickets and account notes);
- usage data relating to your use of the Services.
In this context, the relevant Prodigi entity is the controller. We process this data to operate your account, provide the Services, take payment, comply with our legal and regulatory obligations, prevent fraud, and run and improve our business.
2.3 Users (consumer orders)
If you use the Services to place personal orders without processing the data of third parties, we collect the information needed to fulfil your order and provide the Services to you, including name, shipping and billing address, email address, phone number, payment details, IP address and device data, and any other information you share with us. In this context, the relevant Prodigi entity is the controller.
2.4 Merchant Customer Data
When a Merchant uses the Services to fulfil an order placed by a customer of that Merchant, we receive personal data relating to that customer, including recipient name, delivery address, contact details where supplied or required, order details, product configuration, image and artwork files and support information.
This is what we call "Merchant Customer Data". In this context, the Merchant is the controller and Prodigi acts as the processor. We process Merchant Customer Data on the Merchant's documented instructions and only for the purposes of providing the Services. The terms governing this processing are set out in the Prodigi Group Data Processing Addendum, which forms part of our agreement with each Merchant.
2.5 Job applicants
If you apply for a job with us, your application data is processed in accordance with our Job Applicant Privacy Statement.
2.6 Other contacts
If you contact us through our websites, by email or by phone (for example with a sales enquiry, partnership enquiry or general question), we process the personal data you provide for the purpose of responding.
3. Legal bases (UK and EEA)
Where UK GDPR or EU GDPR applies, we rely on the following legal bases for our processing as controller:
- Performance of a contract with you, or to take steps at your request before entering into a contract (for example, operating your account and fulfilling your orders);
- Compliance with our legal obligations (for example, accounting and tax records, fraud prevention, responding to lawful requests from authorities);
- Our legitimate interests (for example, securing and improving the Services, business administration, direct marketing of similar B2B services to existing Merchants, debt recovery and the establishment, exercise or defence of legal claims), provided those interests are not overridden by your interests, rights and freedoms;
- Consent, where we expressly ask for it (for example, certain non-essential cookies, and marketing communications to prospective Merchants where required).
4. Sharing personal data
We share personal data with the following categories of recipients:
- Other Prodigi Group entities, for the purposes described in this policy;
- Subprocessors and fulfilment network recipients who act on our instructions, including production and fulfilment partners, cloud hosting providers, technology providers, customer service tools, payment and fraud providers and shipping carriers. Categories are described in our Subprocessor and Fulfilment Network Notice;
- Independent third parties acting as their own controllers, including shipping carriers (in respect of delivery), payment service providers (in respect of payments), tax authorities and our professional advisers (in respect of compliance and legal matters);
- Acquirers and their advisers in connection with a corporate transaction (such as a sale of part or all of the Prodigi Group);
- Law enforcement, regulators and other authorities where we are required or permitted to do so by law.
We do not sell personal data, and we do not share Merchant Customer Data received from Merchants for those Merchants' or our own marketing purposes.
5. International transfers
The Prodigi Group operates in the United Kingdom, the Netherlands and the United States, and uses production and fulfilment partners and service providers in a range of countries. We therefore transfer personal data internationally.
Where personal data is transferred from the United Kingdom or the EEA to a country that does not benefit from an applicable adequacy decision, we put appropriate safeguards in place. These may include the EU Standard Contractual Clauses, the UK International Data Transfer Addendum to the EU SCCs, the UK International Data Transfer Agreement, an applicable adequacy decision, or another lawful transfer mechanism.
Further detail on the transfer mechanisms applicable to data we process as a processor is set out in the Data Processing Addendum and the Subprocessor and Fulfilment Network Notice. You can request further information by contacting dpo@prodigi.com.
6. Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, including to satisfy any legal, accounting, tax or reporting requirements, and to resolve disputes.
As a general guide:
- Account and contractual data is retained for the duration of the Merchant or User relationship and for a period after termination as required by our accounting, tax and audit obligations and to resolve disputes;
- Order and customer data we process on behalf of Merchants is retained for the period set out in the Data Processing Addendum and as required by law;
- Marketing data is retained until you opt out, or until we determine the data is no longer accurate or relevant;
- Records relating to legal claims may be retained for as long as such claims could be brought.
Backups are retained in line with our standard backup cycles and are then overwritten.
7. Security
We use a combination of technical and organisational measures to protect personal data, including access controls, encryption in transit, network security, logging and monitoring, personnel training, supplier controls and incident response procedures. A summary applicable to Merchant Customer Data is set out in Schedule 2 of the Data Processing Addendum.
All of Prodigi's authorised personnel involved in the processing of your and your customers' personal data have committed themselves to confidentiality obligations and shall not access or otherwise process personal data without authorisation if it is not for the purposes of providing the Services.
No system can be guaranteed to be entirely secure. If you believe your account or personal data has been compromised, please contact us at dpo@prodigi.com.
8. Cookies
Our websites use cookies and similar technologies. Cookies are small text files placed on your device that allow us to recognise you and remember information about your visit.
Categories of cookies we use
| Category | Purpose |
|---|---|
| Strictly necessary | Required for the website and dashboard to function (such as maintaining your session, recording your cookie preferences and securing logged-in sessions). |
| Functional | Remember choices you make, such as language and region, to provide a more personalised experience. |
| Analytics | Help us understand how visitors use our websites so we can improve them. We rely on first-party analytics where possible and aggregate data wherever practicable. |
| Marketing | Used by us and our advertising partners to deliver relevant advertising and to measure the effectiveness of campaigns. |
You can manage your cookie preferences at any time using the cookie banner on our websites or your browser settings. Strictly necessary cookies cannot be disabled because they are required for the website to function.
Information on deleting or controlling cookies generally is available at www.aboutcookies.org. Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our site.
9. Your rights
Depending on the law that applies to you, you may have some or all of the following rights in relation to personal data we hold about you as controller:
- Access: to obtain a copy of the personal data we hold about you;
- Rectification: to correct inaccurate or incomplete personal data;
- Erasure: to ask us to delete personal data, subject to certain exceptions;
- Restriction: to ask us to restrict processing in certain circumstances;
- Objection: to object to processing based on our legitimate interests, and to direct marketing;
- Portability: to receive personal data you provided to us in a structured, commonly used and machine-readable format;
- Withdraw consent: where processing is based on your consent, to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal;
- Complain: to lodge a complaint with a supervisory authority.
You can exercise these rights by contacting dpo@prodigi.com. We may need to verify your identity before responding.
If you are a customer of a Merchant who uses the Services, your relationship is with that Merchant and they are the controller of your data. Please direct rights requests to the Merchant in the first instance. We will assist the Merchant in responding.
Where to complain
If you are in the United Kingdom, or your concern relates to processing by Prodigi (UK) Ltd, you can complain to the Information Commissioner's Office at ico.org.uk.
If your concern relates to processing by Prodigi BV or Peecho BV, the lead supervisory authority is the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
If you are in the European Economic Area and your concern relates to processing by Prodigi (UK) Ltd as a non-EEA controller, you may complain to the data protection authority in your country of residence.
Residents of other jurisdictions, including the United States, may have additional rights under applicable local laws. Please contact dpo@prodigi.com for further information about how those rights apply to your data.
10. Children
The Services are intended for commercial users and adult consumers and are not directed at children. We do not knowingly collect personal data from children. If you believe we have collected personal data from a child, please contact us so we can delete it.
11. Personal data breaches
We maintain processes for identifying, escalating, investigating and responding to security incidents and personal data breaches. In the event that we experience a personal data breach affecting your personal data, we will notify you in accordance with applicable Data Protection Laws and our Data Breach and Security Incident Policy.
12. Changes to this policy
We may update this policy from time to time. The current version, with its effective date, is always published on our websites. Material changes will be notified to Merchants by email or via the dashboard.
13. Contact
Data protection enquiries, security incidents and vulnerability reports: dpo@prodigi.com
Postal: Data Protection, Prodigi, Unit 20, Caker Stream Road, Alton, Hampshire, GU34 2QA, UK.