top of page

Global Privacy Notice

Last updated: March 2026  |  Version 1.0

 

This Privacy Notice has been prepared to comply with the following legislation and regulations:

  • UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018

  • EU General Data Protection Regulation (EU GDPR) 2016/679

  • California Online Privacy Protection Act (CalOPPA)

  • California Consumer Privacy Act (CCPA) 2018, as amended by the California Privacy Rights Act (CPRA) 2020

  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial equivalents

  • Australia's Privacy Act 1988 and the Australian Privacy Principles (APPs)

  • Brazil's Lei Geral de Protecao de Dados (LGPD)

  • Japan's Act on the Protection of Personal Information (APPI)

1. Introduction and Who We Are

Welcome to Ink & Leaf ("we", "us", "our"), a blog dedicated to vintage and second-hand books, accessible at inkandleaf.co.uk. This Privacy Notice explains how we collect, use, store, and protect your personal information when you visit our website, regardless of where in the world you are based.

Ink & Leaf is operated by an individual based in the United Kingdom. For the purposes of data protection law, we act as the data controller for personal data collected through this website.

We take your privacy seriously and are committed to being transparent about how we handle your personal data. If you have questions at any time, please contact us via the contact form on our website.

2. Scope of This Notice

This Privacy Notice applies to all personal data collected through the Ink & Leaf website and any related communications (such as emails or contact form submissions). It applies to all visitors regardless of their country of residence.

Where different legal obligations apply to visitors from specific countries or regions, we have set out those requirements separately in the jurisdiction-specific sections of this notice (Sections 12 onwards).

This notice does not apply to third-party websites that may be linked to from our blog. We encourage you to review the privacy policies of any external sites you visit.

3. What Personal Information We Collect

3.1 Information You Provide Directly

When you interact with us, you may provide:

  • Your name and email address when you contact us via our contact form.

  • The content of any message or enquiry you submit.

  • Any other personal information you choose to share with us voluntarily.

We do not require you to register an account or provide personal information simply to read our blog.

3.2 Information Collected Automatically

When you visit our website, certain technical information is collected automatically. This may include:

  • IP address and general geographic location (country/city level).

  • Browser type, version, and language settings.

  • Device type and operating system.

  • Pages visited, time spent on pages, and navigation paths.

  • Referring website (the site that brought you to ours).

  • Date and time of visits.

This information is collected through our website platform (Wix) and any analytics tools we use, and may involve the use of cookies and similar technologies (see Section 6).

3.3 Information We Do Not Collect

We do not knowingly collect any of the following:

  • Special category (sensitive) personal data, such as health, race, religion, or political opinions.

  • Financial information such as payment card details.

  • Personal data from children under the age of 16 (see Section 9).

  • Precise geolocation data.

4. How We Use Your Personal Information

We use the personal data we c.ollect only for the following purposes:

  • To respond to your enquiries and contact form messages

  • To analyse website traffic and understand how visitors use our blog, so we can improve it.

  • To ensure the security and proper functioning of our website.

  • To comply with our legal obligations under applicable data protection law.

We do not use your personal data for automated decision-making or profiling. We do not sell your personal data to any third party under any circumstances.

5. Our Legal Basis for Processing (UK & EU GDPR)

For visitors from the UK and European Economic Area (EEA), we are required to have a lawful basis for processing your personal data. We rely on the following:

Legitimate Interests

We process website analytics data on the basis of our legitimate interests in understanding how our blog is used and improving the experience for readers. We have assessed that this processing does not unduly override your rights and freedoms.

Contractual Necessity

When you contact us, we process your name and email address in order to respond to your message. This is necessary to fulfil your request.

Legal Obligation

In limited circumstances, we may be required to process your data to comply with a legal obligation, such as retaining records for tax or regulatory purposes.

Consent

Where we rely on consent (for example, for non-essential cookies), you may withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of processing carried out before the withdrawal.

6. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device when you visit a website.

6.1 Types of Cookies We Use

Essential Cookies

These are strictly necessary for our website to function and cannot be switched off. They do not store any personally identifiable information.

Analytics Cookies

These help us understand how visitors interact with our website by collecting anonymous data about pages visited, time spent, and traffic sources. We use this information to improve our content and site structure. These cookies are only placed with your consent (except where analytics are provided by Wix as part of core site functionality).

Third-Party Cookies

Our hosting platform Wix may set its own cookies. If we embed any third-party content (such as social media widgets or video), those providers may also set cookies. We have no direct control over these third-party cookies.

6.2 Managing Cookies

When you first visit Ink & Leaf, you will be presented with a cookie banner giving you the option to accept or decline non-essential cookies.  You can also manage cookies at any time through your browser settings. Most browsers allow you to refuse, delete, or be notified about cookies.

Please note that disabling certain cookies may affect the functionality and appearance of our website. Guidance on managing cookies in popular browsers is available at www.allaboutcookies.org.

CalOPPA Notice: In compliance with the California Online Privacy Protection Act, we honour Do Not Track (DNT) signals from your browser. If you have enabled DNT, we will not track your browsing activity across third-party websites.

7. How We Share Your Information

We do not sell, rent, or trade your personal data. We may share data only in the following limited circumstances:

Service Providers

We use trusted third-party services to operate our blog. These providers may process your data on our behalf and are contractually required to handle it securely and lawfully:

  • Wix.com Ltd — website hosting, building, and analytics platform. Wix processes data in accordance with its own Privacy Policy and maintains EU Standard Contractual Clauses for international transfers.

  • Google Analytics — web traffic analysis. Google processes analytics data on our behalf. You can opt out at tools.google.com/dlpage/gaoptout.

  • Email service provider — any email correspondence with us is processed through our email provider.

Legal Requirements

We may disclose your personal data if required to do so by law, court order, or by a regulatory or government authority. We will always try to inform you of any such disclosure where legally permitted to do so.

Business Transfers

In the unlikely event that the blog is sold or transferred, your personal data may form part of that transfer. We will notify you of any such change via a prominent notice on our website.

8. International Data Transfers

Ink & Leaf is operated from the United Kingdom. When you access our website from outside the UK, your data may be transferred to and processed in the UK or other countries where our service providers operate (including the United States, where Wix and Google have infrastructure).

Where we transfer personal data from the UK or EEA to countries that do not provide an equivalent level of data protection, we ensure that appropriate safeguards are in place, including:

  • UK International Data Transfer Agreements (IDTAs) or addenda

  • EU Standard Contractual Clauses (SCCs) for transfers from the EEA

  • Adequacy decisions made by the UK Secretary of State or the European Commission

You may request more information about the safeguards we have in place for international transfers by contacting us.

9. Children's Privacy

Ink & Leaf is not directed at children. We do not knowingly collect personal data from anyone under the age of 16 (or under 13 in the United States in accordance with COPPA — the Children's Online Privacy Protection Act).

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately using the contact form on our website and we will take steps to delete that information promptly.

10. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes described in this notice, and in accordance with our legal obligations. Our standard retention periods are:

  • Contact form submissions and email correspondence: up to 12 months from the date of last contact, unless an ongoing relationship requires longer retention

  • Website analytics data: retained in accordance with the relevant analytics provider's retention settings (typically 14 to 26 months)

  • Cookie consent records: retained for the duration required to demonstrate compliance (typically up to 36 months)

At the end of the applicable retention period, personal data is securely deleted or irreversibly anonymised.

11. Data Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:

  • Hosting on Wix, which maintains industry-standard security, including SSL/TLS encryption for data in transit

  • Limiting access to personal data to those who need it to operate and maintain the blog

  • Regularly reviewing our data handling practices

Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of data transmitted to our website. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required under UK/EU GDPR), and will inform affected individuals where required.

12. Your Privacy Rights

Depending on where you are located, you may have specific rights regarding your personal data. These are set out below. To exercise any of these rights, please contact us via the contact form on our website. We will respond within the timeframe required by applicable law and will not charge a fee for reasonable requests.

12.1 Rights for UK and EEA Residents (UK GDPR / EU GDPR)

If you are based in the UK or EEA, you have the following rights:

  • Right of access: obtain a copy of the personal data we hold about you.

  • Right to rectification: ask us to correct inaccurate or incomplete data.

  • Right to erasure ('right to be forgotten'): ask us to delete your data in certain circumstances.

  • Right to restrict processing: ask us to limit how we process your data.

  • Right to data portability: receive your data in a structured, machine-readable format.

  • Right to object: object to processing based on legitimate interests or for direct marketing.

  • Rights related to automated decision-making: we do not carry out any automated decision-making, but you have the right not to be subject to it.

  • Right to withdraw consent: where we process data based on consent, you may withdraw it at any time.

We will respond to requests within one calendar month. If your request is complex, we may extend this by a further two months and will notify you accordingly.

You also have the right to lodge a complaint with a supervisory authority:

  • UK residents: Information Commissioner's Office (ICO) — www.ico.org.uk | 0303 123 1113.

  • EEA residents: your national data protection authority (a list is available at edpb.europa.eu).

12.2 Rights for California Residents (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and any third parties with whom it is shared.

  • Right to delete: request that we delete your personal information, subject to certain exceptions.

  • Right to correct: request that we correct inaccurate personal information we hold about you.

  • Right to opt out of sale or sharing: we do not sell or share personal information for cross-context behavioural advertising. If this changes, we will provide a clear "Do Not Sell or Share My Personal Information" link on our homepage.

  • Right to limit use of sensitive personal information: we do not collect sensitive personal information as defined under CPRA.

  • Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a CCPA/CPRA request, please contact us via our website contact form. We may need to verify your identity before processing your request. You may designate an authorised agent to submit a request on your behalf.

CalOPPA Disclosure: In compliance with CalOPPA, we disclose that: (a) this Privacy Notice is accessible from our homepage; (b) we will notify you of any material changes to this policy; (c) you can update information you have provided us by contacting us directly; and (d) we honour Do Not Track signals.

12.3 Rights for Canadian Residents (PIPEDA)

If you are located in Canada, your personal information is handled in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and applicable provincial privacy legislation.

Under PIPEDA, you have the right to:

  • Know why we collect, use, or disclose your personal information.

  • Access your personal information held by us.

  • Challenge the accuracy and completeness of your information and request corrections.

  • Withdraw consent to the collection, use, or disclosure of your personal information (subject to legal and contractual restrictions).

Our Privacy Officer can be contacted via the contact form on our website. If you are unsatisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

12.4 Rights for Australian Residents (Privacy Act 1988)

If you are located in Australia, we handle your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

You have the right to:

  • Request access to personal information we hold about you.

  • Request correction of personal information that is inaccurate, out of date, incomplete, or misleading.

  • Make a complaint about how we have handled your personal information

To exercise your rights or make a complaint, please contact us via our website. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

12.5 Rights for Brazilian Residents (LGPD)

If you are located in Brazil, your personal data is processed in accordance with Lei Geral de Protecao de Dados (LGPD) No. 13,709/2018. You have the right to:

  • Confirmation of whether we process your personal data

  • Access your personal data

  • Correct incomplete, inaccurate, or out-of-date data

  • Anonymisation, blocking, or deletion of unnecessary or excessive data

  • Portability of your data to another service provider

  • Information about third parties with whom we share your data

  • Information about the possibility of denying consent and the consequences of doing so

  • Revocation of consent

Please contact us via our website contact form to exercise any of these rights.

13. Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the version number and "Last updated" date at the top of this notice, and post a prominent notice on our website.

We encourage you to review this Privacy Notice periodically. Continued use of Ink & Leaf after any changes take effect constitutes your acknowledgement of the updated notice.

14. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Notice or how we handle your personal data, please contact us using the contact form on our website at inkandleaf.co.uk.

We will endeavour to respond to all enquiries promptly and within any timeframe required by applicable law.

15. Supervisory Authorities

If you are not satisfied with our response to a privacy concern, you have the right to contact the relevant supervisory authority for your region:

  • United Kingdom: Information Commissioner's Office (ICO) — www.ico.org.uk | 0303 123 1113

  • European Union: Your national data protection authority — edpb.europa.eu

  • United States (California): California Privacy Protection Agency (CPPA) — cppa.ca.gov

  • Canada: Office of the Privacy Commissioner — www.priv.gc.ca

  • Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au

  • Brazil: Autoridade Nacional de Protecao de Dados (ANPD) — www.gov.br/anpd

bottom of page