PRIVACY POLICY

How we handle your personal data.

Last updated: 27 March 2026 | Effective: 27 March 2026

This Privacy Policy explains how Dandi Studio (“we”, “us”, “our”) collects, uses, and protects personal data when you visit dandistudio.com.

We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. DATA CONTROLLER

The data controller responsible for your personal data is:

Dandi Studio
Contact: please write to us via our Contact page
Website: dandistudio.com

As we are a small creative studio, we do not have a formal Data Protection Officer (DPO). All data protection enquiries can be directed to us via the Contact page.

2. PERSONAL DATA WE COLLECT

We collect only the minimum data necessary to operate this site. The table below summarises what we collect, why, and how long we keep it.

Activity	Data collected	Purpose	Legal basis	Retention
Contact form	Name, email address, message text	To respond to your enquiry. Data is emailed to us and is NOT stored on the server.	Legitimate interest (responding to your direct communication)	Until your enquiry is resolved; we retain email correspondence in our inbox for up to 2 years.
Pixel Library — Gallery submission	Villain name (required), author handle (optional, max 40 chars), pixel grid data, colour palette, IP address (rate-limiting only)	To display your submitted villain in the public Pixel Library. IP address is used solely to enforce the rate limit (max 3 submissions per IP per hour) and is not used for any other purpose.	Consent (you voluntarily submit content for public display)	Gallery entries are stored indefinitely while the gallery is active. You may request removal at any time via the Contact page. IP addresses in the submission record are retained for 30 days for rate-limit purposes, then deleted.
Pixel Library — Voting	IP address only	To enforce the voting rate limit (1 vote per IP per villain per 24 hours). No other use.	Legitimate interest (preventing vote manipulation)	Vote log entries are retained for 30 days, then deleted.
Homepage A/B test (5–19 April 2026 only)	Anonymous session ID (randomly generated 12-character string, not linked to your identity), event type (e.g. “formula drawn”, “mascot hovered”), version assigned (A or B), timestamp	To measure which homepage design performs better. No personal data is collected. The session ID is generated client-side and cannot be used to identify you.	Consent (functional cookies accepted in the cookie banner)	Event log retained for 90 days after the test ends (until 18 July 2026), then deleted.

DATA WE DO NOT COLLECT

We do not collect or process:

Payment or financial information
Special category data (health, ethnicity, religion, etc.)
Children’s data (this site is not directed at under-13s)
Location data beyond country-level (we do not log IP addresses for visitors who only browse)
Third-party advertising or cross-site tracking data

3. COOKIES AND LOCAL STORAGE

Full details of the cookies and local storage items this site sets are in our Cookie Policy.

4. THIRD-PARTY SERVICES

HOSTING — SPACESHIP.COM

This site is hosted by Spaceship Inc. Your requests reach our server via Spaceship’s infrastructure. Spaceship may retain standard server access logs (IP address, request path, timestamp) as part of their hosting service. Please refer to Spaceship’s Privacy Policy for details.

GOOGLE FONTS

We load fonts from Google Fonts (fonts.googleapis.com / fonts.gstatic.com). This causes your browser to make a request to Google’s servers. Google may process your IP address in accordance with their privacy policy. We use a preconnect approach to minimise data sharing. See Google’s Privacy Policy.

EMAIL DELIVERY

Contact form messages are sent via the server’s native PHP mail function. No third-party email service provider is used. Your name and email address are included in the email we receive so we can respond to you.

5. WHO WE SHARE YOUR DATA WITH

We do not sell, rent, or trade your personal data to any third party. We share data only in the following limited circumstances:

Legal obligation: if required by law, court order, or regulatory authority.
Hosting provider: Spaceship Inc. processes data as a data processor on our behalf.

6. INTERNATIONAL DATA TRANSFERS

Our hosting is based in the United States (Spaceship Inc.). Where data is transferred outside the UK, we rely on appropriate safeguards in accordance with UK GDPR Article 46 (standard contractual clauses or adequacy decisions). Google Fonts data may also be processed in the US.

7. YOUR RIGHTS

Under UK GDPR you have the following rights regarding your personal data:

ACCESS Request a copy of the personal data we hold about you.

RECTIFICATION Ask us to correct inaccurate or incomplete data.

ERASURE Request deletion of your personal data (“right to be forgotten”), subject to legal obligations.

RESTRICTION Ask us to restrict processing of your data in certain circumstances.

PORTABILITY Receive your data in a structured, machine-readable format where processing is based on consent or contract.

OBJECTION Object to processing based on legitimate interest. We will comply unless we have compelling grounds to continue.

WITHDRAW CONSENT Where processing is based on consent, withdraw it at any time without affecting prior processing.

COMPLAINTS Lodge a complaint with the Information Commissioner’s Office (ICO).

To exercise any of these rights, please contact us via our Contact page. We will respond within one calendar month.

8. DATA SECURITY

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These include:

HTTPS encryption for all data in transit
Server-side input validation and sanitisation on all form submissions
Rate limiting on gallery submissions and votes to prevent abuse
No plain-text password storage (no user accounts exist on this site)

No method of transmission or storage is 100% secure. If you believe your data has been compromised, please contact us immediately.

9. CHILDREN’S PRIVACY

This site is not directed at children under 13 years of age. We do not knowingly collect personal data from children. If you believe a child has submitted personal data, please contact us and we will delete it promptly.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on this page with a revised “Last updated” date. We encourage you to review this page periodically.

11. CONTACT AND COMPLAINTS

For any privacy-related questions or to exercise your rights, contact us via our Contact page.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF