1. Who We Are
DadLink Technologies Limited is the data controller responsible for your personal data. We are registered in England and Wales (company number 14396553) with our registered office at 7 Chelford Road, Handforth, SK9 3SQ.
If you have any questions about this policy or your data, contact us at support@stitchfast.co.uk.
2. What Data We Collect
We collect the following categories of personal data:
| Data | When Collected | Purpose |
|---|---|---|
| First name, last name | Account registration | Identify your account |
| Email address | Account registration | Account login, email verification, purchase receipts, service communications |
| Contact number | Account registration | Account recovery, service support |
| Password (hashed) | Account registration | Account authentication — stored securely by Firebase Auth, not accessible in plaintext |
| Payment information | Credit/subscription purchase | Process payments — handled entirely by Stripe, we do not store card details |
| Uploaded images | When using the digitizer | Processed for digitizing only — not stored after processing is complete |
| Usage data | Automatically | Credits used, designs downloaded, plan type — to operate the service and billing |
| Device and browser info | Automatically via analytics | Improve the service, fix bugs, understand usage patterns |
3. Legal Basis for Processing
Under the UK GDPR, we process your personal data on the following legal bases:
- Contract — processing your account data, credits, and subscriptions is necessary to provide the Service you have signed up for
- Legitimate interests — usage analytics and service improvement, fraud prevention, and maintaining the security of our systems
- Consent — where we send marketing communications, we do so only with your explicit consent, which you can withdraw at any time
- Legal obligation — we may retain certain data where required by law (e.g., financial records for HMRC)
4. How We Use Your Data
We use your personal data to:
- Create and manage your account
- Process payments and manage credits and subscriptions
- Provide the embroidery digitizing service
- Send transactional emails (account verification, purchase confirmations, password resets)
- Provide customer support
- Improve the Service through anonymised usage analytics
- Prevent fraud and abuse
We do not use your data for automated decision-making or profiling. We do not sell your personal data to third parties.
5. Third-Party Services
We use the following third-party services to operate StitchFast. Each has its own privacy policy:
- Firebase (Google) — authentication, database, and hosting. Data processed in the EU/UK. Firebase Privacy
- Stripe — payment processing. Stripe is PCI DSS Level 1 certified. We never see or store your full card number. Stripe Privacy
- Anthropic (Claude AI) — AI design analysis. Uploaded images are sent to Claude Vision for analysis. Anthropic does not use API inputs for training. Anthropic Privacy
- Google Analytics — anonymised usage statistics. No personally identifiable information is shared. Google Privacy
6. Uploaded Images
When you upload an image to the digitizer, it is processed in your browser and temporarily sent to our Cloud Functions for AI analysis and embroidery file generation. We do not permanently store your uploaded images. Images are processed in memory, used to generate your stitch file, and discarded immediately after. No copies are retained on our servers.
We do not use your uploaded designs for training AI models, marketing materials, or any purpose other than fulfilling your immediate digitizing request.
7. Data Retention
- Account data — retained for as long as your account is active. If you delete your account, personal data is removed within 30 days.
- Purchase records — retained for 7 years to comply with UK tax and accounting requirements.
- Design history — metadata (file format, stitch count, date) is retained in your account for your reference. The actual image and stitch file are not stored.
- Uploaded images — not retained. Processed in memory and discarded immediately.
8. Data Security
We take appropriate technical and organisational measures to protect your personal data, including:
- Passwords are hashed and managed by Firebase Authentication — we cannot see your password
- All data in transit is encrypted via HTTPS/TLS
- Payment data is handled by Stripe (PCI DSS Level 1 certified) and never touches our servers
- Firestore database access is controlled by security rules that ensure users can only access their own data
- Cloud Functions operate in isolated environments with no persistent storage of user content
No system is 100% secure. If we become aware of a data breach that affects your personal data, we will notify you and the Information Commissioner's Office (ICO) as required by UK GDPR.
9. Your Rights
Under UK GDPR, you have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — request that we limit how we use your data
- Portability — request your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email support@stitchfast.co.uk. We will respond within 30 days. There is no fee for most requests.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10. Cookies
We use essential cookies to operate the Service (authentication session, preferences). We may also use analytics cookies to understand how the site is used. For full details, see our Cookie Policy.
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.
11. International Transfers
Your data may be processed by third-party services (Firebase, Stripe, Anthropic) that operate servers outside the UK. Where data is transferred outside the UK, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions, as required by UK GDPR.
12. Children
The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 18 has created an account, we will delete the account and associated data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the website. The date at the top indicates when this policy was last updated.
14. Contact
For any questions, data requests, or complaints:
DadLink Technologies Limited
Data Controller
7 Chelford Road, Handforth, SK9 3SQ
Email: support@stitchfast.co.uk
Company number: 14396553