This is an updated version of a previous article. You can read the old version here.
Jump to:
- Your rights under the UK GDPR regulations
- Information on the data I collect when you visit my website
- Information on the data I have access to through other websites
- Information on the data I hold when we are working together
- How long will I keep information about you?
- Where is your information kept?
- How is it kept secure?
GDPR
The General Data Protection Regulations (GDPR) came into effect on 25 May 2018. As an individual, if you’re dealing with a business, website, or organisation within the EU then these regulations protect you. Not only that, if you’re dealing with a non-EU business or website but you are an EU citizen, then these regulations still protect you.
The UK left the EU on 31 January 2020, but the regulations, now known as the UK GDPR, continued to apply to UK businesses.
Your rights
As an individual, you have rights when it comes to your personal information:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The right to be informed
You need to be told about who is collecting your personal data, why they are doing it, what they will do with it, who it will be shared with, and for how long it will be kept.
You must be told this at the point your data is collected.
On my website I have a Privacy Policy that is available at the bottom of every page. This tells you what personal data I might collect while you are visiting my website. There is additional information further down this article about what sorts of things I collect via this website.
If you choose to do business with me, I will send you an Acceptance of Commission document at the start of each project (whether that be a book cover, character art, map, or any other kind of project). Within that document there will be a specific section letting you know what information I will be collecting from you in order for us to carry out that project.
The right of access
You have to be allowed access to your personal data so that you are aware of what is held by any business or organisation, and so you can verify the lawfulness of the processing.
This has to be provided free-of-charge, within one month of you requesting it.
If you want to know what data I hold about you, please email me at jon@jonstubbington.com, requesting a report on your personal data. Alternative contact options are available here.
The right to rectification
If any of the personal data I hold about you is wrong, or is incomplete, you have the right to ask for this to be corrected.
Generally, this should be corrected free-of-charge, within one month of you requesting it.
If you think I have any of your details wrong and you need them to be corrected, please email me at jon@jonstubbington.com. Alternative contact options are available here.
The right to erasure
You have the right to have your personal data removed (erased). This is also known as “The right to be forgotten”.
In reality, businesses may refuse to delete your data if there is a valid reason for keeping it. For example, I need to keep certain records for up to 7 years in order to meet my tax reporting requirements. As such, I cannot delete it even if you ask me to. You still have the right to make this request and businesses must comply if there is no reason for them to keep your personal data any longer.
If you would like to make a request to have your personal data deleted, please email me at jon@jonstubbington.com. Alternative contact options are available here.
The right to restrict processing
This is an alternative to erasing your data. You can request that a business retains your personal data but stops processing it.
“Processing” means whatever it is that the business does with your data. This will vary from business to business and should have been laid out clearly for you under your right to be informed about why your personal data is being held and how a business plans to use it.
Restrictions are usually put in place for a temporary period.
If you would like to make a request to have your personal data restricted, please email me at jon@jonstubbington.com. Alternative contact options are available here.
The right to data portability
This one doesn’t really apply to me or my services.
It does apply where you have given a business or organisation your permission for them to process your information and they do this in an automated way. This right allows you to request that all your personal data be downloaded so that you can give it to another organisation. Or, if it’s technically possible, for that data to be transferred straight to the other organisation.
This could apply, perhaps, if you were switching mobile phone providers and you wanted all your data downloaded so it could be passed to your new phone provider.
The right to object
Even after you have given your permission for a business or organisation to start collecting and using your personal data, you still have the right to object at any time.
This is particularly relevant when it comes to direct marketing. If you have given your permission for a business to contact you with marketing material, you can object to this at any time in the future. That business must comply with your request straightaway.
I do not currently send out any direct marketing and I don’t maintain any mailing lists; however, that may change in the future. If it does, and if you are in receipt of marketing material from me and would like to be removed from my mailing lists, please email me at jon@jonstubbington.com or follow the “unsubscribe” instructions included in the mailing. Alternative contact options are available here.
Automated decision making
This one doesn’t really apply to me or my services.
It applies where a business is making automated decisions about you (approving or declining something, for example) or is using the data it holds about you to profile you in some way.
Data I hold because you visited my website
By visiting my website you are potentially allowing certain personal information to be collected. This is true of most websites you visit.
My website is hosted by IONOS and is located on one of their UK servers. I periodically make backup copies of the website and these are stored on an AWS server located in the UK.
Cookies
Cookies consist of portions of code installed in your browser to help make the website work and to provide services. All websites are required to warn you about these when you first visit and you have the option to not allow non-essential cookies to be stored on your computer.
My Cookie Policy is available at the bottom of every page. This includes information about how you can set your browser preferences to help control whether cookies are stored or not.
You can update your preferences at any time by clicking on the small keyhole icon at the bottom right of every page.
Google Analytics
Many websites use Google Analytics to monitor and analyse the visitors that access their website. I do not use Google Analytics on this website, although I have done so in the past.
All historical data captured from this website by Google Analytics has been deleted and I have no access to any Google analytics about visitors to this website.
Other tools on my website
In order to give you a better experience when using my website, I have various tools installed. Wherever possible I have limited the use of these so that, for example, it is not possible to log in to my site as a visitor and you cannot leave comments. This means that there are fewer occasions where you need to submit personal information to me through this website. However, please be aware that any time you do submit personal information, such as when filling out the contact form, then any data you submit is being collected and will be stored by me.
Payment processing
I offer the opportunity for users to make purchases through this website. For example, you can purchase a premade book cover from my website. To complete the online purchase you will need to submit personal information to me, such as your name and email address, and you will need to complete the online payment process.
Payments are processed using either PayPal or Stripe (card payments). Additional payment options may be available to you, such as Apple Pay or Google Pay. The payment processing will be completed by either Stripe or PayPal, depending on which option you select, and your personal data will then be stored by that company in line with their privacy policies.
Stripe is a multinational company and may transfer or store your personal information in locations outside of the UK. Stripe complies with the U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF, meaning that personal information captured in the UK can be transferred to the US and is protected in a way that is consistent with UK and EU law.
I have access to certain transactional information so that I can complete your order, but I do not have access to your full payment details. I cannot see your full credit card number or security code, for example, but I can see the last four digits of your card number.
Privacy Policy
My website Privacy Policy is available at the bottom of every page on www.jonstubbington.com.
These policies lay out in more detail the different tools that are used on my website and how they can collect information from you. If you continue to interact with my website then please be aware that some personal information about you may be being collected and used, as explained in the Privacy Policy.
Data I have access to through other websites
I do not control the data that is entered into or collected through other websites.
If we communicate via Facebook, for example, then our use of the Facebook website and app is governed by Facebook’s Privacy Policy.
Where I am provided with your information through a third party website or app, I am required to keep it safe and secure and to use it in accordance with the UK GDPR rules. I am also only allowed to use your personal information to carry out that particular transaction. This means that I cannot take your address and use it to send you marketing material about me and my products.
Data I hold because we are working together
If I am working on an illustration or design project with you or for you, then I will collect and hold some information about you.
This is to allow me to complete the work for you, and to allow me to meet my obligations as far as holding appropriate business records. As a minimum I will record your name and email address so that we can communicate about the work.
This information is gathered using the “lawful basis for processing contracts”. This means that you have asked me to provide a quote for work or we have entered into an agreement for me to do work for you, and I need this information in order to fulfil that agreement.
It also means that I will only use your information in order to fulfil that agreement. I will not use your information for other purposes, such as signing you up to a mailing list.
How long will I keep information about you?
In most cases, I will keep hold of your information for six years after the end of the current tax year. This is so that I can meet my obligations here in the UK for holding business records for tax purposes. After that time, your information will be removed.
Where is your information kept?
In most cases, you have to give explicit consent before your personal information can be transferred outside of the EEA. From 2021, the UK is outside of the EEA. If you are in the EEA, please bear that in mind if you choose to send me your personal data.
Most of my records are held within the UK and will not be transferred outside of the UK, with the exception of my email records and invoices.
- My website is hosted by a company called IONOS using servers located within the UK
- My own records are held on a computer and backup drive physically located within the UK
- They are also backed up to an online cloud service supplied by Amazon Web Services that is located within the UK
- Emails to jon@jonstubbington.com are processed using Proton Mail, a Swiss company which does transfer and store information outside of the UK (see below)
- Invoices and payments are processed through Stripe, an Irish/US company which does transfer and store information outside of the UK (see below)
Proton Mail
Emails to jon@jonstubbington.com are processed using Proton Mail and stored on servers in Switzerland or Germany in accordance with Proton Mail’s privacy policy. It is possible to transfer data from the UK to Switzerland because there is an “adequacy decision” in place for Switzerland and the EU. Adequacy regulations confirm that a particular third country or international organisation has an adequate data protection regime to protect personal data.
With that being said, please still think carefully about what information you are including when you email me, as email is not a secure form of communication.
Stripe
Stripe provide an invoicing system that requires me to enter some personal information about you, such as your name and email address. When I send you an invoice, as well as a PDF invoice you will also be provided with a payment page, hosted by Stripe, that allows you to make a card payment against that invoice. Additional payment options may be available to you, such as Apple Pay or Google Pay. The payment processing will be completed by Stripe and your personal data will then be stored by Stripe in line with their privacy policies.
Stripe is a multinational company and may transfer or store your personal information in locations outside of the UK. Stripe complies with the US Data Privacy Framework (“EU-US DPF”) and the UK Extension to the EU-US DPF, meaning that personal information captured in the UK can be transferred to the US and is protected in a way that is consistent with UK and EU law.
I have access to certain transactional information but I do not have access to your full payment details.
PayPal and Gmail
In the past, I have used Google’s Gmail service to process my emails and PayPal to process invoices and payment collections. Both of these companies may transfer data outside of the UK.
Explicit consent will have been requested from you before I entered your information into PayPal’s invoicing system and, if you were not willing to provide that consent, then I will not have used PayPal to process your invoice. If you have previously provided consent and I have issued you with an invoice through PayPal, then your data will be retained within PayPal’s system for six years after the end of that tax year. After that time, your information will be removed.
Google’s G Suite, which includes the Gmail email service, used to be certified under the EU-US Privacy Shield framework; however, the Privacy Shield was invalidated in July 2020 by the Court of Justice of the European Union. From that point, it was no longer possible to rely on the framework when transferring data outside of the UK (or EEA). Instead, Google moved to rely on Standard Contractual Clauses with their users, an alternative provision for allowing transfers outside of the EEA. Subsequently, with the introduction of the US Data Privacy Framework, Google have met the requirements of that framework, meaning that personal information captured in the UK can be transferred to the US and is protected in a way that is consistent with UK and EU law.
Although I have moved to using Proton Mail for emails, older email communication will still be stored in Gmail. That information will be retained for six years and will then be removed.
How is it kept secure?
- My website data is secured using passwords and two-factor authentication, and is protected by Wordfence monitoring and safeguards
- My website hosting company employ a range of protection measures to prevent attacks on my websites
- My own records (including the local and cloud backups) are encrypted and password protected
- My computer system and network are protected by the usual firewalls and virus protection software
- My email records are protected by 2-factor authentication, as well as Proton Mail’s built-in protections and encryption
- Paper copies of any records are held in a locked file
In conclusion
Make sure you understand your rights under the UK GDPR and use them when necessary. And if you have any questions about what I’m doing with your data, please get in touch via jon@jonstubbington.com.
This post was updated in January 2026 to remove references to Siteground hosting and replace them with IONOS hosting.
I am not a regulatory compliance expert. The information in this post is my understanding of the regulations. If you are a business, please make sure you carry out your own research and preparations. If you are an individual and would like to know more about your rights, I recommend visiting the Information Commissioner’s Office website.
