Privacy Policy and Cookie/Storage Notice

Last updated: 7 May 2026

This Privacy Policy explains how Levyo collects, uses, stores and shares personal data when you visit www.levyo.co.uk, use our Shopify store, create or use a customer account, request a proof, upload files, use Levyo Maker, sign up to emails, contact us or place an order.

It is written for UK customers and visitors. It also applies to other users where relevant.

1. Who we are

The controller responsible for your personal data is:

Dominik Taux, sole proprietor trading as Levyo
c/o IP-Management #7818
Ludwig-Erhard-Str. 18
20459 Hamburg
Germany

Email: info@levyo.co.uk

VAT ID: DE456478225. No VAT is shown on invoices under the German small business regulation in section 19 UStG.

We have not appointed a UK representative. We have not appointed a Data Protection Officer. You can contact us about privacy matters using the email address above.

2. What this policy covers

This policy covers personal data processed through our Shopify storefront, cart, checkout, customer accounts, order management, product pages, contact forms, newsletter forms, proof request forms, proof uploads, avatar/profile features, Levyo Maker, Firebase Authentication, Firestore, Firebase Storage, OpenAI API services, print and fulfilment partner mockup/order flows, Cloudflare Turnstile, Google, Facebook/Meta and Apple login, Shopify apps, cookies, localStorage, sessionStorage, scripts, tags, pixels and similar technologies.

Third-party services may also process your data under their own privacy notices. This can include Shopify, payment providers, Google, OpenAI, print and fulfilment partners, Meta, Apple, Cloudflare, Trusted Shops, Recharge and other services used by the store.

3. Personal data we collect

Shopify store, checkout and orders

When you browse, add items to your cart, create or use an account, contact us or place an order, we may process your name, email address, billing and shipping address, phone number, cart contents, discount code, cart notes, customer account details, order details, payment status, fulfilment status, delivery status, return/refund/dispute information and support messages.

Payment card and payment account details are handled through Shopify and the payment methods shown at checkout. We do not intentionally store full card numbers on our own systems.

Proof requests and proof uploads

When you request a custom proof, we may collect event type, quantity, deadline, shirt colour, size status, UK postcode, email address, design brief, names, jokes, phrases, slogans, desired vibe, rights confirmations, referral URL, page URL, UTM/source data and uploaded logos, screenshots, artwork, images or photos.

Proof uploads use signed upload URLs generated by our backend at auth.levyo.co.uk. Uploaded PNG, JPG or WEBP files are processed through Firebase Storage. After validation, we may store a tokenised Firebase Storage download URL with the related proof request so that we can view the file and respond to you.

A tokenised file URL can allow access to the file by anyone who has the URL until it is deleted or the token is revoked. Do not upload highly sensitive or confidential files unless they are necessary for your request.

Customer accounts, login and avatars

We use Shopify Customer Accounts and Firebase Authentication to support account login and Levyo Maker access. We may process email address, name, Shopify customer ID, Firebase user ID, account status, authentication tokens or session information, login metadata, account preferences and profile information.

If you use Google, Facebook/Meta or Apple login, we receive information from the provider you choose, such as provider account ID, name, email address, profile image URL, Apple private relay email address if selected, and authentication claims needed to verify or link your account.

If you upload or use an avatar/profile image, we may process the original image, resized variants, avatar URLs, Shopify customer metafields and browser storage used to display the avatar.

Levyo Maker and AI generation

If you use Levyo Maker, we may process your prompt, prompt rewrite or detail instructions, generated images, generated PNG files, generated image URLs, user ID, email address, free-credit or usage information, product/session information, timestamps and service logs needed for security, debugging and abuse prevention.

Levyo Maker requests are sent to our backend service using Firebase authentication. We use OpenAI APIs to process prompts and generate images. Firestore may store your user ID, email, prompt hash or prompt preview, original prompt where needed for the service, generated image URL, model/provider metadata, free-credit usage and timestamps. Firebase Storage may store generated PNGs using tokenised URLs.

Do not include sensitive personal data, confidential information, third-party personal data or content you do not have rights to use in prompts or uploads.

Newsletter and marketing

If you sign up for emails, we process email address, Shopify marketing status, confirmation and unsubscribe status, consent or opt-in event records, timestamp, customer ID where applicable, email hash, IP prefix and user-agent. We may send confirmation and service emails using SMTP/Nodemailer-supported email infrastructure.

Technical, device and security data

We may process IP address or IP prefix, browser type and version, device and operating system information, user-agent, page URL, referral URL, UTM/source data, timestamps, request metadata, error logs, security logs, Cloudflare Turnstile tokens and verification results, authentication/upload tokens, CORS/origin checks and cookie/storage values.

4. How and why we use personal data

We use personal data for the following purposes and lawful bases:

• to operate the Shopify store, cart, checkout, customer accounts, order management and support functions: contract, pre-contract steps, legal obligation and legitimate interests;
• to process payments, detect fraud and handle disputes: contract, legal obligation and legitimate interests;
• to prepare and respond to proof requests: pre-contract steps, contract and legitimate interests;
• to process proof uploads, validate files and prepare designs: pre-contract steps, contract and legitimate interests;
• to provide account registration, login, social login and avatar/profile features: contract, pre-contract steps and legitimate interests;
• to provide Levyo Maker, manage free credits, generate images, store outputs and enforce fair usage: contract, pre-contract steps and legitimate interests;
• to moderate uploads, prevent misuse and protect rights, safety and platform integrity: legitimate interests and legal obligation where applicable;
• to send newsletters and marketing: consent, or legitimate interests with the UK soft opt-in where all legal conditions are met;
• to keep unsubscribe and suppression records: legal obligation and legitimate interests;
• to send service messages such as order, account, security, proof, fulfilment and support messages: contract, legitimate interests and legal obligation;
• to use strictly necessary cookies and storage for cart, checkout, account, security, proof upload and Levyo Maker features: contract and legitimate interests;
• to use analytics, customer event and marketing technologies: consent where required by law, and legitimate interests only where the law allows;
• to comply with tax, accounting, regulatory, legal claim and business record obligations: legal obligation and legitimate interests.

5. Legitimate interests

Where we rely on legitimate interests, our interests include running and improving the store, responding to customers, preparing proofs, managing custom product requests, preventing fraud, bots and abuse, securing accounts and backend services, debugging systems, managing disputes and chargebacks, keeping required records, enforcing our terms and protecting rights and production workflows.

You can object to processing based on legitimate interests. We will consider your objection and stop the processing unless we have compelling legitimate grounds to continue or need the data for legal claims.

6. Marketing

We only send marketing emails where you have signed up or otherwise consented, or where you are an existing customer and the UK soft opt-in rules apply for our own similar products or services.

You can unsubscribe at any time using the unsubscribe link in our emails or by contacting info@levyo.co.uk.

If you unsubscribe from marketing, we may still send service messages, such as order confirmations, payment updates, delivery updates, account/security messages, proof communications and replies to your enquiries.

7. Cookies, localStorage, sessionStorage, pixels and similar technologies

We use cookies and similar technologies, including localStorage, sessionStorage, scripts, tags, pixels, tokens and signed URLs.

Strictly necessary technologies are used for Shopify storefront, localisation, cart, checkout, payment, Shop Pay, customer account login, Firebase authentication, signed proof uploads, Levyo Maker authentication and credits, security, fraud prevention, Cloudflare Turnstile, print partner design/order flows and remembering privacy choices where applicable.

Functional technologies may remember account UI state, login return pages, newsletter confirmation notices, avatar display, design/editor state and product customisation sessions.

Analytics, customer event and marketing technologies are used to measure traffic, product views, campaign performance and store events. Live checks on 7 May 2026 showed Shopify analytics/customer event requests, Shopify Web Pixel scripts, Shopify Forms storage, Google Analytics property G-GT46T5R77N, Google Merchant Center analytics tags MC-9LRSQJ7TGF and MC-VVPZQP9J0Q, print partner app pixel requests on product pages, Trusted Shops scripts and Recharge scripts loading on the store.

Analytics and marketing technologies are not strictly necessary. Where the law requires consent, they should only be used with consent. If a separate cookie preference control is not shown to you, you can block or clear cookies and site storage in your browser, use browser privacy controls, or contact us at info@levyo.co.uk. We are reviewing the store's consent configuration and will update this notice when the setup changes.

Blocking cookies or clearing storage may stop parts of Levyo from working properly, including cart and checkout, account login, social login, proof uploads, Levyo Maker, avatar display, newsletter confirmation messages, print partner design-to-cart flows and security checks.

8. Who we share personal data with

We share personal data with service providers and other recipients where needed for the purposes described in this policy.

• Shopify, for storefront, checkout, customer accounts, order management, analytics/customer events, marketing-consent records, forms and related store functions.
• Payment providers, for payment processing, payment authentication, fraud prevention and transaction handling. Active payment methods are shown at checkout.
• Firebase and Google Cloud, for authentication, Firestore records, Firebase Storage, backend services, logging and security.
• OpenAI, for Levyo Maker prompt processing and image generation.
• Print and fulfilment partners, for mockups, print-file handling, product/order preparation, fulfilment and delivery support.
• Cloudflare Turnstile, for bot and abuse prevention where enabled.
• Google, Facebook/Meta and Apple, if you choose social login, and Google for analytics/Merchant Center measurement where enabled.
• Shopify apps and storefront services, including Shopify Forms, Shop Pay, Trusted Shops and Recharge where their scripts or app functions are active on the store.
• Email and communications providers, for confirmation emails, service messages, support replies and marketing where permitted.
• Professional advisers and authorities, such as accountants, lawyers, insurers, auditors, regulators, law enforcement, courts or public authorities where needed.

If we sell, merge, reorganise or transfer all or part of our business, personal data may be disclosed as part of that transaction, subject to appropriate legal protections.

9. International transfers

Levyo is operated from Germany and serves UK customers. Personal data may be processed in the UK, EEA, United States, Canada and other countries where our providers or their subprocessors operate.

Where UK international transfer rules apply, we rely on appropriate safeguards or lawful transfer mechanisms, such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, EU Standard Contractual Clauses where relevant, participation in an approved data transfer framework where applicable, or another lawful mechanism or exception.

10. How long we keep personal data

We keep personal data only for as long as needed for the purposes described in this policy, including providing services, fulfilling orders, maintaining accounts, resolving disputes, preventing fraud, complying with legal obligations and handling tax/accounting records.

• Shopify orders, invoices, payment, tax, accounting and fulfilment records: as required by law, generally up to 6 to 10 years where German tax or commercial record laws require this, and longer where needed for legal claims.
• Customer account profile data: until account deletion or closure, subject to retained order, legal, tax, fraud, security and dispute records.
• Proof request submissions and proof uploads: kept while handling the request and then deleted or retained where needed for quote, order, support, fraud, rights, production, dispute or legal reasons. Automated cleanup is being reviewed.
• Levyo Maker generation records, design/session records and generated image metadata: the backend marks many generation and design records with retention metadata, normally around 30 days by default, unless needed longer for account, support, fraud, legal, dispute or production reasons.
• Generated PNGs in Firebase Storage: retained while needed for the service, order, support, reprint, dispute or legal reasons. Tokenised URLs may remain accessible until deleted or revoked.
• Avatar originals and variants: until removal, account deletion or replacement, subject to backups and retained legal/security records.
• Newsletter consent, confirmation and event logs: normally around one year for event logs, with suppression records kept as long as needed to respect unsubscribe requests.
• AI Maker consent records: normally around 365 days unless needed longer for compliance, disputes, fraud, abuse prevention or legal claims.
• Security, bot-prevention and server logs: kept only as long as reasonably needed for security, debugging, fraud prevention and legal reasons.

11. Account deletion and deletion limits

You can request account deletion by contacting info@levyo.co.uk.

When we process an account deletion request, we may delete or deactivate your Shopify customer account profile, Firebase Authentication user, account profile data, avatar files and certain Firestore records linked to your user ID where we no longer need them.

Account deletion does not automatically delete all records. We may keep Shopify order records, payment, tax and accounting records, fulfilment/shipping records, print partner order/fulfilment records, proof submissions, AI Maker prompts or generated images not linked to the deletion workflow, service/security logs, abuse-prevention records and data needed for disputes, chargebacks, legal claims or compliance.

Data stored locally on your own device, such as localStorage or sessionStorage, is not deleted by an account deletion request. You can clear it in your browser.

12. Uploaded content, rights and sensitive information

You must only upload or provide content that you have the right to use. If your content includes personal data about another person, you must have permission to provide it to us and use it for the requested product or service.

Our services are not designed for special category data such as health information, political opinions, religious beliefs, biometric data used for identification or similar sensitive information. Please do not include sensitive personal data in prompts, briefs or uploads unless it is necessary and you have the right to provide it.

If uploaded content appears unlawful, unsafe, infringing, abusive or otherwise unsuitable, we may refuse to process it, remove it or restrict the related account or order.

13. Children

Levyo is intended for customers who are at least 18 years old or old enough to make an online purchase lawfully with any required permission.

Do not upload photos or personal data of children unless you are authorised to do so and the content is necessary for the requested product or proof. We may delete child-related content where we cannot verify appropriate permission.

14. Security

We use technical and organisational measures designed to protect personal data, including authentication controls, Shopify and Firebase access controls, file validation, signed upload URLs, token checks, origin and CORS checks, bot protection, rate limiting, logging controls and access restrictions.

No online service is completely secure. Keep account credentials confidential and avoid uploading sensitive or confidential content unless necessary.

15. Automated processing and AI

We use automated tools for authentication, file validation, bot protection, content safety checks, AI prompt processing and image generation.

Levyo Maker generates outputs from prompts and related instructions. It does not determine your legal rights.

We do not use solely automated decision-making, including profiling, that produces legal effects or similarly significant effects on you. If an automated security or moderation process blocks a feature or request, you can contact us at info@levyo.co.uk for review.

16. Your UK data protection rights

Depending on the circumstances, you may have the right to access your personal data, receive a copy, correct inaccurate or incomplete data, request deletion, restrict processing, object to processing based on legitimate interests, object to direct marketing, request data portability, withdraw consent where processing is based on consent and complain to a supervisory authority.

Your right to object to direct marketing is absolute. If you object to direct marketing, we will stop using your personal data for that purpose.

To exercise your rights, contact info@levyo.co.uk. We may need to verify your identity before responding. We normally respond within one month unless the law allows more time because the request is complex or you have made multiple requests.

17. Complaints

Please contact us first if you have a concern about how we use your personal data.

You can also complain to the UK Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom
Helpline: 0303 123 1113
Website: ico.org.uk/make-a-complaint

If you are in the EEA, you may also contact your local data protection supervisory authority.

18. Changes to this policy

We may update this Privacy Policy and Cookie/Storage Notice from time to time. We will publish the updated version on this page and update the Last updated date. Where required, we will notify you of material changes.