At Need It Made, accessible from www.needitmade.co.uk and associated domains, one of our main priorities is the privacy of our users. This Privacy Policy explains what information we collect, how we use it, and the rights you have in relation to your personal data.
This Privacy Policy applies to our online activities and is valid for visitors and registered users of our website. It does not apply to information collected offline or via channels other than this website.
This Privacy Policy should be read together with our Terms and Conditions and our Cookie Policy, which also govern your use of the Site.
Section 1: Who We Are (Data Controller)
Need It Made is operated by Need It Made Ltd, based in the United Kingdom (Company Number: 16676376).
For any questions about this Privacy Policy or how we handle your data, you can contact us at: privacy@needitmade.co.uk
For the purposes of UK data protection law, we are the Data Controller of your personal data.
Section 2: Consent
By using our website, you consent to this Privacy Policy and agree to its terms. Where consent is required for specific processing activities (such as marketing communications, non-essential cookies, or AI training of your content), you will be asked to provide this separately and may withdraw your consent at any time.
Section 3: Information We Collect
Information you provide directly
We may collect personal information that you voluntarily provide to us, including:
- Name
- Company name
- Email address
- Postal address
- Telephone number
- Account login details
- Design files, specifications, and messages submitted through the platform
If you contact us directly, we may also receive the contents of your message, any attachments you send, and any additional information you choose to provide.
Account registration
When you register for an account (as a Customer or Maker), we may ask for contact and business information necessary to operate the platform and facilitate quotes, communication, and transactions.
Automatically collected information
When you visit our website, we automatically collect certain information, including:
- IP address
- Browser type and version
- Device type
- Pages visited and time spent on pages
- Referring/exit pages
- Date and time of visits
This information is collected through log files, cookies, and similar technologies.
Section 4: How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, and maintain the Need It Made platform
- To create and manage user accounts
- To facilitate quote requests, communication, and transactions between Customers and Makers
- To share necessary personal data (such as delivery addresses and contact details) with Makers for the purpose of fulfilling Projects, and with Customers for the purpose of dispute resolution, as described in Section 6 and in our Terms and Conditions
- To improve, personalise, and expand our services
- To understand and analyse how users interact with the website
- To develop new features, products, and services
- To train and improve artificial intelligence and machine learning models used to enhance the platform and services, using anonymised content where practicable (see Section 10)
- To communicate with you for customer support, service updates, and platform-related messages
- To send marketing communications where you have consented to receive them
- To prevent fraud, abuse, and security incidents
- To comply with legal and regulatory obligations
Section 5: Lawful Basis for Processing (UK GDPR)
Under the UK General Data Protection Regulation (UK GDPR), we process personal data on the following lawful bases:
- Contractual necessity: Where processing is required to provide our services, manage accounts, process quote requests, facilitate transactions, and share data between Customers and Makers as necessary for the performance of a Project.
- Legitimate interests: To improve our platform, train AI and machine learning models using anonymised data, prevent fraud, ensure security, and communicate with users about service-related matters. When relying on legitimate interests, we carry out a balancing test to ensure our interests do not override your rights and freedoms.
- Consent: For marketing communications, non-essential cookies, and the use of identifiable (non-anonymised) content for AI training purposes. You may withdraw consent at any time.
- Legal obligation: Where processing is necessary to comply with applicable laws, including tax and accounting requirements, and data breach notification obligations.
Section 6: Marketplace Data Sharing
Need It Made operates as a marketplace platform connecting Customers with independent Makers and manufacturers. Need It Made is NOT a manufacturer.
Data shared during Projects
When you submit a quote request or participate in a Project:
- Relevant personal information (such as your name and delivery address), project details, and uploaded files will be shared with selected Makers for the sole purpose of providing quotes and fulfilling orders.
- Messages exchanged through the platform are visible to the parties involved in that transaction.
- Where dispute resolution is required under Section 1.C of the Terms and Conditions, Need It Made Ltd may share contact details between the Customer and Maker to enable direct communication or external mediation.
Maker obligations
Makers who receive personal data through the platform are bound by the data protection obligations set out in Section 1.O of our Terms and Conditions. In particular, Makers are required to:
- Process Customer personal data only for the purpose of fulfilling the relevant Project
- Implement appropriate security measures
- Notify Need It Made Ltd of any data breach within 48 hours
- Securely delete Customer personal data within 30 days of Project completion
- Not transfer Customer personal data outside the United Kingdom without appropriate safeguards
Makers act as independent data controllers in relation to any personal data they process outside of the Need It Made platform and are responsible for complying with their own data protection obligations under the UK GDPR.
Section 7: Payments and Third-Party Processors
Payments made through Need It Made are processed by our trusted third-party payment processor, Stripe.
- We do not store or process full payment card details on our servers.
- Payment information is handled securely by Stripe in accordance with its own privacy policy and security standards (including PCI-DSS compliance).
- Stripe may process your payment data in countries outside the United Kingdom, including the United States. See Section 13 for details on international data transfers.
Section 8: Log Files
Need It Made follows standard procedures for using log files. These files log visitors when they visit the website. The information collected includes IP addresses, browser type, Internet Service Provider (ISP), date and time stamps, referring/exit pages, and click data. This information is not linked to personally identifiable data and is used for site administration, analytics, and security.
Section 9: Cookies and Similar Technologies
Need It Made uses cookies and similar technologies to:
- Remember user preferences
- Enable core website functionality
- Analyse website traffic and usage
Non-essential cookies (such as analytics cookies) are only used where you have provided consent via our cookie banner. You can manage or withdraw your cookie preferences at any time through your browser settings or our cookie management tools.
For full details about the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.
Section 10: AI and Machine Learning
As described in Section 14.B of our Terms and Conditions, Need It Made Ltd may use anonymised versions of content uploaded to the platform to train and improve artificial intelligence and machine learning models. These models are used to enhance the platform, improve services, and develop new features.
What data is used
Where content is used for AI training purposes, Need It Made Ltd will use anonymised versions of the content where practicable. This means that personal identifiers (such as names, addresses, and contact details) will be removed or replaced before the content is used for training.
Lawful basis
Where content has been effectively anonymised, it no longer constitutes personal data under the UK GDPR and no lawful basis is required. Where content used for AI training retains personal data elements that cannot be fully anonymised, we rely on our legitimate interest in improving our platform and services, subject to a balancing test against your rights and freedoms. You may object to this processing at any time (see opt-out below).
Your right to opt out
You may opt out of having your content used for AI and machine learning training at any time by contacting us at ai-optout@needitmade.co.uk or by updating your preferences in your account settings. We will action your request within 30 days. Content that has already been incorporated into trained models prior to your opt-out cannot be retrospectively removed, but it will not be used in future training cycles. Opting out does not affect your use of the platform or any other rights under these Terms.
Section 11: Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our specific retention periods are as follows:
| Data type | Retention period |
|---|---|
| Account data (name, email, contact details) | Retained while your account remains active, plus 12 months after account closure to allow for reactivation and to resolve any outstanding disputes |
| Transaction and financial records | Retained for 7 years from the date of the transaction, as required by HMRC and applicable tax and accounting legislation |
| Project data (specifications, files, communications) | Retained for 12 months after Project completion or cancellation, unless a dispute is ongoing |
| Dispute and complaint records | Retained for 24 months after the final resolution of the dispute |
| Log files and analytics data | Retained for 12 months from the date of collection |
| Marketing consent records | Retained for the duration of your consent plus 12 months after withdrawal |
| Inactive accounts | Securely deleted or anonymised after 24 months of inactivity, following notice to the account holder |
At the end of the applicable retention period, personal data will be securely deleted or irreversibly anonymised. Where data has been anonymised and used for AI training purposes prior to deletion, the anonymised data within trained models is not subject to deletion requests as it no longer constitutes personal data.
Section 12: Your Data Protection Rights (UK GDPR)
You have the following rights under UK GDPR:
- The right to access your personal data
- The right to rectification of inaccurate or incomplete data
- The right to erasure (the “right to be forgotten”)
- The right to restrict processing
- The right to object to processing (including processing based on legitimate interests, such as AI training)
- The right to data portability
- The right to withdraw consent at any time, where processing is based on consent
- The right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your rights have been infringed
If you make a request, we will respond within one month. To exercise any of these rights, please contact us at privacy@needitmade.co.uk.
You may also contact the ICO directly:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ico.org.uk | Helpline: 0303 123 1113
Section 13: International Data Transfers
Need It Made Ltd is based in and primarily operates from the United Kingdom. However, in the course of providing our services, your personal data may be transferred to, stored in, or processed in countries outside the United Kingdom in the following circumstances:
- Payment processing: Our payment processor, Stripe, operates globally and may process payment data in the United States and other countries. Stripe maintains appropriate safeguards including Standard Contractual Clauses and certification under applicable data protection frameworks.
- Hosting and infrastructure: Some of our hosting and technology service providers may process data outside the United Kingdom.
- Maker fulfilment: If a Maker is based outside the United Kingdom (where applicable in future), Customer data necessary for Project fulfilment may be shared with that Maker. Makers are bound by the data protection obligations set out in Section 1.O of our Terms and Conditions.
Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place in accordance with the UK GDPR, including one or more of the following:
- Transfers to countries that have received an adequacy decision from the UK Secretary of State
- Standard Contractual Clauses (UK International Data Transfer Agreement or UK Addendum to the EU SCCs)
- Binding corporate rules or other approved transfer mechanisms
If you would like more information about the safeguards we use for international transfers, please contact us at privacy@needitmade.co.uk.
Section 14: Data Security and Breach Notification
Security measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include encryption of data in transit, access controls, regular security assessments, and staff training.
While we take all reasonable steps to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.
Bot and abuse protection (Cloudflare Turnstile)
To protect our sign-in, registration, and password-reset forms from automated abuse such as credential-stuffing and fraudulent sign-ups, we use Cloudflare Turnstile, a privacy-focused bot-detection service provided by Cloudflare, Inc. When you submit one of these forms, Turnstile assesses signals from your browser and interaction to confirm you are a genuine user, and may set strictly necessary cookies for this purpose. Turnstile is configured in a privacy-preserving mode and is not used for advertising or cross-site tracking.
We rely on our legitimate interest in preventing fraud and securing user accounts as the lawful basis for this processing (see Section 5). Because these are strictly necessary security measures, they do not require consent and are not controlled through our cookie banner. Cloudflare acts as a processor on our behalf and may process limited technical data outside the United Kingdom under appropriate safeguards (see Section 13). For more information, see Cloudflare's Turnstile Privacy Policy.
Data breach notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Need It Made Ltd will:
- Notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the UK GDPR
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 of the UK GDPR
- Take all reasonable steps to contain the breach and mitigate any potential harm
Section 15: Third-Party Privacy Policies
This Privacy Policy does not apply to third-party websites or services linked from our platform. We encourage you to review the privacy policies of any third-party sites you visit. Key third-party services we use include:
- Stripe (payment processing): Stripe Privacy Policy
- PostHog (product analytics, hosted in the EU; used only with your consent): PostHog Privacy Policy
- Sentry (error and performance monitoring, hosted in the EU): Sentry Privacy Policy
- Cloudflare (bot and abuse protection on our sign-in forms): Cloudflare Turnstile Privacy Policy
Section 16: Children's Information
Need It Made is not intended for use by children. You must be at least 18 years old to create an account and use our Services, as set out in our Terms and Conditions (Section 1.A). We do not knowingly collect personal data from anyone under the age of 18.
If you believe that a person under 18 has provided personal data on our website, please contact us at privacy@needitmade.co.uk and we will promptly remove such information.
Section 17: Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of England and Wales, unless you are a consumer, in which case you may bring proceedings in the courts of your own jurisdiction.
Section 18: Updates to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page, and the updated version will be effective from the date shown at the top of the policy. Where changes are material, we will notify you by email or through a notice on the Site.
Need It Made Ltd
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Privacy enquiries: privacy@needitmade.co.uk
AI opt-out: ai-optout@needitmade.co.uk
General enquiries: info@needitmade.co.uk
END OF PRIVACY POLICY