Privacy policy
You Are The Star — Privacy Policy
Last updated: 8th December 2025
This Privacy Policy explains how You Are The Star Limited (“YATS”, “we”, “us” or “our”) collects, uses, discloses and protects personal information when you visit or make a purchase from https://youarethestarbooks.com (the “Site”) and when you use related services (including Shopify Inbox live chat and any digital or interactive services we operate).
Controller & contact details
You Are The Star Limited is the data controller for personal data collected via this Site.
Registered address: Cheribourne House, 45a Station Road, Willington MK44 3QL, United Kingdom.
Privacy / support contact: support@youarethestarbooks.com
1. Scope & key principles
We are committed to protecting your privacy. This policy describes:
- the categories of personal information we collect;
- why we collect that information and the lawful basis for processing it;
- who we share it with and why;
- how long we retain it; and
- your rights and how to exercise them.
We process personal data in accordance with applicable data protection laws, including the UK GDPR and EU GDPR where applicable.
2. What personal information we collect
A. Device & technical information (automatically)
Examples: IP address, browser and device type, operating system, time zone, cookie identifiers, pages viewed, referral URL, interaction events.
Purpose: operate and secure the Site, measure and improve performance, and prevent fraud.
B. Order & payment information
Examples: purchaser name, billing & shipping addresses, contact email and phone number, payment card or payment provider details (processed by our payment provider).
Purpose: process and fulfil orders, process payments, deliver goods, and meet legal (tax/accounting) obligations.
C. Personalisation & child data (entered by an adult purchaser)
We collect personalisation information entered by adult purchasers to create personalised books and digital experiences:
- Child’s full name (for inclusion in the personalised book)
- Child’s age or year of birth (to support age-appropriate content)
- Child’s hometown / town
- Avatar/profile choices and visual personalisation (hair, skin tone, clothing, mascot/team selection, etc.)
- Any personalised message or text supplied for the book
Important: these child data fields are collected only when entered by an adult purchaser (a parent, guardian or other buyer). We do not knowingly permit children to enter personal data directly on the Site.
D. Account & profile data
Examples: account email, password hash, order history, avatar/profile metadata.
Purpose: provide account functionality and link orders, SmartMark activity and digital services.
E. Support communications & chat transcripts (Shopify Inbox)
Examples: chat messages, attachments/screenshots, name, email, order references and technical metadata (IP, timestamps, session identifiers).
Purpose: provide customer support, resolve issues, prevent fraud and improve service.
F. Logs & telemetry (SmartMark / engagement)
Examples: SmartMark tap logs (device/tap events and timestamps), session/activity identifiers.
Purpose: operate SmartMark and any interactive features we offer and produce anonymised/aggregated engagement reporting.
3. Lawful bases for processing (EEA/UK)
Where applicable, we rely on the following lawful bases:
- Performance of a contract: to process and fulfil orders and to provide purchased services.
- Consent: for marketing communications and where local law requires parental consent for marketing directed at children. You can withdraw consent at any time.
- Legitimate interests: for fraud prevention, site analytics, product improvement and secure operation of services (we assess that these interests are not overridden by individual rights).
- Legal obligation: to retain transactional records for accounting and tax compliance.
Lawful basis by activity (summary)
| Activity | Typical lawful basis |
|---|---|
| Process orders & payments | Performance of a contract |
| Marketing emails / newsletters | Consent (or legitimate interest where permitted) |
| Fraud prevention / security | Legitimate interests |
| Store analytics | Legitimate interests |
| Child personalisation for book fulfilment | Performance of a contract / parental consent where required |
4. How we use personal information (high level)
We use personal information to:
- process and fulfil orders, handle payments and communicate with you about your purchases;
- create and deliver personalised books and digital experiences;
- operate, secure and improve the Site and related services;
- provide customer support (including Shopify Inbox transcripts);
- detect and prevent fraud and abuse;
- comply with legal obligations (tax, regulatory, law enforcement); and
- produce anonymised/aggregated reports for product analytics and sponsor reporting.
5. Customer support & Shopify Inbox
We operate live chat for customer support via Shopify Inbox. When you use chat we collect the content you provide and technical metadata. Chat transcripts and attachments are retained for support and fraud-prevention purposes for 12 months unless we are required to retain them longer for legal reasons. Chat transcripts are processed by Shopify Inbox (processor). The chat widget may set cookies and use tracking for support analytics – these cookies are listed in our Cookies section.
If automated assistants (chatbots) are used via Shopify Inbox we will make this clear in the chat. Automated routing or suggestions used for support do not produce legal or similarly significant effects for customers.
Children & chat: chat is intended for use by adult purchasers and authorised contacts. If you are contacting us on behalf of a child, please confirm you are the child’s parent or legal guardian before sharing the child’s personal information. If we reasonably believe a child has submitted personal data directly, we will treat this as a priority safeguarding matter.
6. Sharing personal information & processors
We share personal information with service providers who process data on our behalf. Key processors include, but are not limited to:
- Shopify — storefront, order management and platform services;
- Shopify Inbox — live chat & support transcripts;
- Payment providers — e.g., Stripe or Shopify Payments;
- Hosting & infrastructure — e.g., Google Cloud Platform (GCP);
- CDN and delivery partners — for performance of site content and any interactive content;
- Printers, 3PLs & fulfilment partners — production and delivery of personalised books;
- Email & marketing platforms — order confirmations and marketing communications;
- Analytics providers — site and product analytics.
We rely on processors’ standard Data Processing Agreements (DPAs) or have written agreements that impose appropriate security and data transfer protections. We require processors to assist with data subject requests and to allow us to export or delete personal data as necessary.
We may disclose personal information if compelled by law, if necessary to respond to legal process, or to protect the rights, property, or safety of YATS, our customers, or others.
7. International transfers
Personal data collected via the Site is initially processed in Ireland and may be transferred to, stored in and processed in countries outside the UK/EEA (for example Canada and the United States) by our processors. Where we transfer personal data outside the UK/EEA we rely on appropriate safeguards such as vendor-provided Standard Contractual Clauses (SCCs), or other lawful transfer mechanisms. Processor-specific transfer mechanisms are available from the processor (for example Shopify’s documentation).
If you would like details about the transfer mechanism used for a specific processor, please contact us at support@youarethestarbooks.com.
8. Retention of personal information
We retain personal information only for as long as necessary for the purposes set out in this policy or as long as required by law. The following retention summary applies unless a specific legal or contractual requirement demands otherwise:
| Data type | Retention | End-of-life action |
|---|---|---|
| SmartMark raw tap logs | 12 months | Anonymise/aggregate and delete raw logs |
| Aggregated engagement reports | 5 years | Archive/anonymise |
| Parent/carer email | 24–36 months inactivity | Delete on request; auto-delete after inactivity period |
| Avatar/profile & child personalisation PII | 36 months while account/order active | Delete/anonymise on account closure or on request |
| Orders & payment records | 7 years (accounting/legal) | Archive per legal requirements |
| Chat transcripts (Shopify Inbox) | 12 months | Delete/anonymise after retention unless needed longer for fraud/legal reasons |
| Security/audit logs | 12 months (or longer where required) | Archive/retain for security/legal needs |
| Incident investigation data | As required | Retained until incident closed then archived/removed as needed |
If you request deletion of personal data, we will erase or anonymise it in accordance with applicable law and subject to any legal or contractual retention requirements.
9. Security & access controls
We use reasonable administrative, technical and physical measures to protect personal information, including TLS for data in transit, encryption at rest where feasible, role-based access controls, and logging of access to sensitive records. Access to chat transcripts and customer data is restricted to authorised staff and logged for audit purposes.
No system is perfectly secure; if a personal data breach occurs we will take reasonable steps to contain and remediate it and will notify regulators and affected individuals where required by applicable law.
10. Data breaches & notifications
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals we will:
- Contain and investigate the breach;
- Assess the risks to affected individuals;
- Notify the relevant supervisory authority (for example the UK ICO) where required by law, typically without undue delay and where feasible within 72 hours of becoming aware; and
- Notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms, describing the nature of the breach and the steps taken in response.
We will work with our processors and partners (including Shopify and Shopify Inbox) to investigate and remediate breaches where their systems are involved.
11. Automated decision-making
We do not use automated decision-making that produces legal or similarly significant effects on customers. Some of our processors (for example Shopify) use limited automated decision-making for fraud prevention (temporary IP or card blacklists). These systems are used for fraud prevention and do not have a legal or similarly significant effect on you.
If we use automated assistants (chatbots) in Shopify Inbox, these will be clearly identified in the chat interface. Any automated assistance used for support does not have a legal or similarly significant effect.
12. Children’s privacy & safeguarding
The Site is intended to be used by adult purchasers buying personalised products for children. We collect child personalisation details (name, age, hometown, avatar choices) only when entered by an adult purchaser. We do not knowingly collect personal data directly from children nor allow children to create accounts.
Safeguarding measures we maintain:
- Parental/guardian control: purchasers must confirm they are adult purchasers when submitting child data.
- Product design: our digital products and interactive features are designed with child-safety in mind.
- Staff training: customer support personnel are trained to confirm callers are adult purchasers and to escalate any safeguarding concerns.
- Operator deployments: for any in-person/operator-run programmes we will require the operator to attest to local safeguarding controls and vetting.
If you believe we have collected a child’s personal data in error, please contact us immediately at support@youarethestarbooks.com.
13. Your rights
Depending on your jurisdiction, you may have the following rights:
- Right of access — request a copy of the personal data we hold about you;
- Right to rectification — correct inaccurate or incomplete personal data;
- Right to erasure — request deletion of personal data in certain circumstances;
- Right to restriction of processing — restrict processing in certain circumstances;
- Right to object — object to processing based on legitimate interests or direct marketing;
- Right to data portability — receive your personal data in a structured, commonly used, machine-readable format;
- Right to withdraw consent — where processing is based on consent;
- Right to lodge a complaint with a supervisory authority.
How to exercise rights & verification
To exercise your rights contact support@youarethestarbooks.com. We will:
- Acknowledge your request and provide an estimated response time.
- Take reasonable steps to verify your identity before responding (for example, by asking for proof of identity such as a government ID or verifying account details).
- Respond to requests in accordance with applicable law — generally within one month. We may extend by up to two further months where complex or numerous requests are submitted, and we will tell you the reasons for any extension.
If we refuse your request we will explain why and inform you of your right to complain to a supervisory authority (for example the UK ICO).
14. Data subject request (DSAR) process & verification
When you submit a request to access, correct or delete your data we will:
- Acknowledge receipt and provide an estimated response time.
- Verify your identity (we may request photo ID or account verification).
- Locate and export the data requested (including chat transcripts, orders, and account data) and provide it securely.
- Where deletion is requested we will remove or anonymise data subject to legal retention obligations.
If we refuse a request we will explain the reasons and provide information on how to complain to a supervisory authority.
15. Cookies
We use cookies and similar technologies. Cookies we use include:
Necessary cookies (examples and durations)
| Name | Function | Duration |
|---|---|---|
| _ab | Used in connection with access to admin. | 2 years |
| _secure_session_id | Used in connection with navigation through a storefront. | 24 hours |
| _shopify_country | Used in connection with checkout. | Session |
| _shopify_m | Used for managing customer privacy settings. | 1 year |
| _shopify_tm | Used for managing customer privacy settings. | 30 minutes |
| _shopify_tw | Used in connection with customer privacy or region. | 2 weeks |
| _storefront_u | Used to facilitate updating customer account information. | 1 minute |
| _tracking_consent | Tracking preferences. | 1 year |
| c | Used in connection with checkout. | 1 year |
| cart | Used in connection with shopping cart. | 2 weeks |
| cart_currency | Used in connection with shopping cart. | 2 weeks |
| cart_sig | Used in connection with checkout. | 2 weeks |
| cart_ts | Used in connection with checkout. | 2 weeks |
| cart_ver | Used in connection with checkout. | 2 weeks |
| checkout | Used in connection with checkout. | 4 weeks |
| checkout_token | Used in connection with checkout. | 1 year |
| dynamic_checkout_shown_on_cart | Used in connection with checkout. | 30 minutes |
| hide_shopify_pay_for_checkout | Used in connection with checkout. | Session |
| keep_alive | Used in connection with buyer localization. | 2 weeks |
| master_device_id | Used in connection with merchant login. | 2 years |
| previous_step | Used in connection with checkout. | 1 year |
| remember_me | Used in connection with checkout. | 1 year |
| secure_customer_sig | Used in connection with customer login. | 20 years |
| shopify_pay | Used in connection with checkout. | 1 year |
| shopify_pay_redirect | Used in connection with checkout. | 30 minutes, 3 weeks or 1 year depending on value |
| storefront_digest | Used in connection with customer login. | 2 years |
| tracked_start_checkout | Used in connection with checkout. | 1 year |
| checkout_one_experiment | Used in connection with checkout. | Session |
| checkout_session_lookup | Used in connection with checkout. | 3 weeks |
| checkout_session_token_<<token>> | Used in connection with checkout. | 3 weeks |
| identity-state | Used in connection with customer authentication. | 24 hours |
| identity-state-<<token>> | Used in connection with customer authentication. | 24 hours |
| identity_customer_account_number | Used in connection with customer authentication. | 12 weeks |
Reporting and analytics cookies (examples)
| Name | Function | Duration |
|---|---|---|
| _landing_page | Track landing pages. | 2 weeks |
| _orig_referrer | Track landing pages. | 2 weeks |
| _s | Shopify analytics. | 30 minutes |
| _shopify_d | Shopify analytics. | Session |
| _shopify_s | Shopify analytics. | 30 minutes |
| _shopify_sa_p | Shopify analytics relating to marketing & referrals. | 30 minutes |
| _shopify_sa_t | Shopify analytics relating to marketing & referrals. | 30 minutes |
| _shopify_y | Shopify analytics. | 1 year |
| _y | Shopify analytics. | 1 year |
| _shopify_evids | Shopify analytics. | Session |
| _shopify_ga | Shopify and Google Analytics. | Session |
| customer_auth_provider | Shopify analytics. | Session |
| customer_auth_session_created_at | Shopify analytics. | Session |
Session cookies expire at the end of the browser session; persistent cookies expire after the period stated. You can control and manage cookies via your browser settings and via our cookie controls. Blocking cookies may adversely affect Site functionality. See https://www.allaboutcookies.org for more information.
16. Third-party links
The Site may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. Please review the privacy policies of any third-party websites you visit.
17. Complaints & supervisory authority
If you are dissatisfied with our response you have the right to lodge a complaint with your local supervisory authority. In the UK, the Information Commissioner’s Office (ICO) can be contacted at https://ico.org.uk/make-a-complaint/. If you are in the EEA, you may contact the supervisory authority of your member state.
18. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will publish the revised policy on our Site with an updated “Last updated” date. For material changes we will provide more prominent notice.
19. Contact & more information
For privacy-related queries, to exercise your rights, or to request details of processors, transfer mechanisms (SCCs/IDTAs) or DPA status for a specific vendor, contact:
support@youarethestarbooks.com
You Are The Star Limited, Cheribourne House, 45a Station Road, Willington MK44 3QL, United Kingdom.
Shopify resources (useful):
Shopify Privacy
Shopify GDPR guidance
Annex: Example processor & cookie summary
On the Site we display full cookie tables (names, functions, durations). Key processors with typical roles: Shopify (platform & orders), Shopify Inbox (chat), Stripe/Shopify Payments (payments), Google Cloud Platform (hosting & backend), CDN and delivery partners, printers & 3PLs (fulfilment), email/marketing platforms and analytics. Processor DPAs and transfer mechanisms are available on request.
Last updated: 8th December 2025.