Data Breach Policy

Version: 1.0 · Effective from: 1 May 2026

This Policy is issued by Prodigi Group Ltd and applies to the activities of the Group, including its operating companies Prodigi (UK) Ltd, Prodigi BV, Peecho BV, Readymades Framing Ltd, Prodigi USA Inc, Prodigi Global Ltd and Prodigi Platforms Ltd. Where you have contracted with a specific operating company — for example Peecho BV through peecho.com or Readymades Framing Ltd through readymades.co — references in this document to 'Prodigi' should be read as references to your contracting operating company, acting as part of the Group, except where a specific entity is named.

'Prodigi' or 'we' means the Prodigi Group operating company providing the relevant Service to you, on behalf of itself and the wider Group as the context requires. Where the Service is provided through peecho.com, the contracting Group company is Peecho BV. Where the Service is provided through readymades.co, the contracting Group company is Readymades Framing Ltd. In all other cases, unless otherwise specified, the contracting Group company is Prodigi (UK) Ltd.

This policy explains how Prodigi Group Ltd and its operating companies and affiliates (“Prodigi”, “we”, “us”) identify, contain, investigate, notify and respond to personal data breaches and security incidents. It supports the commitments Prodigi makes in its Privacy & Cookie Policy and Data Processing Addendum and is supported by detailed internal incident-response procedures.

1. Scope and roles

1.1 Prodigi processes personal data in different roles. Where Prodigi acts as controller, this policy supports Prodigi’s own breach notification obligations under applicable Data Protection Laws (including the UK GDPR, the Data Protection Act 2018 and the EU GDPR). Where Prodigi processes Merchant Customer Data as processor, this policy supports Prodigi’s obligation to notify the relevant Merchant without undue delay so that the Merchant can comply with its own controller obligations.

1.2 This policy applies to all personal data processed by Prodigi, regardless of format, and to all Group personnel, contractors, consultants, suppliers and subprocessors processing personal data on behalf of Prodigi.

2. Definitions

2.1 “Personal data breach” has the meaning given in applicable Data Protection Laws and includes a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

2.2 “Security incident” means any event or action that may compromise the confidentiality, integrity or availability of Prodigi systems or data, whether or not it amounts to a personal data breach.

3. Reporting an incident

3.1 Personal data breaches affecting Prodigi or Merchant Customer Data, security incidents and vulnerability reports should all be reported to dpo@prodigi.com.

3.2 Subprocessors and fulfilment partners are required by their contracts with Prodigi to report personal data breaches affecting Merchant Customer Data without undue delay.

3.3 An initial report should include, to the extent known: the nature of the incident; when it occurred or was discovered; the type and approximate volume of personal data affected; the approximate number of individuals involved; and any immediate containment steps already taken.

4. Response and investigation

4.1 Prodigi will carry out an initial triage promptly and, wherever possible, within 24 hours of discovery or report. Where the incident is still in progress, immediate steps will be taken to contain it.

4.2 Prodigi will assess the severity of the incident and the risk it presents to affected individuals, including the type and sensitivity of the data involved, the protections in place, what has happened to the data, and any wider consequences.

4.3 Where appropriate, Prodigi will engage external advisers and notify law enforcement, regulators, banks, card schemes or insurers.

5. Notification

5.1 Where Prodigi acts as controller and an incident is a personal data breach that meets the threshold for notification under applicable Data Protection Laws, Prodigi will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it.

5.2 Where Prodigi processes Merchant Customer Data as processor, Prodigi will notify the relevant Merchant without undue delay after becoming aware of a personal data breach affecting that Merchant’s data, in accordance with the Data Processing Addendum. The Merchant remains responsible for assessing whether and how to notify supervisory authorities and data subjects.

5.3 Where required by Data Protection Laws, Prodigi will notify affected individuals without undue delay where a personal data breach is likely to result in a high risk to their rights and freedoms. Notifications will, where appropriate, include a description of how and when the breach occurred and the data involved, clear advice on what affected individuals can do to protect themselves, what action has been taken to mitigate the risks, and a way to contact Prodigi for further information.

6. Records

6.1 Prodigi maintains an internal record of personal data breaches and significant security incidents in accordance with applicable Data Protection Laws, including the facts relating to the breach, its effects and the remedial action taken. The record is provided to supervisory authorities on request.

7. Review and improvement

7.1 Following each incident of significance, Prodigi reviews the causes, the effectiveness of the response and any changes that should be made to systems, processes or controls. Where appropriate, recommendations are reported to the Prodigi Group board.

8. Reporting incidents to Prodigi

Personal data breach reports, security incidents and vulnerability reports: dpo@prodigi.com

Postal: Data Protection, Prodigi, Unit 20, Caker Stream Road, Alton, Hampshire, GU34 2QA, United Kingdom.