Privacy Policy

Last updated: April 2026. UK GDPR compliant.

1. Who We Are

This privacy policy explains how we collect, use, store and protect your personal data when you use our online store. We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have any questions about this policy, please contact us using the details in Section 11.

2. What Data We Collect

We collect the following categories of personal data:

• Account information: name, email address, phone number, and delivery address when you create an account or place an order.
• Order data: details of products purchased, order history, transaction amounts, and delivery preferences.
• Payment information: payment card details are processed securely by our payment processor, Stripe. We do not store your full card number, expiry date, or CVV on our servers.
• Technical data: IP address, browser type and version, device information, operating system, and timezone setting.
• Usage data: pages visited, products viewed, search queries, and interaction patterns on our website.
• Communication data: any messages, enquiries, or feedback you send us, including customer service correspondence.
• Marketing preferences: your newsletter subscription status and communication preferences.

3. How We Use Your Data

We process your personal data on the following lawful bases under the UK GDPR:

• Contract performance: to process and fulfil your orders, manage your account, handle returns and refunds, and provide customer support.
• Legitimate interests: to improve our website and services, detect and prevent fraud, and ensure website security.
• Consent: to send marketing emails and newsletters (you can withdraw consent at any time).
• Legal obligation: to comply with tax, accounting, and regulatory requirements.

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

4. Payment Processing

All payment transactions are processed by Stripe Payments UK Ltd. When you make a purchase, your payment card details are transmitted directly to Stripe via their secure, PCI DSS Level 1 certified platform. We receive only a confirmation of payment and a truncated card reference (last four digits). For more information on how Stripe handles your data, please see Stripe's privacy policy at stripe.com/privacy.

5. Cookies

We use the following types of cookies:

• Essential cookies: required for the website to function, including session management, shopping cart functionality, and authentication. These cannot be disabled.
• Analytics cookies: help us understand how visitors use our website so we can improve it. These are only placed with your consent.
• Preference cookies: remember your settings such as recently viewed products and wishlist items.

You can manage your cookie preferences through the cookie consent banner shown on your first visit, or by adjusting your browser settings. Disabling essential cookies may affect the functionality of the website.

6. Third-Party Data Sharing

We share your data only with the following categories of third parties, all of whom are bound by data processing agreements:

• Payment processors: Stripe, for processing card payments securely.
• Delivery partners: courier and postal services, who receive your name and delivery address to fulfil orders.
• Hosting and infrastructure: our website hosting provider, who stores data on secure UK/EEA-based servers.
• Email service provider: for sending order confirmations and, where you have opted in, marketing communications.

All third-party processors are UK GDPR compliant and process data only on our documented instructions.

7. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected:

• Account data is retained for as long as your account remains active. You can request account deletion at any time.
• Order and transaction data is retained for 6 years from the date of the transaction, as required by HMRC for tax and accounting purposes.
• Marketing data is retained until you unsubscribe or withdraw consent.
• Technical and analytics data is anonymised or deleted after 26 months.

8. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure: request deletion of your personal data where there is no compelling reason for continued processing.
• Right to restrict processing: request that we limit how we use your data.
• Right to data portability: receive your data in a structured, commonly used, machine-readable format.
• Right to object: object to processing based on legitimate interests or for direct marketing purposes.
• Rights related to automated decision-making: we do not carry out automated decision-making or profiling that produces legal effects.

To exercise any of these rights, please contact us using the details below. We will respond to your request within one month.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption of data in transit (TLS/SSL), secure server infrastructure, access controls, and regular security assessments. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

10. International Transfers

Where your data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the Information Commissioner's Office (ICO), or transfers to countries with an adequacy decision.

11. Contact and Complaints

If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact us at the email address provided on our Contact page. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.

12. Changes to This Policy

We may update this privacy policy from time to time. The latest version will always be available on this page with the updated date shown above. We encourage you to review this policy periodically. Continued use of our website after changes constitutes acceptance of the revised policy.