We take your privacy seriously. This page explains what personal data we collect when you use , why we collect it, who we share it with, and the rights you have over it.
What we collect
We collect personal data in the following situations:
- When you place an order: your name, email address, billing address, delivery address, the contents of your order, and a record of the payment. Card details are handled directly by Stripe — we never see or store them.
- When you create an account: your email address (we sign you in via a one-time link, so no password is collected) and a record of your previous orders.
- When you contact us: the name, email and message content you submit through the contact form or by email.
Why we collect it (lawful basis)
- Performance of a contract (UK GDPR Article 6(1)(b)) — to take payment, send the order, send confirmation and shipping emails, and handle returns.
- Legal obligation (Article 6(1)(c)) — to keep transaction records for tax and accounting purposes for as long as the law requires (currently six years).
- Legitimate interests (Article 6(1)(f)) — to respond to your enquiries, prevent fraud and improve the service. We only rely on this basis where it doesn't override your rights.
We do not use your data for marketing without your explicit consent, and we do not sell your data to anyone, ever.
Who we share it with
We share the minimum data necessary with the following processors to run the service:
- Stripe (payment processing) — handles your payment and shipping address at checkout.
- Supabase (database and authentication) — stores your order history and signs you in.
- Resend (transactional email) — sends order confirmation and shipping emails on our behalf.
- Our delivery carrier — receives your name and delivery address to ship the order.
Each of these processors operates under a data processing agreement with us and processes your data only on our instructions.
How long we keep it
Order records are retained for six years in line with HMRC's record-keeping requirements. Account records are retained until you delete the account or ask us to. Contact-form messages are kept for as long as needed to handle your enquiry plus a short period afterwards for follow-up.
Cookies
We use a small number of strictly necessary cookies — for your sign-in session and for your shopping basket. We do not set advertising or tracking cookies. Because we only use essential cookies we are not required to show a cookie banner under the Privacy and Electronic Communications Regulations.
Stripe sets its own cookies during checkout for fraud prevention. Stripe's privacy notice covers those.
Your rights
Under UK GDPR you have the right to:
- Ask for a copy of the personal data we hold about you.
- Ask us to correct anything that's wrong.
- Ask us to delete your data, where we don't need to keep it for a legal reason.
- Ask us to restrict or object to certain processing.
- Receive your data in a portable, machine-readable format.
To exercise any of these rights, email . We'll respond within one month.
Complaints
If you're unhappy with how we've handled your data, you can complain to the UK Information Commissioner's Office at ico.org.uk. We'd appreciate the chance to put things right first — please email us before escalating.
Changes to this policy
We may update this policy from time to time. Material changes will be notified at the top of the page or by email where we hold one.