Data Protection Policy
1. Purpose
This policy outlines our approach to ensuring personal data is handled responsibly and in accordance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Scope
This policy applies to all employees, contractors, and third-party service providers who handle personal data on behalf of the company.
3. Data We Collect
We collect only the data that is necessary for our operational, legal, and customer service needs. This may include:
- Names
- Email addresses
- Postal addresses
- Purchase history
- Communication records
4. How Data is Used
Personal data is used for the following purposes:
- Fulfilling orders
- Providing customer service
- Marketing communications (with consent)
- Regulatory compliance
- Internal reporting and analysis
5. Data Storage & Security
We store data on secure servers and use appropriate technical and organisational measures to protect it, including password-protected systems, encryption where appropriate, and access restrictions.
6. Data Sharing
We do not sell personal data. We only share data with trusted third parties when necessary for operational reasons (e.g., couriers, payment processors), and we ensure data processing agreements are in place.
7. Data Subject Rights
Individuals have the right to:
- Access their data
- Request corrections
- Request deletion
- Object to processing
- Lodge a complaint with the Information Commissioner's Office (ICO)
8. Data Retention
We retain data only as long as necessary for the purposes for which it was collected, or as required by law. We review data retention practices annually.
9. Breach Notification
In the event of a personal data breach, we follow our Incident Response Plan, which includes reporting to the ICO within 72 hours and notifying affected individuals if necessary.
10. Policy Review
This policy is reviewed annually, or sooner if there is a significant change to our data handling practices or relevant legislation.