Privacy Policy
Last updated: 7 June 2026 | Effective: 7 June 2026
01 Who We Are
The data controller responsible for your personal information is:
As the data controller, we determine the purposes and means of processing your personal data. If you have any questions about how we handle your information, please contact us at the address above.
02 Data We Collect
We collect the following categories of personal data:
Identity & Contact Data
- First name, last name, and email address
- Delivery and billing address (including postcode)
- Phone number (if provided)
Account Data
- Username, encrypted password, and account preferences
- Marketing consent status and subscription preferences
- Account creation date and last login timestamp
Transaction Data
- Order history, items purchased, quantities, and order values
- Payment method type (e.g., Visa, Mastercard) — we do not store full card numbers
- Discount codes applied and refund records
Technical Data
- IP address, browser type and version, device type
- Pages visited, time on site, referral source
- Cookie identifiers and session tokens
Communications Data
- Enquiries and messages sent to our customer support team
- Responses to surveys or feedback requests (if you participate)
03 How We Collect Your Data
We collect personal data through the following means:
- Direct interactions — when you register an account, place an order, subscribe to our newsletter, or contact us
- Automated technologies — cookies, server logs, and similar tracking technologies as you browse our website
- Third parties — our payment processor (Stripe) confirms transaction status; our address lookup provider (GetAddress.io) returns address suggestions when you type your postcode
04 Legal Basis for Processing
Under UK GDPR we rely on the following legal bases:
- Contract (Art. 6(1)(b)) — processing your identity, contact, and transaction data to fulfil your order, process payment, arrange delivery, and handle returns
- Legitimate interests (Art. 6(1)(f)) — fraud prevention, security monitoring, improving our website, and sending service communications related to your orders
- Consent (Art. 6(1)(a)) — sending you marketing emails and newsletters (you can withdraw consent at any time)
- Legal obligation (Art. 6(1)(c)) — retaining financial records for HMRC compliance and responding to lawful requests from public authorities
05 How We Use Your Data
We use your personal data for the following purposes:
- Processing and fulfilling your orders, including dispatch notifications and delivery updates
- Managing your customer account and order history
- Processing payments securely via Stripe
- Handling returns, refunds, and warranty claims
- Responding to your customer service enquiries
- Sending transactional emails (order confirmation, dispatch, refund)
- Sending marketing emails and promotions only where you have given consent
- Detecting and preventing fraud or other unlawful activity
- Improving our website, products, and services through analytics
- Complying with our legal and regulatory obligations
06 Cookies & Tracking
Our website uses cookies and similar technologies. We categorise these as:
- Strictly necessary — essential for the website to function (e.g., your shopping basket, authentication session). These cannot be disabled.
- Functional — remember your preferences (e.g., currency, cookie consent choice).
- Analytical — help us understand how visitors use our site so we can improve it. We use anonymised data where possible.
- Marketing — used to show relevant advertisements. We will only set these with your explicit consent.
You can manage or withdraw your cookie consent at any time via our Cookie Policy page.
07 Third-Party Services
We work with a small number of trusted third-party providers who may process personal data on our behalf as data processors:
- Stripe, Inc. — payment processing. Stripe is PCI DSS Level 1 certified. Your card details are entered directly into Stripe's secure environment and are never transmitted to our servers. See Stripe's Privacy Policy.
- Cloudinary — secure cloud hosting and delivery of product images. No customer personal data is shared with Cloudinary.
- GetAddress.io — UK postcode-to-address lookup at checkout. Only your postcode is sent to this service to return address suggestions.
- SendGrid (Twilio) — transactional email delivery (order confirmations, dispatch notifications). Your email address and name are shared for this purpose only.
- Microsoft Azure / SQL Server — our website and database are hosted on secure UK-based servers.
Each provider is bound by a Data Processing Agreement and may not use your data for their own purposes.
08 Data Sharing
We do not sell, rent, or trade your personal data. We may share it only in the following limited circumstances:
- Service providers — as listed in Section 7, strictly to provide the services you request
- Delivery partners — your name and delivery address are passed to our courier(s) to fulfil your order
- Legal requirements — where we are required to disclose data by law, court order, or regulatory authority (e.g., HMRC, ICO, police)
- Business transfers — in the event of a merger, acquisition, or sale of assets, personal data may be transferred to the new owner under equivalent data protection obligations
09 International Transfers
Some of our third-party providers (including Stripe and SendGrid) are based outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
- UK adequacy regulations recognising an equivalent level of protection
- UK International Data Transfer Agreements (IDTAs) or equivalent contractual clauses
- Binding corporate rules approved by the ICO
You may request details of these safeguards by contacting us at privacy@evermoreoses.co.uk.
10 How Long We Keep Your Data
We retain personal data only as long as necessary for the purposes set out in this policy:
- Account data — held while your account is active and for 2 years after your last login or purchase, after which we will contact you before deletion
- Order & transaction records — retained for 7 years to comply with HMRC financial record-keeping requirements
- Customer support communications — 3 years from the date of the last interaction
- Marketing consent records — retained for as long as your consent is valid, plus 1 year for audit purposes
- Technical / log data — typically 90 days, used for security monitoring and debugging
When data is no longer required it is securely deleted or anonymised so it can no longer be linked to you.
11 Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you (Subject Access Request)
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure — request deletion of your data where we no longer have a lawful basis to retain it
- Right to restrict processing — ask us to pause processing your data while a dispute is resolved
- Right to data portability — receive your data in a structured, machine-readable format (where processing is based on consent or contract)
- Right to object — object to processing based on legitimate interests or for direct marketing at any time
- Rights related to automated decision-making — we do not use solely automated decision-making or profiling that produces legal or similarly significant effects
- Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing
12 Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:
- Encrypted HTTPS connections across the entire website
- Passwords stored using strong one-way hashing (ASP.NET Core Identity with PBKDF2)
- Payment data handled exclusively by Stripe's PCI-DSS-compliant infrastructure — we never see or store your card number
- Role-based access controls limiting who can access customer data internally
- Regular security reviews and dependency updates
No method of data transmission over the internet is 100% secure. In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.
13 Children's Privacy
Our website is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at privacy@evermoreoses.co.uk and we will delete it promptly.
For users aged 13–17, we encourage parental guidance when making purchases online.
14 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Display a notice on our website for a reasonable period
- Where required by law, seek fresh consent from you
We encourage you to review this policy periodically to stay informed about how we protect your data.
15 Contact & Complaints
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection contact:
Data Protection Contact
Eternal Petals Ltd
[Registered Address], [Postcode]
privacy@evermoreoses.co.uk
If you are not satisfied with how we have handled your data or your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF