The Little Preservatory Ltd.
Customer Privacy Notice
This privacy notice explains what personal information The Little Preservatory Ltd. collects from you, how we use it, the legal basis on which we rely, who we share it with, and how long we keep it. We are committed to handling your data responsibly and transparently.
This notice covers:
- Contact details
- What information we collect, use, and why
- Lawful bases and data protection rights
- Where we get personal information from
- How long we keep information
- Who we share information with
- International transfers
- How to complain
Contact details
The Little Preservatory Ltd.
14 Westholme Close, Woodbridge, Suffolk, IP12 4BE
[Insert ICO registration number once confirmed]
What information we collect, use, and why
Providing goods and services (including delivery)
- Names and contact details
- Delivery and billing addresses
- Order and purchase history
- Payment confirmation details (we do not store raw card numbers — these are handled securely by Square)
- Information relating to compliments or complaints
Customer accounts
- Names and contact details
- Addresses
- Account registration details
- Purchase history and marketing preferences
Marketing communications
- Name and email address
- Marketing preferences and records of consent
We only send marketing emails where you have explicitly opted in. You can withdraw your consent at any time by clicking unsubscribe in any email, or by contacting us directly.
Legal and financial compliance
- Name and address
- Financial transaction information
- Any other information required to meet our legal obligations (for example, HMRC record-keeping requirements)
Handling queries, complaints, and claims
- Names and contact details
- Order and purchase history
- Correspondence relating to the query or complaint
Website usage
- IP addresses
- Cookie and browsing data (pages visited, time on site, referring page)
- Device and browser information
We use cookies on our website. Non-essential cookies (such as analytics) are only set with your consent, which we request via our cookie banner. Please see our separate Cookie Policy for full details.
Lawful bases and data protection rights
Under UK GDPR, we must have a lawful basis for collecting and using your personal information. The table below sets out the lawful basis we rely on for each purpose.
| Purpose | Lawful basis | Your rights |
|---|---|---|
| Processing your order and delivering goods | Contract — processing is necessary to carry out our agreement with you | Access, rectification, erasure, restriction, portability |
| Operating your customer account | Contract | Access, rectification, erasure, restriction, portability |
| Sending marketing emails | Consent — you have opted in | All rights apply, including the right to withdraw consent at any time |
| Keeping financial and tax records | Legal obligation — HMRC requires retention for 6 years | Access, rectification, restriction |
| Fraud prevention and site security | Legitimate interests — protecting our business and customers from financial crime | Access, rectification, erasure, restriction, objection |
| Handling queries and complaints | Legitimate interests — resolving issues and improving our service | Access, rectification, erasure, restriction, objection |
| Website analytics (with consent) | Consent — via cookie banner | All rights apply, including the right to withdraw consent |
Your data protection rights
Depending on the lawful basis we rely on, you may have the following rights:
- Right of access — you can ask us for copies of your personal information.
- Right to rectification — you can ask us to correct inaccurate or incomplete information.
- Right to erasure — you can ask us to delete your personal information in certain circumstances.
- Right to restriction of processing — you can ask us to limit how we use your information.
- Right to object — you can object to processing based on legitimate interests.
- Right to data portability — you can ask us to transfer your information to another organisation.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us using the details at the top of this notice. We will respond within one month.
Where we get personal information from
- Directly from you — when you place an order, create an account, sign up to our mailing list, or contact us
- Automatically — via cookies and analytics tools on our website, where you have consented
How long we keep information
We only keep your personal information for as long as necessary for the purpose it was collected, or as required by law.
| Type of data | How long we keep it | Reason |
|---|---|---|
| Order and transaction records (name, address, items, payment confirmation) | 6 years from date of transaction | Legal obligation — HMRC requires retention of financial records for 6 years |
| Customer account data (registered accounts only) | Duration of account, plus 2 years after last activity | Legitimate interests — enabling returns, reorders, and customer service |
| Marketing consent records (email sign-ups and preferences) | Until consent is withdrawn, plus 1 year | Legal obligation — PECR accountability requirement |
| Complaint and query correspondence | 3 years from date of resolution | Legitimate interests — potential consumer claims window under the Limitation Act 1980 |
| Website analytics and cookie data | 13 months | ICO standard guidance on analytics retention |
| Fraud prevention records | 6 years | Legitimate interests — financial crime prevention |
When data is no longer needed, we securely delete or anonymise it.
Who we share information with
We do not sell your personal data. We share it only with the following trusted processors who act on our behalf, under written data processing agreements.
Square (Block, Inc.)
Role: Payment processing. Square handles card tokenisation and payment authorisation. We do not receive or store raw card numbers.
Data shared: Name, billing address, email address, transaction amount, and order reference.
Location: US-based. See International Transfers below.
Automattic / WooCommerce
Role: Our online store platform. Automattic powers the WooCommerce software that runs our shop.
Data shared: Order details, account information, browsing data.
Location: Servers may be located outside the UK. See International Transfers below.
IONOS
Role: Website hosting provider. IONOS hosts the server on which our website runs.
Data shared: Website traffic data and any data submitted via web forms.
Location: Data centres within the UK and EU.
Delivery and courier partners
Where we fulfil online orders requiring postage, your name and delivery address will be shared with our courier or postal service.
Mailchimp (Intuit Inc.)
Role: Email marketing platform. We use Mailchimp to manage wholesale and trade communications, and may expand its use to other marketing purposes.
Data shared: Name and email address, marketing preferences, and records of consent.
Location: US-based. See International Transfers below.
Airtable (Formagrid Inc.)
Role: Business operations database. We use Airtable to manage internal records including stockist and wholesale contact information.
Data shared: Business contact names, email addresses, and order or account information for trade customers.
Location: US-based. See International Transfers below.
Legal and regulatory authorities
We may share data with HMRC, the ICO, or other authorities where required by law.
International transfers
Some of our data processors operate outside the United Kingdom. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place as required by UK GDPR Article 46.
- Square (USA): Transfers are covered by the UK International Data Transfer Agreement (IDTA) or equivalent Standard Contractual Clauses approved for use under UK law.
- Automattic (USA/EU): Transfers are covered by Standard Contractual Clauses and/or the UK IDTA as applicable.
- Mailchimp / Intuit (USA): Transfers are covered by Standard Contractual Clauses and/or the UK IDTA as applicable.
- Airtable / Formagrid (USA): Transfers are covered by Standard Contractual Clauses and/or the UK IDTA as applicable.
You can request further information about the specific safeguards in place by contacting us.
How to complain
If you have any concerns about how we handle your personal data, please contact us first — we will do our best to resolve the matter promptly.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:
Telephone: 0303 123 1113