Hornsey's Boutique respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you visit our website hornseysboutique.uk (the "Site") or make a purchase, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Hornsey's Boutique is the data controller (responsible for your personal data).
Registered address: Hornsey's Boutique, 13 High St, Clare, Sudbury, Suffolk, CO10 8NY, United Kingdom.
Email for privacy matters: [email protected]
1. Information we collect about you
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped as follows:
- Identity Data – first name, last name, title, or similar identifier.
- Contact Data – billing address, delivery address, email address, telephone number.
- Transaction Data – details about payments to and from you, order history, items purchased, returns/refund records.
- Technical Data – IP address, browser type and version, time zone setting, operating system, and platform.
- Usage Data – information about how you use our website, products and services (through cookies and analytics).
- Marketing & Communications Data – your preferences in receiving marketing from us and your communication preferences.
We do not collect any Special Categories of Personal Data (e.g., race, ethnic origin, health, biometric data). We also do not knowingly collect data from children under 16. If you are under 18, you must have parental/guardian consent to place an order.
2. How we collect your personal data
We use different methods to collect data from and about you:
- Direct interactions. You provide us with your Identity, Contact, and Transaction Data when you create an account (if any), place an order, sign up for our newsletter, request returns, or contact customer support.
- Automated technologies or interactions. As you browse our Site, we automatically collect Technical Data and Usage Data via cookies, server logs, and similar technologies. We use essential cookies for the operation of the website (e.g., basket functionality) and analytical cookies to improve our services. You can manage your cookie preferences via your browser settings.
- Third parties or publicly available sources. Payment processing is handled by Stripe; we receive limited transaction confirmation but do not store full card details on our servers. Royal Mail may provide delivery updates. We do not buy mailing lists from third parties.
3. How we use your personal data – legal bases (UK GDPR)
We will only use your personal data when the law allows us to. Most commonly, we rely on the following lawful bases:
- Performance of a contract: To process and deliver your order, manage payments, arrange delivery, handle returns/refunds, and provide customer support (e.g., using your address for delivery).
- Legitimate interests: To improve our website and customer experience, prevent fraud, manage disputes or chargebacks, maintain records for business administration, and send service-related communications (order updates, policy changes). We ensure our legitimate interests are balanced with your rights.
- Legal obligation: To comply with tax, accounting, and consumer law (e.g., retaining transaction records for HMRC for 7 years under VAT/managing accounts).
- Consent: Where we send you direct marketing communications (e.g., newsletters, offers) via email or SMS. You can withdraw consent at any time.
• Order fulfilment, delivery notifications, returns processing.
• Managing payment disputes, chargebacks, and Royal Mail claims.
• Sending non-marketing service emails (order confirmations, shipping updates, product recall).
• Analysing trends to improve inventory and boutique services (aggregated).
• Preventing fraudulent transactions and website security monitoring.
4. Cookies and tracking technologies
Our Site uses necessary cookies to enable core functionality (shopping cart, checkout). We also use Google Analytics to understand how visitors use our website. These analytics cookies collect anonymised IP addresses. You may refuse cookies by adjusting your browser settings; however, some parts of the Site may become inaccessible. We do not use intrusive advertising cookies or share data for cross-site behavioural advertising. Under PECR, we request your consent for non-essential cookies.
5. Data sharing and third parties
We will never sell, rent, or trade your personal data to third parties for their own marketing purposes. However, we share data with trusted partners to operate our boutique:
- Stripe (payment processor): They process card payments securely. Stripe may collect transaction data according to their own privacy policy (Stripe is PCI-DSS compliant). We do not store full card numbers.
- Royal Mail (delivery services): We provide your name and delivery address to Royal Mail to ship your order. Royal Mail acts as an independent data controller for the parcel delivery.
- IT and email hosting providers: Our website platform and email support system are GDPR-compliant processors.
- Legal and regulatory authorities: If required by law, court order, or to enforce our Terms & Conditions.
All third parties are required to respect the security of your personal data and treat it in accordance with the law. We only allow them to process your data for specified purposes.
6. International transfers
We predominantly store your data within the United Kingdom or European Economic Area (EEA). Some third-party service providers (e.g., cloud backup or analytics) may have servers located outside the UK. Where any transfer occurs, we ensure adequate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or the EU standard contractual clauses (SCCs) as adopted by the UK. Stripe's processing may involve data centres in the US but they are certified under the EU-US Data Privacy Framework and comply with UK adequacy requirements. You can request more information about transfer safeguards by contacting us.
7. Data retention – how long we keep your data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements. Under UK tax law, we are required to keep basic information about our customers (including Contact, Identity, and Transaction Data) for 7 years after the end of the tax year in which you made a purchase. After this period, data will be securely anonymised or deleted. Marketing data is kept until you unsubscribe or withdraw consent. Enquiry emails are retained for up to 2 years after the last interaction.
8. Your legal rights under UK GDPR
You have the following rights in relation to your personal data:
- Right to access – request a copy of the personal data we hold about you (free of charge, with reasonable further copies charged at £10).
- Right to rectification – correct inaccurate or incomplete data.
- Right to erasure (right to be forgotten) – request deletion where there is no compelling reason for continued processing (subject to legal retention obligations).
- Right to restrict processing – suspend processing of your data in certain situations.
- Right to data portability – request transfer of your data to you or another controller (for data you provided).
- Right to object – object to processing based on legitimate interests (including direct marketing).
- Rights related to automated decision-making – we do not use automated profiling that has legal or significant effect; however, payment fraud screening is limited to rule-based checks.
To exercise any right, please contact [email protected] with the subject line "Data Privacy Request". We will respond within one month (30 calendar days). You will not have to pay a fee, but we may charge a reasonable fee if your request is clearly unfounded or excessive. We may need to verify your identity before processing the request.
9. Marketing communications and opt-out
We respect your choices: if you sign up for our newsletter or promotional emails, we will send you occasional updates about new collections, exclusive offers, and boutique news. You can withdraw consent at any time by clicking the "unsubscribe" link in any marketing email or by emailing us. Even if you opt out of marketing, we will still send you essential service emails (order confirmations, delivery updates, recall notices, and changes to this privacy policy).
10. Security of your personal data
We have implemented appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. Our website uses SSL/TLS encryption, and access to your personal data is limited to employees who require it for order processing or customer support. In the event of a personal data breach, we will notify the ICO (Information Commissioner's Office) within 72 hours where required, and inform you without undue delay if the breach is likely to result in a high risk to your rights.
11. Children's privacy
Our boutique does not sell products for purchase by children. If you are under 18, you may only use our website with the involvement of a parent or guardian. We do not knowingly collect personal information from anyone under the age of 16. If we become aware that we have collected data from a child under 16 without verification of parental consent, we will delete that information promptly.
12. Changes to this privacy policy and versioning
We keep our privacy policy under regular review. Any updates will be posted on this page, and if material changes occur, we will notify you via email (if you have an account) or by means of a notice on our website. The "last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Site after any changes constitutes acceptance of the updated policy, except where consent is required.
📞 Complaints & the ICO
If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.
📧 ICO helpline: 0303 123 1113
🌐 Website: https://ico.org.uk/make-a-complaint/
📮 Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
We would, however, appreciate the chance to resolve your concern before you approach the ICO, so please contact us first.
13. Additional boutique-specific notes (in conjunction with our Terms)
As referenced in our Terms and Conditions (Section 9 – Privacy & Data Protection), this Privacy Policy forms an integral part of your relationship with Hornsey's Boutique. When you purchase from us, the data processing necessary for order fulfilment, Stripe payments, Royal Mail delivery, and customer support is handled according to this notice. We also confirm that:
- We do not use your data for any undisclosed automated decision-making; chargeback disputes may be reviewed manually.
- For returns and refunds (including Royal Mail claims), we will process your data only as necessary to fulfil those consumer rights under the Consumer Rights Act 2015.
- If we share data with legal or fraud prevention authorities, it will be strictly in line with our legitimate interest to prevent crime or fraud.
14. Contacting us about privacy
If you have any questions about this privacy policy, our data protection practices, or wish to exercise any of your legal rights, please do not hesitate to contact our Data Protection point of contact:
Hornsey's Boutique – Privacy Team
Email: [email protected]
Post: Hornsey's Boutique, 13 High St, Clare, Sudbury, Suffolk, CO10 8NY, United Kingdom.
Response time: We aim to reply within 5 business days and fully address your request within one month.
This Privacy Policy works in conjunction with our Terms and Conditions. For all legal matters, English law applies.