Privacy Policy
1. Introduction
Andrea's Emporium ("we", "us", "our", or "Company") operates the website at andreasemporium.com (the "Site"). We are committed to protecting your privacy and ensuring you have a positive experience on our Site. This Privacy Policy explains how we collect, use, disclose, and otherwise handle your personal information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable UK and EU data protection laws.
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Site.
2. Data Controller
Data Controller Details:
- Company Name: [PLACEHOLDER: Company Name]
- Company Registration Number: [PLACEHOLDER: Companies House Number]
- Registered Address: [PLACEHOLDER: Full Registered Address]
- Contact Email: [PLACEHOLDER: Data Protection Contact Email]
- Telephone: [PLACEHOLDER: Contact Telephone Number]
For any data protection matters or to exercise your rights under the UK GDPR, you can contact our Data Protection Officer (if appointed) or our Data Protection contact at the email address listed above.
3. What Personal Data We Collect
We collect personal information you voluntarily provide and information automatically collected through your use of our Site:
3.1 Information You Provide Directly
- Account Registration: Name, email address, password, postal address, telephone number
- Purchase Information: Billing address, delivery address, payment card details (processed by secure third-party payment providers)
- Communications: When you contact us via email, contact form, or customer support — any information you provide in your message
- Newsletter Subscription: Email address when you subscribe to our newsletter
- User-Generated Content: Comments, reviews, tutorial feedback, and any other content you submit to the Site
- Survey Participation: Responses to surveys, questionnaires, or feedback forms
3.2 Information Collected Automatically
- Device Information: Device type, operating system, browser type and version, IP address
- Usage Information: Pages visited, time spent on pages, links clicked, referring URL, search terms used
- Location Information: General geographical location based on IP address (not precise GPS)
- Cookies and Similar Technologies: See Section 7 (Cookies and Similar Technologies)
4. Legal Basis for Processing
Under UK GDPR, we only process personal data where we have a lawful basis. Our lawful bases include:
- Consent: Where you have given explicit consent (e.g., newsletter subscription, marketing communications)
- Contract: Where processing is necessary to perform our contract with you (e.g., order fulfilment, account management)
- Legal Obligation: Where we are required to process data by law (e.g., tax compliance, fraud prevention)
- Legitimate Interests: Where we have a legitimate business interest that is not overridden by your rights (e.g., security, analytics, improving our services)
5. How We Use Your Information
We use your personal data for the following purposes:
- Process and fulfil orders, including delivery and returns
- Provide customer support and respond to inquiries
- Send transactional emails (order confirmations, shipping updates, invoices)
- Manage your account and authentication
- Send marketing communications (newsletters, promotions) — only where you have opted in
- Conduct analytics to improve our Site, products, and services
- Detect, prevent, and address fraud and security issues
- Comply with legal and regulatory obligations
- Personalise your experience and recommend relevant products
- Conduct customer surveys and gather feedback
- Enforce our Terms of Use and other policies
6. Who We Share Your Information With
We may share your personal data with the following categories of recipients:
6.1 Service Providers
- Payment Processors: [PLACEHOLDER: Payment Provider Name(s)] — to process payments securely
- Shipping Partners: [PLACEHOLDER: Courier/Logistics Provider Name(s)] — to deliver orders
- Email Service Providers: [PLACEHOLDER: Email Marketing Provider] — to send newsletters and communications
- Analytics Providers: [PLACEHOLDER: Analytics Service Name(s)] — to measure Site performance
- Cloud Hosting Providers: [PLACEHOLDER: Hosting Provider Name] — to host our Site and data
6.2 Legal and Business Transfers
- Law enforcement and public authorities (when required by law)
- Professional advisors (solicitors, accountants) in connection with legal matters
- In the event of a merger, acquisition, or sale of assets, data may be transferred as part of that transaction (you will be notified)
6.3 Third-Party Restrictions
We do not sell or rent your personal data to third parties. We ensure all service providers are bound by confidentiality obligations and process data only for the purposes we specify. Service providers are compliant with UK GDPR and other applicable data protection laws.
7. Cookies and Similar Technologies
We use cookies and similar tracking technologies to:
- Remember your preferences and login information
- Understand how you use our Site (analytics)
- Improve our Site's functionality
- Serve personalised advertising (where you have consented)
For detailed information about cookies we use, how to manage your cookie preferences, and how to opt out, please see our Cookie Policy.
8. Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Retention periods by data type:
- Account Data: Retained for the duration of your account, plus 7 years for tax and compliance purposes
- Order Data: Retained for 7 years (UK tax requirement)
- Email Communications: Retained for 2 years unless you unsubscribe (then deleted within 30 days)
- Marketing Consent Records: Retained for 3 years after last engagement or withdrawal of consent
- Website Analytics: Aggregated, anonymised data retained indefinitely; identifiable data deleted after 26 months
- Cookie Data: Typically deleted after 12 months of inactivity
9. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of Access: You can request a copy of the personal data we hold about you
- Right to Rectification: You can request correction of inaccurate or incomplete data
- Right to Erasure: You can request deletion of your data (subject to legal exceptions)
- Right to Restrict Processing: You can request we limit how we use your data
- Right to Data Portability: You can request your data in a portable, machine-readable format
- Right to Object: You can object to certain types of processing, including marketing communications
- Right to Withdraw Consent: Where processing relies on your consent, you can withdraw it at any time
- Rights Related to Automated Decision-Making: You have rights regarding decisions made solely by automated means
9.1 How to Exercise Your Rights
To exercise any of these rights, please contact us at [PLACEHOLDER: Data Protection Contact Email] with:
- Your name and email address
- A clear description of your request
- Any relevant order or account numbers
We will respond to your request within 30 days of receipt (or up to 3 months for complex requests). You may need to provide proof of identity before we can process your request.
10. Third-Party Links and Services
Our Site may contain links to third-party websites (social media, payment processors, analytics providers). This Privacy Policy applies only to our Site. We are not responsible for the privacy practices of third-party websites. We recommend reviewing their privacy policies before providing any personal information.
11. International Data Transfers
Our Site is operated within the UK. If we transfer your data to countries outside the UK (including EU countries), we ensure appropriate safeguards are in place, such as:
- Standard contractual clauses approved by the UK government
- Adequacy decisions for countries with equivalent data protection laws
- Your explicit consent where required
12. Children's Privacy
Our Site is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13 without parental consent, we will delete it immediately. If you believe we have collected data from a child under 13, please contact us immediately at [PLACEHOLDER: Data Protection Contact Email].
13. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Secure HTTPS encryption for data transmission
- Firewalls and intrusion detection systems
- Regular security audits and penetration testing
- Access controls and authentication protocols
- Employee data protection training
While we strive to protect your data, no security system is impenetrable. We cannot guarantee absolute security of data transmitted over the internet.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:
- Posting the updated policy on our Site
- Updating the "Last updated" date at the top of this policy
- Sending an email notification for significant changes (where applicable)
Your continued use of our Site after changes constitutes your acceptance of the updated Privacy Policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us at:
- Email: [PLACEHOLDER: Data Protection Contact Email]
- Address: [PLACEHOLDER: Full Registered Address]
- Telephone: [PLACEHOLDER: Contact Telephone Number]
16. Data Protection Authority
If you are not satisfied with how we have handled your data or your data protection rights, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: www.ico.org.uk
- Email: casework@ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK