1. Data Controller
Lily Pad Home is the data controller responsible for your personal data. We are registered in England and Wales and are registered with the Information Commissioner's Office (ICO). Our registered office address, company registration number, and ICO registration number are published on our Contact page, which is permanently accessible from every page of this website. You can also contact us by emailing info@example.com.
This privacy policy explains how we collect, use, store, and protect your personal data when you use lilypadhome.co.uk (the "Website") in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data Use and Access Act 2025.
2. Data We Collect
We collect and process the following categories of personal data:
- Identity data: your name and title.
- Contact data: your email address, telephone number, delivery address, and billing address.
- Account data: your login credentials (email and encrypted password), order history, and account preferences.
- Transaction data: details of your purchases, payment method (card type and last four digits — full card numbers are never stored on our systems), purchase history, and product measurements you have specified.
- Technical data: your IP address, browser type and version, device type, operating system, and time zone setting.
- Usage data: information about how you use our Website, including pages visited, time spent on pages, click patterns, and referring website (collected via Google Analytics when you have consented to analytics cookies).
- Marketing data: your preferences for receiving marketing communications and your opt-in or opt-out status.
- Measurement data: window dimensions and product measurements you provide for made-to-measure orders, including width, drop, heading style, lining, and other product configuration details.
3. How We Collect Your Data
We collect personal data through the following means:
- Directly from you: when you create an account, place an order, contact us by email, subscribe to our newsletter, or provide feedback. This includes all identity, contact, account, transaction, marketing, and measurement data.
- Automatically: when you browse our Website, we collect technical and usage data through cookies and similar technologies. For full details of the cookies we use, please see our Cookies Policy.
- From third parties: we may receive transaction data from Stripe (our payment processor) confirming the status of your payment, and delivery data from our courier partners confirming the status of your delivery.
4. Purposes and Lawful Bases for Processing
We process your personal data for the following purposes, each with its corresponding lawful basis under Article 6(1) of the UK GDPR:
| Purpose | Lawful Basis |
|---|---|
| Processing your order, including manufacturing made-to-measure goods, taking payment via Stripe, and arranging delivery | Performance of a contract with you (Art 6(1)(b)) |
| Sending order confirmation, despatch notification, and delivery updates | Performance of a contract with you (Art 6(1)(b)) |
| Managing your customer account, including login, order history, and saved measurements | Performance of a contract with you (Art 6(1)(b)) |
| Handling complaints, returns, and refunds | Performance of a contract with you (Art 6(1)(b)) |
| Tax and accounting compliance, including maintaining records for HMRC | Legal obligation (Art 6(1)(c)) |
| Fraud prevention and detection, including monitoring transactions for unusual patterns | Legitimate interests (Art 6(1)(f)) — our interest in preventing fraudulent transactions and protecting our business and customers |
| Website analytics via Google Analytics, to understand how visitors use our Website and improve it | Consent (Art 6(1)(a)) or legitimate interests with opt-out, as permitted under the Data Use and Access Act 2025 |
| Sending marketing communications, including newsletters, promotions, and product recommendations | Consent (Art 6(1)(a)); also compliant with PECR Reg 22 |
| Website security, including protecting against cyberattacks, unauthorised access, and data breaches | Legitimate interests (Art 6(1)(f)) — our interest in maintaining the security and integrity of our Website and systems |
| Improving our products and services based on aggregated customer data and feedback | Legitimate interests (Art 6(1)(f)) — our interest in understanding customer needs and improving our offerings |
5. Data Sharing and Recipients
We may share your personal data with the following third parties:
- Stripe (payment processor): Stripe processes your payment on our behalf as a data processor under UK GDPR Art 28. Stripe is PCI DSS Level 1 certified. Your full card details are transmitted directly to Stripe over an encrypted connection and are never stored on or passed through our servers. Stripe Privacy Policy.
- Courier and delivery partners: we share your name, delivery address, and telephone number with our courier partners so they can deliver your order and contact you regarding delivery.
- Google (analytics): Google processes usage data on our behalf as a data processor when you have consented to analytics cookies. Google Privacy Policy.
- Hosting and IT service providers: our Website is hosted by infrastructure providers who may process your data as part of providing hosting services. These providers act as data processors under appropriate contractual terms.
- HM Revenue & Customs (HMRC): we are required by law to share certain transaction and financial data with HMRC for tax compliance purposes.
- Professional advisers: we may share data with our solicitors, accountants, and auditors where necessary for legal, tax, or accounting purposes.
- Law enforcement: we may disclose your data if required to do so by law, by a court order, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect our rights, or protect the safety of our customers or the public.
6. International Data Transfers
Some of our third-party service providers, including Stripe and Google, may process your personal data outside the United Kingdom. When your data is transferred outside the UK, we ensure it is protected by appropriate safeguards in accordance with UK GDPR Articles 44-49, including:
- Transfers to countries that have received a UK adequacy decision from the Secretary of State
- The International Data Transfer Agreement (IDTA) issued by the ICO
- Standard Contractual Clauses approved by the ICO
- The EU-US Data Privacy Framework (where applicable)
You have the right to request a copy of the safeguards we have in place for international transfers. Please contact us at info@example.com.
7. Data Retention
We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Specific retention periods are as follows:
- Transaction and financial records: 6 years from the end of the financial year in which the transaction took place, as required by HMRC and the Limitation Act 1980.
- VAT records: 6 years, as required by the VAT Regulations 1995.
- Customer account data: for the duration of your account plus 2 years after account closure, to allow you to reactivate your account and for us to handle any outstanding queries.
- Marketing consent records: for the duration of your consent plus a reasonable evidence period, to demonstrate that consent was obtained.
- Google Analytics data: in accordance with our configured retention period in Google Analytics (currently 14 months).
- Complaints records: 6 years from the date the complaint was resolved, in line with the limitation period for bringing legal claims.
When your data is no longer required, we will securely delete or anonymise it.
8. Your Rights
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
- Right of access (Art 15): you have the right to request a copy of the personal data we hold about you.
- Right to rectification (Art 16): you have the right to request that we correct any inaccurate personal data or complete any incomplete personal data.
- Right to erasure (Art 17): you have the right to request that we delete your personal data, subject to our legal obligation to retain certain data (such as financial records required by HMRC).
- Right to restriction of processing (Art 18): you have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Art 20): you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller.
- Right to object (Art 21): you have the right to object to the processing of your personal data based on legitimate interests. You have an absolute right to object to processing for direct marketing purposes at any time.
- Right not to be subject to automated decision-making (Art 22): you have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not currently use automated decision-making in relation to your personal data.
- Right to withdraw consent (Art 7(3)): where we rely on your consent to process your data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at info@example.com. We will respond to your request within one calendar month. In certain circumstances, we may extend this by a further two months, in which case we will inform you within the first month. Under the Data Use and Access Act 2025, we are required to acknowledge your request within 30 days.
9. Right to Lodge a Complaint
If you are not satisfied with how we handle your personal data or respond to your rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first at info@example.com so we have the opportunity to address your concern directly.
10. Requirement to Provide Data
The provision of your personal data (identity, contact, and measurement data) is a contractual requirement for us to process your order. If you do not provide this information, we will be unable to process your order, manufacture your goods, or arrange delivery.
The provision of marketing data (your opt-in preferences) is entirely voluntary. You can place orders without subscribing to marketing communications.
11. Children
This Website is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data as soon as reasonably possible. If you believe we may have collected data from a child under 16, please contact us at info@example.com.
12. Security Measures
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it, in accordance with UK GDPR Article 5(1)(f) and Article 32. These measures include:
- All data transmitted between your browser and our Website is encrypted using HTTPS/TLS.
- Payment processing is handled by Stripe, which is PCI DSS Level 1 certified. Full card details are never stored on or transmitted through our servers.
- Access to personal data is restricted to authorised personnel on a need-to-know basis.
- We conduct regular security reviews of our systems and processes.
- Customer passwords are stored using strong one-way hashing algorithms and are never stored in plain text.
No system of electronic data storage or transmission is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.
13. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in how we process your data, changes in the law, or for other operational or regulatory reasons. We will publish the updated policy on this page with a new "last updated" date. Material changes will be communicated to registered customers by email.
We encourage you to review this policy periodically to stay informed about how we protect your data.
14. Complaints Procedure
If you wish to make a complaint about how we handle your personal data, please contact us at info@example.com. We will acknowledge your complaint within 30 days, as required by the Data Use and Access Act 2025. We aim to resolve all complaints within 28 days of acknowledgement. If the matter requires further investigation, we will keep you informed of progress and provide a final response within a reasonable timeframe.
15. Contact
If you have any questions about this privacy policy or how we handle your personal data, please contact us at info@example.com.