Who We Are

The data controller responsible for your personal information is:

If you have any questions about how we handle your data, please contact us at the details above.

What Data We Collect

We collect personal data in the following categories:

• Identity data: name, username or similar identifier
• Contact data: billing address, delivery address, email address, telephone number
• Transaction data: details of products purchased, payment method (we do not store full card details)
• Technical data: IP address, browser type and version, time zone, operating system, and device information
• Usage data: information about how you use our website and products
• Marketing preferences: your preferences for receiving marketing from us

We do not collect any Special Category data (such as health, race, religion, or political opinions) and we do not collect data from children under the age of 16.

How We Collect Your Data

• Direct interactions: when you place an order, create an account, sign up to our newsletter, or contact us
• Automated technologies: cookies and similar tracking technologies as you browse our website (see Section 7)
• Third parties: analytics providers (e.g. Google Analytics), advertising partners (e.g. Meta/Facebook), and payment processors

How We Use Your Data & Our Legal Basis

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason compatible with the original purpose.

Marketing

We may send you marketing communications about our products, offers, and news if you have opted in to receive them. You can unsubscribe at any time by clicking the "unsubscribe" link in any marketing email, or by contacting us at info@henleymayfairbeds.com.

We will never share your data with third parties for their own marketing purposes without your explicit consent.

Who We Share Your Data With

We may share your personal data with the following categories of third parties, strictly for the purposes described in this policy:

• Shopify Inc. — our e-commerce platform and data processor
• Payment processors (e.g. Stripe, Klarna) — to process your payment securely
• Delivery partners — to fulfil and track your order
• Google LLC — for Google Analytics and Google Ads (subject to your cookie consent)
• Meta Platforms Inc. — for Facebook/Instagram advertising (subject to your cookie consent)
• Trustpilot — for review invitations (if applicable)

All third parties are required to respect the security of your personal data and to treat it in accordance with the law. We do not sell your data.

Cookies

We use cookies and similar tracking technologies to improve your browsing experience, analyse site traffic, and deliver relevant advertising. We require your consent before placing non-essential cookies.

You can manage your cookie preferences at any time using our cookie consent tool, or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law. Our standard retention periods are:

• Order and transaction records: 7 years (for HMRC / accounting purposes)
• Customer account data: retained while your account is active, then deleted within 2 years of last activity
• Marketing consent records: retained until you withdraw consent
• Website usage data (analytics): typically 26 months

International Transfers

Some of our third-party service providers (such as Shopify, Google, and Meta) may process your data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place — such as UK adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent mechanisms — to protect your data to the same standard as required under UK GDPR.

Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

• Right to access — request a copy of the data we hold about you
• Right to rectification — ask us to correct inaccurate or incomplete data
• Right to erasure — request deletion of your data ("right to be forgotten"), subject to legal obligations
• Right to restrict processing — ask us to limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at info@henleymayfairbeds.com. We will respond within 30 days. We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with the UK's data protection authority, the Information Commissioner's Office (ICO), at www.ico.org.uk or by calling 0303 123 1113.

Security

We take the security of your personal data seriously. Our website is protected by SSL/TLS encryption (HTTPS). We use Shopify's PCI-compliant infrastructure for all payment processing, meaning we never store your full card details on our servers.

We have appropriate technical and organisational measures in place to protect against unauthorised access, loss, or disclosure of your data. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay where required.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.