# Privacy Policy

**Effective Date:** [Date]

**Identity of Data Controller:** [Your Business Name]

**Jurisdiction:** Scotland & United Kingdom

## 1. Introduction

Welcome to **[Your Website Name]** ("we," "our," or "us"). We take your data protection seriously. This document details how we collect, store, and transfer your data in strict compliance with the **UK General Data Protection Regulation (UK GDPR)** and the **Data Protection Act 2018**.

We operate this website using enterprise-grade infrastructure provided by **Cloudflare** and **Stripe** to ensure maximum security and payment compliance.

## 2. Who is Responsible for Your Data?

**[Your Business Name]** is the "Data Controller" for your account information and order details. This means we decide *why* and *how* your data is used.

However, for specific technical and financial operations, we partner with third parties who act as either **Processors** (acting on our instructions) or **Independent Controllers** (acting under their own legal obligations):

* **Cloudflare, Inc. (Security & Hosting):** Acts as a **Data Processor**. They sit between you and our website to protect against attacks, deliver content faster, and ensure site reliability.
* **Stripe (Payments):** Acts as an **Independent Data Controller** for financial transactions. They collect your payment data directly to process payments and prevent fraud.

## 3. The Data We Collect & How We Use It

| Data Type | What We Collect | Why We Collect It (Lawful Basis) |
| --- | --- | --- |
| **Identity Data** | Name, Username | Performance of Contract (To ship your order) |
| **Contact Data** | Billing Address, Delivery Address, Email, Phone | Performance of Contract (To deliver goods) |
| **Financial Data** | Partial credit card info (last 4 digits), payment method | Performance of Contract (To verify payment) |
| **Technical Data** | IP Address, Browser Type, Device Operating System | Legitimate Interest (Network security via Cloudflare) |
| **Transaction Data** | Purchase history, Order IDs | Legal Obligation (Tax & HMRC reporting) |

> **Important Note on Credit Card Data:** We **do not** store or view your full credit card number, expiry date, or CVC. This information is entered directly into **Stripe's** encrypted inputs and never touches our servers.

## 4. Third-Party Infrastructure & Data Sharing

To operate this website securely and legally, we share specific data with the following partners. By using our site, you acknowledge these transfers:

### A. Cloudflare (Web Infrastructure & Security)

We use Cloudflare to host our website and protect it from cyberattacks (DDoS).

* **What they process:** Your IP address, system configuration information, and other traffic data needed to deliver the website to your device.
* **Why:** To ensure the security and reliability of our service (Legitimate Interest).
* **Cookies:** Cloudflare may place a strictly necessary cookie (`__cf_bm`) on your device to detect bots. This does not track your identity across other sites and cannot be disabled without breaking the site.

### B. Stripe (Payment Processing)

We use Stripe to process all financial transactions.

* **What they process:** Your name, email, billing address, and full payment details. Stripe also collects device signals (like typing speed or screen size) to detect fraudulent transactions.
* **Role:** Stripe acts as an independent **Data Controller** for the purposes of fraud monitoring and compliance with financial regulations (Know Your Customer / Anti-Money Laundering).
* **More Info:** You can read Stripe’s own Privacy Policy here: [https://stripe.com/gb/privacy](https://stripe.com/gb/privacy)

## 5. International Data Transfers

Both Cloudflare and Stripe are headquartered in the United States. This means your personal data may be transferred outside the UK.

We ensure your data is protected during these transfers through the **UK Extension to the EU-US Data Privacy Framework (UK Data Bridge)**, in which both Cloudflare and Stripe participate. This ensures they treat your data with the same high standards required by UK law.

## 6. Data Retention

* **Order Information:** We retain your order details for **6 years** to comply with UK tax laws (HMRC).
* **Marketing Data:** If you subscribe to our newsletter, we keep your email until you unsubscribe.
* **Stripe Data:** Stripe retains financial transaction data according to their own banking regulatory requirements (often up to 7-10 years).

## 7. Your Rights Under Scottish Law

You have the right to:

1. **Request access** to the personal data we hold about you.
2. **Request correction** of incorrect data.
3. **Request deletion** (Right to be Forgotten), provided we do not need the data for tax or legal reasons.
4. **Object to processing** (e.g., unsubscribe from marketing).

To exercise any of these rights, contact us at **[Your Email Address]**.

## 8. Complaints

You have the right to make a complaint at any time to the **Information Commissioner's Office (ICO)** (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO.

**Contact Us:**

* **Name:** [Your Business Name]
* **Email:** [Your Support Email]
* **Address:** [Your Scottish Address]