BACKGROUND:

Furniture.Style Ltd understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who visits this website, https://www.furniture.style (“Our Site”) and will only collect and use personal data in ways that are described in this policy, and in a way that is consistent with our obligations and your rights under UK law.

Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of this Privacy Policy is confirmed when you register or make a purchase on our website. If you do not accept and agree with this Privacy Policy, you must not use Our Site or submit any personal data.


1. Information About Us

This website is owned and operated by:

Business Name: Furniture.Style Ltd (Replace with your actual company name if different)
Business Type: A private limited company registered in England and Wales.
Company Registration Number: [Insert company number]
Trading Address: [Insert full trading address, e.g., Unit X, Industrial Estate, Essex, UK]
VAT Number: [Insert VAT number]

Data Protection Officer: [Insert name if appointed, or state “We currently do not have a designated DPO, but all privacy-related matters are handled by our management team.”]

Contact Information for Data Protection Queries:

  • Email: privacy@furniture.style (Replace with your actual contact email)
  • Phone: [Insert telephone number]
  • Postal Address: [Insert postal address for legal correspondence]

2. What Does This Policy Cover?

This Privacy Policy applies solely to your use of our website, https://furniture.style (“Our Site”). We take your privacy seriously and aim to be transparent about how your data is collected, used, stored, and protected.

Please note that Our Site may contain links to other third-party websites. These external websites operate independently and may have their own privacy policies, which we strongly advise you to read. We accept no responsibility or liability for the privacy practices of any third-party websites and your use of such sites is at your own risk.

This policy does not cover any data collected offline or through any other means, including telephone, email communications, or in-person meetings unless otherwise stated. It applies only to the data collected through your interactions with Our Site, including account registration, browsing, order placement, and contact forms.

3. What is Personal Data?

Personal data is defined under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.”

In simpler terms, personal data is any information that can be used to identify you, either on its own or when combined with other data.

This includes (but is not limited to):

  • Your full name
  • Email address
  • Postal address
  • Contact telephone number(s)
  • Payment or billing information
  • IP address
  • Location data
  • Order history and preferences
  • Any other information that identifies you directly or indirectly

Some data types are considered special category data (e.g. health or biometric data), but our website does not collect or process any special category data under normal circumstances.

We treat all personal data with strict confidentiality and handle it in accordance with applicable data protection laws, including the UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

4. What Are My Rights?

Under the UK General Data Protection Regulation (UK GDPR), you have the following rights, which we are fully committed to upholding:

  • The right to be informed

You have the right to be informed about the collection and use of your personal data. This Privacy Policy is intended to provide you with clear and transparent details on how we collect, store, and process your information.

  • The right of access

You have the right to request access to the personal data we hold about you. This includes the right to receive a copy of the data, how it is being used, who it has been shared with, and how long it will be retained. To make a request, please refer to Section 12.

  • The right to rectification

If you believe that any personal data we hold about you is inaccurate or incomplete, you can request that it be corrected or completed. You can also log in to your account and make changes directly.

  • The right to erasure (also known as the ‘right to be forgotten’)

You can request that we delete your personal data when there is no compelling reason for its continued processing. This may apply if:

  • You no longer wish to use our services.
  • You withdraw consent where it was the basis for processing.
  • Data was unlawfully processed.

Please note: some data may be retained for legal, tax, or accounting purposes (e.g., invoices and purchase records for HMRC).

  • The right to restrict processing

You may request that we limit how we use your personal data. For example, you can request temporary restriction while we investigate a correction request.

  • The right to data portability

You can request a copy of the personal data you have provided to us in a structured, commonly used, and machine-readable format, and request that it be transferred to another data controller.

  • The right to object

You have the right to object to:

  • Processing based on legitimate interests.
  • Direct marketing.
  • Processing for research/statistics.

We will stop processing your data unless we can demonstrate legitimate grounds to continue.

  • Rights related to automated decision-making and profiling

We do not use your data for automated decision-making or profiling.


If you would like to exercise any of the rights above, or if you have any concerns about how we are using your personal data, you can contact us using the details found in Section 15.

You also have the right to lodge a complaint with the UK’s supervisory authority for data protection:

The Information Commissioner’s Office (ICO)
Website: https://www.ico.org.uk
Telephone: 0303 123 1113



5. What Data Do You Collect on Our Website?

When you visit or interact with our website, we may collect and process the following categories of personal and non-personal data, depending on your usage and level of engagement with our services:

Personal Information You Provide Directly

This includes information you provide when creating an account, placing an order, contacting us through forms or emails, or uploading verification documents. Such data may include:

  • Full Name
  • Business Name (if applicable)
  • Company Number (if applicable)
  • Billing Address
  • Shipping / Drop Shipping Address (including postcode and recipient contact name)
  • Email Address
  • Telephone Number
  • Mobile Number
  • Account Username and Password
  • Congestion Zone Confirmation (we ask this to help avoid unnecessary congestion charges when fulfilling orders)
  • Proof of Trade Address (e.g., utility bill or business registration document)

Payment Details

We collect payment-related information as part of order processing, however:

  • We do not store full payment details on our servers.
  • All payments are securely processed via third-party platforms (e.g., card payment providers or PayPal).
  • Your payment information is encrypted and transmitted via SSL during checkout.

Order and Transaction Data

We retain order history and related invoice data as part of fulfilling legal obligations (such as HMRC compliance), including:

  • Products purchased
  • Dates and times of purchase
  • Order values
  • Shipping information

Technical and Usage Data

When browsing our site, we may collect anonymised data including:

  • IP Address
  • Browser Type
  • Operating System
  • Device Type
  • Referring Site or URL
  • Pages viewed and time spent on the site

This information is used to improve the performance, usability, and security of our website, but is not linked to any personally identifiable user profile.

Marketing Preferences

If you subscribe to our newsletter or opt-in during checkout or registration, we store your marketing consent and preferences. You can opt out at any time via your account settings or the unsubscribe link in emails.

6. How Do You Use My Personal Data?

Under the UK GDPR and Data Protection Act 2018, we must always have a valid lawful basis for using your personal data. This may be because the data is necessary for us to fulfil a contract with you, because you have given your consent, or because it is in our legitimate business interests.

We collect, store and process personal data for the following purposes:


a) Fulfilling Orders & Providing Services

  • To process and deliver the furniture products or services you have requested or purchased.
  • To manage payments and issue invoices, delivery documents, and receipts.
  • To confirm and process delivery information, including drop shipping where applicable.
  • To manage your account, including verifying identity and ownership.

b) Customer Support & Communication

  • To respond to your enquiries or complaints via email, telephone or web chat.
  • To send service-related messages such as order confirmations, delivery bookings, returns authorisations, or account updates.
  • To log and review calls for training and quality purposes.

c) Account Management & Site Access

  • To provide and manage access to your account on our website.
  • To allow you to view past orders and manage shipping preferences or payment details.
  • To help personalise your experience when visiting the site (e.g., remembering your preferred delivery addresses or saving items to a wishlist).

d) Marketing & Service Updates

  • To send optional newsletters, product updates, special offers, and industry news if you have opted in.
  • You can manage your communication preferences by logging into your account and changing your subscription settings.
  • We do not sell or share your personal data with third-party marketers.

e) Legal, Tax and Regulatory Compliance

  • To meet our obligations with HMRC and other tax authorities (e.g. invoice records).
  • To comply with health and safety regulations or product recall procedures where necessary.
  • To cooperate with legitimate legal requests, court orders, or government authorities.

f) Fraud Prevention & Security

  • To prevent fraudulent transactions or account misuse.
  • To monitor and protect against unauthorised access to our systems or data breaches.
  • To ensure that data is processed securely and not accessible by unauthorised users.

Automated Decision-Making and Profiling

We do not use automated decision-making or profiling tools to make decisions about you.


We will always aim to protect your rights and privacy and will never use your personal data in a way that is incompatible with the original reason it was collected. Your data is never sold or passed on without your consent unless legally required.

7. How Long Will You Keep My Personal Data?

We will not retain your personal data for any longer than is necessary for the purposes for which it was originally collected, as outlined in this Privacy Policy. The specific length of time will depend on various factors, including legal, tax, accounting, and regulatory requirements.

We will retain personal data under the following guidelines:


a) Customer Accounts and Order Records

  • If you register an account with us, we will retain your data until you request account closure or if your account becomes inactive for a significant period (e.g. 6 years).
  • Order history, billing, and shipping data will be retained for at least 6 years in compliance with HMRC and accounting obligations.
  • Even if you request your account be deleted, we may retain certain data for legal or regulatory purposes (see below).

b) Financial Transactions and Invoices

  • All transaction records, including receipts, order confirmations, and payment logs, will be retained for 6 years from the end of the financial year they relate to, as required by tax law and auditing obligations.

c) Proof of Trade Documentation

  • If you provide utility bills or other verification documents as part of our trade registration process, we retain this only for as long as is necessary to validate your status—typically no more than 12 months unless ongoing validation is required.

d) Customer Service Communications

  • Communications such as emails, messages, or telephone recordings may be kept for up to 2 years for training, quality assurance, and dispute resolution purposes.

e) Marketing Preferences

  • Your opt-in preferences for receiving marketing emails or offers are retained until you choose to unsubscribe or update your preferences through your account settings.

f) Data Retention after Account Closure

If you close your account:

  • We will retain only essential records required for legal and compliance reasons.
  • All non-essential or optional data will be deleted within 60 days of your request.

g) Website Usage Logs

  • Any system logs, error reports, and session data for analytical or troubleshooting purposes will be anonymised and retained for no longer than 12 months, unless required for resolving ongoing issues.

We regularly review the data we store to ensure it is not kept for longer than necessary. Where personal data is no longer required, we securely delete or anonymise it in accordance with best practices and data protection regulations.

8. How and Where Do You Store or Transfer My Personal Data?

We take the security of your personal data extremely seriously. All personal data collected via our website is stored and processed in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

a) Where Your Data Is Stored

Your data is stored and processed within the United Kingdom. We do not store or transfer your personal data outside of the UK or European Economic Area (EEA) unless it is absolutely necessary and adequate safeguards are in place.

This ensures your data receives the same level of protection as required under UK law.

b) Hosting and Infrastructure

  • Our website is hosted on secure UK-based servers managed by a GDPR-compliant hosting provider.
  • The infrastructure we use includes:
    • SSL encryption (Secure Sockets Layer) for all data transmitted through our website, including account login and checkout pages.
    • Firewall protection and intrusion detection systems on all servers.
    • Regular malware scans and penetration testing to ensure ongoing data security.

c) Email and Communication Security

  • All email communications are encrypted using Transport Layer Security (TLS).
  • We monitor all incoming and outgoing emails for viruses, phishing attempts, and other malicious content.
  • Our internal systems are protected with commercial-grade antivirus and endpoint protection tools, updated daily.

d) Access Restrictions

  • Access to your personal data is limited to authorised personnel only.
  • Employees who handle personal data receive data protection training and are bound by confidentiality agreements.

e) Third-Party Services

  • Where third-party service providers are involved (such as couriers or payment gateways), we only work with partners who meet strict data protection standards.
  • If any data is processed outside the UK/EEA, we will ensure the transfer is protected using legally approved mechanisms such as:
    • Standard Contractual Clauses (SCCs)
    • Binding Corporate Rules (BCRs)
    • Or verification of the third party’s adequacy status by the UK government.

f) Backups and Redundancy

  • Regular encrypted backups of our website and order data are taken to ensure business continuity and data recovery in case of unexpected outages or incidents.
  • Backups are stored securely and are automatically purged after 30 days, unless longer retention is necessary due to system recovery events.

We are committed to continuous improvement and regularly review our systems, hosting, and data protection procedures to keep your information secure.

9. Do You Share My Personal Data?

We respect your privacy and only share your personal data when necessary to provide our services or meet legal obligations. Below is a breakdown of the situations where data may be shared:

a) Delivery and Drop-Shipping Services

In order to fulfil your orders efficiently and accurately, we may share relevant delivery details with third-party couriers or drop-shipping partners. These details may include:

  • Full name
  • Delivery address
  • Contact telephone number
  • Specific delivery instructions (if provided)

Examples of third-party delivery services we may use include:

  • Direct-to-door couriers appointed by our supply partners
  • National courier networks (e.g., XDP, DPD, DHL, or similar)

We only share the information required for them to perform their duties.

b) Payment Processing

We work with secure and trusted payment service providers. While we may collect your payment information during the checkout process, we do not store your card details on our servers. All payment data is handled by:

  • [Insert payment gateway name, e.g. Stripe, PayPal, or Worldpay]

These providers are fully PCI-DSS compliant (Payment Card Industry Data Security Standard).

c) Business Operations and IT Providers

We may engage certain service providers to help with:

  • Website hosting
  • Technical support
  • Data backups
  • System maintenance

These providers may have access to some data in the course of their service delivery but are contractually bound to protect it.

d) Legal Obligations

We may disclose personal data where required:

  • To comply with legal requirements
  • In response to lawful requests by public authorities (e.g., law enforcement, tax authorities)
  • In connection with ongoing or prospective legal proceedings
  • To establish, exercise or defend our legal rights

e) Safeguards with Third Parties

Whenever we share your data:

  • We ensure that only the minimum necessary information is disclosed
  • We require all third parties to handle your data securely and in compliance with the UK GDPR
  • We enter into data processing agreements where appropriate

f) No Selling of Data

We do not sell, rent, or trade your personal information to any third parties for marketing or commercial purposes.

g) International Transfers

At present, your data is stored and processed within the UK. If any third-party service providers process your data outside of the UK or EEA:

  • We will ensure that appropriate safeguards are in place
  • This includes Standard Contractual Clauses or other legally recognised data protection mechanisms

10. How Can I Control My Personal Data?

We believe in transparency and giving you full control over your personal information. Below are the ways in which you can manage how your data is collected, stored, and used on our site:


a) Managing Your Account

When you register on our website, you can:

  • View and edit your contact and delivery information
  • Change communication preferences (e.g., opt in or out of newsletters)
  • Update your password and security details

You may log in at any time to update this information through the “My Account” section of the website.


b) Marketing Preferences

You can choose to:

  • Opt-in to receive updates, promotions, or new product announcements
  • Opt-out at any time by:
    • Unchecking the relevant box in your account settings
    • Clicking the “Unsubscribe” link at the bottom of any marketing email
    • Contacting us directly using the information in Section 15

We will never send you marketing emails unless you have explicitly opted in.


c) Limiting Data Usage

You may also:

  • Request that we restrict or suspend processing of your data (e.g., during a dispute or verification period)
  • Object to our use of your data for certain purposes (such as direct marketing)

To do so, contact us using the details in Section 15.


d) Third-Party Preference Services

If you want to reduce unsolicited contact in general, you can also register with:

  • The Telephone Preference Service (TPS)
  • The Mailing Preference Service (MPS)
  • The Corporate Telephone Preference Service (CTPS) for businesses

These services will help limit marketing calls and mail from third parties. However, they do not affect communications you’ve opted into on our website.

11. Can I Withhold Information?

Yes, you can browse and access the majority of our website without submitting any personal information.

We do not currently require customers to create accounts in order to use our services. You are free to view products, browse categories, and access general content anonymously.


When Information Is Required

You will only be asked to provide personal or business information if you:

  • Place an order
  • Request a delivery
  • Enquire about a product or service
  • Submit a contact form
  • Require dropshipping arrangements

In those cases, we may require:

  • Full name or business name
  • Delivery address
  • Contact details
  • Billing details
  • Proof of trade (if applicable)

Without this information, we may not be able to process your enquiry or complete your order.


Cookies

We use minimal cookies strictly necessary for the operation of the website (see Section 14). You can choose to decline cookies in your browser settings, but doing so may affect the functionality of features such as:

  • Shopping cart
  • Form submission
  • Session retention

12. How Can I Access My Personal Data?

If you want to know what personal data we hold about you, you have the right to request access to it. This is called a “subject access request.”

We are committed to transparency and will provide full details wherever legally required.


How to Make a Request

All subject access requests should be made in writing and sent to the contact details listed in Section 15.

You can write to us via:

  • Email: [your support email]
  • Post: [your business address]

For clarity and speed, please include:

  • Your full name
  • The type of information you want to access
  • Any specific dates or interactions that may help us locate your data

Is There a Cost?

There is no charge for a subject access request.
However, if your request is repetitive, unfounded, or excessive, we may charge a small fee to cover administrative costs.


Response Time

We aim to respond to all valid data access requests:

  • Within 14 working days, and
  • No later than one calendar month

If your request is complex or requires extra time, we will inform you of the delay and explain why.


What You’ll Receive

We will provide:

  • A copy of the personal data we hold about you
  • The reasons we process it
  • How long we’ll store it
  • Your rights concerning that data

13. Data Breach Notification

We take data security seriously. If there is ever a personal data breach that could pose a risk to you, we have a clear process in place to act quickly and transparently.


Immediate Reporting

All suspected or confirmed data breaches must be reported immediately to our designated Data Protection Contact.

We will then assess the breach and determine the severity and potential impact on individuals’ data.


When We Notify the Authorities

If the breach is likely to result in a risk to your rights and freedoms—for example, financial loss, identity theft, reputational damage, or exposure of sensitive data—we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it.


When We Notify You

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly and without undue delay, outlining the nature of the breach and how it may affect you.


What We Will Include in a Notification

All breach notifications will clearly include:

  • The nature of the breach
  • The number and types of individuals and records affected
  • Contact details for further information
  • The likely consequences of the breach
  • Steps we have taken (or plan to take) to deal with the breach and mitigate harm

We have internal security protocols to minimise risks, and we are committed to handling any breach swiftly, lawfully, and with full transparency.


14. How We Use Cookies

A cookie is a small text file that is stored on your device (computer, phone, or tablet) when you visit a website. Cookies help websites remember your actions and preferences (such as login, language, font size, and other display preferences) so you don’t have to re-enter them whenever you return.


How We Use Cookies on Our Website

We use cookies strictly for functionality related to your interaction with the site. This includes:

  • Session-based login cookies, which allow secure access during your visit
  • Preserving shopping cart contents (if applicable)
  • Saving simple user preferences

We do not use cookies for:

  • Advertising or behavioural tracking
  • Analytics tracking (e.g., Google Analytics)
  • Third-party marketing or remarketing

We do not collect personal information through cookies beyond what is required to provide the service you’ve requested.


Your Control Over Cookies

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser setting to decline them if you prefer. However, this may prevent you from taking full advantage of the website, such as staying logged in or remembering your cart.

We only use essential cookies, and no tracking or analytical tools are active on the site. If this changes in the future, this section of the Privacy Policy will be updated to reflect those changes in full.

15. How Do I Contact You?

If you have any questions about this Privacy Policy, your personal data, or you would like to exercise any of your rights under data protection law, please get in touch using the contact details below:

  • Email address: info@furniture.style
  • Telephone number: [01234 567 890] (Replace with your actual number)
  • Postal address: [Your Business Name], [Your Trading Address], [Town/City], [Postcode], United Kingdom

We aim to respond to all data protection enquiries and Subject Access Requests promptly and in accordance with applicable data protection regulations.

16. Age Consent

You must be 18 years of age or older to place orders or engage in transactions through our website.

By using our website, you confirm that you meet the minimum age requirement. We do not knowingly collect or store personal data from individuals under the age of 18. If we become aware that we have inadvertently collected personal data from anyone under 18, we will take steps to delete it immediately.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, relevant laws, our business operations, or website functionality.

Any such changes will be published on this page. You are advised to review this Privacy Policy regularly to ensure you remain informed about how we are protecting your data.

Your continued use of our website after changes are posted constitutes your acceptance of those changes.

Last updated: [02/07/2025]