Data Controller: The controller determines the purposes and means of processing data.
Data Processor: The processor is responsible for processing the data on behalf of the controller.
Data Subject: A person whose data is processed by a controller or processor.

Data Controller Information
Fife Resource Base
Unit 1, Faraday Road

Data Retention

Invoices: Data will be stored for 6 years (from the end of the last financial year) in the form of invoices and will be processed solely for archiving purposes in the public interest (HMRC requirements).
These invoices will be destroyed after the minimum time required to comply with HMRC regulations. Organisational methods will be employed to protect the data from unauthorised or unlawful processing and against accidental loss or theft.

Email data: Emails from data subjects to email addresses will be deleted from the servers that we use after one month unless the email is part of an ongoing conversation.
In this case, once the email conversation is complete / resolved, the email conversation will be deleted from the email servers.

Online content management system data: Other data stored will be on the online shop's content management system if a data subject creates a registered account. This data includes:

  • Order history
  • Order details
  • Shipping / billing addresses
  • Name and title
  • Email address
  • Vouchers and loyalty points
  • Registration date
  • Date of last visit
  • Age (if given upon registration)
  • Phone number
  • IP addresses
  • Messages
  • Cart details
  • Method of payment
  • Language

Only the registered user and the data controller has access to this data.

Registered user accounts will be deleted if the user has not placed an order within 2 years of creating an account or if they have not placed an order within the previous 2 years. Due to the right to erasure, a registered user can choose to have their account deleted at any time by contacting the data controller (

The data processes and the lawful basis for processing

All data will be processed on the basis of consent.

The data controller deems the processing of data as necessary for the following reasons:

  • Names, addresses and phone numbers are required to fulfil customer orders. Names and addresses are required for shipping, a phone number is required so that couriers can contact the customer if necessary (please see the 3rd party section for more information).
  • Age data is given voluntarily by the data subject / registered user. reserve the right to not send out products to registered users that have volunteered data that indicates that they are aged under 18.
  • Vouchers and loyalty point data is stored on the system (Prestashop CMS) to enable data subjects / registered users to make use of discounts.
  • Date of registration, last visit data and IP address information is data that is processed as default with Prestashop's CMS system. IP addresses may be useful and sometimes viewed if it is suspected that the registered user's account has been compromised. The user's last visit can also help the data controller and the data subject determine whether the data subject / registered user's account may have experienced an unauthorised login. The date of registration assists the data controller in determining which accounts are inactive and require deletion after 2 year's of inactive use (please refer to the data retention section for more information).
  • A billing address is required for accounting purposes and invoices. This is for both the records of the data controller and the data subject who may also require invoices for filing and accounting.
  • Past orders and customer carts are stored so that the data subject / registered user can view past carts / orders for accounting purposes or to assist with future purchasing. Data of orders also assist the data controller in fulfilling those orders.
  • The messaging system within the Prestashop admin is in place so that customers / data subjects can be updated on order status' and so that the data subject can contact should they wish to. Messages will be deleted after 3 months.
  • Method of payment used is stored so that the data controller can use this information for accounting purposes. No payment details are stored on the online store or the server that uses. All payments are processed by external data processors (please see data processor section).
  • Language is stored so that the data controller is better able to communicate with the data subject if necessary.
  • Email addresses are required for the following purposes:
    To ensure that data subjects receive important information regarding their orders as well as having a point of contact with the data subject incase the data controller needs to contact the data subject in the event of a problem with the order.
    The email address also helps verify if the data subject is indeed the registered user as the recipient of the emails will become aware that an account has been registered using their email address. If they have not created the account, this will help alert them to this.
    The only other reason that email address data would be processed is if the email address is on the newsletter list. The data subject has to explicitly and voluntarily give consent to receive a newsletter from and have their data stored on the newsletter list.


The data subject will have to clearly give consent to the processing of their data by agreeing to this privacy notice when registering with
If a data subject withdraws their consent, the data of that individual will no longer be processed. However, as stated in the 'data retention' section, financial records such as invoices need to be stored for the appropriate period designated by HMRC. By giving consent, the data subject understands that this data will be solely used for archiving purposes in the public interest and will be destroyed once the minimum retention period stated by HMRC has passed.

Consent must be given via a positive opt in. The data subject will need to voluntarily tick a checkbox to provide consent. No pre-ticked boxes will be used.

The data subject must agree to both the privacy notice and terms and conditions separately via two separate checkboxes.

If the data subject refuses consent, will not be able to process the data subject's data and therefore an account with cannot be setup for the data subject and orders cannot be placed by the data subject. Orders and registered accounts cannot be created without data processing and therefore consent is required before either of these can be actioned. Consent is a precondition of signing up to the service as data processing is necessary for the service.

No consent is required to browse the online catalogue as only 'essential' cookies are used (please see the 'cookies' section for more information).

Consent can be withdrawn at any time (please see data subject's rights). No personal data will be processed without consent.

Third Parties

By agreeing to this privacy notice, in the event that the data subject places an order with, they agree that their name, address and contact details will be passed onto couriers / postal services so that their orders can be fulfilled. Depending on the courier (all of which are GDPR compliant), they may contact the data subject with delivery status updates via email or text.

In some cases, where items are not in stock at the facility, drop shipping may be required to ensure a quick and efficient fulfilment of the order. In the rare cases that this may occur, the data subject's name, billing / delivery address and contact details such as a phone number or email address may be passed onto suppliers and their couriers in order for them to fulfil the order. The drop shippers are:

Lynd Products Ltd
Dimanco Ltd
Hydrosense / Albagaia

The accountancy firm that use have access to accounting data via Xero software. Xero stores invoices and data such as name, billing address, shipping address, email address and telephone number. The accountancy firm is:

James Hair & Co

Other than the data processors that we use (see data processors section for more information), the above are the only instances in which a data subject's data would be accessed / processed by a third party.

Data Subject's Rights

A data subject has the following rights:

The right to be informed: A data subject has a right to be informed about the collection and use of their data.

The right of access: A data subject has the right to access their personal data and be aware of and verify the lawfulness of processing. If a data subject uses their right to access, will provide a copy of the information free of charge. The information will be provided within 1 month of the request. In order to supply the data subject with the requested information, must verify the identity of the data subject. The data subject will already have access to most of their personal data via the secure online registered user dashboard. If the data subject clicks on 'My Personal Data' in their dashboard, they can download their data to a PDF or CSV file.

The right to rectification: A data subject has a right to make a request for rectification and have inaccurate data rectified or completed if it is incomplete. has one calendar month after the request to respond to and rectify the specified information.

The right to erasure: A data subject has a right to have their data erased. A data subject can make a request for erasure and has 1 calendar month to respond. The data subject requests to have the data erased in the knowledge that once this has been completed, they will no longer have a registered account with and will be unable to place future orders. may need to verify the identity of the data subject before erasing data. This may be in the format of a phone call to the phone number on the registered account details. This method removes the need for requests for additional personal data (e.g photo ID) from the data subject.

The right to restrict processing: A data subject has the right to request restriction of the processing of their data. This right gives the data subject more control over how their data is used and they can limit the way in which a data controller uses their data. When processing is restricted, can still store the data but not use it. has 1 calendar month to respond to a right of restriction request.

The right to data portability: A data subject has a right to obtain, move, copy or transfer data easily from one online service to another. Once a data subject utilises their right to portability by communicating the request to, a response will be made within 1 calendar month. Data will be provided to the data subject in a machine readable format.

The right to object: A data subject has a right to object to processing based on legitimate interests, direct marketing, profiling and processing for purposes of research and statistics. As soon as a right to object request is received by, processing of the data subject's data by the data controller will be stopped. The request will also be communicated to third parties and data processors if applicable.

Rights in relation to automated decision making and profiling: This is a right under GDPR regulation but is not applicable to as does not use automated decision making or profiling.

The right to withdraw consent: A data subject can withdraw consent at any time and consent withdrawals will be acted upon as promptly as possible.

Data Processors (data controller) uses the services of data processors that provide sufficient guarantees that their data protection policies meet GDPR requirements. Each processor has its own policies in relation to GDPR regulation. The owners of have checked to the best of their ability that all data processors comply with GDPR regulation. uses the services of five data processors that handle user data:

LiveChat, Inc software:
LiveChat's compliance statement can be viewed here:

Stripe Payments Europe Ltd payment processor: have entered into a formal agreement with Stripe Payments Europe Ltd by accepting their Data Processing Agreement. This agreement is a contract between and Stripe Payments Europe Ltd that covers the requirements of Article 28 of GDPR regulation.

Regarding international data transfers, the Data Processing Agreement outlines that it may be necessary for Stripe Payments Europe Ltd to transfer data outside of the European Economic Area. If personal data is transferred to a location that has not been issued an adequacy decision by the European Commission, Stripe Payments Europe Ltd will ensure that appropriate safeguards have been implemented in accordance with applicable law.

Examples of appropriate safeguards mentioned in Stripe's privacy policy are:  EU Standard Contractual Clauses with a data recipient outside the EEA, verification that the recipient has implemented Binding Corporate Rules, or verification that the recipient adheres to the EU-US and Swiss-US Privacy Shield Framework. Full privacy policy can be viewed here:

Stripe has privacy shield certification. Their Privacy Shield policy can be viewed here:

Data processed by Stripe Payments Europe Ltd includes:

  • Cardholder name
  • Email address
  • Unique customer identifier
  • Order ID
  • Bank account details
  • Payment card details
  • Card expiration date
  • CVC code
  • Date/time/amount of transaction
  • Merchant name/ID
  • Location

To read more about Stripe and GDPR, you can view the 'Stripe Privacy Center' page by clicking here:

Nochex payment processor:
Nochex have added a GDPR statement to their privacy policy:

Paypal payment processor: has received a statement from Paypal that confirms that Paypal will be GDPR compliant by the 25th May 2018.

Krystal Hosting:
Krystal have confirmed in a statement that they are GDPR compliant:
'We have updated our Privacy Notice to meet the requirements of the new framework and have also implemented the required internal procedures to ensure that as a business we are fully GDPR compliant.' compliance statement can be found here:

Xero bookkeeping software:
Information regarding Xero's GDPR policies can be found here:

A data processing addendum that covers the requirements of Article 28 of GDPR regulation has been agreed and signed by both parties (Xero managers / directors and owner).

Within the addendum, it states the following regarding international data transfers:

Xero shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data (e.g., New Zealand), to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

So although, xero may transfer data outside of the EU, they will only do so to locations where appropriate safeguards have been ensured.

Xero is also regularly audited against SOC 2 standards by an independent third-party auditor. The SOC 2 report covers the Trust Services Principles and Criteria for Security, Availability, and Confidentiality. 

Data Breaches

In the unlikely event of a data breach (security measures / procedures are regularly assessed and adhered to), will contact the Information Commissioner's Office and will report the breach if advised to.
This will be reported within 72 hours of becoming aware of the breach.
If the breach is likely to affect individual's rights and freedoms, the affected individuals will be informed without undue delay.

Records will be kept of any personal data breaches. Personal data breaches can include:

Access by an unauthorised third party.
Sending personal data to an incorrect recipient.
Computing devices containing data being lost or stolen.
Malicious sources deleting or stealing data.
Alteration of personal data without permission.
Loss of availability to personal data.


The cookies on have been separated into 'essential' and 'extras'. In order for the website to function e.g the shopping cart or DDOS protection, the 'essential' cookies are installed by default when a user navigates the website. The 'extra' cookies are required for the following services to function:

  • Google analytics
  • LiveChat software (LiveChat, Inc)
  • Google Adwords
  • Bing Ads

In order for the above 'extra' cookies services to function, the user must choose to agree to the cookie notification popup. If the user does not agree, they can still browse the site but the 'extra' cookies services will not function and these 'extra' cookies will not be installed.

Data subjects that are also registered users can also revoke their consent to cookies within their customer account.

Social Media have a account. If a data subject contacts via direct message, the message will be stored for 30 days and will not be shared with other organisations.

Phone Customer Service

This is a helpline service to assist callers that require information regarding products and orders. No payments will be taken over the phone. Any notes taken of phone numbers, names or other personal information will be shredded immediately after use.


Newsletters will only be sent to data subjects that have opted in by voluntarily signing up for the newsletter. Data subjects will be able to unsubscribe from newsletters whenever they like. Data subjects can either click 'unsubscribe' at the bottom of newsletters received or they can contact directly. Please note that any data subjects that signed up to the newsletter prior to the 25th May 2018 will need to re-sign up to the newsletter for their email addresses to be included on the list.

Live Chat

Consent: All data subjects will need to give pre chat consent (by agreeing to the terms of the privacy notice) before a live chat can commence.

Data Retention: All chat data older than 30 days old will be deleted.

What data is processed: Every time a live chat commences, the live chat agent ( can view the following information:

  • Date and time of chat
  • Location
  • Local time of visitor
  • Cart items plus value
  • Pages visited
  • Previous visit and last visit (if within the previous 30 days)
  • Referral URL
  • Browser
  • Platform (e.g Windows 10)
  • Device
  • IP address
  • User agent
  • Name of data subject (if they have volunteered this information or if they are a registered user)
  • Email address of data subject (if they have volunteered this info or if they are a registered user)
  • Data subject's rating of the chat service.
  • Any data that is typed into the chat field.

Chat data hosting

LiveChat have confirmed that the chat service data is hosted in Europe.

Data use

The data will only be used to assist the data subject immediately or very soon thereafter. The data will solely be used to help the data subject with their enquiry.
Email addresses may be used to help the data subject with their enquiry.
Email addresses may be used if the data subject has indicated during the chat that they wish to receive an email from
The same applies to any phone number data voluntarily supplied by the data subject.

Data subjects may request a copy of the chat transcript during the chat.

The information in this privacy policy was correct (to the best of the data controller's knowledge) at the time of publication: May 24th 2018
Last update: Jan 4th 2024