Privacy Policy
Last updated: [INSERT DATE]
We collect the details needed to run our store (orders, shipping, customer support) and to keep the site secure. Payments and shipping address collection are handled through Stripe Checkout. You have privacy rights and can contact us to exercise them.
1. Who is responsible for your data?
The data controller for this Site is:
- Business name: complexfour
- Legal entity: [INSERT LEGAL ENTITY NAME]
- Registered address: [INSERT ADDRESS]
- Contact email: [INSERT PRIVACY EMAIL]
2. What data we collect
Depending on how you use the Site, we may collect:
- Order and checkout data: name, email, phone number, billing/shipping address, order contents, and transaction identifiers.
- Payment data: payment method details are processed by Stripe; we do not receive full card numbers.
- Customer support data: messages you send us and any attachments you provide.
- Technical data: IP address, device/browser info, basic logs used for security and fraud prevention.
- Cookies/analytics data: if enabled, information about how you navigate the Site (see Cookies section).
3. Why we use your data (purposes)
- To process orders, payments, and deliver products.
- To provide customer service and manage returns/refunds.
- To prevent fraud, secure the Site, and enforce our Terms.
- To comply with legal obligations (e.g., accounting and tax records).
- To send service messages (order confirmations, shipping updates).
- With your consent (where required), to send marketing communications.
4. Our lawful bases (UK GDPR)
Where the UK GDPR applies, we rely on one or more lawful bases, such as:
- Contract: processing necessary to fulfil your order and provide customer support.
- Legal obligation: maintaining records required by law (e.g., tax/accounting).
- Legitimate interests: securing the Site, preventing fraud, improving reliability (balanced against your rights).
- Consent: where required for certain cookies or marketing (you can withdraw consent at any time).
ICO guidance explains what a privacy notice should include and when it must be provided.
5. Who we share data with
We share data only as needed to run the store, including:
- Stripe (payments): Stripe processes payments and may collect shipping/billing information during checkout.
- Shipping and logistics providers: to deliver your order (name, address, phone/email where necessary).
- Service providers: hosting, security, analytics (if enabled), and customer support tooling.
- Professional advisers: accountants, auditors, lawyers where needed.
- Authorities: where required by law or to prevent fraud/abuse.
Stripe explains that it can act as a data controller and/or processor depending on the activity.
6. International transfers
If we or our providers transfer your personal data outside the UK (and, where relevant, the EEA), we use appropriate safeguards such as contractual protections and other lawful transfer mechanisms as required by applicable law.
7. How long we keep your data (retention)
We keep personal data only as long as necessary for the purposes described above, including:
- Order records: typically kept for accounting/tax and customer support purposes (often several years, depending on legal requirements).
- Support messages: kept as long as needed to resolve your issue and maintain records.
- Security logs: retained for a limited period for monitoring and incident response.
Replace this section with your actual retention schedule once you decide it.
8. Your rights
Depending on your location and applicable law (including UK GDPR and DPA 2018), you may have rights to:
- Request access to your personal data.
- Request correction of inaccurate data.
- Request deletion (in certain circumstances).
- Object to or restrict processing (in certain circumstances).
- Request data portability (in certain circumstances).
- Withdraw consent (where we rely on consent).
To exercise your rights, email [INSERT PRIVACY EMAIL]. We may need to verify your identity.
The UK’s data protection framework includes the UK GDPR and Data Protection Act 2018.
9. Complaints
If you have a concern, please contact us first at [INSERT PRIVACY EMAIL] and we’ll try to resolve it. You also have the right to complain to the UK supervisory authority, the Information Commissioner’s Office (ICO).
The DUAA 2025 amends (but does not replace) UK GDPR, DPA 2018 and PECR.
10. Cookies and similar technologies
We may use cookies and similar technologies for essential site functionality and, if enabled, analytics and marketing. You can control cookies through your browser settings. If we use non-essential cookies, we will request consent where required.
If you later add analytics (e.g., Google Analytics), add specifics here (cookies used, purposes, retention).
11. Marketing
If you opt in to marketing communications, you can unsubscribe at any time using the link in our emails or by contacting us. We send service messages (like order confirmations) regardless of marketing preferences.
12. Children
The Site is not intended for children. We do not knowingly collect personal data from children.
13. Security
We use reasonable technical and organisational measures to protect personal data. However, no method of transmission or storage is completely secure. Payments are handled via Stripe, and we do not store full card details on our servers.
14. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date indicates when changes take effect.
15. Contact
Privacy questions: [INSERT PRIVACY EMAIL]