Marylebone Flowers Privacy Policy

Scope of This Privacy Policy

This Privacy Policy applies to all customers who place flower orders with Marylebone Flowers, whether directly or through our website, for delivery to Marylebone and surrounding districts. We are committed to protecting your personal data and being transparent about how we use it, in full accordance with the General Data Protection Regulation (GDPR).

What Personal Data We Collect

To provide our products and services, we may collect and process the following types of personal data:

  • Contact Information: Your name, billing and delivery address, and contact phone number.
  • Order Details: Products ordered, delivery instructions, and order history.
  • Recipient Information: Name and address of the recipient of the flowers (when different from the customer).
  • Payment Information: Payment card details (which are processed securely by third-party payment processors and not stored by us).
  • Communications: Any correspondence you have with us, including special requests and feedback.
  • Technical Data: IP address and browser type when using our website, for security and performance optimization.

Purpose and Lawful Basis for Processing

We process your personal data only where we have a valid legal basis under GDPR:

  • Performance of Contract: To fulfill your flower order, including processing payment, arranging delivery, and providing customer support.
  • Compliance with Legal Obligations: To meet legal requirements such as bookkeeping, tax, and recordkeeping duties.
  • Legitimate Interests: To improve our services, prevent fraud, and manage business operations, provided these interests do not override your rights.
  • Consent: Where required, such as when subscribing to a marketing or promotional list (note: you may withdraw consent at any time).

How We Use Your Information

Your data is used exclusively for the following purposes:

  • Processing orders, payments, and arranging delivery
  • Communicating with you regarding your order or inquiries
  • Improving our ordering and delivery processes
  • Complying with legal obligations and auditing requirements
  • Sending marketing communications (with your explicit consent only)

Retention of Personal Data

We retain your data only for as long as necessary to fulfill the purposes for which it was collected. Generally:

  • Order and delivery records: kept for up to 7 years to comply with legal and accounting requirements
  • Customer communications: retained for up to 2 years from your last interaction
  • Marketing preferences: kept until you withdraw consent or unsubscribe
  • Payment information: not stored by Marylebone Flowers, only processed securely by our payment processors

Upon expiry of the retention period or fulfillment of its purpose, your data is securely deleted or anonymized.

Who Processes Your Data (Processors and Sub-Processors)

To fulfill your orders efficiently, Marylebone Flowers may engage trusted third-party service providers to process your data, including:

  • Payment Processors: Securely handle card payment information and transactions
  • Delivery and Logistics Partners: Deliver your order to the specified address
  • IT and Hosting Providers: Host our website and safeguard data security
  • Marketing Service Providers: Only with your express consent for promotional messages

We ensure all processors act in accordance with GDPR, maintain adequate security, and never use your data for their own purposes.

Your GDPR Rights

You have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data under certain circumstances
  • Right to Restrict Processing: Ask us to limit how we use your data
  • Right to Data Portability: Receive your data in a structured, commonly used format
  • Right to Object: Object to our use of your data for certain purposes, including direct marketing
  • Right to Withdraw Consent: Where we process your data based on consent, you may withdraw it at any time
  • Right to Lodge a Complaint: Submit a complaint to the relevant data protection authority if you believe your rights have been infringed

Data Security

We maintain security measures appropriate to the risks, including encryption, access controls, secure hosting, and staff training, to prevent unauthorized access, disclosure, alteration, or destruction of your personal data.

International Data Transfers

Your data may occasionally be processed outside of the United Kingdom or European Economic Area by our IT providers. Where this occurs, we ensure appropriate safeguards, such as contractual clauses, are in place in line with GDPR requirements.

Policy Updates

We may update this Privacy Policy from time to time. Changes will be noted by updating the revision date at the top of this page. Please review this policy periodically to remain informed about how we handle your personal data.

Contacting Us

If you have any questions regarding this Privacy Policy or your personal data, or wish to exercise any of your GDPR rights, please contact us using the contact details on our website or in your order confirmation.