PRIVACY POLICY

PRIVACY POLICY

Ardenwood Old Gloucester Street, London, England, United Kingdom, WC1N 3AX

E-mail: hello@ardenwood.co.uk

Website: www.ardenwood.co.uk

Last updated: 18 March 2026

INTRODUCTION AND DATA CONTROLLER

This Privacy Policy explains how Ardenwood ("we", "us", "our"), collects, uses, stores, shares, and protects the personal data of users of the website www.ardenwood.co.uk ("Website").

Ardenwood acts as the data controller in respect of personal data collected through the Website, as defined under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Policy has been prepared in compliance with the UK GDPR (as retained in UK domestic law by virtue of the European Union (Withdrawal) Act 2018), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR), as amended.

For any questions regarding this Privacy Policy or our data processing activities, please contact us at hello@ardenwood.co.uk.

PERSONAL DATA WE COLLECT

We collect the following categories of personal data:

● Identity and contact data: name, email address, and delivery address, provided by you during account registration and at checkout.

● Transaction data: details of products purchased, order value, payment method used (excluding full card details), and order history.

● Demographic data: estimated age range and gender, as inferred and reported by analytics platforms including Google Analytics 4 (GA4) based on your online activity and device signals.

● Behavioural and usage data: pages visited on the Website, products viewed, links and buttons clicked, time spent on pages, search queries made within the Website, and navigation patterns, collected via analytics and advertising tools as described in Section 5.

● Technical data: IP address, browser type and version, device type, operating system, screen resolution, referring URLs, and other technical identifiers collected automatically when you access the Website. 

● Marketing preferences: your preferences in respect of receiving marketing communications from us and your interactions with such communications, including email open rates and click-through data.

We do not intentionally collect special category personal data as defined under Article 9 of the UK GDPR (such as data relating to health, racial or ethnic origin, biometric data, or religious beliefs). You should not submit such information through the Website.

We do not knowingly collect personal data from individuals under the age of 18. If you believe that a minor has provided personal data to us, please contact us immediately at hello@ardenwood.co.uk and we will take prompt steps to delete the relevant data.

LEGAL BASIS FOR PROCESSING

We process your personal data on the following legal bases, as set out in Article 6 of the UK GDPR:

● Performance of a contract (Article 6(1)(b) UK GDPR): Processing that is necessary for the performance of a contract to which you are party, including the fulfilment of your order, management of your Account, processing of your payment, and arrangement of delivery.

● Compliance with a legal obligation (Article 6(1)(c) UK GDPR): Processing that is necessary for compliance with applicable legal obligations, including those arising under the Consumer Rights Act 2015, the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, and HMRC record-keeping requirements under the Value Added Tax Act 1994.

● Legitimate interests (Article 6(1)(f) UK GDPR): Processing that is necessary for the purposes of our legitimate interests, including fraud prevention, Website security, improvement of our products and services, and analytics-based performance optimisation, provided that such interests are not overridden by your fundamental rights and interests.

● Consent (Article 6(1)(a) UK GDPR): Processing carried out on the basis of your explicit prior consent, including the placement of non-essential analytics and marketing cookies, and the sending of email marketing communications in cases where the soft opt-in basis under PECR does not apply.

PURPOSES OF PROCESSING

We use your personal data for the following purposes:

● To process and fulfil your orders, including arranging dispatch and delivery through our logistics partners;

● To manage your Account and provide customer support;

● To process payments securely and to prevent fraudulent transactions;

● To comply with legal and regulatory obligations applicable to our business;

● To send you marketing communications by email, where you have provided consent or where we rely on the soft opt-in basis under Regulation 22 of PECR, being an existing customer whose contact details were obtained in connection with a prior sale of similar products and who has been given the opportunity to opt out;

● To analyse Website traffic and user behaviour for the purpose of improving our services and the user experience, using Google Analytics 4 (GA4);

● To deliver targeted advertising through Google Ads, Meta (Facebook) Ads, and TikTok Ads, where you have provided consent through our cookie consent mechanism.

SHARING YOUR DATA WITH THIRD PARTIES

We share your personal data with third parties only where necessary and as described in this Policy. The categories of third-party recipients are as follows:

● E-commerce and hosting platform: Shopify Inc., which hosts the Website and processes data on our behalf pursuant to a data processing agreement. Shopify acts as a data processor in respect of personal data stored on its platform.

● Payment processor: Shopify Payments, operated by Shopify Inc., which processes payment transactions on our behalf in accordance with PCI-DSS requirements. We do not receive or retain full payment card details.

● Logistics and delivery providers: JS and YunExpress, who process personal data solely for the purpose of fulfilling and delivering your orders. Only the personal data strictly necessary for delivery purposes (name, delivery address, and contact details) is shared with these providers.

● Analytics provider: Google LLC, via Google Analytics 4 (GA4), for the purpose of analysing Website usage and user behaviour patterns.

● Advertising platforms: Google LLC (Google Ads), Meta Platforms Ireland Limited (Facebook/Instagram Ads), and TikTok Technology Limited (TikTok Ads), for the purpose of delivering targeted advertising to you on third-party platforms, where you have provided consent.

● Email marketing provider: our email marketing service provider, engaged solely for the purpose of sending marketing communications to you where you have provided consent or where we rely on the soft opt-in basis under PECR.

We do not sell, rent, or trade your personal data to or with any third party for their own marketing purposes.

We may disclose your personal data to law enforcement authorities, regulatory bodies, or courts where we are required to do so by applicable law, court order, or legal process.

INTERNATIONAL TRANSFERS OF PERSONAL DATA

Some of the third-party recipients described in Section 5 are located outside the United Kingdom, including in the United States of America. The transfer of your personal data to these countries constitutes an international transfer of personal data for the purposes of Chapter V of the UK GDPR.

Personal data may be transferred to the following recipients located in the United States of America:

● Shopify Inc. — e-commerce platform infrastructure and data hosting;

● Google LLC — Google Analytics 4 (GA4) and Google Ads;

● Meta Platforms, Inc. — Facebook Ads and related advertising services;

● TikTok Inc. — TikTok advertising and pixel services.

We ensure that all such international transfers are subject to appropriate safeguards in accordance with Article 46 of the UK GDPR. Each of the recipients identified above operates under Standard Contractual Clauses (SCCs) as recognised by the Information Commissioner's Office (ICO) under the UK GDPR, or under equivalent transfer mechanisms approved under UK law.

You may request further information about the specific safeguards in place for international transfers of your personal data by contacting us at hello@ardenwood.co.uk.

YOUR RIGHTS AS A DATA SUBJECT

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in respect of your personal data held by us:

● Right of access (Article 15 UK GDPR): You have the right to request a copy of the personal data we hold about you, together with information about how it is processed.

● Right to rectification (Article 16 UK GDPR): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

● Right to erasure (Article 17 UK GDPR): You have the right to request that we delete your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (and no other lawful basis applies), or where the processing is unlawful.

● Right to restriction of processing (Article 18 UK GDPR): You have the right to request that we restrict the processing of your personal data in specified circumstances, including where you contest its accuracy or object to its processing.

● Right to data portability (Article 20 UK GDPR): Where processing is based on your consent or on the performance of a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to have it transmitted to another controller where technically feasible.

● Right to object (Article 21 UK GDPR): You have the right to object at any time to the processing of your personal data where such processing is based on legitimate interests, including for the purposes of direct marketing.

● Right to withdraw consent (Article 7(3) UK GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

● Right to lodge a complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO), which is the supervisory authority for data protection in the United Kingdom, at www.ico.org.uk or by telephone on 0303 123 1113.

HOW TO EXERCISE YOUR RIGHTS

To exercise any of the rights set out in Section 7, please submit a written request to us at hello@ardenwood.co.uk, identifying yourself and clearly specifying the right you wish to exercise.

We will respond to your request within one calendar month of receipt, in accordance with Article 12 of the UK GDPR. Where requests are complex or numerous, we may extend this period by a further two months, in which case we will inform you of the extension within the initial one-month period.

We will not charge a fee for responding to your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to act on the request, providing written reasons for doing so.

SECURITY MEASURES

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction.

Personal data is stored on Shopify's cloud infrastructure, which operates industry-standard security protocols including data encryption in transit and at rest.

Payment data is processed exclusively by Shopify Payments in accordance with PCI-DSS requirements. Ardenwood does not store full payment card numbers, expiry dates, or card verification values (CVVs) on its own systems.

Notwithstanding the measures described above, no method of transmission over the internet or electronic storage is entirely secure. We cannot guarantee the absolute security of your data and shall not be held responsible for breaches that result from circumstances beyond our reasonable control.

DATA RETENTION

We retain your personal data only for as long as necessary for the purposes for which it was collected, subject to any obligation to retain data for a longer period under applicable law.

Applicable retention periods are as follows:

● Transaction and order data: retained for a minimum of six years from the date of the relevant transaction, in compliance with HMRC record-keeping requirements under the Value Added Tax Act 1994;

● Account data: retained for the duration of your active Account and deleted within 30 days of a verified account deletion request, subject to any overriding legal obligation to retain such data;

● Marketing communications data: retained until you withdraw your consent or exercise your right to object to processing for direct marketing purposes;

● Analytics and behavioural data: retained in accordance with the data retention settings of the applicable platform. Google Analytics 4 data is retained for a default period of up to 14 months, subject to your account settings and consent preferences.

COOKIES

We use cookies and similar tracking technologies on the Website. Full information about the cookies we use, their purposes, legal bases, and how you may manage your preferences is set out in our Cookie Policy, available on the Website.

DATA PROTECTION OFFICER

Based on the nature and scale of our data processing activities, we have assessed that the appointment of a Data Protection Officer (DPO) is not mandatory under Article 37 of the UK GDPR at this time.

For all data protection enquiries, please contact us directly at hello@ardenwood.co.uk.

CHANGES TO THIS POLICY

We reserve the right to update this Privacy Policy at any time. The current version will always be available on the Website, identified by the date of last update shown at the top of this document.

Where changes are material, we will endeavour to notify you by email or by a prominent notice on the Website prior to the changes taking effect.

CONTACT AND DATA CONTROLLER DETAILS

Ardenwood CNPJ: 57.766.375/0001-84

E-mail: hello@ardenwood.co.uk

Address: 27 Old Gloucester Street, London, England, United Kingdom, WC1N 3AX Website: www.ardenwood.co.uk.