Privacy policy

Last updated: 29 April 2026

What we collect

• Order details — name, email, shipping address (for physical orders only). Stored encrypted in our database.
• Payment — handled entirely by Stripe. We never see or store your card details.
• Contact messages — name, email, and message content if you write to us.

What we do not collect

• No analytics, tracking, or advertising cookies.
• No third-party trackers, no Google Analytics, no Meta pixel.
• No marketing emails unless you explicitly opt in.

Cookies

This site uses one essential session cookie used for security (CSRF protection on forms and admin sign-in). The cart is stored in your browser's local storage and never sent to us until you check out.

Your rights

Under UK GDPR you may request a copy of, correction to, or deletion of any personal data we hold. Email us.

Payments

Payments are processed by Stripe. Their privacy policy applies to data they collect during checkout: stripe.com/privacy.

Security

Sensitive data (Stripe API keys, shipping addresses, customer details) is encrypted at rest using AES-256-GCM. Admin passwords are hashed with Argon2id (or bcrypt) and never stored in plaintext. Card numbers never touch our servers.

Retention

Order records are retained for 6 years for tax purposes (UK requirement). Contact messages are kept for as long as needed to resolve your enquiry, then deleted.