Privacy Policy

(UK GDPR & Data Protection Act 2018 Compliant)

Last updated: February 2026


1. Who We Are

Flower & White Ltd (“we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy.

We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Company details:
Flower & White Ltd
Company number: 07487296
Registered office: Unit D3, Tweedale South Industrial Estate, Madeley, Telford, TF7 4JR
Email: hello@flowerandwhite.co.uk
Telephone: 01952 684626


2. The Personal Data We Collect

2.1 Information You Provide Directly

  • Name

  • Billing and delivery address

  • Email address

  • Telephone number

  • Order details and purchase history

  • Communications with us (email, social media, reviews, complaints)

  • Marketing preferences

2.2 Information Collected Automatically

When you visit our website, we collect certain information automatically via cookies and similar technologies, including:

  • IP address

  • Device type and browser

  • Pages viewed and interactions

  • Referral source

  • Advertising identifiers

This includes data collected via:

  • Google Analytics (GA4)

  • Meta Pixel

  • TikTok Pixel

  • Triple Whale analytics

Please see our Cookie Policy for further information.


3. Payment Information

Payments are processed securely by third-party providers including:

  • Shopify Payments

  • PayPal

  • Klarna

We do not store full card details.

Klarna may independently assess your eligibility for payment options in accordance with its own privacy policy.


4. How and Why We Use Your Data (Lawful Bases)

We process your personal data under the following lawful bases:

Contract

To:

  • Process and fulfil your orders

  • Deliver products

  • Process payments

  • Provide customer service relating to your purchase

If you do not provide required information (e.g. name and address), we will be unable to process your order.


Consent

To:

  • Send email marketing communications

  • Send SMS marketing messages

  • Place non-essential cookies (analytics and advertising)

You may withdraw consent at any time.


Legitimate Interests

We process certain data where necessary for our legitimate business interests, including:

  • Fraud prevention and security monitoring

  • Improving website functionality and performance

  • Analysing campaign effectiveness

  • Creating custom and lookalike audiences on advertising platforms

Where we rely on legitimate interests, we ensure our interests do not override your rights and freedoms.


Legal Obligation

To:

  • Maintain accounting and tax records

  • Comply with legal or regulatory requirements


5. Marketing Communications

Email & SMS Marketing

We only send marketing communications where you have actively opted in.

You can:

  • Click “unsubscribe” in any email

  • Reply STOP to SMS

  • Contact us directly to withdraw consent

We use Klaviyo to manage email and SMS communications.


Advertising & Custom Audiences

We may use customer data (such as email address) to create custom or lookalike audiences via:

  • Meta advertising platforms

  • Google Ads

  • TikTok Ads

This helps us show relevant advertisements to potential new customers.

These platforms process data in accordance with their own privacy policies.


6. Who We Share Your Data With

We share personal data only where necessary with trusted service providers, including:

  • Shopify (ecommerce platform & hosting)

  • Payment providers (Shopify Payments, PayPal, Klarna)

  • Delivery partners (e.g. Royal Mail and couriers)

  • Klaviyo (email & SMS marketing)

  • Google (analytics and advertising services)

  • Meta (advertising services)

  • TikTok (advertising services)

  • Triple Whale (analytics platform)

All third parties are required to process data securely and only for specified purposes.


7. International Transfers

Some of our service providers are located outside the UK.

Where personal data is transferred internationally, we rely on:

  • UK adequacy regulations

  • The UK Extension to the EU–US Data Privacy Framework (where applicable)

  • UK-approved Standard Contractual Clauses

to ensure appropriate safeguards are in place.


8. Data Retention

We retain personal data only as long as necessary:

Data Type                 | Retention Period
Order & transaction data  | 6 years (legal obligation)
Marketing data            | Until consent withdrawn
Customer service records  | Up to 6 years
Analytics data            | Up to 26 months

We securely delete or anonymise data when no longer required.


9. Automated Decision-Making

We do not carry out automated decision-making that produces legal or similarly significant effects.

Some advertising platforms may use automated processing to optimise ad delivery.


10. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data

  • Correct inaccurate data

  • Request erasure

  • Restrict processing

  • Object to processing (including marketing)

  • Data portability

  • Withdraw consent at any time

To exercise your rights, contact hello@flowerandwhite.co.uk.

You also have the right to complain to the Information Commissioner’s Office (ICO):
https://www.ico.org.uk


11. Security

We use appropriate technical and organisational measures including:

  • HTTPS encryption

  • Secure Shopify infrastructure

  • Access controls

  • Password protection and internal access limitation


12. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website.