Penge Florist Customer Privacy Policy

Introduction

This Privacy Policy explains how Penge Florist collects, uses, stores, and protects the personal data of individuals placing orders with us in Penge and the surrounding districts. Your privacy is important to us, and we are committed to complying with the General Data Protection Regulation (GDPR) and other relevant data protection laws.

What Data We Collect

Penge Florist collects and processes various types of personal data to provide our products and services. This data includes:

  • Identity Data: Name of the customer placing the order.
  • Contact Data: Delivery address, billing address, and contact phone number of both the customer and the recipient (where a gift is delivered).
  • Order Data: Details about products ordered, delivery notes, messages to recipients, and chosen delivery dates.
  • Payment Data: Payment information such as transaction details, but not full credit or debit card details (these are processed securely by third-party processors).
  • Technical Data: IP address and browser information collected through our website’s standard analytics tools.

Lawful Basis for Processing Data

Under GDPR, Penge Florist relies on the following lawful bases to process your personal data:

  • Consent: When you actively provide us with information (such as optional marketing preferences).
  • Contract: Processing necessary for us to fulfil your order or provide customer service relating to your floral purchase.
  • Legal Obligation: When processing is necessary for compliance with legal or regulatory requirements.
  • Legitimate Interests: For purposes such as fraud prevention, network security, or improving our services, provided these interests do not override your rights.

How We Use Your Data

Your personal information is used to:

  • Process and deliver your floral orders accurately and punctually.
  • Communicate with you about your purchase or respond to your queries.
  • Tailor our services and enhance your customer experience.
  • Handle payment processes through our secure third-party providers.
  • Comply with legal requirements.
  • Send direct marketing communications if you have opted in (you can opt out at any time).

Data Retention

We retain your personal data only as long as necessary for the purposes for which the data was collected. This generally means:

  • Order Information: Retained for up to six years to comply with tax, accounting, and legal obligations.
  • Marketing Consent: Retained until you withdraw your consent or request deletion.
  • Technical Data: Anonymised and retained for analytics and service improvement for up to two years.

After these periods, your personal information is securely deleted or anonymised in a manner that does not allow for re-identification.

Data Processors and Third Parties

Penge Florist engages certain trusted third-party service providers ("processors") who process personal data on our behalf to facilitate:

  • Payment processing (e.g., card payment providers).
  • Delivery services (e.g., local courier companies for fulfilling deliveries within Penge and nearby areas).
  • IT and technical support (e.g., website hosting, analytics, and security services).

We ensure all processors comply with GDPR requirements, process data only according to our instructions, and apply suitable security measures. Your data is never sold or used for unrelated purposes by these third parties.

User Rights

Subject to applicable law, you have the following rights regarding your personal data:

  • Access: Request confirmation and a copy of your personal data that we hold.
  • Rectification: Request correction of incomplete or inaccurate data.
  • Erasure: Request deletion of your data where there is no longer a legal basis for retention.
  • Restriction: Request to limit processing of your data in certain circumstances.
  • Objection: Object to processing based on our legitimate interests or direct marketing.
  • Portability: Request transfer of your data to another provider in a machine-readable format.
  • Withdraw Consent: Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

Requests regarding your rights can be made directly to us, and we will respond within the timelines required by law. In some cases, we may need to request specific information to confirm your identity before fulfilling these requests. Where a request is particularly complex or numerous, we may need extra time and will explain the reasons for any delay.

Data Security Measures

Penge Florist has implemented appropriate technical and organisational measures to secure your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include secure website connections (SSL), restricted access to personal data, regular system reviews, and processor contracts requiring strict data protection standards.

Transfers Outside the UK or EEA

Your personal data will not be transferred outside the United Kingdom or European Economic Area except where necessary service providers are located or store data abroad. In such cases, we ensure that appropriate safeguards, such as the UK GDPR standard contractual clauses, are in place to protect your privacy and rights.

Policy Scope

This Privacy Policy applies to all customers and recipients placing or receiving orders through Penge Florist for delivery in Penge and the surrounding districts. Our policy applies whether you place orders directly in-store, by phone, or via our website.

Policy Updates

Penge Florist may update this Privacy Policy from time to time. The most current version will always be available on our website. We encourage customers to review the policy periodically to stay informed of how we protect your personal information.

Contact and Complaints

If you have any questions or concerns regarding this Privacy Policy or how we handle your personal data, please contact us using the details provided on our website or contact page. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) or your local supervisory authority if you are concerned about how we process your personal information.