Privacy Policy

Effective date: 19 May 2025

Penny’s Arte is committed to protecting your privacy and handling your personal data in accordance with the UK GDPR and Data Protection Act 2018.

1. Data Controller

Penny Nanton trading as Penny’s Arte, penny@pennysarte.com.

2. What We Collect

We may collect:

  • Identity & contact data: name, email address when you sign up for newsletters or contact us.

  • Technical data: IP address, browser type, pages visited (via cookies – see below).

  • Order data: shipping and billing information submitted during checkout.

3. Lawful Basis for Processing

We process your data because:

  • You have given consent (e.g. subscribing to our newsletter).

  • It is in our legitimate interests to maintain and improve our website and services.

  • We have a legal obligation (e.g. record-keeping).

  • We need to perform a contract with you (fulfilling your orders).

4. How We Use Your Data

  • To process orders and deliver products.

  • To provide and personalise our services (responding to enquiries, sending updates).

  • To improve our Site (analytics on usage).

  • To comply with legal obligations (accounting or regulatory records).

5. Cookies & Tracking

We use cookies to ensure website functionality and to understand how users navigate our site. You can manage your cookie settings through your browser.

6. Payment Data

We do not store your full card details. All payments are processed via Stripe, a PCI-DSS compliant payment provider. We receive only transaction confirmations and limited metadata (e.g. card brand, last four digits) for order processing and record-keeping.

7. Data Sharing

We do not sell or rent your personal data. We may share data with:

  • Service providers (such as hosting platforms and email delivery services).

  • WooCommerce, to facilitate order management and processing.

  • Stripe, to securely handle payment transactions.

  • Regulatory authorities, if required by law.

8. Data Retention

We retain your data only as long as necessary for the purposes above, typically:

  • Order records: 6 years (for tax and legal compliance).

  • Newsletter subscribers: until you unsubscribe.

  • Analytics data: anonymised or deleted after 12 months.

9. Your Rights

Under UK GDPR you have the right to:

  • Access your data.

  • Rectify inaccuracies.

  • Erase your data (“right to be forgotten”).

  • Restrict or object to processing.

  • Request data portability.

  • Withdraw consent at any time.

To exercise your rights, contact penny@pennysarte.com.

10. International Transfers

If personal data is transferred outside the UK/EU, we ensure adequate safeguards are in place (e.g., standard contractual clauses).

11. Changes to This Privacy Statement

We may update this notice. The “Effective date” will reflect the latest version. Please review it regularly.