Our GDPR Privacy Policy for Flowers Welling Customers
Introduction
This Privacy Policy outlines how Flowers Welling collects, uses, stores, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR). This policy applies to all customers placing an order with Flowers Welling from Welling and its surrounding districts.
What Data We Collect
When you place an order with Flowers Welling, we may collect the following types of personal data:
- Identification Information: Full name of the customer and recipient.
- Contact Information: Delivery address, billing address, and telephone number.
- Order Details: Specific products ordered, delivery preferences, and card messages.
- Payment Information: Payment method details (such as card type and payment status; actual card numbers are handled securely by our payment processor).
- Communication Records: Details of any correspondence with us, including enquiries, order modifications, and complaints.
We do not intentionally collect special categories of data except where you provide it explicitly (such as custom messages containing sensitive information). You are responsible for ensuring any personal information regarding a delivery recipient (including card messages) is lawfully provided.
Our Lawful Basis for Processing
Flowers Welling only processes your personal data where there is a valid legal basis under GDPR. The legal bases we rely on include:
- Contractual Necessity: Most of the data we collect is necessary for us to fulfil our contract with you — namely, to process and deliver your order.
- Legal Obligation: Some information must be retained for tax and accounting purposes as required by law.
- Legitimate Interests: We may use certain data to improve our services, resolve disputes, or respond to your queries, provided that these interests are not overridden by your rights.
- Consent: On occasion, we may rely on your explicit consent (for example, where you request marketing materials). You may withdraw consent at any time, and this will not affect the lawfulness of processing before consent was withdrawn.
How We Use Your Data
Your personal data is used for the following purposes:
- Processing and fulfilling your flower order
- Arranging and confirming delivery details
- Handling payment transactions and issuing receipts
- Providing customer support and resolving enquiries
- Meeting our record-keeping and legal obligations
- Improving our products and services (on a non-identifiable basis)
Data Retention
Your personal data will be retained only for as long as necessary for the purposes described above, as follows:
- Order and delivery details: Kept for a minimum of six years to comply with legal, tax, and accounting regulations.
- Correspondence and enquiries: Retained for up to two years after resolution of your query, for quality and training purposes.
- Payment information: Actual card payment details are not stored by us, only records of transactions as provided by our payment processor.
After the relevant retention period, personal data is securely deleted or anonymised so it can no longer be associated with you.
Our Data Processors
To efficiently process your orders and operate our business, we engage the following categories of GDPR-compliant processors who handle your data strictly under our instruction:
- Payment Processing Services: Securely process your payment details and transactions.
- Order Management Systems: Facilitate the management and timely delivery of your orders.
- IT & Web Hosting Providers: Store transaction and account data securely on servers located within the United Kingdom or European Union.
We ensure all processors implement appropriate security standards to protect your data. Data transfers outside of the UK or EU, if any, are protected by standard contractual clauses or equivalent safeguards.
Your Rights as a Data Subject
Under GDPR, you have various rights with respect to your personal data. You may exercise these rights at any time, subject to applicable law:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data where it is no longer necessary for the purposes collected.
- Right to Restrict Processing: Request restriction of how we process your information under certain circumstances.
- Right to Data Portability: Receive your data in a structured, commonly used, and machine-readable format.
- Right to Object: Object to the processing of your data on grounds relating to your particular situation.
- Right to Withdraw Consent: Withdraw any consent given for processing at any time.
We will respond to legitimate requests promptly and in accordance with legal requirements. To protect your privacy, we will verify your identity before fulfilling any request.
Data Security
Your privacy is important to us. We implement appropriate technical and organisational measures to protect your data, including secure servers, access controls, and encryption, where possible. Although we take all reasonable steps to safeguard your personal information, we cannot guarantee absolute security, particularly regarding data in transit over the internet.
Children’s Privacy
Our services are not directed to children under the age of 16, and we do not knowingly collect data relating to minors. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.
Changes to This Privacy Policy
This Privacy Policy may be updated periodically to reflect changes in our practices, legal requirements, or technical developments. Updates will take effect immediately once published to this policy page. We encourage you to review this policy regularly to remain informed about how we protect your personal data.
Contact and Complaints
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us using the available channels on our website or by writing to us at our business address. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your data has not been processed in accordance with the GDPR.
