1. About this policy
This Privacy Policy explains how The Retro Kit collects, uses, and protects your personal information when you use our website at theretrokit.com, shop with us, sign up for our emails, or get in touch.
We’ve written it in plain English. If anything is unclear, email us at info@theretrokit.com — we’ll be glad to explain.
This policy was last updated on the date shown above. We may revise it from time to time; significant changes will be flagged at the top of this page.
2. Who we are (Data Controller)
The Retro Kit is operated by [LEGAL ENTITY NAME], a company registered in England and Wales with company number [COMPANIES HOUSE NUMBER] and registered office at [REGISTERED OFFICE ADDRESS].
We are the data controller for the personal information described in this policy. That means we decide why and how your data is processed.
We are registered with the UK Information Commissioner’s Office (ICO) under registration number [ICO REGISTRATION NUMBER].
For privacy enquiries, contact us at info@theretrokit.com or write to the registered address above.
3. What data we collect
Different actions on the Site involve different data:
When you place an order
- Name, email, phone, billing address, shipping address
- Order details (items, customisation choices, total)
- Payment information — card details are processed directly by Stripe; we never see or store your full card number
When you create an account
- Email and a password (hashed, never stored in plain text)
- Order history and saved addresses
- Wishlist items
When you contact us
- Name, email, the content of your message
- Order number, if relevant
When you sign up for marketing emails
- Email address and your communication preferences
When you browse the Site
- Pages visited, items viewed, time spent
- Device and browser information (type, operating system, screen size)
- IP address and approximate location (city / country level)
- Cookie data — see our Cookies Policy
We do not knowingly collect personal data from children under 16. If you believe a child has provided us data without consent, contact us and we’ll delete it.
4. Why we collect it (lawful basis)
Under UK GDPR we can only process your data for specific purposes, each tied to a “lawful basis.” Here’s what applies:
| What we use data for | Lawful basis |
|---|---|
| Processing and shipping your order | Contract — necessary to fulfil what you bought |
| Creating and managing your account | Contract + your consent at signup |
| Responding to your messages | Legitimate interest in customer service |
| Sending order confirmations and shipping updates | Contract |
| Sending marketing emails | Consent — opt-in, can be withdrawn anytime |
| Analytics (understanding site usage) | Consent for non-essential analytics cookies |
| Marketing pixels (Meta, Google Ads) | Consent for marketing / tracking cookies |
| Keeping accounting records | Legal obligation — required by UK tax law |
| Preventing fraud and protecting the Site | Legitimate interest in security |
You can withdraw your consent to any consent-based processing at any time using the controls described in section 10, or by emailing us.
5. Who we share data with
We never sell or rent your data. To run the shop, we work with a small number of carefully selected service providers (“data processors”) who help us deliver the service:
| Service | Purpose | Where data is processed |
|---|---|---|
| Stripe | Payment processing | EU / USA (UK adequacy) |
| Royal Mail | UK delivery | UK |
| DHL, UPS | International delivery | UK / destination country |
| Google Analytics | Anonymous traffic statistics | USA (UK adequacy) |
| Meta (Facebook) Pixel | Conversion tracking and retargeting | USA (UK adequacy) |
| [EMAIL MARKETING PLATFORM] | Sending newsletters and order emails | USA (UK adequacy) |
| [HOSTING PROVIDER] | Website hosting and security | UK / EU |
Each of these is bound by a Data Processing Agreement under Article 28 of UK GDPR. They use your data only to perform the service we contract them for, and cannot use it for their own purposes.
We may also share your data:
- With law enforcement if required by a valid legal request
- With our advisors (accountants, lawyers) bound by professional confidentiality
- In the event of a business sale or merger, where your data may transfer to the new owner subject to this policy continuing to apply
6. International transfers
Some of our service providers (Stripe, Google Analytics, Meta, [EMAIL MARKETING PLATFORM]) are based in the United States or process data globally. The UK government has determined that the USA provides an “adequate level of protection” for personal data when transferred to organisations certified under the EU–US Data Privacy Framework and the UK Extension to it.
For transfers to other countries without an adequacy decision, we use Standard Contractual Clauses (SCCs) approved by the ICO, which contractually require the recipient to apply UK GDPR-equivalent protections.
You can request copies of the safeguards that apply to any specific transfer by emailing us.
7. How long we keep data
We keep your data only as long as needed:
- Order data and invoices: 7 years from the order date — required by UK accounting law (Companies Act 2006)
- Account data: as long as your account is active. After 3 years of inactivity we’ll email you and, if there’s no response, anonymise the account
- Marketing email lists: until you unsubscribe, or after 3 years of no engagement
- Customer service messages: 2 years from the last contact
- Analytics data: 14 months (per Google Analytics default), after which it’s aggregated and individual visitors are no longer identifiable
When data is no longer needed, we securely delete or anonymise it.
8. Cookies and similar technologies
We use cookies and similar technologies to:
- Keep your shopping basket working as you browse
- Remember if you’ve logged in
- Understand how the Site is used (analytics)
- Show you relevant marketing on other websites you visit
Some cookies are strictly necessary; others (analytics, marketing) are only set if you opt in via our cookie banner.
For full details — what cookies we use, what they do, how long they last, and how to opt out — see our Cookies Policy.
9. Marketing communications
If you’ve opted in to marketing emails, you’ll hear from us occasionally about new arrivals, restocked kits, sales, and the odd story from the warehouse. We don’t spam.
You can unsubscribe at any time:
- Click the unsubscribe link at the bottom of any marketing email
- Email us at info@theretrokit.com to be removed manually
- Update your preferences from your account settings if you have an account
Unsubscribing only stops marketing emails. We’ll still send transactional emails (order confirmations, shipping updates, password resets) because those are necessary to fulfil your order.
10. Your rights under UK GDPR
Under UK GDPR you have the following rights:
- Right of access — Request a copy of the personal data we hold about you
- Right to rectification — Ask us to correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) — Ask us to delete your data, subject to legal retention requirements
- Right to restriction — Ask us to stop processing your data while we resolve a dispute
- Right to data portability — Receive your data in a machine-readable format, or have it transferred to another provider
- Right to object — Object to processing based on legitimate interest, or to direct marketing (always honoured)
- Right to withdraw consent — For any processing based on consent (e.g., marketing, analytics cookies)
- Rights related to automated decision-making — We don’t use automated decision-making or profiling that produces legal effects, so this rarely applies
To exercise any right, email info@theretrokit.com with your request and we’ll respond within one calendar month. We may need to verify your identity before processing the request.
We do not charge for handling requests, except where they are manifestly unfounded or repetitive (for example, the same request made multiple times).
11. How to complain
If you’re concerned about how we handle your data, please contact us first — we’d much rather resolve any issue directly. Email info@theretrokit.com and we’ll come back to you within one business day.
If we can’t resolve it together, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
You also have the right to seek judicial remedy if you think your rights under UK GDPR have been infringed.
12. Contact us
Questions about this policy or how we handle your data:
- Email: info@theretrokit.com
- Post: [LEGAL ENTITY NAME], [REGISTERED OFFICE ADDRESS]
We aim to respond to every privacy enquiry within one business day.