Privacy & Cookie Policy

Who we are

This policy explains how Penelopetom Direct Limited ("we", "our", "us") collects, uses, and protects your personal data. We are the data controller for penelopetom.com and can be contacted at office@penelopetom.com.

We are committed to protecting your privacy and complying with all relevant data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Cookies and similar technologies

We use cookies and similar tools to:

  • Ensure the website works correctly
  • Understand how people use our site
  • Show you relevant content and ads

Types of cookies we use include:

  • Essential cookies – required for site functionality, like adding to basket or checking out
  • Analytics cookies – to measure website performance (e.g. Google Analytics)
  • Marketing cookies – to deliver ads based on your browsing behaviour (e.g. Meta Pixel, Google Ads)

We obtain your consent before using any non-essential cookies. You can manage your cookie preferences through our cookie banner or by changing your browser settings.

What personal data we collect

We may collect and process the following types of personal data:

  • Your name, email address, phone number, billing and delivery address
  • Your order history and transaction details (not including full payment card details)
  • Your preferences and interactions with marketing communications
  • Technical data such as your IP address, browser type, and device type
  • Information about how you browse and interact with our website
  • Information you provide via forms, email, phone, or in-store conversations

How we collect your data

We collect personal data when you:

  • Place an order on our website
  • Sign up for our emails or newsletter
  • Contact us by email, phone, or in-store
  • Enter a competition or promotion
  • Browse our website or interact with advertising
  • Click on links in our emails or social media

Why we use your data and our legal basis

We only use your personal data when we have a lawful basis to do so. These include:

  • To process and deliver your orders (contractual necessity)
  • To provide customer service and respond to enquiries (legitimate interest)
  • To send you marketing emails and promotions (your consent)
  • To show you relevant adverts via platforms like Facebook and Google (your consent)
  • To analyse and improve our website and services (legitimate interest)
  • To comply with legal or regulatory obligations (legal obligation)

You can withdraw your consent for marketing at any time by clicking "unsubscribe" in our emails or by contacting us.

Marketing and advertising

If you’ve opted in, we may use your data to:

  • Send you email newsletters and special offers
  • Share anonymised, hashed data with platforms like Google or Facebook to show you relevant ads
  • Work with marketing agencies to understand our customers and tailor what we offer

We only share your personal data with advertisers or marketing agencies if you’ve given your clear consent.

Who we share your data with

We do not sell your data. We only share it with trusted third parties who help us run our business, such as:

  • IT and hosting service providers
  • Our email marketing provider
  • Couriers and warehousing partners
  • Payment processing providers
  • Analytics and advertising platforms (e.g. Google, Meta, Klaviyo)

We also use a range of trusted third-party apps within our Shopify store to support product personalisation, product discovery, customer service, customer reviews, invoicing, and marketing. These apps may process data such as order details, customer information (like names and email addresses), and browsing behaviour. We only use apps that meet Shopify’s strict data security standards, and we ensure they process your data in accordance with UK data protection law.

If we ever need to share your data beyond these providers, we will only do so if required by law or if you have given your consent.

International transfers

Some of our service providers operate outside the UK. Where this is the case, we ensure that your data is protected through appropriate safeguards, such as standard contractual clauses approved by the UK Information Commissioner’s Office.

How long we keep your data

We only retain your data for as long as necessary. For example:

  • Order and transaction data is kept for up to 6 years for accounting and legal reasons
  • Marketing data is kept until you withdraw consent or until 2 years of inactivity have passed
  • Website analytics data is retained according to the provider’s settings (e.g. 26 months for Google Analytics)

Your rights under UK GDPR

You have the right to:

  • Be informed about how your data is used
  • Access the personal data we hold about you
  • Correct any incorrect or outdated information
  • Request deletion of your data, where legally possible
  • Restrict or object to certain types of processing
  • Withdraw your consent at any time
  • Request a copy of your data in a reusable format
  • Complain to the Information Commissioner’s Office if you’re unhappy with how we handle your data

To exercise your rights, please contact us at office@penelopetom.com.

Links to other websites

Our website may contain links to third-party sites. We are not responsible for their privacy practices, so we recommend reviewing their privacy policies before submitting any data.

Changes to this policy

We may update this policy from time to time. Any significant changes will be communicated on our website or by email where appropriate.