Last updated: 21 April 2026
This Privacy Policy explains how Abisabis Services Ltd (registered at Leeward Hale, Trelissick Road, Paignton, Devon, TQ3 3GU) collects, uses, and protects the personal information you share with us. We are the data controller for the personal data described here, and we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. What information we collect
We follow the principle of data minimisation — we only collect information we genuinely need to fulfil your order and provide good customer service. This includes:
- Account information — your name, email address, and password (stored securely as a cryptographic hash) when you create an account.
- Order information — delivery address, phone number, order details, and any gift message you include with your order.
- Payment information — handled entirely by Stripe. We receive confirmation of payment but never see or store your full card number, expiry date, or CVV.
- Communication data — messages you send via our contact form, WhatsApp, or email; your email address if you subscribe to our newsletter.
- Reviews and feedback — your name, rating, and comments when you submit a product review.
- Wholesale enquiries — business name, contact details, and order requirements submitted through our wholesale form.
- Stock notifications — your email address if you sign up to be notified when a product comes back in stock.
- Loyalty programme data — points earned, redeemed, and transaction history linked to your account.
- Usage data — limited information about how you interact with our site, such as pages visited and basic device information. See our Cookie Policy for detail.
Some data is stored locally on your device using your browser's localStorage (e.g., shopping basket, wishlist, and browsing history). This data never leaves your device unless you place an order.
2. How we use your information
We process your information for specific, clearly defined purposes. For each purpose we identify the lawful basis under UK GDPR:
- To process and fulfil your orders, arrange delivery or local pickup, and issue receipts — contractual necessity.
- To manage your account, loyalty points, and order history — contractual necessity.
- To respond to your enquiries, wholesale requests, and customer support queries — legitimate interests.
- To send you order confirmations, dispatch notifications, and tracking updates — contractual necessity.
- To notify you when an out-of-stock product is available again — consent (you may unsubscribe at any time).
- To send newsletters and promotional offers, only if you have opted in — consent.
- To keep accounting, tax, and financial records as required by HMRC — legal obligation.
- To improve our website, detect fraud, and protect the security of our systems — legitimate interests.
3. Who we share your information with
We never sell your personal data. We share it only with trusted service providers who help us run our business, and only to the extent necessary:
- Stripe — to process card payments securely. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
- Delivery partners (such as Royal Mail or couriers) — your name, address, and order reference to deliver your parcel.
- Email service providers — to send transactional emails (order confirmations, tracking updates) and marketing newsletters if you opted in.
- Hosting and infrastructure providers — to securely host our website and store order data.
- WhatsApp (Meta) — if you contact us via WhatsApp, your messages and phone number are processed by Meta under their terms.
- HMRC and UK authorities — where we are legally required to disclose information, such as for tax reporting or a lawful court order.
All third-party providers processing data on our behalf are bound by data processing agreements that meet UK GDPR requirements.
4. How long we keep your data
We retain data only as long as necessary for the purpose it was collected:
- Order and invoicing records — at least 6 years, as required by HMRC for tax and accounting purposes.
- Account data — retained while your account is active. You may request deletion at any time.
- Newsletter subscriptions — kept for as long as you remain subscribed. You may unsubscribe at any time.
- Product reviews — displayed on the website until you ask us to remove them.
- Contact and wholesale enquiries — typically retained for up to 2 years.
- Stock notifications — your email is kept until we send the notification or you unsubscribe, whichever comes first.
- Loyalty points — retained while your account is active and for 6 years after closure for audit purposes.
5. Your rights
Under UK data protection law, you have the following rights over your personal data:
- The right to access a copy of the information we hold about you.
- The right to rectify inaccurate or incomplete data.
- The right to erasure (“right to be forgotten”), where there is no overriding legal reason to keep it.
- The right to restrict or object to certain types of processing.
- The right to data portability — to receive your data in a commonly used, machine-readable format.
- The right to withdraw consent at any time, for processing based on consent (e.g., newsletters, stock notifications).
To exercise any of these rights, email us at [email protected]. We will respond within 30 days as required by law. We may ask you to verify your identity before processing your request.
If you believe we have mishandled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
6. Security
We take reasonable technical and organisational measures to protect your data, including:
- Encryption of all data in transit using HTTPS/TLS.
- Passwords stored as one-way cryptographic hashes (bcrypt) — we never store plaintext passwords.
- Secure payment processing, handled entirely by Stripe, which is PCI DSS-compliant.
- Access controls limiting who within our team can view customer data.
- Regular review of our security practices.
No system is perfectly secure, but we work to reduce risk at every step. In the unlikely event of a data breach that poses a high risk to your rights, we will notify the ICO within 72 hours and inform affected individuals without undue delay.
7. International transfers
Some of our service providers (such as Stripe and hosting providers) may process data outside the United Kingdom. Where this happens, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (UK IDTA) or Standard Contractual Clauses approved by the ICO.
8. Children's data
Our website and products are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
9. Marketing communications
We only send marketing emails to people who have given clear, affirmative consent (no pre-ticked boxes). You can unsubscribe at any time by:
- Clicking the unsubscribe link in any marketing email.
- Emailing us at [email protected].
Unsubscribing from marketing will not affect transactional emails related to your orders.
10. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or legal requirements. The most current version is always available on this page, and we will update the “last updated” date at the top. For material changes, we will make reasonable efforts to notify you (e.g., via email or a notice on our website).
11. Contact us
For any questions about this Privacy Policy, to exercise your data rights, or to raise a concern about how we handle your data, please contact us:
- Email: [email protected]
- WhatsApp: +44 7576 397556
- Post: Abisabis Services Ltd, Leeward Hale, Trelissick Road, Paignton, Devon, TQ3 3GU