Privacy Policy

The purpose of this notice is to explain your privacy rights and to inform you how and why we collect and look after your personal data when you visit our website and online store (regardless of where you visit it from).

Please read this notice together with any other privacy or fair-processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements those notices and is not intended to override them.

1. Important information and who we are

Controller

Everleaf Herbal Ltd is the controller responsible for your personal data (referred to as “Everleaf Herbal”, “Everleaf”, “we”, “us” or “our” in this privacy notice). We are licensed by the Information Commissioner’s Office (ICO) under the Data Protection Act (as amended), registration number ZB598889.

If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact our data privacy manager using the details below.

Contact details

Name: Andrew Moorcroft

Postal address: 38 High Street, Cheshunt, Hertfordshire, EN8 0AQ

Telephone number: 01992 631 414

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection and UK GDPR compliance (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please

2. The data we collect about you

Personal data means any information about an individual from which that person can be identified.

- We may collect, use, store and transfer different kinds of personal data:

- Identity Data (name, title, date of birth, gender, etc.)

- Contact Data (billing address, delivery address, email, phone number)

- Financial Data (payment card, bank details)

- Transaction Data (payments, orders, purchase history)

- Technical Data (IP address, browser type, login data, time zone, cookies, device info)

- Profile Data (username/password, preferences, survey responses).

- Usage Data (how you use the website, products, services)

- Marketing & Communications Data (marketing preferences)

- We also use Aggregated Data for reporting and analytics (this is not personal unless it can identify you).

- We may also collect Special Category Data (e.g., health information) only when necessary and lawful.

3. How your personal data is collected

We collect data in the following ways:

Direct interactions

When you:

- purchase a product

- create an account

- contact us via email, phone, post or online form

- subscribe to updates

- enter a competition or survey

- provide feedback

- Automated technologies

We collect Technical Data using:

- cookies

- server logs

- analytics tools

- See our Cookie Policy for details.

- Third-party sources

- We may receive data from:

- analytics providers

- advertising networks

- payment providers

- delivery partners

- public sources

4. How we use your personal data

We will only use your personal data when the law allows us to.

Most commonly we use it:

- to perform a contract (e.g., fulfil an order)

- where it is necessary for our legitimate interests

- to comply with a legal obligation

- where you have given consent

Examples of how your data is used:

- registering you as a customer

- processing orders, payments, refunds

- sending service updates

- asking for reviews

- providing customer support

- running promotions and competitions

- improving our website

- recommending products

- marketing communications (only when you opt-in)

Marketing

You can opt out at any time.

Cookies

You can disable cookies in your browser, but some functionality may stop working.

Change of purpose

We will only use your data for the purposes for which it was collected unless we reasonably consider another use compatible.

5. Disclosures of your personal data

We may share your personal data with:

- trusted third-party service providers

- payment processors

- professional advisors (lawyers, accountants)

- regulators (e.g., HMRC)

- referral partners where appropriate

- organisations involved in a merger, sale or restructuring

All third parties are required to respect your data and process it only according to our instructions.

6. International transfers

Some providers may operate outside the UK/EEA.

Where this occurs, we ensure adequate protection under:

- Adequacy decisions

- Standard Contractual Clauses

- Binding Corporate Rules

- Other lawful safeguards

7. Data security

We have implemented appropriate security measures to prevent your data from being:

- lost

- used improperly

- accessed without authorisation

- altered

- disclosed

We limit access to your data to those who need it and require confidentiality from all third parties.

We have procedures to respond to any suspected data breach and will notify you and the ICO if legally required.

8. Data retention

We will only retain your personal data for as long as necessary, including:

- 7 years for tax and accounting records

- indefinitely for anonymised statistical data

You may request deletion in certain circumstances (see Section 9).

9. Your legal rights

You have rights under data protection law, including the right to:

- Access your data

- Correct your data

- Erase your data

- Object to processing

- Restrict processing

- Transfer your data

- Withdraw consent

We may need to verify your identity when you exercise these rights.

We aim to respond within one month, but complex requests may take longer.

10. Glossary

Legitimate Interest

Our interest in operating our business effectively and providing the best service, balanced against your rights.

Performance of Contract

Processing necessary to deliver products/services to you.

Legal Obligation

Processing required by UK law.

Third Parties include:

- IT service providers

- Payment processors (e.g., PayPal)

- Professional advisers

- Regulators (e.g., HMRC)

- Cloud computing providers