Privacy Policy

Privacy Policy for Carp Royal UK
Last updated: 24 July 2025

1. Data Controller
Carp Royal UK is operated by Damian Markland (sole trader), Middlefarm Barns Lane, Goosnargh, Preston, Lancashire PR3 2NJ

2. Personal Data We Collect
We collect:

• Identity & Contact Data: name, billing & delivery address, email, telephone

• Payment Data: transaction details processed by Stripe (we do not store full card numbers)

• Technical & Usage Data: IP address, browser type/version, time zone, cookie identifiers, pages viewed, basket contents

• Analytics Data: anonymised site‑use statistics

3. Legal Basis for Processing

• Contract Performance: to fulfil orders you place with us

• Legitimate Interests: to secure, maintain and improve our site

4. Sharing Your Data
We do not sell personal data. We share only as required to:

• Stripe: process payments (see Stripe’s privacy policy: https://stripe.com/gb/privacy)

• Couriers: arrange delivery (name, address, contact number)

• Analytics Providers: review anonymised usage for improvements

5. Data Retention
We retain personal data only as long as needed to:

• Complete orders and handle queries (up to 7 years to satisfy UK VAT/accounting requirements)

• Comply with legal obligations

• Keep anonymised analytics data indefinitely

6. Cookies & Tracking
Our WordPress site uses:

• Essential Session Cookies (e.g. PHPSESSID, wordpress_logged_in_*): keep you logged in and maintain basket contents; deleted when you close your browser

• Functional Cookies (e.g. wp-settings-*, wishlist plugin cookies): remember site preferences; persist for up to 1 year

• Analytics Cookies (e.g. _ga, _gid, _gat): measure visit frequency and behaviour; persist for up to 2 years

For a full list of cookie names, purposes and lifespans, see our Cookie Policy. You can control or block cookies via your browser settings—note this may affect functionality.

7. Security Measures
To protect your data we use:

• SSL/TLS encryption on all pages collecting personal data

• Wordfence firewall and malware scanning for WordPress

• Server‑level firewalls on our UK‑based dedicated host (Quicklaunch Ltd., Manchester)

• Regular software updates and strict access controls

8. International Transfers
Your data is stored on our UK‑based server. Stripe may process payment data outside the UK/EU under GDPR‑approved safeguards (e.g. Standard Contractual Clauses).

9. Your Rights & How to Exercise Them
Under UK GDPR, you may:

• Access your personal data

• Rectify inaccuracies

• Erase data in certain circumstances

• Restrict or object to processing

• Port your data

Procedure:

1. Email your request to info@carproyaluk.com with “GDPR Request” in the subject

2. Include your name, email and order reference

3. We may ask for a copy of photo ID to verify your identity

4. We will respond within 1 month (or 2 months for complex requests)

10. Complaints
If you’re unhappy with our response, you have the right to lodge a complaint with the Information Commissioner’s Office:

• Website: https://ico.org.uk/make-a-complaint

• Helpline: 0303 123 1113

11. Policy Change Notifications
We may update this policy to reflect changes in law or our practices. Whenever we make a material change, we will post the revised version here with an updated “Last updated” date and, where appropriate, notify you by email if you’ve opted in to communications.

Contact
Email: info@carproyaluk.com
Phone: 01772 863029