Privacy Policy for Aromacraft Ltd

1. Introduction

This privacy policy explains how Aromacraft Ltd (we, us, our) collects, uses, and shares your personal data when you visit our website www.aromacraft.uk or purchase our products. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the EU GDPR where it applies, and other applicable data protection laws.

Please read this privacy policy carefully and contact us if you have any questions or concerns about our privacy practices. You can contact us by email at [email protected], by phone at +44 7916260399, or by mail at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

2. What Personal Data Do We Collect and Why?

We collect different types of personal data from you for various purposes, depending on how you interact with us and our website. We collect personal data that you provide to us directly, such as when you create an account, subscribe to our newsletter, place an order, or contact us. We also collect personal data that is generated automatically when you use our website, such as your IP address, browsing activity, device information, and cookies.

The table below summarizes the categories of personal data we collect, the sources from which we collect them, the purposes for which we use them, and the legal basis for processing them.

Category of personal data | Source      | Purpose                                                                                                                   | Legal basis
------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------
Contact name              | You         | To identify you, communicate with you, and deliver your order                                                             | Contractual necessity
Billing address           | You         | To process your payment and issue invoices                                                                                | Contractual necessity and legal obligation
Email address             | You         | To send you order confirmation, shipping notification, and marketing communications (with your consent)                   | Contractual necessity and consent
Delivery address          | You         | To deliver your order                                                                                                     | Contractual necessity
Username and password     | You         | To create and manage your account                                                                                         | Contractual necessity
IP address                | Your device | To monitor and secure our website, and provide you with personalized content and offers                                   | Legitimate interest and consent
Browsing activity         | Your device | To analyze and improve our website performance and user experience, and provide you with personalized content and offers  | Legitimate interest and consent
Device information        | Your device | To optimize our website for your device and browser                                                                       | Legitimate interest and consent
Cookies                   | Your device | To remember your preferences, enhance your user experience, and provide you with personalized content and offers          | Legitimate interest and consent

3. How Do We Use Payment Processors?

We use third-party payment processors to handle payment transactions between you and us. When you make a purchase on our website, you will be redirected to the payment processor’s website, where you will be asked to provide your payment details, such as your card number, expiry date, and security code. The payment processor will collect, store, and process your payment data on our behalf, and will share some of your payment data with us, such as your name, email address, and payment status. We do not store or have access to your full payment details.

The payment processors we use are Stripe and PayPal. Both are based in the United States. For transfers of your personal data to these US providers for payment processing purposes, we rely on the UK Extension to the EU-US Data Privacy Framework (DPF), also known as the UK-US Data Bridge, which the UK government has recognised as providing adequate protection through adequacy regulations. Both Stripe and PayPal are certified under the DPF. Because the DPF only protects data sent to organisations that hold a current certification, you can check their status at any time on the official DPF list at www.dataprivacyframework.gov. You can find more information about their privacy practices and policies on their websites: Stripe Privacy Policy and PayPal Privacy Statement.

The legal basis for processing your payment data through payment processors is contractual necessity, as we need to process your payment to fulfill our contract with you. We may also process your payment data to comply with a legal obligation, such as tax or accounting laws, or to pursue our legitimate interest, such as preventing fraud or ensuring the security of your payment data.


4. How Do We Use Cookies and Other Tracking Technologies?

Cookies are small files that are stored on your device when you visit our website. They may contain personal data, such as your preferences, browsing history, or device information. Some cookies are essential for the functionality of our website, such as remembering your login details, your shopping cart, or your language settings. Other cookies are used for analytics, personalization, or marketing purposes, such as measuring the performance of our website, providing you with tailored updates, or enabling social media features.

We use different types of cookies on our website, some of which are set by us (first-party cookies) and some of which are set by third parties (third-party cookies). The table below lists the cookies we use, their purpose, duration, and whether they are essential or optional.

Name                      | Purpose                                                                        | Duration   | Essential or Optional
------------------------- | ------------------------------------------------------------------------------ | ---------- | ---------------------
woocommerce_cart_hash     | To store your shopping cart items                                              | Session    | Essential
woocommerce_items_in_cart | To store the number of items in your shopping cart                             | Session    | Essential
wp_woocommerce_session    | To identify your session on our website                                        | 2 days     | Essential
wordpress_logged_in       | To remember that you are logged in                                             | Session    | Essential
wordpress_sec             | Authentication cookie set when you log in over HTTPS                           | Session    | Essential
wordpress_test_cookie     | To test if your browser accepts cookies                                        | Session    | Essential
wp-settings               | To remember your preferences and settings (logged-in users)                    | 1 year     | Essential
wp-settings-time          | To remember the time you set your preferences and settings (logged-in users)   | 1 year     | Essential
_ga                       | To measure and analyze how you use our website (Google Analytics)              | 2 years    | Optional
_gid                      | To distinguish you from other users on our website (Google Analytics)          | 24 hours   | Optional
_gat                      | To throttle the rate of requests sent to Google Analytics                      | 1 minute   | Optional
_stripe_mid               | To facilitate payment transactions and prevent fraud (Stripe)                  | 1 year     | Optional
_stripe_sid               | To facilitate payment transactions and prevent fraud (Stripe)                  | 30 minutes | Optional
tk_ai                     | To store a randomly-generated anonymous ID (Jetpack)                           | Session    | Optional
tk_lr                     | To collect metrics about the pages you visit (Jetpack)                         | 1 year     | Optional
tk_or                     | To collect metrics about the pages you visit (Jetpack)                         | 5 years    | Optional
tk_r3d                    | To collect metrics about the pages you visit (Jetpack)                         | 3 days     | Optional
tk_tc                     | To collect metrics about the pages you visit (Jetpack)                         | Session    | Optional
PYPF                      | To provide you with PayPal services and offers (PayPal)                        | 27 days    | Optional

You can manage your cookie preferences at any time by clicking on the cookie banner or the cookie settings link on our website. You can also disable or delete cookies in your browser settings, but this may affect the functionality and performance of our website.

Some of the third parties that set cookies on our website may also use other tracking technologies, such as web beacons, pixels, or scripts, to monitor and analyze your behavior on our website and other websites. These third parties include:

  • Google Analytics: A web analytics service that helps us understand how you use our website and improve your user experience. You can find more information about how Google Analytics uses your personal data and how you can opt out of it on their website: Google Analytics Privacy Policy.
  • Stripe: A payment processor that handles payment transactions and prevents fraud. You can find more information about how Stripe uses your personal data and how you can opt out of it on their website: Stripe Privacy Policy.
  • PayPal: A payment processor that handles payment transactions and provides you with PayPal services and offers. You can find more information about how PayPal uses your personal data and how you can opt out of it on their website: PayPal Privacy Statement.
  • Jetpack: A WordPress plugin that provides various features and functionalities, such as analytics, social media integration, security, and performance optimization. You can find more information about how Jetpack uses your personal data and how you can opt out of it on their website: Jetpack Privacy Policy.

The legal basis for using cookies and other tracking technologies on our website is your consent, which you can give or withdraw at any time by managing your cookie preferences. We may also use cookies and other tracking technologies to pursue our legitimate interest, such as ensuring the functionality and security of our website, or providing you with relevant content and offers.

You are not obliged to provide this personal data, and providing it is neither required by contract nor necessary to enter into one. If you do not provide it, however, we will not be able to record and honour your cookie preferences.

5. How Do We Share Your Personal Data with Third Parties?

We may share your personal data with third parties for various purposes, such as:

  • Payment processors: We share your personal data with payment processors to process your payment and complete your order. The payment processors we use are Stripe and PayPal. You can find more information about how they use your personal data and how you can opt out of it on their websites: Stripe Privacy Policy and PayPal Privacy Statement.
  • Analytics and marketing tools: We share your personal data with analytics and marketing tools to measure and improve our website performance and user experience, and to provide you with personalized content and offers. The analytics and marketing tools we use include Google Analytics. You can find more information about how they use your personal data and how you can opt out of it on their website: Google Analytics Privacy Policy.
  • Shipping partner: We share your personal data with our shipping partner, Royal Mail Group Limited, to deliver your order. You can find more information about how they use your personal data on their website: Royal Mail Privacy Notice.
  • Social media platforms: We share your personal data with social media platforms, such as Instagram, Facebook, TikTok, Pinterest, and YouTube, to enable social media features on our website, such as liking, sharing, or commenting on our products. You can find more information about how they use your personal data on their respective websites: Instagram Data Policy, Facebook Data Policy, TikTok Privacy Policy, Pinterest Privacy Policy, and YouTube Privacy Policy.

We only share your data with third parties that respect your privacy and comply with the GDPR and other applicable data protection laws. We do not sell, rent, or trade your personal data with any other parties for marketing or advertising purposes.

6. How Do We Protect Your Personal Data?

We understand the importance of protecting your personal data, and we have implemented a comprehensive security program to keep it safe. This program includes technical measures such as data encryption, secure servers, and regular software updates. We also have organizational measures in place, such as access controls, staff training, and regular security reviews, to ensure that your data is only accessed by authorized personnel and for authorized purposes.

To ensure the protection of your data, we take the following measures:

  • Advanced Data Encryption: We encrypt your data both in transit and at rest using industry-standard encryption methods.
  • Security Audits: Our systems undergo regular security audits to identify and rectify potential vulnerabilities.
  • Intrusion Detection Systems: We only work with partners that deploy state-of-the-art intrusion detection systems to monitor and protect their networks.
  • Firewalls: Robust firewalls are in place to prevent unauthorized access and data breaches.
  • Access Control: We limit access to your data to authorized personnel only.
  • Staff Training: Our staff receives regular training in data protection and privacy best practices, ensuring they are aware of the latest methods to safeguard your information.
  • Policy Reviews: We conduct periodic reviews and updates of our security policies and practices to stay abreast of evolving threats.

7. How Long Do We Keep Your Personal Data?

We only keep your personal data for as long as necessary to fulfill the purposes for which we collected it, or to comply with legal, regulatory, or internal policy requirements. The retention periods for different categories of personal data may vary depending on the nature and scope of the processing, the legal basis for the processing, and the applicable legal obligations.

The table below summarizes the retention periods for the categories of personal data we collect:

Category of personal data | Retention period
------------------------- | --------------------------------------------------------------------------------------------------------
Contact name              | Until you delete your account or request us to delete it
Billing address           | Until you delete your account or request us to delete it, or as required by tax or accounting laws
Email address             | Until you delete your account or request us to delete it, or until you unsubscribe from our newsletter
Delivery address          | Until you delete your account or request us to delete it
Username and password     | Until you delete your account or request us to delete it
IP address                | For the duration of your session on our website, or as long as necessary for analytics or security purposes
Browsing activity         | For the duration of your session on our website, or as long as necessary for analytics or personalization purposes
Device information        | For the duration of your session on our website, or as long as necessary for optimization or security purposes
Cookies                   | Depending on the type and duration of the cookie, as specified in the cookie table

When we no longer need your personal data, we will securely delete or anonymize it, or, if this is not possible, we will securely store your personal data and isolate it from any further processing until deletion is possible.

8. Customer Service via WhatsApp

For customer support through WhatsApp, the following data processing applies:

  • We collect your phone number, the chat history, and any personal data you share during the conversation.
  • WhatsApp processes the messages under its own privacy policy; we process the data we receive in accordance with the UK GDPR and, where applicable, the EU GDPR.
  • We apply the data protection measures described in this policy to the data we receive through WhatsApp.

For customer support through WhatsApp, your data usage and protection are subject to WhatsApp’s privacy policy. We recommend reviewing WhatsApp’s Privacy Policy to understand how they manage your personal data.

9. Marketing Communications

In our efforts to keep you informed about our latest products and services, we may send communications that we believe may be of interest to you. However, we prioritize your choice and control over the receipt of such marketing materials:

  • Opt-Out Options: At any point, you have the option to opt-out of receiving marketing communications from us.
  • User-Controlled Marketing: Our approach to marketing is user-centric, offering you choices about the type of content you wish to receive.
  • Transparency in Advertising: We are committed to transparent marketing practices, ensuring that any communication is clearly identifiable as such.

We respect your privacy and are dedicated to providing you with options to manage your preferences regarding marketing communications.

10. What Are Your Rights Under the GDPR?

The GDPR grants you certain rights over your personal data, such as:

  • The right to access: You have the right to request a copy of the personal data we hold about you, along with information on how and why we process it.
  • The right to rectification: You have the right to request the correction or completion of any inaccurate or incomplete personal data we hold about you.
  • The right to erasure: You have the right to request the deletion of your personal data, unless we have a legal obligation or legitimate interest to keep it.
  • The right to restriction: You have the right to request the limitation of the processing of your personal data, if you contest its accuracy, legality, or necessity.
  • The right to data portability: You have the right to request the transfer of your personal data to another controller, or to receive it in a structured, commonly used, and machine-readable format, where technically feasible.
  • The right to object: You have the right to object to the processing of your personal data for direct marketing purposes, or for any other processing based on our legitimate interest, unless we have compelling grounds to continue it.
  • The right to withdraw consent: You have the right to withdraw your consent for any processing based on your consent at any time, without affecting the lawfulness of the processing before the withdrawal.
  • The right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority of your country, if you believe that we have violated your data protection rights.

To exercise any of your rights, you can contact us by email at [email protected], by phone at +44 7916260399, or by mail at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. You can also use the privacy contact form on our website.

We will respond to your request within one month, unless your request is complex or we receive a large number of requests, in which case we may extend the response time by another two months. We will inform you of any extension and the reasons for it. We may also ask you to verify your identity before fulfilling your request, to ensure the security of your personal data.

11. How Do We Update Our Privacy Policy?

We may update our privacy policy from time to time to reflect changes in our data processing practices, legal obligations, or customer feedback. We will notify you of any significant changes by email, or by posting a notice on our website. We encourage you to review our privacy policy periodically to stay informed about how we protect your personal data.

12. How to Contact Us?

If you have any questions or concerns about our privacy policy or data processing practices, please do not hesitate to contact us. You can reach us in the following ways:

  • Email: [email protected]
  • Phone: +44 7916260399
  • Mail: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
  • Online Privacy Contact Form: Available on our website for direct inquiries.

We are dedicated to addressing all queries and concerns promptly and comprehensively.

13. International Data Transfers

In addition to the safeguards mentioned earlier, we also follow the guidance published by the UK Information Commissioner's Office (ICO) for international data transfers. For transfers to US service providers for payment processing purposes, such as Stripe and PayPal, we rely on the UK Extension to the EU-US DPF (the UK-US Data Bridge), which applies only to organisations holding a current DPF certification that covers the UK Extension. For more information, you can visit the ICO website.

14. Use of Automated Decision-Making and Profiling

We do not use automated decision-making processes, including profiling, that have a legal or similarly significant effect on you, unless you have given your explicit consent, it is necessary for entering into or performing a contract with you, or it is authorised by law.

15. Data Breach Protocol

In the unlikely event of a data breach, we will take the following steps:

  • Identify and investigate the breach: We will immediately investigate the breach to determine the nature and scope of the incident.
  • Notify affected individuals: Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you and any other affected individuals without undue delay by email or other appropriate means. The notification will describe the nature of the breach, the types of personal data affected, the likely consequences, and the steps we are taking to address the situation.
  • Mitigate potential harm: We will take steps to mitigate any potential harm that may result from the breach, such as by resetting passwords or implementing additional security measures.
  • Report the breach to authorities: Where required by law, we will report the breach to the ICO (or other relevant data protection authority) without undue delay and, where feasible, within 72 hours of becoming aware of it. We keep an internal record of every personal data breach, whether or not it has to be reported.
  • Review and improve: We will review our security procedures and take steps to prevent similar incidents from happening in the future.

We are committed to protecting your personal data and will handle any data breach with the utmost transparency and seriousness.

16. Changes to This Privacy Policy

Our privacy policy may be updated to reflect changes in our data processing activities, legal requirements, or other relevant developments. Any significant updates will be communicated through our website or via email. We encourage you to review this policy periodically to stay informed about how we protect your personal data.

17. Legal Basis for Processing

Our processing of your personal data is based on various legal grounds:

  • Consent: Particularly for sending marketing communications or for non-essential cookies.
  • Contractual Necessity: For processing necessary to fulfill a contract or to take steps at your request before entering a contract.
  • Legal Obligation: Where processing is necessary for compliance with a legal obligation.
  • Legitimate Interests: For purposes such as ensuring network security, conducting business analytics, or preventing fraud.
  • Transfer safeguard (this is not an Article 6 lawful basis): the UK Extension to the EU-US DPF (the UK-US Data Bridge), for transferring personal data to US service providers certified under the DPF, such as Stripe and PayPal, for payment processing purposes.


18. Privacy Policy Effective Date and Changes

This privacy policy is effective as of November 17, 2024. We may occasionally update this policy to reflect changes in our practices, legal requirements, or other factors. Please review this policy periodically to stay informed about how we are protecting your personal data.

Additional Information: