Legal

Privacy Policy

Last updated 2 May 2026.

This policy explains how {Brand Legal Name Ltd} (“we”) collects, uses, and protects your personal data when you use DIVOUR. We are the data controller. Our registered office is at dd, dd 876, United Kingdom (Companies House dd).

⚠ This is a placeholder policy generated as a starting point. Have your privacy policy reviewed by qualified legal counsel before launch. Specific details below (retention periods, processors, cookies, transfer mechanisms) need to be confirmed against your actual processing activities.

1. Data we collect

Account data: name, email, hashed password, phone number, saved addresses.
Order data: what you bought, billing and shipping address, payment method (card last 4 digits — full card details are processed by Stripe and never reach us).
Usage data: pages viewed, items added to cart, sign-in events, IP address, browser user agent (only with your consent for analytics cookies).
Communications: emails to/from our support team, contact-form submissions.

2. How we use it

To process and fulfil your orders (UK GDPR Art. 6(1)(b) — contract performance).
To meet legal obligations, including HMRC accounting records (Art. 6(1)(c) — legal obligation).
To send order confirmations, shipping updates, and refund notices (Art. 6(1)(b) — contract).
To send marketing emails — only if you opt in. Unsubscribe at any time (Art. 6(1)(a) — consent).
To investigate fraud and abuse (Art. 6(1)(f) — legitimate interests, balanced against your rights).
To improve the site through aggregated, anonymous analytics — only with consent (Art. 6(1)(a)).

3. Who we share it with

Stripe (payment processing) — UK / EU / US (Standard Contractual Clauses).
SendGrid (transactional email) — US (Standard Contractual Clauses).
Cloudflare R2 (image + invoice storage) — EU.
Vercel (hosting) — EU edge.
Royal Mail / DPD / Ferrari Logistics (delivery) — UK.
HMRC (tax records, on legal request).

We do not sell your personal data. We do not share it for third-party marketing.

4. How long we keep it

Account data: until you delete your account (30-day grace period applies).
Order records and invoices: 7 years from order date (HMRC requirement).
Audit logs (security): 5 years.
Analytics data: 26 months (GA4 default).

When you delete your account, identifying personal data is removed and orders are pseudonymised — your name and email are replaced with a deletion key, but financial line-item records are retained for HMRC compliance.

5. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you (Subject Access Request).
Correct inaccurate data.
Delete your account and have your data anonymised (subject to retention exceptions above).
Object to or restrict our processing.
Receive your data in a portable format.
Withdraw consent for marketing emails or analytics cookies at any time.

To exercise any of these rights, email privacy@example.com. You can also lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.

6. Cookies

We use a Cookiebot consent banner. You can adjust your cookie preferences at any time via the banner. Our cookie categories:

Necessary: session cookies, cart, sign-in, CSRF protection.
Statistics (consent only): Google Analytics 4 for aggregate traffic measurement.
Functional (consent only): Tawk.to live chat.

7. Security

We hash passwords with bcrypt (cost 12). Card details are tokenised by Stripe and never reach our servers. All admin actions are recorded in an audit log. Two-factor authentication is mandatory for super-admin accounts. Connections are TLS 1.2+.

8. Children

This site is not intended for anyone under 18. We do not knowingly collect data from children.

9. Changes to this policy

We'll post material changes here and notify account holders by email at least 14 days before the change takes effect.