This Privacy Policy explains how Rosslyn Gardens, operated through www.rosslyngardens.co.uk ("we", "us", or "our"), collects, uses, shares, and protects your personal information when you use our website or mobile application (collectively, the "Service"). We are committed to being transparent about our data practices and to protecting your privacy.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.
1. Information We Collect
We collect the following categories of personal information, depending on how you interact with our Service:
1.1 Information You Provide Directly
- Account and Order Information: When you create an account or place an order, we collect your name, billing address, shipping address, email address, phone number, and payment information (credit/debit card details processed securely through our payment provider).
- Customer Support Communications: When you contact us for support, we collect the content of your messages and any additional information you choose to provide to resolve your enquiry.
- Account Credentials: If you create an account, we store your login credentials in encrypted form.
1.2 Information Collected Automatically
When you access our website or app, we automatically collect certain technical and usage information:
- Device information: type of device, operating system and version, unique device identifiers, and mobile network information.
- Log data: IP address, browser type and version, time zone, pages visited, time spent on pages, and referring URLs.
- Usage data: features used, search terms entered, products viewed, and how you interact with the Service.
- Cookies and similar tracking technologies: we use cookies, web beacons, pixels, and local storage to recognise you, remember your preferences, and understand how the Service is used. See Section 11 (Cookies) for full details.
1.3 Device Permissions (Mobile App)
Our mobile application may request the following device permissions. We only request permissions that are necessary for the features described below, and you can revoke any permission at any time through your device settings:
- Camera: used to allow you to photograph plants or upload images of your garden for product identification or customer support purposes. We do not access your camera without your explicit action.
- Photo Library / Storage: used to allow you to select and upload images from your device. We access only the images you choose to share with us.
- Location (approximate): used, if you opt in, to personalise product recommendations based on your climate zone or to find local delivery options. Precise location is never collected without a separate, explicit opt-in.
- Notifications: used to send you order updates, dispatch confirmations, and (if you opt in) marketing messages. You can disable notifications at any time in your device settings.
We do not request access to your microphone, contacts, or any other device feature not listed above.
2. How We Use Information
We use the personal information we collect for the following purposes:
2.1 To Provide and Fulfil the Service
- Process and fulfil your orders, including payment processing, shipping, and delivery.
- Send order confirmations, invoices, dispatch notifications, and delivery updates.
- Manage your account and respond to your enquiries and customer support requests.
- Enable features that require device permissions (e.g., image upload, location-based recommendations).
2.2 To Improve the Service
- Analyse how users interact with the Service to identify and fix issues, and to develop new features.
- Conduct internal research and analytics to understand usage patterns and optimise performance.
- Detect and prevent fraudulent transactions, unauthorised access, and other harmful activity.
2.3 To Communicate With You
- Send transactional communications (order updates, receipts, security alerts) which are necessary to our contract with you.
- Send marketing communications about products, offers, and news — but only where you have given us your consent or where we have a legitimate interest and you have not opted out.
- Respond to your questions, feedback, or complaints.
2.4 Legal Basis for Processing (UK & EEA Users)
If you are located in the United Kingdom or the European Economic Area, we process your personal information under the following lawful bases:
- Contract performance: processing necessary to fulfil your order or manage your account.
- Consent: where you have explicitly opted in (e.g., marketing emails, location access, push notifications).
- Legitimate interests: improving the Service, fraud prevention, and internal analytics, where these do not override your rights.
- Legal obligation: where processing is required to comply with applicable law.
3. Data Sharing and Disclosure
We do not sell your personal information. We may share your information only in the limited circumstances described below:
3.1 Service Providers and Processors
We share personal information with trusted third-party service providers who perform services on our behalf. These providers are contractually required to protect your data and may only use it for the purposes we specify:
- E-commerce platform: Shopify Inc. powers our online store and processes payments and orders. See Shopify's privacy policy at https://www.shopify.com/legal/privacy.
- Payment processors: your payment card details are processed securely by our payment provider(s) and are never stored on our servers.
- Shipping and fulfilment partners: your name and delivery address are shared with carriers to fulfil your order.
- Analytics providers: we use tools such as Google Analytics to understand how users interact with our Service. See Section 8 (Third-Party Services) for details.
- Customer support tools: if we use a helpdesk or live-chat platform, your support communications may be processed by that provider.
- Cloud infrastructure: our data is hosted on secure cloud servers (AWS).
3.2 Legal Requirements
We may disclose your personal information if we believe in good faith that doing so is necessary to: (a) comply with a legal obligation, court order, or government request; (b) enforce our Terms of Service; (c) protect the safety, rights, or property of Rosslyn Gardens, our users, or the public; or (d) detect, investigate, or prevent fraud or security issues.
3.3 Business Transfers
If Rosslyn Gardens is involved in a merger, acquisition, restructuring, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.
3.4 Aggregated or De-identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you. For example, we may publish statistics about overall website traffic or purchase trends.
4. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting, or reporting obligations.
- Order and transaction records: retained for 7 years to comply with UK tax and accounting regulations.
- Account information: retained for as long as your account is active, and for a reasonable period thereafter to resolve disputes or enforce agreements. You may request deletion at any time (see Section 5).
- Marketing preferences and consent records: retained until you withdraw consent or opt out, plus a short period to evidence that consent was properly obtained.
- Customer support communications: retained for up to 3 years after the matter is resolved.
- Technical logs (IP addresses, session data): retained for up to 90 days for security and debugging purposes.
- Cookies: see Section 11 for individual cookie durations.
When your data is no longer required, we securely delete or anonymise it.
5. User Rights and Choices
5.1 Your Rights Under UK GDPR / GDPR
If you are located in the United Kingdom or the European Economic Area, you have the following rights regarding your personal information:
- Right of access: you can request a copy of the personal information we hold about you.
- Right to rectification: you can ask us to correct inaccurate or incomplete information.
- Right to erasure (“right to be forgotten”): you can ask us to delete your personal information, subject to certain legal exceptions.
- Right to restriction: you can ask us to stop actively processing your data while a dispute is resolved.
- Right to data portability: you can request your data in a structured, machine-readable format.
- Right to object: you can object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making: you have the right to request human review of any decision made solely by automated means that significantly affects you.
To exercise any of these rights, please contact us at joleen@rosslyngardens.co.uk. We will respond within 30 days. We may need to verify your identity before processing your request.
5.2 California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, use, disclose, and sell; the right to delete your personal information; the right to opt out of the sale or sharing of your personal information; and the right to non-discrimination for exercising your rights.
We do not sell your personal information as defined under the CCPA. To submit a request, contact us at joleen@rosslyngardens.co.uk or by post at the address in Section 14.
5.3 Marketing Opt-Out
You may opt out of marketing communications at any time by clicking the “Unsubscribe” link in any marketing email, by adjusting your notification settings in the app, or by contacting us directly. You will continue to receive transactional communications (e.g., order confirmations) as these are necessary to our contract with you.
5.4 Push Notifications
If you have enabled push notifications on our mobile app, you can disable them at any time through your device settings (iOS: Settings → Notifications; Android: Settings → Apps → Notifications).
6. Children's Privacy
Our Service is not directed at children under the age of 13 (or under 16 where required by applicable law, including UK GDPR). We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at joleen@rosslyngardens.co.uk. We will take prompt steps to delete such information from our systems.
If we discover that we have inadvertently collected personal information from a child under the applicable age threshold, we will delete that information as soon as possible.
7. Security Measures
We take the security of your personal information seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, alteration, or disclosure. Our security measures include:
- Encryption: all data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security). Payment card data is processed via PCI-DSS compliant payment processors.
- Access controls: access to personal data is restricted to employees and contractors who need it to perform their job functions, and is subject to strict confidentiality obligations.
- Secure infrastructure: our Service is hosted on industry-standard cloud infrastructure with regular security monitoring.
- Account security: passwords are stored in hashed form and are never stored or transmitted in plain text.
- Regular reviews: we periodically review our security practices to identify and address potential vulnerabilities.
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a high risk to your rights, we will notify you and the relevant supervisory authority as required by law.
8. Third-Party Services (Analytics, Advertising & SDKs)
Our Service integrates with the following third-party tools and SDKs. Each third party operates under its own privacy policy, and we encourage you to review them:
8.1 Shopify
Our online store is powered by Shopify Inc. Shopify processes your order, payment, and account data on our behalf as a data processor. For details, see: https://www.shopify.com/legal/privacy.
8.2 Google Analytics
We use Google Analytics (provided by Google LLC) to analyse how users interact with our website and app. Google Analytics collects information such as pages visited, time on site, device type, and approximate location derived from your IP address. This data is aggregated and anonymised where possible. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout.
Google's privacy policy is available at https://policies.google.com/privacy.
8.3 Behavioural Advertising
We may use advertising services (such as Google Ads or Meta Ads) to show you relevant advertisements on other websites based on your interactions with our Service. This involves placing cookies or pixels that track your browsing activity across websites. Where required, we will seek your consent before enabling such tracking.
You can opt out of interest-based advertising at any time:
- Google Ads: https://www.google.com/settings/ads
- Meta (Facebook/Instagram): https://www.facebook.com/settings/?tab=ads
- Digital Advertising Alliance (multiple providers): https://optout.aboutads.info/
- Network Advertising Initiative: https://optout.networkadvertising.org/
8.4 Other Third-Party SDKs
Our mobile application may include third-party SDKs (Firebase, Stripe) for features such as crash reporting, performance monitoring, or payment processing. A current list of SDKs used in the app is available on request at joleen@rosslyngardens.co.uk.
We are responsible for ensuring that any SDK we integrate complies with applicable data protection laws and the data policies of the Google Play Store and Apple App Store.
9. International Data Transfers
Rosslyn Gardens is based in the United Kingdom. However, some of our third-party service providers — including Shopify, Google, and our hosting provider — are located in or operate infrastructure in countries outside the UK and EEA, including the United States and Canada.
When we transfer personal information outside the UK or EEA, we ensure that appropriate safeguards are in place to protect your data, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) or the European Commission;
- Transfers to countries deemed by the ICO or European Commission to provide an adequate level of data protection; or
- Other lawful transfer mechanisms as permitted under UK GDPR or GDPR.
For more information about Shopify's approach to international data transfers, see: https://help.shopify.com/en/manual/your-account/privacy/GDPR.
You may request further information about the specific safeguards in place for international transfers by contacting us at joleen@rosslyngardens.co.uk.
10. Automated Decision-Making
We do not make decisions about you that have a legal or similarly significant effect using solely automated means without human review.
Our payment processor, Shopify, uses limited automated decision-making to prevent fraud. This includes:
- Temporary blocking of IP addresses associated with repeated failed transactions (lasting a few hours).
- Temporary blocking of payment cards associated with flagged IP addresses (lasting a few days).
These automated measures do not have a legal or otherwise significant effect on you beyond preventing a fraudulent transaction. If you believe a decision has been made in error, please contact us and we will arrange a manual review.
11. Cookies and Tracking Technologies
Cookies are small text files placed on your device when you visit our website. We use cookies to make the Service work correctly, to remember your preferences, and to understand how users interact with our site.
11.1 Types of Cookies We Use
- Strictly necessary cookies: essential for core functions such as checkout, login, and shopping cart. These cannot be disabled without breaking the Service.
- Functional cookies: remember your preferences (e.g., region, currency) to improve your experience.
- Analytics cookies: collect aggregated information about how users interact with the Service to help us improve it.
- Advertising/targeting cookies: used to deliver relevant ads and measure their effectiveness. We will request your consent before placing these cookies where required.
11.2 Specific Cookies Used
The tables below list the cookies currently used on our Service. Cookies from Shopify's current list are included; you can also review Shopify's cookie list at https://www.shopify.com/legal/cookies.
Strictly Necessary Cookies:
| Cookie Name | Purpose | Duration |
|---|---|---|
| _secure_session_id | Enables navigation through the storefront | 24 hours |
| cart | Maintains your shopping cart contents | 2 weeks |
| cart_currency | Remembers your selected currency | 2 weeks |
| checkout | Maintains your checkout session | 4 weeks |
| checkout_token | Identifies your checkout session | 1 year |
| secure_customer_sig | Authenticates your customer login | 20 years |
| _tracking_consent | Stores your cookie consent preferences | 1 year |
| _shopify_m | Manages customer privacy settings | 1 year |
| keep_alive | Supports buyer localisation | 2 weeks |
Analytics & Reporting Cookies:
| Cookie Name | Purpose | Duration |
|---|---|---|
| _s | Shopify analytics — session-level data | 30 minutes |
| _shopify_y | Shopify analytics — long-term visitor data | 1 year |
| _y | Shopify analytics | 1 year |
| _landing_page | Tracks landing page for attribution | 2 weeks |
| _orig_referrer | Tracks originating referrer | 2 weeks |
| _shopify_sa_p | Marketing and referral analytics | 30 minutes |
| _shopify_sa_t | Marketing and referral analytics | 30 minutes |
| _shopify_ga | Shopify and Google Analytics integration | Session |
11.3 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to view, block, or delete cookies. Please note that blocking essential cookies will prevent parts of the Service from working correctly.
For guidance on managing cookies in your browser, visit www.allaboutcookies.org. To opt out of advertising cookies, see Section 8.3.
11.4 Do Not Track
Our Service does not currently alter its behaviour in response to “Do Not Track” signals from browsers, as there is no consistent industry standard for how such signals should be interpreted. If this changes, we will update this policy accordingly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy;
- Post the revised policy on our website and within the app; and
- Where required by law or where the changes are significant, notify you directly by email or via an in-app notification.
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes. We encourage you to review this policy periodically to stay informed about how we protect your information.
13. Complaints
If you have a concern about how we handle your personal information, please contact us in the first instance at joleen@rosslyngardens.co.uk. We take all complaints seriously and will endeavour to respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. For users in the United Kingdom, this is the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk/make-a-complaint/
- Telephone: 0303 123 1113
For users in the EEA, you may contact the data protection authority in your country of residence.
14. Contact Information
If you have any questions, requests, or concerns about this Privacy Policy or our data practices, please contact us:
Rosslyn Gardens
Data Controller: Rosslyn Gardens (operated by Rosslyn Gardens)
- Address: 10 Rosslyn Gardens, Kirkcaldy, KY1 3BF, United Kingdom
- Email: joleen@rosslyngardens.co.uk
- Website: www.rosslyngardens.co.uk
When you contact us about a data rights request, please include your full name and, if applicable, your account email address so we can locate and process your request efficiently. We aim to respond to all requests within 30 days.
This privacy policy was last reviewed and updated in April 2026.
Rosslyn Gardens — Growing trust, one garden at a time.
