Privacy Policy
By Jay — Privacy Policy
Last updated: 7.09.2025
Controller: By Jay (trading as By Jay)
Contact: Email: jaylanyusuf670@gmail.com — Address: 18 Como Road, Forest Hill, SE23 2JJ— Data Protection Lead:
1. Quick summary
We collect the personal data we need to process orders and keep customers informed. This includes names, delivery addresses, phone numbers and email addresses. We use this information to fulfil orders, handle returns, answer questions, and (only with your consent) send marketing. For more detail, see below. ICO
2. What personal data we collect
We may collect the following personal data when you place an order or contact us:
-
Name.
-
Postal address (for delivery).
-
Telephone number (for delivery updates or if we need to contact you about your order).
-
Email address (order confirmations, receipts, support).
-
Payment information is processed by our payment provider (we do not store full card details).
-
Order and transaction history, and any messages you send us.
We also may collect (with consent) marketing preferences and opt-in for SMS or email. ICO
3. Where we get your data
Mostly directly from you when you:
-
Place an order on our website.
-
Contact us by phone, email or social media.
We may also receive limited information from our payment and fulfilment providers (e.g., Shopify, Royal Mail) necessary to fulfil orders. ICO
4. Why we process your data (purposes) and lawful bases
We rely on the following lawful bases under UK GDPR:
-
Contract — to process and deliver your orders, manage returns and refunds, and communicate about your purchases. (necessary for performance of a contract). ICO
-
Legal obligation — to keep transaction records for tax and accounting purposes. Legislation.gov.uk
-
Consent — for marketing by email or SMS: we only send marketing messages if you’ve opted in. You can withdraw consent at any time. (If you want to send SMS marketing, record and store explicit consent.) ICO
-
Legitimate interests — for limited business administration tasks (e.g., preventing fraud, improving our service). We will balance this with your rights and freedoms. ICO
5. Who we share data with
We may share personal data with:
-
Payment processors (e.g., Shopify Payments, Stripe) to take payments.
-
Fulfilment and delivery partners (e.g., Royal Mail) to dispatch and track orders.
-
Professional advisors (accountants, legal advisers) where necessary.
-
Law enforcement or regulatory bodies if required by law.
We make sure any third party we share your data with only processes it for the purposes we set out and has appropriate security measures. If a third party acts as a processor on our behalf, we have a contract in place requiring them to protect your data. ICO
6. International transfers
If we or our providers transfer your personal data outside the UK, we will ensure appropriate safeguards are in place (for example, standard contractual clauses or transfers to providers who operate under an adequacy decision). If you use services that involve international transfers (e.g., third-party marketing platforms), we will note that where it applies. GOV.UK
7. How long we keep your data
We keep personal data only as long as necessary to fulfil the purposes described:
-
Order information and records for tax/accounting purposes — typically 6 years (or as required by law).
-
Marketing consent and preferences — until you withdraw consent.
-
Customer service enquiries — kept for a limited period to ensure we can respond to follow-ups, then deleted or archived.
We regularly review retention periods and securely delete or anonymise data when no longer needed. Data Protection Network
8. Your rights
Under UK GDPR you have the right to:
-
Be informed about how your personal data is used.
-
Access the personal data we hold (Subject Access Request).
-
Rectify inaccurate or incomplete data.
-
Request erasure (in some circumstances).
-
Restrict or object to processing (in some circumstances).
-
Data portability (receive a copy in a common format).
-
Withdraw consent at any time for processing based on consent.
To exercise any right, contact us at [your-email@byjay.co.uk]. We will respond within the statutory timeframe. If you are unhappy with our response you can complain to the Information Commissioner’s Office (ICO). ICO+1
9. Security
We take reasonable technical and organisational measures to protect your personal data from loss, misuse, unauthorised access and disclosure. These measures include secure hosting, access controls, and keeping software up to date. However, no internet transmission is 100% secure — if you have concerns, contact us. ICO
10. Automated decision-making and profiling
We do not use automated decision-making that has legal or similarly significant effects on you. If this changes, we will update this policy and obtain any required consents.
11. Cookies and tracking
We use cookies and similar technologies to operate the website and provide analytics. See our [Cookie Policy] (or the cookies section of this page) for details and how to opt out.
12. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top will show when it was last changed. Material changes will be notified where appropriate.
13. Contact & ICO
If you have questions, want to exercise your rights, or wish to complain, contact: jaylanyusuf670@gmail.com.
You can also contact the UK Information Commissioner’s Office: https://ico.org.uk. ICO
Quick notes for you (action items)
-
Replace placeholders: email, business address, Data Protection Lead.
-
Decide whether you will send SMS marketing. If yes, collect and store explicit consent and include an opt-in checkbox at checkout. (SMS marketing has extra rules — keep records). ICO
-
Add your cookie banner and a short layered privacy notice (short summary + link to this full policy). The ICO recommends a layered approach. ICO
-
If you use Shopify, note that Shopify and apps are processors — add them to your list of processors and keep contracts/terms for accountability.