1. Who We Are (Data Controller)
StoryBay
321–323 High Road,
Chadwell Heath, Essex
RM6 6AX
UK
Email: info@storybay.uk
Phone: +44 20 3996 0969
We are the data controller for the personal data processed in connection with this website and our services.
2. What Data We Collect
We may collect and process the following types of personal data:
2.1 Information You Provide to Us
- Contact details – name, email address, phone number, billing and shipping addresses
- Account information – username, password (stored in encrypted form)
- Order information – products purchased, order history, payment method (type only), delivery preferences
- Communication data – messages sent via email, contact forms, or phone
- Reviews and feedback – ratings, comments, or other content you submit
2.2 Information Collected Automatically
When you visit our website, we may automatically collect:
- Technical data – IP address, browser type/version, device type, operating system
- Usage data – pages visited, time spent on pages, clickstream, referring sites
- Cookie data – as described in Section 4
2.3 Payment Information
Payments are processed by third-party payment providers (e.g. for Apple Pay, GPay, Visa, Mastercard, Maestro, Discover).
We do not store full card numbers or full payment details on our servers. We receive limited information (e.g. payment status, last 4 digits of card, payment method) to confirm and manage your order.
3. How We Use Your Data (Purposes & Legal Bases)
We use your personal data for the following purposes and legal bases:
- To process and fulfil your orders
  - Including payment processing, shipping, order confirmations, and updates
  - Legal basis: Contract (necessary to perform a contract with you)
- To manage your account (if you create one)
  - Allowing you to log in, view order history, and save details
  - Legal basis: Contract; Legitimate interests (to provide a convenient service)
- To communicate with you
  - Responding to enquiries, support requests, and complaints
  - Legal basis: Contract; Legitimate interests (to respond and provide support)
- To send marketing communications (if you opt in)
  - Newsletters, promotions, and updates about our products
  - Legal basis: Consent (you can withdraw at any time)
- To improve our website and services
  - Analysing usage, troubleshooting issues, and enhancing user experience
  - Legal basis: Legitimate interests (to operate and improve our business)
- To comply with legal obligations
  - Record-keeping, tax, and accounting requirements
  - Legal basis: Legal obligation
- To prevent fraud and ensure security
  - Monitoring suspicious activity and protecting our site and customers
  - Legal basis: Legitimate interests (to protect our business and users)
4. Cookies & Similar Technologies
We use cookies and similar technologies to:
- Operate and secure the website (e.g. session cookies, security cookies)
- Remember your preferences (e.g. language, login details where chosen)
- Analyse website traffic and performance (e.g. analytics cookies)
Where required by law, we will ask for your consent before placing non-essential cookies (such as analytics or marketing cookies). You can manage or disable cookies via your browser settings; note that some features of the site may not function properly without certain cookies.
5. How We Share Your Data
We may share your personal data with:
- Payment processors – to securely process your payments
- Delivery and logistics providers – to deliver your physical orders
- IT and hosting providers – to host our website, email, and databases
- Analytics and service providers – to help us understand how our site is used and improve it
- Professional advisers – such as accountants or legal advisers, where necessary
- Authorities or law enforcement – where required by law or to protect our rights or those of others
We do not sell your personal data to third parties.
All third-party service providers are required to handle your data securely and process it only in accordance with our instructions and applicable data protection laws.
6. International Transfers
If any of our service providers are located outside the UK or EEA, we will ensure that appropriate safeguards are in place (such as standard contractual clauses or equivalent mechanisms) to protect your personal data in accordance with UK data protection law.
7. Data Retention
We keep your personal data only for as long as necessary for the purposes for which it was collected, including:
- Orders and billing records: typically retained for 6 years (or longer if required by tax and accounting laws)
- Account data: kept while your account is active; if you close your account, we may retain limited information as required by law or for legitimate business purposes
- Marketing data: kept until you unsubscribe or withdraw consent, or after a reasonable period of inactivity
When data is no longer needed, we will delete or anonymise it.
8. Your Rights
Under the UK GDPR, you have the following rights (subject to certain conditions):
- Right of access – request a copy of the personal data we hold about you
- Right to rectification – ask us to correct inaccurate or incomplete data
- Right to erasure – ask us to delete your data in certain circumstances
- Right to restriction – ask us to restrict processing of your data in certain circumstances
- Right to data portability – receive your data in a structured, commonly used format and transfer it to another controller (where technically feasible)
- Right to object – object to processing based on our legitimate interests or for direct marketing
- Right to withdraw consent – where we rely on consent (e.g. marketing emails), you can withdraw it at any time
To exercise any of these rights, contact us using the details in Section 1.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your data has not been handled correctly:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/
9. Children’s Privacy
Our website and services are not intended for children under 16. We do not knowingly collect personal data from children under this age. If you believe a child has provided us with personal data, please contact us so we can delete it.
10. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, or alteration, including:
- Use of secure (HTTPS) connections
- Restricted access to personal data on a need-to-know basis
- Use of reputable, secure third-party payment processors
No system is completely secure, but we work to protect your data to the best of our ability.
11. Third-Party Sites
Our website may contain links to third-party websites (e.g. payment providers, social media, external resources). We are not responsible for the privacy practices or content of those sites. You should review their own privacy policies before providing any personal data.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. We encourage you to review this policy periodically.
