Privacy Policy

Last updated: January 2026

Who we are

This website is operated by Gerwyn Price Merchandise Ltd ("we", "us", "our"), the operator of the official Gerwyn Price merchandise store at gerwynpricedarts.co.uk. We are registered in England and Wales (Companies House No. 16885739). For all data protection enquiries, contact us at support@gerwynpricedarts.co.uk.

What personal data we collect

We collect the following categories of personal data:

  • Account data: your email address, first name, last name, and password (hashed — never stored in plain text).
  • Order data: shipping address (recipient name, address lines, city, postcode, country, phone number), billing name and address, order number, items purchased, payment amounts, and the email address used at checkout.
  • Saved addresses: delivery address book entries you choose to save in your account.
  • Marketing preferences: a record of whether you have opted in to or out of marketing emails, along with a timestamp and the source of that consent.
  • Inner Circle waitlist: if you have signed up to the early-access waitlist, we hold your email address and, if provided, a display name.
  • Technical data: IP address captured at checkout (used for fraud prevention), session tokens, and data-protection keys used to encrypt cookies.
  • Communications: records of transactional emails sent to you (dispatch confirmations, password resets, etc.).

How we use your data

Purpose Legal basis (UK GDPR)
Processing and fulfilling your orders Contract (Article 6(1)(b))
Sending order dispatch and account notifications Contract (Article 6(1)(b))
Fraud prevention and security Legitimate interests (Article 6(1)(f))
Sending marketing emails (if you have opted in) Consent (Article 6(1)(a))
Retaining financial and transaction records Legal obligation (Article 6(1)(c)) — Companies Act 2006 / HMRC
Improving our website and services Legitimate interests (Article 6(1)(f))

Who we share your data with

  • Stripe Inc. — payment processing. Your card details are held by Stripe and never touch our servers. Stripe is certified PCI-DSS Level 1. See Stripe's privacy policy.
  • Royal Mail / our courier partners — your name and delivery address are passed to the carrier to fulfil your order.
  • Postmark (Wildbit LLC) — transactional and marketing email delivery. Only your email address and the content of the email are shared.
  • Hosting UK — our platform is hosted on physical servers located in the United Kingdom. Your data does not leave the UK unless stated otherwise.

We do not sell your personal data to any third party.

How long we keep your data

  • Account data: retained for the lifetime of your account and deleted (or anonymised) within 30 days of a verified account closure request, subject to the legal retention obligations below.
  • Order and financial records: retained for 6 years from the end of the relevant tax year as required by HMRC and the Companies Act 2006. This data cannot be erased before that period expires.
  • Marketing consent records: retained for as long as your account exists, plus 3 years after closure, to demonstrate compliance with our consent obligations.
  • Inner Circle waitlist: retained until you unsubscribe or the programme launches, whichever is earlier.
  • IP addresses (checkout fraud): retained for 12 months.

Cookies

We use strictly necessary cookies to keep you signed in and to protect your session. We do not currently use analytics or advertising cookies. If this changes, we will update this policy and request your consent before placing any non-essential cookies.

Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — you can download a copy of all personal data we hold about you from your account settings.
  • Right to rectification — you can update your name, email address, and saved addresses in your account at any time.
  • Right to erasure — you can submit an account closure request from your account settings. Note that financial records are subject to the 6-year legal retention obligation described above.
  • Right to restrict processing — you can opt out of marketing emails at any time via your Preferences page.
  • Right to data portability — the data download described under the right of access is provided in machine-readable JSON format.
  • Right to object — you may object to processing based on legitimate interests by contacting us at support@gerwynpricedarts.co.uk.

We will respond to all data subject requests within 30 days as required by law. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO).

Data security

We take the security of your personal data seriously. Passwords are hashed using a strong one-way algorithm and are never stored in plain text. All traffic to this website is encrypted in transit using TLS. Access to production systems is restricted to authorised personnel only.

Changes to this policy

We may update this privacy policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Where changes are material, we will notify registered customers by email before the change takes effect.

Contact us

For any data protection queries, to exercise your rights, or to make a complaint, contact us at:
support@gerwynpricedarts.co.uk