Privacy Policy
How TrueMart collects, uses and protects your personal data — in plain English.
This Privacy Policy explains how TrueMart (trading as TrueMart.co.uk) collects, uses, stores and shares your personal data. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Please read this policy carefully. By using our website or placing an order, you acknowledge you have read and understood this policy.
1Who We Are
For the purposes of data protection law, the Data Controller is:
TrueMart — a sole-trader business operated by Shilpi Singh, based in the United Kingdom
Email (general): [email protected]
Email (data protection / GDPR queries): [email protected]
Phone: +44 7442 020454
Geographic address: a postal address is available on request — please email [email protected]
As Data Controller, we determine the purposes and means of processing your personal data. If you have any questions about how we handle your data, please contact us using the details above.
2Data We Collect
We collect the following categories of personal data:
Identity & Contact Data
- •Full name
- •Email address
- •Phone number
- •Delivery and billing address
Transaction Data
- •Order details, products purchased, and order history
- •Payment confirmation references (we do not store card numbers — payments are handled by Stripe)
Account Data
- •Username and encrypted password (if you create an account)
- •Saved addresses and preferences
Technical & Usage Data
- •IP address and browser type
- •Pages visited and time spent on site
- •Referring URLs
- •Device type and operating system
Marketing & Communication Data
- •Your preference to receive or not receive marketing communications
- •Email open and click data (where consent is given)
We do not collect any special category data (such as racial or ethnic origin, health data, or biometric data).
3Lawful Basis for Processing
Under UK GDPR Article 6, we must have a lawful basis for each type of processing. The table below sets out our lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Processing and fulfilling your order | Contract (Article 6(1)(b)) — necessary to perform our contract with you |
| Creating and managing your account | Contract (Article 6(1)(b)) |
| Processing payment | Contract (Article 6(1)(b)) |
| Sending order confirmations and dispatch notifications | Contract (Article 6(1)(b)) |
| Responding to customer service enquiries | Legitimate interests (Article 6(1)(f)) — to resolve queries effectively |
| Sending marketing emails and promotions | Consent (Article 6(1)(a)) — only where you have opted in |
| Improving our website and user experience | Legitimate interests (Article 6(1)(f)) — to develop and grow our business |
| Preventing fraud and ensuring security | Legitimate interests (Article 6(1)(f)) |
| Complying with legal obligations (e.g. tax records) | Legal obligation (Article 6(1)(c)) |
| Cookie analytics and tracking (non-essential) | Consent (Article 6(1)(a)) |
4How We Use Your Data
We use your personal data for the following purposes:
- •To process, fulfil and deliver your orders
- •To send order confirmations, dispatch notifications and tracking updates
- •To manage your account and preferences
- •To respond to your enquiries and provide customer support
- •To send you marketing emails, promotions and festival updates — only where you have given your consent
- •To personalise your shopping experience
- •To detect and prevent fraud or abuse of our website
- •To comply with our legal and regulatory obligations
- •To improve our website, product range, and services
We will never use your data for any purpose incompatible with those stated above without first obtaining your consent.
5Sharing Your Data
We do not sell, rent or trade your personal data. We share your data only where necessary, with the following categories of recipients:
Royal Mail
To deliver your order. We share your name and delivery address only.
Stripe
To process your payment securely. Stripe is PCI-DSS compliant. We do not store your card details.
Resend
To send transactional emails (order confirmations, dispatch notifications).
Cloudinary
To store and serve product images.
Supabase
Our database provider, hosted in the EU (London region). Stores your account and order data securely.
PostHog (hosted in EU — Frankfurt, Germany)
Product analytics — page views, feature usage, conversion funnels. No personally identifiable information is sent (no email, name, phone, address). Data retained for 1 year.
Sentry
Error monitoring and performance tracking to ensure site reliability. May capture technical data (browser, OS, error stack traces). No payment or personal data sent.
Marketplace Vendors (Phase 2 — not currently active)
This applies to a future TrueMart feature. We are planning to expand TrueMart into a multi-vendor marketplace. When that feature launches, we will update this Privacy Policy to specify which categories of personal data are shared with vendors and on what lawful basis. Until then, all orders are fulfilled directly by TrueMart and no customer data is shared with third-party vendors.
Legal & regulatory authorities
Where required by law, court order, or to protect the rights and safety of TrueMart or others.
All third-party processors are bound by data processing agreements and are required to handle your data securely and only for the purposes we specify.
6How Long We Keep Your Data
We retain personal data only for as long as necessary for the purpose it was collected, or as required by law:
| Data Type | Retention Period | Reason |
|---|---|---|
| Order records (financial) | 6 years from order date | HMRC tax and accounting obligations (legal obligation) |
| Order PII (name, address, phone) | Until account deleted + 30-day window, then anonymised | Contract performance |
| Account data (profile, addresses) | Until account deleted + 30-day recovery window, then erased | Consent / contract |
| Marketing / newsletter subscribers | Until unsubscribed; inactive after 2 years | Consent |
| PostHog analytics events | 1 year | Consent (analytics cookies) |
| Sentry error logs | 30 days | Legitimate interest (security) |
| Vendor agreement records | 7 years post-termination | Legal / regulatory |
| Rate-limit data (anti-abuse) | 24 hours (auto-cleaned nightly) | Legitimate interest |
| Deleted accounts (soft-delete) | 30 days from request, then erased | Consent withdrawal |
After the applicable retention period, your data will be securely deleted or anonymised.
7Cookies
We use cookies and similar tracking technologies on our website. Cookies are small text files stored on your device. We use the following categories:
Strictly Necessary
Always onEssential for the website to function. These include session cookies, cart data, and login state. These cannot be disabled.
Analytics & Performance
Consent requiredHelp us understand how visitors use our site (pages visited, time on site, errors encountered). Used to improve performance.
Functional
Consent requiredRemember your preferences such as language and region to provide a more personalised experience.
Marketing
Consent requiredUsed to track visits and build a profile of your interests to show relevant advertising. We do not currently run retargeting ads but may do so in future.
You can manage your cookie preferences at any time via the cookie banner on our website, or through your browser settings. Please note that disabling certain cookies may affect website functionality.
For full details, see our Cookie Policy.
8Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
Right of Access
Request a copy of all personal data we hold about you (Subject Access Request).
Right to Rectification
Ask us to correct inaccurate or incomplete data.
Right to Erasure
Ask us to delete your data ('right to be forgotten') where there is no legitimate reason to continue holding it.
Right to Restrict Processing
Ask us to pause processing your data in certain circumstances.
Right to Data Portability
Receive your data in a structured, machine-readable format to transfer to another service.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
Rights re: Automated Decisions
We do not make solely automated decisions that significantly affect you. All material decisions involve human review.
To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month as required by UK GDPR. We may ask you to verify your identity before processing your request.
How to delete your account
You can request deletion of your TrueMart account at any time from your account page by clicking Delete my account. This is the fastest way to exercise your right to erasure under UK GDPR Article 17.
The 30-day grace period
When you request deletion, we schedule your account for permanent erasure 30 days later. This gives you a window to change your mind — simply sign back in within those 30 days and click Cancel deletion. We send you an email confirming the request and another if you cancel.
What gets erased on day 30
- Your profile, login, name, email and phone number
- Your saved addresses
- Your shopping cart and wishlist
- Your newsletter subscription
What is kept (anonymised)
- Order financial records — kept for 6 years to satisfy HMRC's record-keeping requirement (UK tax law). Your name, address and phone are replaced with placeholders; the order amounts and dates remain.
- Any product reviews you wrote — the review text and rating remain visible to other customers, but no longer show your name (displayed as "Anonymous"). This protects other buyers who relied on your review.
Download your data first
Before deleting, you can download a full export of your data from the same page (Download my data button). After deletion this is no longer possible.
Audit log
For compliance with UK GDPR Article 30, we keep a minimal record that an account was requested for deletion, scheduled, and completed (dates only — no identifying data, no name, no email). This proves we honoured your request and is the only thing that survives the erasure.
If you'd prefer help with deletion or have questions, contact [email protected].
9International Transfers
Some of our third-party service providers may process your data outside the UK. Where this occurs, we ensure appropriate safeguards are in place:
- •Supabase (database) — hosts our data in London (eu-west-2 region). Data stays in the UK. No international transfer occurs.
- •PostHog (product analytics) — hosted in the EU (Frankfurt, Germany). Covered by the UK adequacy decision for the EU/EEA. No additional safeguard is required.
- •Sentry (error monitoring) — hosted in the EU on Sentry's European data region. Covered by the UK adequacy decision for the EU/EEA. No additional safeguard is required.
- •Stripe (payments) — transfers data to the United States. We rely on Stripe's UK Addendum to the EU Standard Contractual Clauses for the lawful basis of this transfer.
- •Cloudinary (image hosting) — transfers data to the United States. We rely on Cloudinary's UK Addendum to the EU Standard Contractual Clauses.
- •Resend (transactional email) — transfers data to the United States. We rely on Resend's UK Addendum to the EU Standard Contractual Clauses.
You can request details of the specific safeguards in place for any international transfer by contacting us.
10Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- •SSL/TLS encryption on all data transmitted between your browser and our servers
- •Encrypted storage of passwords using industry-standard hashing
- •Access controls restricting who can access personal data within our team
- •Payment processing via Stripe — we never see or store your full card details
- •Regular review of our security practices
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify you directly without undue delay.
11Children's Privacy
Our website is intended for use by people aged 16 or over (see our Terms of Service). Although the UK GDPR sets the minimum age for data processing consent at 13, we do not knowingly collect personal data from anyone under 16.
If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected] and we will delete it promptly.
12Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. We encourage you to review this policy periodically.
13Contact & Complaints
If you have any questions, concerns or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
TrueMart (sole trader, operated by Shilpi Singh)
General: [email protected]
Data protection / GDPR: [email protected]
Phone: +44 7442 020454
Right to Complain to the ICO
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's independent data protection authority — if you believe we have not handled your personal data in accordance with the law.
ICO website: ico.org.uk
ICO helpline: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.