Carrol Boyes — Privacy Notice (United Kingdom)

Carrol Boyes — Privacy Notice (United Kingdom)

This Privacy Notice explains how Carrol Boyes (‘we’, ‘us’) collects, uses, shares and protects personal data of customers in the United Kingdom and visitors to our UK website or online services. It has been prepared to meet the transparency requirements of the UK GDPR and the Data Protection Act 2018, and to reflect PECR rules for cookies and similar technologies. Nothing in this notice limits your statutory rights.

1. Who we are (data controller)

Carrol Boyes UK Limited (Company No. 16463382) is the data controller for your personal data when you shop with us online, create an account, subscribe to marketing, interact with our customer services, or otherwise engage with our UK website.

  • Email: customercare@carrolboyes.com
  • Postal contact: Our registered office address is available on the UK Companies House register for Carrol Boyes UK Limited (Company No. 16463382).

Data Protection Officer: Matt McDonald (privacy@carrolboyes.com)

2. What personal data we collect

  • Identity and contact data (e.g., name, billing/delivery addresses, email, phone).
  • Account credentials and preferences (if you create an account).
  • Order and payment data (order contents, totals, masked card/payment tokens via our payment providers).
  • Delivery and returns data (delivery address, tracking and fulfilment status, return requests).
  • Communications and customer service interactions (emails, chat transcripts, phone logs).
  • Marketing preferences (opt-ins/opt-outs, engagement with emails).
  • Online identifiers and device data (IP address, device/browser info, cookie IDs, approximate location), and website usage information (pages viewed, links clicked).
  • User-generated content (reviews, survey responses, competition entries).
  • Age-verification data where required for age-restricted items (e.g., knives), including verification outcome and limited ID attributes as necessary to meet legal obligations.

3. Where we get your data

  • Directly from you (checkout, account creation, customer care, forms).
  • Automatically via our website and apps (cookies and similar technologies — see Cookies & Tracking below).
  • From our service providers (e.g., payment, delivery, analytics, marketing).
  • From publicly available sources or social media interactions (where you interact with our official pages).

4. How we use your data and our lawful bases

We use your personal data for the purposes below. For each purpose we rely on one or more lawful bases under UK GDPR (contract, legal obligation, legitimate interests, or consent).

If you do not provide certain information needed to place and deliver an order (such as your name, address and payment details), we may not be able to process your purchase. Other information (such as marketing preferences) is optional.

Process orders and take payment Shopify / Shopify Payments
Purpose

Take payment, fulfil orders, provide order updates, deliver products and manage checkout.

Examples of data

Name, contact details, billing/delivery address, order details, payment status/transaction references.

Lawful basis

Contract

Key recipients/processors

Shopify; Shopify Payments; delivery/warehouse partners

Customer service and returns Queries, refunds & complaints
Purpose

Respond to queries, manage returns/refunds, handle complaints.

Examples of data

Contact details, order history, correspondence and support interactions.

Lawful basis

Contract; Legitimate interests

Key recipients/processors

Shopify; logistics partners; customer support tooling

Fraud prevention and security Protecting customers and the business
Purpose

Protect customers and the business, detect/prevent fraud and misuse.

Examples of data

Device info, IP address, order/payment signals, account activity.

Lawful basis

Legitimate interests; (sometimes) Legal obligation

Key recipients/processors

Shopify/Shopify Payments; fraud-prevention and security providers

Marketing emails Dotdigital
Purpose

Send newsletters/offers and measure engagement.

Examples of data

Email, name, marketing preferences, email engagement (opens/clicks), purchase history where used for targeting.

Lawful basis

Consent (and 'soft opt-in' where permitted by PECR)

Key recipients/processors

Dotdigital

Analytics and performance GA4
Purpose

Measure website performance and improve user experience.

Examples of data

Online identifiers (cookie IDs), device/browser info, usage events.

Lawful basis

Consent for non-essential cookies

Key recipients/processors

Google Analytics 4 (Google)

Business reporting Power BI
Purpose

Internal reporting, forecasting and performance analysis.

Examples of data

Aggregated sales/traffic metrics; in limited cases user-level data if imported.

Lawful basis

Legitimate interests

Key recipients/processors

Microsoft Power BI (Microsoft)

Legal compliance and claims Legal requirements & disputes
Purpose

Comply with law and manage legal claims.

Examples of data

Order/payment records, correspondence, account details.

Lawful basis

Legal obligation; Legitimate interests

Key recipients/processors

Professional advisers; authorities where required

Group operational support Carrol Boyes South Africa
Purpose

Operational support for the UK business (including Shopify/Dotdigital/admin analytics access).

Examples of data

Customer/order/marketing/analytics data as above.

Lawful basis

Legitimate interests and/or Contract (service provision to Carrol Boyes UK Limited)

Key recipients/processors

Carrol Boyes South Africa (group support services)

Where we rely on legitimate interests, these include operating our business, providing customer service, improving our services, and keeping our website and transactions secure. We balance these interests against your rights and expectations.

5. Cookies & tracking (PECR)

We use cookies and similar technologies to make our website work and to measure performance and personalise marketing. Our cookie banner and settings are provided through Shopify’s customer privacy tools. We will obtain your consent for non-essential cookies and provide a way to withdraw consent at any time through our cookie banner/settings. See our Cookie Policy for details of categories, purposes, retention, and third parties involved (e.g., analytics and advertising pixels).

6. Sharing your data (recipients)

We share personal data with trusted service providers who act on our instructions and under contract, including:

  • Shopify (e-commerce platform) and Shopify Payments (payment processing) and related fraud-prevention services.
  • Warehousing/fulfilment providers and DHL (and other couriers) for delivery and returns logistics.
  • Dotdigital (email service provider for marketing communications).
  • Google Analytics 4 (analytics, where you consent) and Microsoft Power BI (business reporting/analytics).
  • Professional advisers (legal, accounting) and authorities where required by law.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law.

7. International transfers

We and our service providers may process personal data outside the UK. This includes operational access by our group company, Carrol Boyes South Africa, which supports Carrol Boyes UK Limited with administration of our Shopify store, email marketing operations, and analytics/reporting. Where transfers are made to a country not covered by UK adequacy regulations (including South Africa), we implement appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with technical and organisational measures, and we carry out a transfer risk assessment where required.

8. How long we keep your data

We retain personal data only for as long as necessary for the purposes described above, including to satisfy legal, accounting, or reporting requirements. For example:

  • Order records: generally up to 6 years for tax and accounting.
  • Customer service records: typically up to 3 years after resolution.
  • Marketing preferences and email engagement: retained while you remain opted-in; we remove you sooner if you opt-out.
  • Cookie identifiers: per our Cookie Policy and your consent settings.

9. Your rights

Under UK data protection law you have rights to:

  • Access your personal data and receive a copy.
  • Rectify inaccurate or incomplete data.
  • Erase data (‘right to be forgotten’) in certain circumstances.
  • Restrict or object to processing in certain circumstances, including direct marketing (you can always opt out of marketing).
  • Data portability for information you provided to us with consent or under a contract.
  • Withdraw consent at any time where we rely on consent (e.g., marketing or non-essential cookies).
  • Complain to the UK Information Commissioner’s Office (ICO).

9.1 Data Collection, Offers & Consent

  • 9.1.1 We may present you with special offers, newsletters, or other communications for which you can sign up (an “Offer”). If you choose to subscribe, we will collect your personal information and process it in accordance with our Privacy Policy.
  • 9.1.2 By subscribing to an Offer, you consent to us adding your details to our designated audience list and to receive related communications from us. You may withdraw your consent at any time by using the “unsubscribe” link in any email or by contacting our Data Officer (details below).
  • 9.1.3 For any queries or requests relating to the processing of your personal data, you may contact our Data Protection Officer:
  • 9.1.4 We will only process your personal data for the purpose of managing the Offer and communications related to it, and we will not share your personal data with third parties except as set out in our Privacy Policy.
  • 9.1.5 If you do not provide the required data when signing up for an Offer, we may not be able to include you in that Offer or deliver the communications related to it.

To exercise your rights, contact us at privacy@carrolboyes.com. We may need to verify your identity before responding.

10. Children’s data

Our website and services are not directed to children and we do not knowingly collect personal data from children under 13. For age-restricted items we perform age verification to comply with UK law.

11. Automated decision-making and profiling

We do not make decisions that produce legal effects about you solely by automated means. We may use limited profiling (such as purchase segments or email engagement) to tailor marketing where you have consented, and you can opt out at any time.

12. Security

We use appropriate technical and organisational measures to protect personal data, including encryption, access controls and staff training. We also expect our processors to maintain robust security.

13. Changes to this notice

We may update this notice from time to time. We will post the latest version on our website. The effective date will appear below.

14. Contact and complaints

If you have questions or concerns about this notice or your personal data, contact customercare@carrolboyes.com. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Carrol Boyes ICO reference number: ZC095254

Effective date: October 2025