Privacy Policy

Last Updated: November 2025

At Keep It What, we take your privacy seriously. This policy explains how we collect, use, and protect your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller: Keep It What Limited
Company Registration Number: 16299426
Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
ICO Registration Number: [TO BE ADDED - You must register with the ICO]
Contact: hello@keepitwhat.com

1. Information We Collect

Information You Provide to Us

When you use our Website, we collect information you provide directly, including:

  • Name, email address, phone number, and delivery address
  • Payment information (processed securely by Stripe)
  • Personalization details and custom content
  • Communication preferences
  • Any other information you choose to provide

Information Collected Automatically

When you visit our Website, we automatically collect:

  • Device information (browser type, operating system)
  • IP address and location data
  • Pages visited and time spent on pages
  • Referring website or source
  • Cookies and similar technologies

2. Legal Basis for Processing & How We Use Your Information

We process your personal data under the following legal bases as defined by UK GDPR:

Contract Performance

Processing necessary to fulfill our contract with you:

  • Process and fulfill your orders
  • Process payments through Stripe
  • Arrange delivery and shipping
  • Provide customer support
  • Send order confirmations and shipping updates

Legitimate Interests

Processing necessary for our legitimate business interests:

  • Fraud prevention and security
  • Improving our website and services
  • Analyzing usage patterns and customer preferences
  • Internal record keeping and business operations
  • Displaying anonymized social proof notifications (showing first name and city only from recent purchases to build trust)

Consent

Processing based on your explicit consent:

  • Marketing emails and promotional communications (you can withdraw consent anytime)
  • Non-essential cookies

Legal Obligation

Processing required to comply with legal requirements:

  • Tax and accounting records (HMRC requirements)
  • Responding to legal requests and court orders
  • Compliance with consumer protection laws

3. Third-Party Data Processors & Sharing

We do not sell your personal information to third parties.

We share your data with the following trusted third-party processors who help us operate our business:

  • Stripe (Payment Processing): Processes card payments securely. Stripe is PCI-DSS Level 1 certified. Data may be transferred to the USA under adequate safeguards (Standard Contractual Clauses).
  • Supabase (Database & Authentication): Stores customer data and manages user accounts. Data is stored in EU/UK data centers where possible.
  • Resend (Email Communications): Sends transactional and marketing emails on our behalf.
  • Vercel (Website Hosting): Hosts our website infrastructure. Data may be processed in the USA and EU.
  • Shipping Carriers: Delivery companies who need your name and address to deliver your order (e.g., Royal Mail, DPD, etc.).

We also share information when:

  • Required by Law: To comply with legal obligations, court orders, or regulatory requirements
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (you will be notified)
  • With Your Consent: When you've given explicit permission

All third-party processors are carefully selected and required to provide appropriate security measures and comply with UK data protection laws.

4. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • SSL encryption for data transmission
  • Secure payment processing through Stripe (PCI-DSS compliant)
  • Regular security assessments and updates
  • Restricted access to personal data
  • Secure data storage and backup procedures

While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

5. Cookies and Tracking Technologies

We use cookies and similar technologies in compliance with the Privacy and Electronic Communications Regulations (PECR).

Essential Cookies (No Consent Required)

These cookies are necessary for the website to function:

  • Authentication and session management
  • Shopping cart functionality
  • Security and fraud prevention
  • Load balancing and performance

Non-Essential Cookies (Consent Required)

We only use these with your consent:

  • Analytics Cookies: Google Analytics 4 (_ga, _gid, _gat) - Help us understand how visitors use our site and improve user experience
  • Marketing Cookies: Track effectiveness of marketing campaigns (not currently implemented)
  • Preference Cookies: Remember your settings and preferences

Managing Cookies: You can control and delete cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of our website.

For more information about cookies and how to manage them, visit www.aboutcookies.org or www.allaboutcookies.org.

6. Your Rights Under UK GDPR

Under UK data protection law (UK GDPR and Data Protection Act 2018), you have the following rights:

  • Right of Access (Subject Access Request): Request a copy of the personal data we hold about you. We will respond within one month.
  • Right to Rectification: Ask us to correct inaccurate or incomplete personal data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data in certain circumstances (e.g., when no longer needed for original purpose). Note: We may need to retain some data for legal/accounting obligations.
  • Right to Restriction of Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Withdraw consent for data processing at any time (where processing is based on consent). This does not affect the lawfulness of processing before withdrawal.
  • Right Not to be Subject to Automated Decision-Making: Not be subject to decisions based solely on automated processing, including profiling, which produces legal or similarly significant effects.

How to Exercise Your Rights:

To exercise any of these rights, please contact us at hello@keepitwhat.com with:

  • Your full name and email address
  • Details of your request
  • Proof of identity (for security purposes)

We will respond to your request within one month. In complex cases, we may extend this by two additional months and will inform you.

Right to Complain: If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ICO Website: ico.org.uk/make-a-complaint
ICO Helpline: 0303 123 1113

7. Data Retention Periods

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy or as required by law:

  • Order and Transaction Records: 7 years from date of transaction (HMRC requirement for tax purposes)
  • Customer Account Information: As long as your account is active, plus 7 years after account closure
  • Marketing Consent Records: Until consent is withdrawn, plus 3 years to demonstrate compliance
  • Website Analytics Data: 26 months maximum
  • Communication Records: 3 years from last contact
  • CCTV or Security Footage (if applicable): 30 days maximum

After the retention period expires, we will securely delete or anonymize your personal data. Some data may be retained longer if required by law or for legitimate business purposes (e.g., ongoing legal claims).

8. International Data Transfers

Some of our third-party service providers are located outside the United Kingdom and European Economic Area (EEA), which means your personal data may be transferred to and processed in other countries, including the United States.

When we transfer your data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
  • Adequacy decisions where the destination country provides adequate data protection
  • Certification schemes (e.g., EU-US Data Privacy Framework where applicable)

For more information about the safeguards we use for international transfers, please contact us at hello@keepitwhat.com.

9. Third-Party Links

Our Website may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to review their privacy policies before providing any personal information.

10. Children's Privacy

Our Website is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe we have collected information from your child, please contact us immediately at hello@keepitwhat.com and we will take steps to delete such information.

11. Marketing Communications

We will only send you marketing communications if you have given us your consent or where we have a legitimate interest (and you have not opted out).

You can opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Contacting us at hello@keepitwhat.com
  • Updating your preferences in your account settings

Note: Opting out of marketing does not affect transactional emails (e.g., order confirmations, shipping updates), which are necessary for the service.

12. Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. We will notify you of any significant changes by posting the new policy on this page and updating the "Last Updated" date. For material changes, we may also notify you by email. We encourage you to review this policy periodically.

14. Contact Us & Data Protection Officer

If you have questions about this Privacy Policy, how we handle your data, or wish to exercise your data protection rights, please contact us:

Company: Keep It What Limited

Company Registration Number: 16299426

Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Email: hello@keepitwhat.com

Website: www.keepitwhat.com

Data Protection Contact: hello@keepitwhat.com

We aim to respond to all legitimate requests within one month. Occasionally it may take us longer if your request is particularly complex or you have made multiple requests.

Your Privacy Matters

We are committed to protecting your privacy and handling your data responsibly. If you have any concerns or questions, we're here to help.