Privacy Policy
Last updated: 30/05/2025
1. Introduction
Welcome to Nassy Ltd (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you interact with our websites, services, products, and any other channels operated by us (collectively, the “Services”).
We are committed to respecting your privacy and handling your personal information transparently and securely in accordance with applicable laws, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Services.
2. Who We Are
Nassy Ltd is a company registered in England and Wales, with its registered office at:
71-75 SHELTON STREET LONDON GREATER LONDON WC2H 9JQ
Email: nassyLondon@gmail.com
Company registration number: [Insert Company Number]
We are the data controller for the purposes of data protection law. This means we are responsible for deciding how we hold and use personal data about you.
3. Who This Policy Applies To
This Privacy Policy applies to the personal data we collect and process from:
- Visitors to our website(s)
- Customers who make purchases via our website
- Individuals who contact us via email, forms, or other means
- Individuals who sign up for newsletters or marketing communications
- Individuals interacting with us through social media or advertising platforms
This policy does not apply to anonymised or aggregated data that does not (and cannot) identify you as an individual.
4. What Is Personal Data?
Under data protection law, “personal data” means any information relating to an identified or identifiable natural person (also known as a “data subject”). This includes, for example:
- Name, email, or delivery address
- Online identifiers such as your IP address
- Purchase history
- Payment information (to the extent it’s collected directly)
- Your preferences, account data, or browsing behaviour
We do not intentionally collect or process any special category data (e.g., health information, political opinions, religious beliefs, etc.) unless specifically required and permitted under applicable law.
5. Our Commitment to You
We promise to:
- Collect only the data we need to provide and improve our services
- Be transparent about how your data is used
- Not sell your data to third parties
- Keep your data secure and confidential
- Allow you to exercise your rights under data protection law
6. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the law or in our practices. When we make changes, we will:
- Update the “Last updated” date at the top of this policy
- Where appropriate, notify you via email or website banner
- Provide access to the previous version upon request
We encourage you to regularly review this Privacy Policy to stay informed about how we are protecting your personal data.
7. How to Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, you can contact us at:
Data Protection Officer (DPO)
Nassy Ltd
Email: nassyLondon@gmail.com
Address: 71-75 SHELTON STREET LONDON GREATER LONDON WC2H 9JQ
Personal Data Collection & Use
1. Types of Personal Data We Collect
We may collect and process the following categories of personal data:
Identity and Contact Data
- Full name
- Billing and shipping address
- Email address
- Phone number
- Social media handle (if you interact with us through those platforms)
Account and Profile Data
- Username and password
- Preferences
- Past orders or wish lists
Transaction Data
- Details of products you’ve purchased from us
- Payment method used (we do not store full credit/debit card details)
- Delivery tracking and history
Technical Data
- IP address
- Browser type and version
- Device identifiers
- Time zone setting and location
- Operating system and platform
- Other technology on the devices you use to access our Services
Usage Data
- How you use our website and services
- Clickstream data (e.g. pages viewed, links clicked, bounce rates)
- Session durations
Marketing and Communications Data
- Preferences for receiving marketing from us and third parties
- Your communication preferences
- Responses to promotions or surveys
User-Generated Content
- Product reviews
- Comments or feedback submitted via forms or email
2. How We Collect Your Data
We collect personal data through a range of interactions:
Direct Interactions
You provide us data directly when you:
- Make a purchase on our website
- Create an account
- Subscribe to newsletters or marketing communications
- Contact us via email, phone, or contact form
- Enter a competition, promotion, or survey
Automated Technologies or Interactions
As you interact with our website, we automatically collect technical data about your device and browsing behaviour via cookies and similar technologies (see our Cookie Policy for more details).
Third Parties or Publicly Available Sources
We may receive personal data about you from third parties, including:
- Analytics providers such as Google Analytics
- Advertising networks such as Facebook (Meta), Instagram, Twitter
- Email marketing platforms such as Klaviyo or Mailchimp
- Ecommerce platforms such as WooCommerce
- Payment processors such as Stripe or PayPal
- Delivery and logistics providers
3. Purposes and Legal Bases for Processing
We only process your personal data where we have a lawful basis to do so. This includes:
| Purpose | Types of Data | Lawful Basis |
| --- | --- | --- |
| To process and fulfill your orders | Identity, Contact, Transaction | Contractual necessity |
| To manage your account | Identity, Profile, Contact | Contractual necessity |
| To provide customer service and support | Identity, Contact, Communications | Legitimate interests; Contract |
| To send marketing communications | Identity, Contact, Preferences | Consent (opt-in); Legitimate interests |
| To administer promotions and surveys | Identity, Contact, Usage | Consent; Legitimate interests |
| To improve our website and user experience | Technical, Usage, Analytics | Legitimate interests |
| To prevent fraud or misuse | Identity, Technical, Transaction | Legal obligation; Legitimate interests |
| To comply with legal and regulatory obligations | All necessary data types | Legal obligation |
4. Sharing Your Data with Third Parties
We may share your data with selected third parties in the following categories and for the following purposes:
a. Service Providers and Partners
We share necessary data with trusted partners to operate our business and deliver your orders:
- WooCommerce – the e-commerce platform powering our website
- Mailchimp / Klaviyo – for targeted email campaigns and marketing communications
- Delivery partners – to ship and deliver your orders
- Payment processors (e.g. PayPal, Stripe) – to securely handle your transactions
- IT and security providers – to maintain the safety and functionality of our website
b. Advertising and Analytics Partners
Including:
- Facebook Pixel (Meta) – for targeted social media advertising
- Google Analytics – for website usage tracking
- Twitter Pixel – for advertising on Twitter
- YouTube embeds – for content hosted on our channel
We ensure that these partners process data only in accordance with our instructions and applicable data protection laws.
c. Legal and Business Transfers
We may also disclose your personal data:
- If we sell, transfer, or merge parts of our business or assets
- If we are under a duty to disclose or share your personal data in order to comply with legal obligations
- To enforce or apply our terms and conditions or defend against legal claims
5. International Transfers
Some of our partners and processors are based outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure that a similar degree of protection is afforded to it by implementing at least one of the following safeguards:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers based outside the EEA (e.g., in the United States), we ensure appropriate safeguards are in place, such as:
  - Standard Contractual Clauses (SCCs) approved by the European Commission;
  - Binding Corporate Rules (BCRs);
  - Privacy Shield certification (where applicable), although this is subject to legal developments.
If you want more information about the specific mechanism we use when transferring your personal data outside the EEA, please contact us at nassyLondon@gmail.com.
6. Data Security
We have implemented technical and organizational security measures designed to protect your personal data from unauthorized access, disclosure, alteration, or destruction. These measures include:
- Encryption of sensitive data;
- Secure servers with firewalls and access controls;
- Limiting access to your personal data to authorized personnel who need it to perform their job functions;
- Regular security audits and reviews.
If we discover a data breach that affects your personal data, we will notify you and the relevant data protection authorities as required by law.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to meet legal, accounting, or reporting obligations. Retention periods may vary depending on the type of data:
- Order and transaction data: Retained for as long as necessary to fulfill our contractual and legal obligations (e.g., tax and accounting). In certain cases—such as ongoing disputes or complaints—we may retain this data for longer.
- Marketing data and preferences: Retained until you unsubscribe or opt out of marketing communications.
- Data related to disputes or legal claims: Retained until the issue is resolved or the applicable limitation period has expired.
We regularly review our retention periods to ensure that personal data is not kept longer than necessary.
If you wish to request deletion of your personal data, please contact us (see contact details below). Please note that we may need to retain certain information for legal or legitimate business reasons.
8. Your Legal Rights
Under applicable data protection laws, you may have the following rights regarding your personal data:
- Right to Access: Obtain a copy of your personal data we hold;
- Right to Rectification: Correct inaccurate or incomplete data;
- Right to Erasure (“Right to be forgotten”): Request deletion of your data under certain conditions;
- Right to Restrict Processing: Limit how we use your data in certain cases;
- Right to Data Portability: Receive your data in a structured, commonly used format and transmit it to another controller;
- Right to Object: Object to our processing of your data, including for direct marketing;
- Right not to be subject to automated decision-making: Including profiling, unless legally permitted.
To exercise any of these rights, please contact us at nassyLondon@gmail.com. We may request proof of identity before processing your request to protect your privacy.
9. Contact Us
If you have any questions about this Privacy Policy or our data practices, or to exercise your rights, please contact:
Nassy Ltd
71-75 SHELTON STREET LONDON GREATER LONDON WC2H 9JQ
Official company registration number:[ __________
Email: nassyLondon@gmail.com
Phone: +44 7912564128
10. Where We Store Your Personal Information
Our online store is hosted by Fasthosts, and we use WooCommerce to manage our e-commerce platform. Your personal data is stored securely on Fasthosts’ servers, and WooCommerce processes this data in accordance with applicable data protection laws and regulations. You can view Fasthosts’ privacy policy here: https://www.fasthosts.co.uk/terms/privacy-policy.
We use Mailchimp to manage our email marketing and customer communications. This may include sharing limited personal information such as your name and email address to help us deliver relevant emails and advertisements. Mailchimp’s privacy policy is available here: https://www.intuit.com/privacy/statement/
For payments, we currently use PayPal, a secure, PCI-DSS-compliant payment gateway. Your payment details are processed directly by PayPal and are not stored on our servers. You can read PayPal’s privacy policy here: https://www.paypal.com/privacy
We may update this section in the future if we integrate with additional platforms such as Stripe. Any changes will be clearly stated in our Privacy Policy.
11. Data Transfers and Processing Outside the EEA
Your personal data may be transferred to and stored at destinations outside the European Economic Area (“EEA”). This may involve processing by staff located outside the EEA, including employees or service providers who assist with order fulfillment, payment processing, and customer support.
By providing your personal data, you consent to such transfers, storage, and processing. We ensure your data receives appropriate protection consistent with this Privacy Policy and applicable laws.
12. Password Security
If you create an account or receive a password to access parts of our website, you are responsible for keeping your password confidential and secure. Please do not share your password with anyone.
13. Internet Security & Data Protection
While we use strict security measures to protect your personal data, transmission over the internet is never completely secure. Upon receipt, we take appropriate precautions and require third parties who process your data to maintain adequate safeguards to prevent unauthorized access or disclosure.
14. International Data Transfers
When transferring your personal data outside the EEA, we implement safeguards to ensure your data is adequately protected. These include:
- Transferring only to countries recognized by the European Commission as providing an adequate level of data protection;
- Using Standard Contractual Clauses (SCCs) approved by the European Commission;
- Applying Binding Corporate Rules (BCRs) where relevant;
- Utilizing the EU-US Privacy Shield framework where applicable (subject to current legal status).
If you want detailed information about the safeguards we use for transfers, please contact us.
15. Your Legal Rights
You have rights under applicable data protection laws concerning your personal data, including:
- Right to Rectification: Correct any inaccurate or incomplete personal data.
- Right of Access: Request confirmation of processing and obtain a copy of your personal data along with details of how it’s processed.
- Right to be Informed: Know how your data is processed, the retention period, legal basis, recipients, and consequences of not providing data.
- Right to Restrict Processing: Limit processing in cases such as contested accuracy or unlawful processing.
- Right to Data Portability: Receive your personal data in a portable format and transfer it to another party.
- Right not to be Subject to Automated Decision-Making: Object to decisions made solely by automated means that significantly affect you.
- Right to Object: Object to processing for direct marketing or where based on legitimate interests, subject to overriding grounds.
16. Exercising Your Rights
To exercise any of these rights, please contact us at nassyLondon@gmail.com. We may need to verify your identity before fulfilling your request to protect your privacy.
You typically will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee or refuse requests that are excessive or unfounded.
We aim to respond to all legitimate requests within one month. Complex or multiple requests may take longer, and we will notify you if this is the case.
17. Glossary
- Comply with a Legal Obligation: Processing your data to meet a legal requirement.
- Legitimate Interest: Our business interests in managing and improving our services balanced against your rights.
- Performance of Contract: Processing necessary for fulfilling a contract with you.
- External Third Parties: Service providers and professional advisers who process your data on our behalf. This includes platforms and tools we use to operate our online store and marketing, such as:
  - Mailchimp, for email marketing communications;
  - Payment processors like PayPal (and Stripe, if applicable);
  - WooCommerce, which is the e-commerce platform powering our website.
18. Contact Information
For questions, concerns, or to exercise your data protection rights, please contact:
Nassy Ltd
71-75 SHELTON STREET LONDON GREATER LONDON WC2H 9JQ
Email: nassyLondon@gmail.com
Phone: +44 7912564128