Privacy Policy

Our approach: we don't keep your data

This shop is built to collect as little as possible and to delete your personal details once they are no longer needed. We do not require an account, we do not use advertising or analytics trackers, and we do not store payment instruments.

Your data is encrypted in transit (TLS 1.3) and personal fields are encrypted at rest. This is a privacy-by-design service.

What we collect, and why

• Delivery name and address — to ship your order.
• A phone number — so we can call to verify your age and take payment.
• Cart contents and totals — to fulfil and for tax records.

Lawful basis: performance of a contract (UK GDPR Art. 6(1)(b)).

How long we keep it

We keep your personal details only for a limited window after dispatch, then permanently erase your name, address and contact details. We retain an anonymised financial record (order id, items, totals, VAT, dates) with no personal data, for about 6 years as HMRC requires.

Your rights

You can ask us to erase your details early — email privacy@42online.shop. You also have rights of access, rectification, and to complain to the ICO (ico.org.uk).