Privacy Policy

This Privacy Policy describes in detail how Thunmareueythea ("we", "us", "our") collects, uses, stores, shares, and protects your personal data when you access or use the website thunmareueythea.world, when you purchase or enquire about our indoor plants and related services, when you contact us by any means, or when you interact with our business in any way. We are committed to handling your data fairly, lawfully, and transparently in accordance with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations (PECR) where applicable. This policy applies to all visitors to our website, customers who purchase indoor plants from us, and anyone who provides their personal data to Thunmareueythea.

Data Controller and Contact Details

The data controller responsible for determining the purposes and means of processing your personal data is Thunmareueythea. Our registered or principal place of business is 270 Cambridge Heath Rd, London E2 9DA, United Kingdom. For any questions about this policy, your personal data, or to exercise your rights, you may contact us by post at the address above, by using the contact form available on thunmareueythea.world, or by telephone on +44 20 8880 7080. We will respond to your request without undue delay and in any event within one month of receipt, subject to any extension permitted by UK law where requests are complex or numerous.

Personal Data We Collect

We may collect and process the following categories of personal data in connection with our indoor plant sales, website, and related services. The exact data we collect depends on how you interact with us.

• Identity and contact data: your full name, title (if provided), email address, telephone number, and delivery or billing address when you place an order, request a quote, create an enquiry, subscribe to communications, or contact us about our plants, delivery, care advice, or any other matter. We may also collect your address when you choose to collect an order from our premises.
• Transaction and order data: details of the indoor plants you have ordered or enquired about (including product names, quantities, and prices), order history, payment status, delivery preferences (e.g. delivery instructions or preferred time windows where offered), and any special requests you have made in relation to your order.
• Financial and payment data: we do not store your full credit or debit card number on our own systems. Payment card details are collected and processed by our secure payment service providers in accordance with industry standards (e.g. PCI DSS). We may receive and retain limited payment information such as the last four digits of your card, the card type, and the transaction reference for the purposes of order verification, customer support, and fraud prevention.
• Communication data: copies of your messages to us (whether sent via the contact form, email, post, or telephone), our replies to you, and any feedback, reviews, or complaints you provide about our products or services. We may also record or log telephone calls where we have informed you and where permitted by law.
• Technical and usage data: when you visit our website, we may collect your IP address, browser type and version, operating system, device type, unique device identifiers, time zone setting, referring website, pages visited on our site, time and date of access, and length of visit. This data may be collected through cookies and similar technologies as described in our Cookies Policy. We use this data for the operation and security of our website, to improve user experience, and to analyse how our site is used.
• Marketing and preference data: where you have given your consent or where we are otherwise permitted by law, we may use your contact details to send you information about new plants, seasonal offers, care tips, or other promotional material. We may also record your marketing preferences (e.g. whether you have opted in or out of newsletters) and any preferences you have expressed regarding the types of communications you wish to receive.

We do not knowingly collect special category data (such as data concerning health, race, or political opinions) unless you voluntarily provide it in the course of communication and we have a lawful basis to process it. We do not collect personal data relating to children under 16 for the purpose of selling indoor plants unless the order is placed by a parent or guardian.

Lawful Basis and How We Use Your Data

We process your personal data only where we have a lawful basis under UK GDPR. The main lawful bases we rely on are: (a) performance of a contract with you; (b) compliance with a legal obligation; (c) our legitimate interests (provided these are not overridden by your rights); and (d) your consent. Below we set out the purposes for which we use your data and the lawful basis applicable to each.

• Fulfilling and managing orders: we use your identity, contact, and transaction data to process your order for indoor plants, arrange delivery or collection, send order confirmations and delivery updates, and manage any follow-up (e.g. failed delivery attempts). Lawful basis: performance of a contract.
• Processing payments: we use your payment and contact data (via our payment providers) to take payment for your orders and to process refunds where applicable. Lawful basis: performance of a contract.
• Customer service and enquiries: we use your contact and communication data to respond to your enquiries about our plants, care advice, delivery, returns, or any other request. Lawful basis: performance of a contract (where the enquiry relates to an order), legitimate interests (to run and improve our business), or consent where you have contacted us without an existing contract.
• Returns and refunds: we use your order and contact data to process returns, exchanges, and refunds in accordance with our Return Policy and your statutory rights. Lawful basis: performance of a contract and compliance with legal obligations.
• Legal and regulatory compliance: we may use and retain your data to comply with applicable laws, including tax and accounting requirements, consumer law, and to respond to lawful requests from regulators or law enforcement. Lawful basis: legal obligation.
• Establishing or defending legal claims: we may use your data where necessary to establish, exercise, or defend legal claims (e.g. in the event of a dispute). Lawful basis: legitimate interests.
• Website operation and security: we use technical and usage data to ensure our website functions correctly, to detect and prevent fraud or abuse, and to protect our systems and users. Lawful basis: legitimate interests.
• Improving our services: we may use aggregated or anonymised data, and in some cases identifiable usage data, to analyse how our website and services are used and to improve our offerings. Lawful basis: legitimate interests.
• Marketing: where you have given consent, we use your contact details to send you marketing communications about our indoor plants and related offers. You may withdraw consent at any time by contacting us or using the unsubscribe link in any marketing email. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Lawful basis: consent.

Sharing Your Data

We may share your personal data with the following categories of recipients, only to the extent necessary for the purposes described in this policy.

• Courier and logistics providers: we share your name, delivery address, and telephone number (and optionally email) with third-party delivery companies so that your indoor plants can be delivered to you. These providers may use your data in accordance with their own privacy policies for the purpose of fulfilling the delivery.
• Payment processors: when you pay by card or other electronic means, your payment details are processed by our chosen payment service providers. We do not store full card details on our systems. These providers are contractually bound to process data securely and in line with applicable law.
• IT and hosting providers: we may use third-party service providers for website hosting, email delivery, or other technical services. Where these providers process personal data on our behalf, they do so as processors under contract and only in accordance with our instructions.
• Professional advisers: we may share your data with lawyers, accountants, or other professional advisers where necessary for our business (e.g. in connection with a legal or regulatory matter).
• Regulators and authorities: we may disclose your data to the Information Commissioner's Office, HM Revenue and Customs, the police, or other public authorities when required by law or when we reasonably believe disclosure is necessary to protect our rights or the rights of others.

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We require all processors and recipients who handle your data on our behalf to keep it secure and to use it only in accordance with our instructions and applicable data protection law. If we transfer personal data outside the United Kingdom, we will ensure that appropriate safeguards (such as approved standard contractual clauses or adequacy decisions) are in place as required by UK law.

Data Retention

We keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Our retention periods are determined by the nature of the data and the purpose of processing. For example: order and transaction data are typically retained for at least six years from the end of the financial year in which the transaction occurred, in order to comply with tax and accounting obligations; contact form and enquiry data may be retained for a period of several years to deal with follow-up enquiries, returns, or complaints; technical and usage data may be retained for a shorter period (e.g. 12 to 24 months) unless we have a specific reason to retain it longer (e.g. for security or legal purposes). When data is no longer required, we will securely delete or anonymise it so that it can no longer be associated with you. You may request erasure of your data in certain circumstances (see Your Rights below); we will comply where we are not required or permitted to retain the data by law.

Your Rights Under UK Data Protection Law

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are subject to certain conditions and exceptions set out in the legislation.

• Right of access: you have the right to obtain confirmation as to whether we process your personal data and, where that is the case, to receive a copy of your data and certain information about how we process it (subject to the rights of others and other exceptions).
• Right to rectification: you have the right to have inaccurate personal data corrected and, taking into account the purposes of processing, to have incomplete personal data completed.
• Right to erasure: in certain circumstances (e.g. where the data is no longer necessary, where you withdraw consent, or where the data has been unlawfully processed), you have the right to request that we erase your personal data. This right is not absolute and may not apply where we are required to retain the data by law or for the establishment, exercise, or defence of legal claims.
• Right to restrict processing: in certain circumstances you have the right to request that we restrict the processing of your data (e.g. where you contest the accuracy of the data or the lawfulness of the processing).
• Right to data portability: where we process your data by automated means and the processing is based on your consent or on a contract with you, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.
• Right to object: you have the right to object at any time to processing of your data carried out on the basis of our legitimate interests, including profiling. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or for the establishment, exercise, or defence of legal claims. You also have the right to object at any time to processing of your data for direct marketing; in that case we will cease processing for that purpose.
• Rights in relation to automated decision-making: we do not currently make decisions based solely on automated processing that significantly affect you. If we did, you would have the right to obtain human intervention, to express your point of view, and to contest the decision.

To exercise any of these rights, please contact us using the details given in the Data Controller section above. We will respond to your request within one month of receipt, subject to any extension where permitted by law. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. You can contact the ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, or via ico.org.uk. We would encourage you to contact us first so that we can try to resolve any concern.

Security of Your Personal Data

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include: use of secure connections (HTTPS) when you access our website; restricted access to personal data on a need-to-know basis; secure storage of data; and careful selection and oversight of third-party processors. Despite our efforts, no method of transmission over the internet or electronic storage is completely secure; we cannot guarantee absolute security but we will notify you and the ICO of a personal data breach where we are required to do so by law.

Cookies and Similar Technologies

Our website uses cookies and similar technologies. For detailed information about the cookies we use, the purposes for which we use them, and how you can control them, please see our Cookies Policy.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or in legal or regulatory requirements. The current version will always be available on this page. We will indicate the date of the last update at the bottom of the policy where appropriate. If we make material changes that affect how we use your personal data, we may notify you by email or by a prominent notice on our website. We encourage you to review this policy periodically. Your continued use of our website or services after the posting of changes constitutes your acceptance of the updated policy where applicable. Where we have a contract with you and a change affects your rights, we will comply with any notice or consent requirements under that contract or under law.

Contact Us

For any questions, comments, or requests regarding this Privacy Policy or your personal data, please contact Thunmareueythea at 270 Cambridge Heath Rd, London E2 9DA, United Kingdom, or via the contact form on thunmareueythea.ddd. We will endeavour to respond as quickly as possible.