Privacy Policy

1. Who We Are & Data Controller

YCBD Ltd ("we", "us", "our") is the data controller responsible for your personal data. We are registered with the Information Commissioner's Office (ICO), Registration No. [XXXXXXXX].

Contact: privacy@ycbd.uk · YCBD Ltd, [Address], England, United Kingdom

2. What Data We Collect

Information you provide: Name, email address, delivery address, phone number, date of birth (for age verification), account password (hashed), and order history. Payment card details are processed by our PCI-DSS Level 1 compliant payment processor (Stripe); we never see or store your full card number.

Automatically collected data: IP address, browser type and version, pages visited, time spent, referring URLs, and device information — collected via cookies and server logs.

Communications: Content of emails, chat messages, or correspondence you send us.

3. Legal Basis for Processing

• Contract performance (Article 6(1)(b) UK GDPR): Processing your order, arranging delivery, managing returns and refunds.
• Legal obligation (Article 6(1)(c)): HMRC record-keeping (7 years), fraud prevention, age verification.
• Legitimate interests (Article 6(1)(f)): Website security, preventing fraud, improving our products and service, analytics.
• Consent (Article 6(1)(a)): Marketing emails and non-essential cookies. Consent is freely given and can be withdrawn at any time.

4. How We Use Your Data

• Process and fulfil your orders and manage your account
• Send order confirmation, dispatch, and delivery emails
• Handle returns, refunds, and customer service enquiries
• Send marketing emails and offers (consent-based only)
• Improve our website, products, and customer experience
• Comply with legal obligations (tax, fraud prevention, age verification)
• Detect and prevent fraudulent transactions

5. Data Sharing

We share your data only with trusted third parties necessary to operate our business:

• Payment processors: Stripe, PayPal — for secure payment processing
• Shipping partners: Royal Mail, DPD — for order delivery
• Email service provider: Klaviyo — for transactional and marketing emails
• Analytics: Google Analytics (anonymised) — for website analytics
• Fraud prevention: Stripe Radar — for fraud detection

All third-party processors are bound by GDPR-compliant data processing agreements. We never sell, rent, or trade your personal data to third parties for their own marketing purposes.

6. International Data Transfers

Some third-party providers (e.g., Google, Stripe) may transfer data outside the UK/EEA. Where this occurs, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs).

7. Data Retention

• Order and transaction records: 7 years (HMRC legal requirement)
• Customer accounts: Active period + 2 years after last login
• Marketing data: Until you unsubscribe or withdraw consent
• Cookie data: As set out in our Cookie Policy
• CCTV/security logs: 30 days

8. Your Rights Under UK GDPR

You have the following rights, which you can exercise by contacting privacy@ycbd.uk:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your data ("right to be forgotten"), subject to legal obligations
• Right to restrict processing: Limit how we use your data in certain circumstances
• Right to data portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent: Withdraw any consent previously given, at any time

We will respond to data rights requests within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk / 0303 123 1113.

9. Security

We implement appropriate technical and organisational security measures to protect your data including: SSL/TLS encryption, PCI-DSS compliant payment processing, access controls, and regular security reviews. In the event of a data breach, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR.

10. Children's Privacy

Our website and products are not directed at persons under 18. We do not knowingly collect personal data from minors. If we discover we have inadvertently collected data from a person under 18, it will be promptly deleted.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via email or a prominent notice on our website. The date of the last update is shown above.

12. Contact

Data protection enquiries: privacy@ycbd.uk · YCBD Ltd, [Address], England, UK