Privacy Policy
1. Who we are
This website is operated by Headorn London ("we", "us", "our"). Our registered address is Unavailable. You can contact us at customer.service@headorn.com.
We are the data controller for personal data collected through this website. We are registered with the Information Commissioner's Office (ICO). ICO registration number: Unavailable.
This policy is written in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations (PECR).
2. What data we collect and why
We collect personal data only when it is necessary to provide you with a service or to meet a legal obligation.
| Data collected | Why we collect it | Legal basis (UK GDPR) |
|---|---|---|
| Name, delivery address, email address | To process and fulfil your order; to send you an order confirmation and receipt | Contract performance (Article 6(1)(b)) |
| Payment details | To take payment for your order. We never see or store your full card details. Payment is handled directly by Stripe, Inc., our payment processor. See Stripe's privacy policy. | Contract performance (Article 6(1)(b)) |
| IP address, browser type, pages visited | Analytics — to understand how the site is used and improve it. Only collected if you accept analytics cookies. | Consent (Article 6(1)(a)) |
| Transaction records | To meet our legal obligations under UK tax law (HMRC). Kept for 6 years. | Legal obligation (Article 6(1)(c)) |
We do not collect sensitive personal data (known as "special category data" under UK GDPR), such as health, biometric, or financial profile data.
3. Cookies and tracking technologies
We use cookies and similar technologies on this site. Full details are in our Cookie Policy. In summary:
- Essential cookies are necessary for the site to work. They do not require your consent.
- Analytics cookies (Google Analytics) are only placed with your explicit consent. You can withdraw consent at any time via the cookie preferences link in our footer.
This is compliant with the ICO's updated guidance on storage and access technologies (April 2026) and the Data (Use and Access) Act 2025.
4. How we share your data
We do not sell, rent, or trade your personal data to any third party. We share data only where it is necessary to provide the service:
- Stripe, Inc. — our payment processor. Stripe acts as an independent data controller for payment data. See Stripe's privacy policy. Stripe is certified under the EU-US Data Privacy Framework and operates under standard contractual clauses for any international transfers.
- Google LLC — if you consent to analytics cookies, anonymised usage data is shared with Google Analytics. IP addresses are anonymised. Google operates under standard contractual clauses. See Google's privacy policy.
- Delivery carriers — for physical orders, we share your name and delivery address with our delivery provider to fulfil your order.
- HMRC — we may have to share transaction data with HMRC where UK tax law requires it.
5. International data transfers
Stripe and Google are US-based companies. When they process your data, it may be transferred outside the UK. Both companies use appropriate safeguards, including the UK International Data Transfer Agreement (IDTA) or standard contractual clauses, as required by the UK GDPR. You can request details of these safeguards by contacting us.
6. How long we keep your data
| Data type | Retention period | Reason |
|---|---|---|
| Order and transaction records | 6 years from the end of the tax year | UK tax law (HMRC) |
| Delivery address | Until the order is fulfilled and any return/dispute period expires (90 days) | Contract performance |
| Analytics data | 26 months (Google Analytics default) | Consent — deletable on request |
| Cookie consent records | 12 months | Compliance records (PECR) |
After these periods, data is securely deleted or anonymised.
7. Your rights under UK GDPR
You have the following rights over your personal data:
- Right of access — you can request a copy of all personal data we hold about you (a Subject Access Request, or SAR). We will respond within one calendar month.
- Right to rectification — you can ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — you can ask us to delete your data. Note: we may be unable to delete data we are legally required to retain (e.g. financial records).
- Right to restrict processing — you can ask us to pause how we use your data in certain circumstances.
- Right to data portability — where processing is based on consent or contract and carried out by automated means, you can ask for your data in a machine-readable format.
- Right to object — you can object to processing based on legitimate interests.
- Right to withdraw consent — where we process data based on your consent (e.g. analytics cookies), you can withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at customer.service@headorn.com. We will not charge a fee for reasonable requests. We will respond within one calendar month.
8. How we keep your data secure
We take appropriate technical and organisational measures to protect your personal data, including:
- HTTPS encryption on all pages of this website
- Payment data processed entirely by Stripe — we never store card details on our systems
- Access to customer order data restricted to authorised personnel only
- Regular review of data held and deletion of data no longer needed
If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and contact you directly if required.
9. Children's data
Our shop is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
10. ICO registration and complaints
We are registered with the Information Commissioner's Office. ICO registration number: Unavailable.
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the ICO:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
We would appreciate the opportunity to address your concerns directly before you contact the ICO, so please contact us first at customer.service@headorn.com.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page. For significant changes, we will take reasonable steps to notify you (for example, by displaying a prominent notice on the site). We recommend checking this page periodically.
This policy was prepared with reference to the UK GDPR (retained from EU GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025, the Privacy and Electronic Communications Regulations 2003, and ICO guidance current as of June 2026.