Peacocks & Petals · peacocksandpetals.uk
Privacy Policy
Contents
1. Who We Are
Peacocks & Petals is the operator of www.peacocksandpetals.uk. For the purposes of the UK GDPR and the Data Protection Act 2018, we are the data controller — meaning we determine the purposes and means of processing personal data collected through this website.
Our full identity and contact details are available on our website www.peacocksandpetals.uk.
Our website is built and hosted on the Squarespace platform (Squarespace, Inc., 225 Varick Street, New York, NY 10014, USA). Squarespace acts as a data processor on our behalf in accordance with their Data Processing Addendum and Privacy Policy.
2. Personal Data We Collect
We only collect personal data that is necessary for a specific, legitimate purpose. The types of data we may collect are set out below.
2.1 Data You Give Us Directly
- Contact information — name, email address, phone number, and any message content submitted via contact forms on our website.
- Enquiry details — information about your event, requirements, or project that you choose to share when contacting us.
- Marketing preferences — whether you have opted in to receive emails, newsletters, or updates from us.
2.2 Data Collected Automatically
When you visit our website, Squarespace and our analytics tools may automatically collect technical data about your visit, including:
- IP address (which may indicate your approximate location)
- Browser type and version
- Operating system and device type
- Pages visited, time spent on pages, and navigation paths
- Referring URL (the page you visited before arriving on our site)
- Date and time of your visit
This data is collected via cookies and Squarespace's built-in analytics. For full details, see our Cookie Policy.
2.3 Data We Do Not Collect
We do not knowingly collect special category data (such as health information, racial or ethnic origin, religious beliefs, or biometric data) through this website. Please do not submit such information via our contact forms.
We do not collect payment card details directly — any payments are processed through Squarespace's secure commerce tools or third-party payment processors, which have their own privacy policies.
3. How We Collect Your Data
We collect personal data through the following means:
- Contact forms — when you complete and submit a form on our website (e.g. an enquiry or booking request form).
- Email correspondence — when you email us directly.
- Cookies and analytics — automatically when you browse our website, subject to your consent preferences. See our Cookie Policy for details.
- Newsletter sign-up — if you subscribe to receive updates or news from us.
- Squarespace platform — Squarespace collects certain technical data as part of hosting and operating our website. For details of what Squarespace collects, see their Privacy Policy.
4. Why We Use Your Data & Our Legal Basis
Under UK GDPR, we must have a lawful basis for every type of processing. The table below sets out what we use your data for and the legal basis we rely on.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Responding to enquiries and messages you send us | Name, email, phone number, message content | Contract / Pre-contract Art. 6(1)(b) UK GDPR — necessary to take steps at your request |
| Sending marketing emails or newsletters (only where you have opted in) | Name, email address, marketing preferences | Art. 6(1)(a) UK GDPR — you can withdraw consent at any time |
| Analysing how visitors use our website so we can improve it | IP address, browser/device data, pages visited, session data (via Squarespace Analytics and/or Google Analytics) | Art. 6(1)(a) UK GDPR — analytics cookies require your consent |
| Operating and maintaining our website securely (essential cookies, security tokens) | Session data, CSRF tokens, redirect data | Legitimate Interests Art. 6(1)(f) UK GDPR — necessary for secure and functional website operation |
| Complying with our legal obligations (e.g. responding to regulatory or law enforcement requests) | Any relevant personal data | Legal Obligation Art. 6(1)(c) UK GDPR |
| Preventing fraud and protecting the security of our website and users | IP address, technical data | Legitimate Interests Art. 6(1)(f) UK GDPR — we have a legitimate interest in maintaining site security |
Marketing Communications
We will only send you marketing emails or newsletters if you have explicitly opted in to receive them. Every marketing email we send will include a clear and easy way to unsubscribe. Once you unsubscribe, we will stop sending marketing communications promptly and will not send further messages without fresh consent.
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.
6. International Data Transfers
Our website is hosted by Squarespace, Inc., which is based in the United States. As a result, personal data submitted through our website — including contact form submissions and analytics data — may be transferred to and stored on servers in the USA.
Similarly, if Google Analytics is in use, data is processed by Google LLC, also based in the United States.
These transfers are made lawfully using one or more of the following safeguards:
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses — as referenced in Squarespace's Data Processing Addendum
- Adequacy decisions — where the UK Secretary of State has determined the recipient country provides an adequate level of protection
- Data Privacy Framework — where applicable under the UK Extension to the EU-US Data Privacy Framework
You can find further details about the safeguards Squarespace uses for international transfers in their Privacy Policy and Data Processing Addendum.
7. How Long We Keep Your Data
We keep personal data only for as long as necessary for the purpose it was collected, or as required by law. The table below sets out our standard retention periods.
| Data Type | Retention Period | Reason |
|---|---|---|
| Contact form enquiries | 2 years from last contact | To follow up on your enquiry and for business records |
| Email correspondence | 2 years from last contact | To maintain a record of communications |
| Marketing consent and email list | Until you withdraw consent or unsubscribe, then deleted promptly | Consent-based processing — must stop when consent is withdrawn |
| Website analytics data (Squarespace) | Up to 2 years (controlled by Squarespace) | Website performance monitoring |
| Financial/transaction records (if applicable) | 6 years | HMRC and legal requirements |
After the applicable retention period, we will securely delete or anonymise your personal data. If you would like us to delete your data sooner, please see your rights in Section 9.
9. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions, but we will always respond to your request within one calendar month.
Request a copy of the personal data we hold about you (a Subject Access Request / SAR). We will provide this free of charge in most circumstances.
Ask us to correct personal data that is inaccurate or incomplete. We will act on valid requests promptly.
Request deletion of your personal data ("right to be forgotten") where there is no compelling reason for us to continue holding it.
Ask us to limit how we use your data — for example, while you contest its accuracy or object to our use of it.
Receive personal data you provided to us in a structured, commonly used, machine-readable format, where processing is based on consent or contract.
Object to processing based on legitimate interests, or to direct marketing at any time. We will stop processing for marketing purposes immediately upon request.
Where we rely on consent, you may withdraw it at any time. This will not affect the lawfulness of processing carried out before withdrawal.
Lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed. See ico.org.uk/make-a-complaint.
To exercise any of the above rights, please contact us using the details in Section 14. We will respond within one calendar month. In complex cases or where we receive a high volume of requests, we may extend this by a further two months — in which case we will inform you.
We will not charge a fee for most requests. However, we may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive.
10. Children's Privacy
Our website and services are not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, please contact us immediately using the details in Section 14 and we will delete it promptly.
11. Security
We take the security of your personal data seriously and take appropriate technical and organisational measures to protect it against unauthorised access, loss, or alteration. These measures include:
- SSL encryption — our website uses HTTPS (SSL/TLS encryption) for all data transmitted between your browser and our site. Squarespace provides SSL certificates as standard on all sites.
- Access controls — access to form submissions and customer data within Squarespace is restricted to authorised personnel only.
- Squarespace security — as our hosting provider, Squarespace maintains industry-standard security measures including data encryption at rest and in transit. For details, see Squarespace's security documentation.
While we take all reasonable steps to protect your data, no method of transmission over the internet is 100% secure. If you suspect a security incident involving your data, please contact us immediately.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours in accordance with Article 33 UK GDPR, and will notify affected individuals where required.
12. External Links
Our website may contain links to third-party websites — for example, social media profiles or partner sites. These websites have their own privacy policies, and we are not responsible for their content or data practices. We recommend reviewing the privacy policy of any third-party site you visit via a link from our website.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, technology, or our business practices. The "Last updated" date at the top of this page will always show when the policy was last revised.
Where we make material changes that affect your rights or how we handle your data, we will notify you via a prominent notice on our website or by email (where we hold a valid email address for you) before the changes take effect.
We encourage you to review this policy periodically. Your continued use of our website following any changes constitutes your acknowledgement of the updated policy.
14. Contact Us & How to Make a Request
Peacocks & Petals is the data controller for personal data collected through this website. If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we handle your data, please get in touch.
Business: Peacocks & Petals
Website: www.peacocksandpetals.uk
Email: peacockspetals@gmail.com
We aim to respond to all data rights requests and privacy queries within 5 working days of receipt, and no later than one calendar month as required by UK GDPR.
Complaints to the ICO
If you are unhappy with how we have handled your personal data or a data rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection regulator:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first.