Privacy policy
HaythereHorseArt.com
Privacy Policy — Version 2
Last updated: March 2026
Version 2 Note: This Privacy Policy has been revised from the Shopify default template to address UK GDPR / Data Protection Act 2018 requirements (including the Data (Use and Access) Act 2025), CCPA/CPRA obligations for California residents, ICO transparency standards, and cross-border data transfer requirements for a UK business selling to US customers.
WHO WE ARE AND HOW TO CONTACT US
Haytherehorseart.com is operated by Miss S.E. Mansfield.
The named person is the data controller for the personal information collected through this website. As a UK-based business, we are regulated by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as updated by the Data (Use and Access) Act 2025.
Our registered address is: Kenilworth House, West Drove North, Walton Highway, Wisbech, PE14 7DP, United Kingdom.
For all privacy-related enquiries, please contact us at: Miss S.E. Mansfield: info@haytherehorseArt.com
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.
OVERVIEW
This Privacy Policy explains how HaythereHorseArt.com collects, uses, shares, and protects your personal information when you visit, use, or make a purchase through our website, or when you otherwise communicate with us. Our store is powered by Shopify.
Please read this policy carefully. By using our Services, you confirm that you have read and understood how we use your personal data. If you do not agree with our practices, please do not use our website.
If there is any conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to the collection, processing, and disclosure of your personal information.
PERSONAL INFORMATION WE COLLECT
When we use the term 'personal information', we mean information that identifies you or can reasonably be linked to you. We collect the following categories of personal data:
| Category | Examples |
| --- | --- |
| Contact details | Name, email address, phone number, billing and shipping address |
| Financial information | Payment card details, transaction history, payment confirmation (note: full card numbers are processed by Shopify/payment providers, not stored by us) |
| Account information | Username, password, preferences and settings |
| Transaction information | Items viewed, added to cart, purchased, returned or cancelled |
| Communications | Content of messages sent to us, customer support enquiries |
| Device & usage data | IP address, browser type, device identifiers, pages visited, how you interact with our website |
We collect only the personal data that is necessary for the purposes described in this policy. We do not collect special category data (such as health, racial or ethnic origin, or biometric data).
HOW WE COLLECT YOUR PERSONAL INFORMATION
We collect personal information from the following sources:
- Directly from you — when you create an account, place an order, contact us, or submit a review.
- Automatically through our website — via cookies and similar tracking technologies when you browse our store. See our Cookie Policy for full details.
- From Shopify — as our platform provider, Shopify collects and shares certain data with us to enable the Services. See the Relationship with Shopify section below.
- From our service providers — such as payment processors, fulfilment partners, and analytics providers.
OUR LAWFUL BASIS FOR PROCESSING YOUR DATA (UK GDPR)
Why this matters: Under UK GDPR Article 6, we must have a lawful basis for every type of personal data processing we carry out. We are required to tell you which basis applies. The ICO requires this to be clearly stated in our privacy notice.
| Processing Purpose | Lawful Basis |
| --- | --- |
| Processing your order and payment | Contract — necessary to perform our contract with you |
| Shipping and fulfilment | Contract — necessary to deliver what you have ordered |
| Customer service and support | Contract and Legitimate Interests — responding to your enquiries |
| Sending order and account notifications | Contract — necessary for order management |
| Fraud prevention and security | Legitimate Interests — protecting our business and customers from fraud |
| Improving our website and services | Legitimate Interests — understanding how our site is used |
| Marketing emails (if opted in) | Consent — we only send marketing communications with your explicit opt-in |
| Complying with legal obligations | Legal Obligation — e.g. tax, accounting, responding to lawful requests |
| Personalised advertising via Shopify | Consent / Legitimate Interests — see Shopify section below |
Where we rely on Legitimate Interests as our lawful basis, we have carried out a balancing test to confirm that our interests do not override your rights and freedoms. You may request information about these assessments by contacting us.
Where we rely on Consent (e.g. for marketing emails or non-essential cookies), you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal.
HOW WE USE YOUR PERSONAL INFORMATION
We use your personal information for the following purposes:
- To process and fulfil your orders, including payment processing, production, and shipping.
- To manage your account and maintain our business relationship with you.
- To send you transactional communications relating to your orders (e.g. confirmations, dispatch notifications, return updates).
- To send you marketing and promotional communications by email, but only where you have opted in. You may unsubscribe at any time using the link in any marketing email.
- To detect, investigate and prevent fraudulent transactions and other illegal activity.
- To improve and personalise the Services, including recommending products based on your browsing and purchase history.
- To comply with our legal and regulatory obligations.
- To respond to legal processes or requests from law enforcement or government agencies, where required by law.
We will not use your personal data for purposes that are incompatible with those described above without first notifying you and, where required, obtaining your consent.
HOW WE SHARE YOUR PERSONAL INFORMATION
We do not sell your personal information to third parties. We may share your personal data with the following categories of recipients, and only to the extent necessary:
- Shopify Inc. — as our ecommerce platform provider. See the Relationship with Shopify section below.
- Payment processors (e.g. Stripe, PayPal) — to process your payment securely. These providers process card data on our behalf and are bound by their own PCI-DSS and data protection obligations.
- Print-on-demand fulfilment partners — to produce and ship your order. We share your name, delivery address, and order details with our production and fulfilment partners as necessary.
- Shipping carriers — your name, address, and contact details are shared with carriers to arrange delivery.
- Analytics providers — we use tools such as Google Analytics to understand website usage. These tools may collect anonymised or pseudonymised data.
- Marketing and advertising partners — where you have consented to marketing, we may share limited data with advertising platforms. See the Cookies section.
- Legal and regulatory authorities — where required by law, court order, or to protect our legal rights.
- Business transfers — in the event of a merger, acquisition or sale of assets, your data may be transferred to the new entity, subject to the same protections described in this policy.
All third parties who process personal data on our behalf are required to handle it in accordance with data protection law and our instructions.
OUR RELATIONSHIP WITH SHOPIFY
Our store is hosted by Shopify Inc., a Canadian company. Shopify collects and processes personal data about your use of the Services to provide and improve the platform. Information you submit may be transmitted to and shared with Shopify and its sub-processors, who may be located outside the UK or EEA.
Shopify uses certain data from interactions across its merchant network (including ours) for its own enhanced features and services. Where Shopify is acting as a data controller in its own right for these purposes, Shopify is responsible for responding to your rights requests relating to that processing.
To learn more about how Shopify processes your personal data, please review the Shopify Consumer Privacy Policy at https://www.shopify.com/legal/privacy and the Shopify Privacy Portal at https://privacy.shopify.com/en.
INTERNATIONAL DATA TRANSFERS
As a UK-based business selling to US customers and using US-based service providers (including Shopify, payment processors, and fulfilment partners), your personal data will be transferred to and processed in countries outside the United Kingdom.
Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR Article 46, including:
- Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) approved by the UK Secretary of State.
- Transfers to countries or organisations covered by UK adequacy regulations (currently including countries in the EEA, and US organisations certified under the UK Extension to the EU-US Data Privacy Framework).
The United States is considered adequate for data transfers from the UK for organisations certified under the UK Extension to the EU-US Data Privacy Framework. Where our US service providers are certified under this framework, we rely on that adequacy finding. Where they are not, we rely on appropriate contractual safeguards.
You may request further information about the international transfer safeguards we rely on by contacting us.
COOKIES AND TRACKING TECHNOLOGIES
Legal requirement: Under the UK Privacy and Electronic Communications Regulations (PECR), as updated by the Data (Use and Access) Act 2025, we are required to obtain your consent before placing non-essential cookies on your device. We use a cookie consent banner on our website for this purpose.
We use cookies and similar tracking technologies on our website. These include:
- Essential cookies — strictly necessary for the website to function (e.g. shopping cart, checkout). These do not require your consent.
- Analytics cookies — help us understand how visitors use our site (e.g. Google Analytics). These require your consent.
- Marketing/advertising cookies — used to show you relevant advertisements on other websites based on your browsing activity. These require your consent.
- Preference cookies — remember your settings and preferences. These require your consent.
You can manage your cookie preferences at any time via our cookie consent tool on the website. You may also control cookies through your browser settings, though disabling all cookies may affect site functionality.
For full details of the cookies we use, please see our Cookie Policy.
HOW LONG WE KEEP YOUR DATA
We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our general retention principles are:
- Order and transaction data — retained for 7 years to comply with UK tax and accounting obligations (HMRC requirements).
- Account data — retained for the duration of your account, plus a reasonable period thereafter in case of disputes or follow-up queries.
- Marketing consent records — retained for the period during which you are subscribed, plus sufficient time to demonstrate compliance.
- Customer service communications — retained for up to 3 years.
- Website usage and analytics data — typically retained for 26 months in anonymised form.
When data is no longer required, it is securely deleted or anonymised. You may request deletion of your data at any time (see Your Rights section below), subject to legal retention requirements.
YOUR RIGHTS UNDER UK GDPR
As a UK resident (or any individual whose data we process), you have the following rights under the UK General Data Protection Regulation and Data Protection Act 2018:
- Right to be Informed — the right to know how your personal data is being used (this Privacy Policy fulfils this obligation).
- Right of Access — you can request a copy of the personal data we hold about you (a Subject Access Request or SAR). We will respond within one month.
- Right to Rectification — you can ask us to correct inaccurate or incomplete personal data.
- Right to Erasure ('Right to be Forgotten') — you can ask us to delete your personal data, subject to certain legal exceptions (e.g. where we must retain data for tax purposes).
- Right to Restrict Processing — you can ask us to pause processing of your data in certain circumstances.
- Right to Data Portability — you can request a copy of your data in a structured, commonly used format to transfer to another provider, where technically feasible.
- Right to Object — you can object to processing based on Legitimate Interests, and you have an absolute right to object to direct marketing at any time.
- Rights related to Automated Decision-Making — we do not currently use solely automated decision-making that produces legal or similarly significant effects. If this changes, we will update this policy.
To exercise any of these rights, please contact us at info@haytherehorseart.com. We will respond within one month and will not charge a fee for reasonable requests. We may need to verify your identity before processing your request.
If you are unhappy with our response or believe we are not handling your data lawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk.
ADDITIONAL RIGHTS FOR CALIFORNIA RESIDENTS (CCPA/CPRA)
Note for California residents: If you are a resident of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and updated regulations effective January 1, 2026, give you additional rights over your personal information.
California residents have the following rights:
- Right to Know — you may request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, including the sources, purposes, and third parties with whom it was shared.
- Right to Delete — you may request deletion of your personal information, subject to certain exceptions.
- Right to Correct — you may request that we correct inaccurate personal information we hold about you.
- Right to Opt Out of Sale or Sharing — we do not sell your personal information. We may share certain data with advertising partners for cross-context behavioural advertising. You may opt out of this sharing at any time by using the 'Your Privacy Choices' link in the footer of our website, or by enabling the Global Privacy Control (GPC) signal in your browser.
- Right to Limit Use of Sensitive Personal Information — we do not collect sensitive personal information beyond what is necessary for order fulfilment.
- Right to Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights.
To exercise your California rights, you may contact us at info@haytherehorseart.com with your request. We will respond within 45 days. You may also designate an authorised agent to make requests on your behalf.
In the preceding 12 months, we have collected the following categories of personal information from California consumers: identifiers (name, address, email, IP address); commercial information (purchase history); internet activity (browsing behaviour on our site); and financial data (payment information processed via Shopify and payment processors).
We have not sold personal information of California consumers in the preceding 12 months.
CHILDREN'S PRIVACY
Our Services are not directed at children under the age of 13 (or under 16 where applicable under UK GDPR for online services). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at info@haytherehorseart.com and we will take steps to delete the information.
As of the date of this policy, we do not have actual knowledge that we sell or share the personal information of individuals under 16 years of age.
SECURITY OF YOUR PERSONAL INFORMATION
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These include:
- Use of Shopify's PCI-DSS compliant payment infrastructure — we do not store full payment card numbers ourselves.
- SSL/TLS encryption for data transmitted through our website.
- Access controls limiting who within our business can access personal data.
- Regular review of our security practices.
However, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO as required by law (within 72 hours of becoming aware of the breach, where feasible).
MARKETING COMMUNICATIONS
We may send you promotional emails and marketing communications if you have opted in to receive them. You may opt out at any time by:
- Clicking the 'unsubscribe' link in any marketing email.
- Contacting us at info@haytherehorseart.com.
If you opt out of marketing communications, we may still send you transactional emails relating to your orders and account (e.g. order confirmations, shipping notifications). These are not marketing communications and cannot be opted out of while your account is active.
THIRD-PARTY WEBSITES AND LINKS
Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites. If you follow a link to a third-party site, please review their privacy policy. Our Privacy Policy applies only to information collected by Haytherehorseart.com.
COMPLAINTS
If you have a complaint about how we handle your personal data, please contact us first at info@haytherehorseart.com. We will investigate and respond within 30 days.
If you remain unsatisfied, you have the right to escalate your complaint to:
- In the UK: the Information Commissioner's Office (ICO) — www.ico.org.uk — 0303 123 1113.
- In the USA: you may have rights under applicable state law. California residents may contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will post the revised policy on this page and update the 'Last updated' date. Where changes are material, we will notify you by email or by a prominent notice on our website prior to the change taking effect. Your continued use of the Services after any changes constitutes your acceptance of the updated policy.
CONTACT US
For any questions about this Privacy Policy, to exercise your data rights, or to make a complaint, please contact us:
Business Name: Haytherehorseart.com
Email: info@haytherehorseart.com
Address: Kenilworth House, West Drove North, Walton Highway, Wisbech, PE14 7DP, United Kingdom
ICO Registration Number: C1908978
Legal Notice
This Privacy Policy has been prepared to address the requirements of: the UK General Data Protection Regulation (UK GDPR); the Data Protection Act 2018; the Data (Use and Access) Act 2025; the Privacy and Electronic Communications Regulations (PECR); the California Consumer Privacy Act (CCPA) as amended by the CPRA and 2026 regulations; and general US FTC transparency requirements. It does not constitute legal advice. We strongly recommend periodic review by a qualified data protection solicitor, particularly as UK and US privacy laws continue to evolve.