Scope of This Policy
This policy applies to personal data that we collect as controller through our website and other interactions, including when you:
- browse or purchase products,
- create an account or use account services,
- sign up for marketing communications,
- contact customer support,
- apply for jobs or otherwise provide personal data to us.
Categories of Personal Data We Collect
Depending on your interaction with us, we may collect:
- Identity and contact data: name, billing and delivery addresses, email, phone;
- Account data: username, password (hashed), order history;
- Transaction data: payment and order details (processed by our payment processor);
- Technical data: IP address, device/browser information, cookies and usage data;
- Marketing and communications: preferences and consent records;
- Other data you choose to provide (support messages, CVs for job applications).
Legal Bases for Processing
We process personal data only where we have a valid legal basis, including:
- Performance of a contract: necessary to fulfil orders, provide products or services, manage your account;
- Consent: for marketing communications, cookies and other optional processing (you may withdraw consent at any time);
- Legitimate interests: for fraud prevention, site security, improving services and direct marketing where your interests do not override your privacy rights (we will inform you where we rely on this basis);
- Legal obligation: to comply with tax, accounting and other statutory duties.
Purposes of Processing
We use personal data for purposes including but not limited to:
- processing and delivering orders and handling returns;
- managing user accounts and authentication;
- providing customer support;
- marketing communications (when consented or permitted by law);
- analytics and site improvement; and
- fraud detection and ensuring the security of our services.
Recipients and Third Parties
We may share personal data with the following categories of recipients:
- Payment processors and banks (to complete transactions);
- Delivery and logistics providers;
- Hosting providers and IT service providers who act as processors under contract;
- Analytics and advertising providers (e.g., Google) when enabled by consent;
- Legal and professional advisors where required for compliance or dispute resolution.
We require contracts with processors that implement appropriate safeguards and limit use of data to our instructions.
International Transfers
Some processors we use may transfer or store data outside the European Economic Area (EEA). Where transfers occur, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other lawful safeguards. Contact the DPO for details of specific transfers and safeguards.
Data Retention
We retain personal data only as long as necessary for the purposes described and to comply with legal obligations. Typical retention periods (subject to change):
- Order and transaction records: up to 7 years for accounting and tax;
- Account information: while the account exists and for up to 2 years after inactivity, unless otherwise required;
- Marketing consent: until you unsubscribe;
- Support and correspondence: generally 2 years after last contact unless required longer for legal reasons.
If you require a copy of personal data retained for a specific purpose, contact the DPO (see details below).
Your Rights
Under the GDPR you have the right to:
- request access to your personal data;
- request correction of inaccurate data;
- request erasure (in certain circumstances);
- request restriction of processing;
- object to processing (including for direct marketing);
- request data portability where applicable;
- withdraw consent at any time (where processing is based on consent).
To exercise any right, contact dpo@byswans.com with sufficient information to identify you. We may require identity verification for requests. We will respond without undue delay and within one month where possible (extensions may apply for complex requests).
Supervisory Authority
If you consider that our processing infringes applicable data protection law, you have the right to lodge a complaint with a supervisory authority.
Security Measures
We implement reasonable technical and organisational measures to protect personal data, including TLS/SSL encryption in transit, access controls, and regular security reviews. However, no method of transmission or storage is completely secure — contact us immediately if you suspect a security incident.
Automated Decision-Making and Profiling
We do not use automated decision-making that produces legal or similarly significant effects without explicit notice. Where profiling is used (for example, to personalise offers), we will provide information and the right to object where required by law.
Children
Our services are not directed to children under 16. We do not knowingly collect personal data from children under this age. If you become aware that a child has provided us with personal data, please contact the DPO and we will take appropriate steps to delete the information.
Changes to This Policy
We may update this policy from time to time. The “Last modified” date at the top of this page will indicate when changes were last made. Significant changes will be communicated where appropriate.
Contact and How to Exercise Your Rights
For subject access requests, corrections or to object to processing, contact the DPO. We will respond in accordance with applicable law.
Data Protection Officer / Privacy contact: dpo@byswans.com