Privacy Policy
Last updated: 16 May 2026
Who We Are
Vienne Attire is a UK-based online retailer of handmade Ghanaian dresses. We are the data controller for your personal information. Our registered contact email is contact@vienneattire.com. If you have any questions about how we handle your data, please contact us at the email above.
What Data We Collect
We collect only the personal data necessary to fulfill orders and operate our store:
- Contact information: name, email address, phone number (optionally provided during checkout, contact form, or newsletter signup)
- Delivery address: shipping and billing address (required for order fulfillment)
- Order information: purchase history, product selections, order notes, and transaction amounts
- Account credentials: hashed email and password (if you create an account)
- Communications: messages sent via our contact form, newsletter preference data, and marketing opt-in status with timestamp and IP
Why We Collect Your Data & Lawful Basis
We process your personal data on the following legal bases under UK GDPR:
- Contract performance (Article 6(1)(b)): to fulfill orders, process payments, arrange delivery, and handle returns
- Consent (Article 6(1)(a)): to send marketing emails — you can withdraw at any time via the unsubscribe link in every email or your account settings
- Legitimate interest (Article 6(1)(f)): for fraud prevention, website security, and service improvement — we have balanced our interests against your rights and concluded these are justified
- Legal obligation (Article 6(1)(c)): to retain order records for UK tax and accounting purposes (6 years)
How We Store Your Data
Your data is stored with industry-standard encryption and access controls. Access to personal data is restricted to the business owner only, through role-based access controls. Encryption in transit (TLS 1.3) is enforced for all website traffic, and data is encrypted at rest by our hosting provider.
Data Retention
We retain your data only as long as necessary:
- Order data: 6 years after the order date (UK tax and accounting obligations)
- Marketing preferences: until you unsubscribe or request removal
- Contact form inquiries: 2 years after the last communication
- Account data: until you request account deletion via your settings page
Your Rights
Under UK GDPR, you have the following rights. To exercise any of them, contact us at contact@vienneattire.com. We typically respond within 5 working days.
- Right of access (Article 15): request a copy of your personal data — use the Download My Data button in your account settings
- Right to rectification (Article 16): correct inaccurate or incomplete data via your account settings
- Right to erasure (Article 17): delete your account and anonymize your data — use the Delete Account option in settings
- Right to restrict processing (Article 18): ask us to limit how we use your data in specific circumstances
- Right to data portability (Article 20): request a machine-readable copy of your account data
- Right to object (Article 21): object to processing for direct marketing — unsubscribe via email link or account settings
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority: www.ico.org.uk.
Cookies
Our website uses only essential cookies that are strictly necessary for the website to function. These include session cookies for your shopping cart and login session, security cookies for fraud protection, and functional cookies for preferences like your wishlist. Under UK GDPR, essential cookies do not require prior consent as they are necessary for the service to function. We do not use advertising, tracking, analytics, or third-party cookies.
Third-Party Services
We use the following data processors who are contractually bound to protect your data:
- Supabase (US-based): database hosting and authentication — stores customer data, order records, and audience contacts. Supabase is certified under the UK-US Data Bridge framework. Data transfers are governed by the UK International Data Transfer Agreement.
- Stripe (US-based): payment processing — handles all payment card information. Stripe is PCI DSS Level 1 compliant. We never store full card numbers on our servers.
- Cloudinary (US-based): image hosting and CDN — stores product images. No personal data is shared beyond IP addresses for CDN delivery.
- Resend (US-based): email delivery — sends order confirmations, shipping updates, and marketing emails. We share recipient email addresses and names solely for message delivery.
International Data Transfers
Some of our service providers are based outside of the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement or the UK-US Data Bridge framework, as applicable. By using our services, you acknowledge that your data may be processed outside the UK.
Security
We implement appropriate technical and organisational measures: encryption in transit (TLS 1.3), encryption at rest for stored data, restricted access controls (the business owner only), and regular security reviews of our infrastructure. In the unlikely event of a data breach, we will notify the ICO within 72 hours and inform affected individuals as required by law.
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects concerning you.
Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal obligations. The latest revision date is shown at the top. We encourage you to review this page periodically.
Contact & Complaints
If you have any questions about this policy or wish to exercise your rights:
- Email: contact@vienneattire.com
- Response time: typically within 5 working days
- ICO: www.ico.org.uk (if you are unsatisfied with our response)
This privacy policy was prepared with reference to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Last reviewed on 16 May 2026.