Privacy Policy
Last updated: April 2026 · UK GDPR Compliant
01 · Who Is Responsible for Your Data
RYE APOTHECARY LTD, trading as Rye Apothecary, is the data controller responsible for your personal data. We are registered with the Information Commissioner’s Office (ICO) under registration number [ICO REGISTRATION NUMBER — required].
Contact us regarding data matters at: orders@ryeapothecary.com or by post at 14 Menotti Street, London E2 6JH.
02 · What Data We Collect and Why
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email, delivery address | Processing and fulfilling your order | Contract performance |
| Payment information | Processing payment via Stripe. We do not store card details. | Contract performance |
| Order history | Customer service, returns, and legal compliance | Legal obligation / Legitimate interests |
| Email address (waitlist) | Notifying you about product availability | Consent |
| Email address (marketing) | New products and brand news, if opted in | Consent |
| Session data | Keeping you signed in to your account via a session cookie | Legitimate interests |
| IP address, device type, browser | Fraud prevention and security | Legitimate interests |
We do not collect sensitive personal data (health, biometric, or financial data beyond what Stripe handles directly).
03 · How We Store Your Data
Customer and order data is stored in a PostgreSQL database hosted on Supabase, running on AWS EU West (Ireland). Your data is held within the European Economic Area.
Order confirmation and transactional emails are sent via Resend. This website is hosted on Vercel.
04 · Who We Share Your Data With
We share your data only as necessary to operate the business. Our third-party processors are:
- Stripe, Inc. — payment processing. Stripe is certified PCI-DSS Level 1. Data may be processed in the US under Standard Contractual Clauses. See stripe.com/gb/privacy.
- Supabase, Inc. — database hosting on AWS EU West. See supabase.com/privacy.
- Resend, Inc. — transactional email delivery. See resend.com/privacy.
- Vercel, Inc. — website hosting and infrastructure. See vercel.com/legal/privacy-policy.
- Shipping providers — your name and delivery address are shared with our carrier (Royal Mail or equivalent) solely for delivery.
We do not sell your personal data to any third party. We do not share your data for third-party marketing.
International transfers
Some processors (Stripe, Resend, Vercel) are based outside the UK and EEA. Where data is transferred internationally, appropriate safeguards are in place including Standard Contractual Clauses. Supabase stores your data within the EEA on AWS EU West.
05 · How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Order data | 7 years (HMRC tax requirement) |
| Customer account data | Duration of account + 2 years after last activity |
| Marketing email list | Until you unsubscribe or withdraw consent |
| Waitlist data | Until product launches or you request removal |
| Session data | 30 days (cookie expiry) |
06 · Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your data (subject to legal retention obligations)
- Restriction — ask us to stop processing your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests or for direct marketing
- Withdraw consent — at any time, where processing is based on consent
To exercise any right, email orders@ryeapothecary.com. We will respond within one month. We may need to verify your identity before acting on a request.
If you believe we have mishandled your data, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or call 0303 123 1113.
07 · Security
We take reasonable technical and organisational measures to protect your data. This website uses SSL/TLS encryption. Payment data is handled exclusively by Stripe and never stored on our servers. Our database on Supabase uses encryption at rest and in transit.
No method of transmission over the internet is 100% secure. We take our obligations seriously but cannot guarantee absolute security.
08 · Changes to This Policy
We may update this policy from time to time. Changes are effective from the date of publication. If we make material changes, we will notify active customers by email.
Data Controller: RYE APOTHECARY LTD, trading as Rye Apothecary
14 Menotti Street, London, E2 6JH
ICO Registration: [ICO NUMBER — required]