Skip to main content
Privacy policy
Last updated: June 2026
Petra Palumbo Ltd is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read it carefully.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:
Petra Palumbo Ltd
Kirkton Steadings, Kirkton Farm, IV3 8RH
Email: info@petrapalumbo.com
This policy applies only to https://petrapalumbo.com and not to any third-party sites linked from our site.
1. Information we collect from you
We may collect and process the following categories of personal data:
Identity & contact data
Name, address, email address, phone number, personal description and photograph — provided when you register, place an order, subscribe to communications, enter a competition, or contact us.
Lawful basis: Contract performance; Consent (for photographs)
Transaction data
Details of purchases you make through our site, including payment and order fulfilment information. We do not store full card details — payment processing is handled by our payment provider.
Lawful basis: Contract performance; Legal obligation
Technical & usage data
IP address, browser type and version, time zone, operating system, pages visited, traffic and location data, and other communication data collected automatically when you visit our site.
Lawful basis: Legitimate interests (site security and improvement)
Marketing & communications data
Your preferences for receiving marketing communications from us, and your responses to surveys or promotions.
Lawful basis: Consent
We do not intentionally collect sensitive (special category) personal data. If you share any such data with us, we will handle it in accordance with UK GDPR Article 9 and will seek your explicit consent where required.
How long we keep your data
|
Data Type |
Retention Period |
|---|---|
|
Customer account & order data |
7 years (legal/tax obligation) |
|
Marketing consent records |
Until consent withdrawn + 1 year |
|
Website analytics data |
Up to 26 months |
|
Correspondence & enquiries |
3 years from last contact |
|
Cookie data |
As per cookie expiry dates in Section 2 |
2. IP addresses and cookies
2.1 We may collect information about your device, including your IP address, operating system and browser type, for system administration and to report aggregate information. This data does not identify any individual.
2.2 Our website uses cookies — small text files stored on your device — to help us provide and improve our services, personalise your experience, and support our marketing activities. By continuing to use our site, you consent to our use of cookies as described below. You may withdraw consent at any time via your browser settings.
2.3 We use the following categories of cookies:
Strictly necessary cookies
Essential for the website to function. Cannot be switched off.
|
Cookie |
Purpose |
|---|---|
|
_shopify_essential |
Core session & checkout |
|
cart, cart_currency |
Basket contents & currency |
|
localization |
Region preference |
|
shopify_client_id |
Client instance identifier |
|
privacy_signal |
Records your consent (GDPR) |
|
datadome |
Bot & fraud protection |
Performance & analytics cookies
Help us understand how visitors use our site. Data is aggregated and anonymised where possible.
|
Cookie |
Purpose |
|---|---|
|
_ga, _ga_* |
Visitor & session tracking |
|
_merchant_analytics |
Merchant-side analytics |
|
ahoy_visit, ahoy_visitor, ahoy_track |
Visit & event analytics |
|
FPID |
First-party analytics identity |
Marketing & advertising cookies
Used to deliver relevant ads and measure their effectiveness.
|
Cookie |
Purpose |
|---|---|
|
_fbp |
Ad targeting & conversion |
|
_gcl_au |
Ad conversion measurement |
|
_pin_unauth |
Pinterest tag |
|
_merchant_marketing |
Marketing attribution |
Functional cookies
Enable enhanced functionality including email marketing and international checkout.
|
Cookie |
Purpose |
|---|---|
|
__kla_id, kl_csrftoken, apt.uid |
Email marketing & form security |
|
__cf_bm |
International checkout & bot management |
|
v:a:3 |
A/B test variant assignment |
2.4 Some cookies are set by third parties whose services appear on our pages. We do not control these cookies. Third parties including Google, Meta, Pinterest, Klaviyo, DataDome, AddSauce and Global-e may use cookies to collect information about your online activity. Please refer to their privacy policies.
2.5 You may refuse or withdraw consent to non-essential cookies at any time by adjusting your browser settings. Disabling certain cookies may affect website functionality including checkout.
3. Where we store your personal data
3.1 Petra Palumbo Ltd is based in the United Kingdom and processes personal data in accordance with UK GDPR and the Data Protection Act 2018.
3.2 Personal data we collect may be transferred to and stored at destinations outside the UK, for example where we use third-party service providers — including Shopify, Google, Meta, Klaviyo, Pinterest, DataDome, AddSauce and Global-e — whose infrastructure or staff are located outside the UK.
3.3 Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including one or more of the following:
- Transfer to a country covered by UK adequacy regulations;
- Use of International Data Transfer Agreements (IDTAs) or UK Addenda to EU Standard Contractual Clauses approved by the ICO; or
- Another lawful transfer mechanism recognised under UK GDPR.
3.4 To request details of the specific safeguards we use for any international transfer, please contact us at info@petrapalumbo.com.
3.5 Where you have chosen a password to access parts of our site, you are responsible for keeping it confidential. Please do not share it with anyone.
3.6 While we implement strict security measures, transmission of information via the internet is not completely secure. Any transmission is at your own risk; once received, we use strict procedures to prevent unauthorised access.
4. How we use your information
4.1 We process your personal data only where we have a valid lawful basis under UK GDPR. The table below sets out our purposes and the lawful basis for each:
|
Purpose |
Lawful Basis |
|---|---|
|
Processing and fulfilling your orders |
Contract (Article 6(1)(b)) |
|
Managing your account and providing customer service |
Contract (Article 6(1)(b)) |
|
Sending marketing emails (where you have opted in) |
Consent (Article 6(1)(a)) |
|
Personalising your experience on our site |
Legitimate interests (Article 6(1)(f)) |
|
Site analytics and performance improvement |
Legitimate interests (Article 6(1)(f)) |
|
Fraud prevention and security |
Legitimate interests (Article 6(1)(f)) |
|
Complying with legal and tax obligations |
Legal obligation (Article 6(1)(c)) |
|
Notifying you of changes to our services |
Contract / legitimate interests |
4.2 Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may request details of this assessment by contacting us.
4.3 We will not use your data for any purpose incompatible with the purposes listed above without notifying you and, where required, obtaining your consent.
4.4 We will not share identifiable personal data with third-party partners for their own marketing purposes without your explicit consent.
5. Disclosure of your information
5.1 We may share your personal data with the following categories of recipients:
- Service providers and data processors — including Shopify (e-commerce platform), payment processors, email marketing providers (Klaviyo), analytics providers (Google, AddSauce), advertising networks (Meta, Pinterest, Google Ads), fraud prevention services (DataDome) and international checkout providers (Global-e). These parties act as data processors under Article 28 UK GDPR and are bound by written data processing agreements.
- Business transfers — if we sell or acquire a business or assets, personal data may be transferred to the prospective buyer or seller as part of due diligence.
- Legal obligations — where required by law, court order, or regulatory authority, or to protect the rights, property or safety of our staff, customers or others.
5.2 We do not sell personal data to third parties.
6. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
|
Right |
What It Means |
|---|---|
|
Right of access |
Request a copy of the personal data we hold about you (subject access request). |
|
Right to rectification |
Ask us to correct inaccurate or incomplete personal data. |
|
Right to erasure |
Ask us to delete your data where there is no longer a lawful reason to process it. |
|
Right to restriction |
Ask us to restrict processing of your data in certain circumstances. |
|
Right to portability |
Receive your data in a structured, machine-readable format and transfer it to another controller. |
|
Right to object |
Object to processing based on legitimate interests, including direct marketing. |
|
Rights re. automated decisions |
Not to be subject to solely automated decisions that significantly affect you. |
|
Right to withdraw consent |
Where processing is based on consent, withdraw it at any time without affecting prior processing. |
6.1 To exercise any of these rights, please contact us at info@petrapalumbo.com. We will respond within one calendar month of receiving your request. We may ask you to verify your identity before processing your request.
6.2 To unsubscribe from marketing emails, click the unsubscribe link in any email we send you, or contact us directly.
6.3 Our site may contain links to third-party websites. Those sites have their own privacy policies and we are not responsible for them. Please review their policies before submitting personal data.
6.4 You have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO), if you believe we have not handled your personal data in accordance with the law:
https://ico.org.uk/make-a-complaint/
ICO helpline: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns directly before you contact the ICO.
7. Changes to this policy
We may update this policy from time to time. Any changes will be posted on this page with an updated version date. Where changes are material, we will notify you by email where we hold your contact details. Please check back periodically.
8. Contact
Questions, comments and requests regarding this privacy policy should be addressed to:
Petra Palumbo Ltd
Kirkton Steadings, Kirkton Farm, IV3 8RH
