Privacy Policy for Sofamakercouk,

(GDPR/DUAA Compliant)

Introduction

Welcome to our bespoke furniture website (the “Site”), proudly based in the United Kingdom and powered by WordPress with the latest 2025 default theme. Protecting your privacy is very important to us. This Privacy Policy explains-clearly and in plain language-how we collect, use, disclose, and safeguard your personal data in line with the requirements of the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, the Data (Use and Access) Act 2025 (“DUAA”), and other applicable laws¹. Please read this policy carefully; by using our Site, you acknowledge and agree to its terms.

Who We Are

We are an independent retailer of bespoke furniture, registered in the United Kingdom. Our website address is: [insert website URL]. For questions or to exercise your data rights, you can contact us at: [insert contact email/address]. For all data protection matters, we act as the ‘data controller’-this means we decide how and why your personal data is used².

Key Principles

We comply with the following data protection principles:

We process your data lawfully, fairly, and in a transparent manner.
We collect data only for specified, explicit, and legitimate purposes.
Data collection is adequate, relevant, and limited to what is necessary.
Data is accurate and kept up-to-date.
We store personal data no longer than necessary.
Data is handled securely with appropriate technical and organisational measures³⁴.

What Data We Collect

We may collect and process various types of information depending on your interactions with our website:

Contact Data: Name, email address, phone number and postal address (for contact forms, customer support, or quotes).
Order Data: Billing, delivery details and the items you purchase (during order processing).
Account Data (if applicable): Username, password, account activity, and preferences.
Payment Data: Payment method details (processed securely by our payment provider-never stored directly by us).
Technical Data: IP address, browser type, device information, and operating system (for security and analytics purposes).
Usage Data: Information about how you use our website and services.
Marketing Data: Preferences for receiving communications, and your interactions with marketing messages (if you opt in).
Cookie Data: Browser cookies and similar tracking technologies, governed by our Cookie Policy.

We do not knowingly collect special category data (e.g., health, religion, ethnicity), or children’s data unless specifically required by law (in which case, we provide additional safeguards as explained below)⁵.

How We Collect Data

Your personal data is collected when you:

Complete a contact or order form, send us an email, or use our live chat;
Place an order for products or request a quote;
Register an account or subscribe to email updates;
Browse our website (via cookies and analytics tools like Google Analytics);
Interact with social media plugins and widgets;
Consent to receive marketing communications⁶.

We may also obtain limited data from third parties (for example, payment processors or delivery partners), but only where this is necessary to provide our services².

Purposes for Processing Your Data & Legal Bases

We process your personal data only where we have a lawful basis under the UK GDPR/DUAA. The main purposes and legal bases are summarised below:

Processing Activity	Types of Data	Lawful Basis	Additional Notes
Contact form submissions	Contact/Account Data	Consent	You actively provide this; consent can be withdrawn at any time.
Order processing and fulfilment	Order/Contact/Payment Data	Contract	Necessary for contract performance.
Customer support & queries	Contact/Account Data	Legitimate Interests	Our interest in responding to your requests, balanced with your rights.
Analytics (Google Analytics)	Technical/Usage/Cookie Data	Consent	Cookie consent required before tracking; IP anonymisation enabled.
Marketing emails/newsletters	Contact/Marketing Data	Consent	Separate opt-in required for email marketing.
Managing cookie preferences	Cookie/Technical Data	Consent	Consent Banner allows settings.
Legal obligations (record-keeping, fraud prevention)	Order/Payment/Account Data	Legal Obligation	Required by law (e.g., tax, fraud).
Security and fraud prevention	Technical/Usage Data	Legitimate Interests / Legal Obligation	Security, preventing misuse.
Handling complaints & subject rights	All categories as needed	Legal Obligation	Required by data protection law.
International data transfers (e.g., analytics providers)	All relevant data	Consent/Appropriate Safeguards	See section on “International Data Transfers”

Detailed explanation:

Consent: For contact forms, newsletter sign-ups, non-essential cookies, and analytics, we request your explicit opt-in consent. Consent is voluntary and can always be withdrawn.
Contract: When you place an order, processing is necessary to fulfil our contract with you.
Legal Obligation: Some data must be kept for tax, accounting, fraud prevention, or to comply with law enforcement.
Legitimate Interests: We process certain data for website security, customer support, and usability improvements. We always balance our interests with your rights and freedoms¹⁵⁷⁸.

Table: Legal Bases for Data Processing

Purpose	Data Types Involved	Legal Basis under UK GDPR
Contact form submissions	Name, email, phone, message	Consent
Order processing & delivery	Name, address, order details	Contract
Customer account management	Account info, preferences	Contract / Legitimate Interests
Analytics (Google Analytics)	IP, device, usage data	Consent (cookie opt-in)
Marketing emails	Email address	Consent
Customer service communications	Name, email, order number	Legitimate Interests / Contract
Cookie preferences	Cookie, IP, user settings	Consent
Security & anti-fraud	IP, browser/device data	Legal Obligation / Legitimate Interests
Legal compliance/retention	Order, payment, transaction logs	Legal Obligation
Handling data rights/requests	Contact info, relevant case data	Legal Obligation
International data transfers	All above, as relevant	Consent / Appropriate Safeguards

See UK GDPR Article 6 and DUAA for explanation of legal bases¹⁹.

How We Use Your Data

We use your data to:

Respond to your enquiries or requests via contact forms, email, or other channels.
Process orders and arrange product delivery to your address (including sharing details with trusted delivery partners).
Manage your customer account (if you create one).
Send transactional notifications such as order confirmations or updates.
Provide customer support, including returns, refunds, or complaint handling.
Improve our website and services with aggregated analytics (with your consent).
Send marketing emails or promotions (only if you’ve opted in).
Secure our website, prevent fraud, and comply with UK law.
Maintain compliance records and demonstrate our accountability to regulators (such as the ICO)¹⁰³.

We never sell your personal data to third parties, nor do we use your data for automated decision-making with legal or similarly significant effects, unless required by law or with your permission.

How We Share and Disclose Data

We only share your data when necessary:

Payment processors: For secure handling of online payments (credit/debit cards, PayPal, etc.). These companies are independent controllers/processors and maintain their own privacy obligations.
Delivery partners: To fulfil your order.
Professional advisers (e.g., accountants, legal counsel): For business operations and compliance.
Technical service providers: Such as trusted website hosting, analytics, and email services. All third-party providers are contractually required to protect your data and process it only on our documented instructions¹¹.
Government authorities: Where required by law or for legal claims, fraud investigations, or similar.
Cookie/analytics providers (e.g., Google LLC): Only where you provide explicit consent to non-essential cookies. Data transfers are subject to additional safeguards; see “International Data Transfers” section.
Other situations: With your explicit instruction or consent.

All third-party processors are required to provide sufficient security measures and to comply with legal requirements under the contract¹¹.

How Long We Keep Your Data

We retain your personal data only as long as necessary for each purpose:

Order and account data: 7 years (statutory requirement for tax/accounting compliance, after which data will be securely deleted or anonymised).
Contact/Support data: 2 years from last contact (unless needed for legal requirements).
Marketing consent: Until you opt out or withdraw consent.
Cookie/Analytics data: Fixed periods as set by your cookie preferences (typically up to 26 months for analytics cookies).
Complaint/rights requests: 6 years after closure of the matter, to ensure compliance and enable defence in case of dispute.

We regularly review our retention policies and securely erase or anonymise personal data when no longer needed, in line with the storage limitation principle of UK GDPR¹².

Lawful Bases Table (Summary)

Activity	Legal Basis
Contact Form Data Collection	Consent
Order Processing	Contract
Customer Service Records	Legitimate Interest
Analytics / Cookies	Consent
Marketing Communications	Consent
Security & Fraud Prevention	Legal Obligation / Legitimate Interest
Legal and Complaint Handling	Legal Obligation
International Transfers	Consent / Adequate Safeguards

For more about each lawful basis, see the ICO’s https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/⁷.

Automated Decision-Making

We do not make decisions based solely on automated processing that have legal or similarly significant effects for individuals. If automated systems are ever used (e.g., for fraud checks), you will be notified in advance and given the right to request human intervention, review, and challenge any such decision, in line with DUAA and UK GDPR safeguards¹.

Children’s Privacy

Our website and products are directed primarily at adult customers. We do not knowingly collect or process data relating to children under 13. If you are a parent or guardian and believe we have inadvertently collected a child’s personal data, please contact us and we will promptly delete it. Where online forms may be accessible to children, we implement appropriate safeguards and, where required, obtain parental consent.

How We Secure Your Data

We take your privacy seriously, adopting privacy and security measures by design and by default, as per Article 25 of UK GDPR:

Encryption: All data transmitted between your browser and our website is encrypted using HTTPS (SSL).
Access Controls: Only authorised staff and partners may access your data, subject to confidentiality obligations.
Technical Safeguards: Our website is hosted with security-first providers, and our WordPress installation and plugins are regularly updated.
Backups: Secure, regular backups of key data are maintained for business continuity.
Firewalls and Anti-Malware: Active website security solutions and monitoring.
Limited Data Storage: We store only what is strictly necessary and actively remove data exceeding our retention periods.
Data Processing Agreements: Written contracts are in place with all third-party processors, as required by law¹³¹¹.

WordPress-specific security practices include:

Only using vetted, up-to-date plugins and themes within the 2025 theme environment.
Employing reputable consent and security plugins (such as GDPR Cookie Consent, CookieYes, Complianz, WPForms, and others) to manage risk and compliance.
Periodic security audits and vulnerability scans¹⁴¹⁵.

How We Use Cookies (Cookie Policy Summary)

We use cookies and similar technologies to improve your experience, help process orders, secure the website, and-if you agree-analyse how visitors use our site. On your first visit, you will see a cookie consent banner giving you the opportunity to:

Accept all cookies.
Reject all non-essential cookies.
Customise consent to specific cookie categories (such as analytics or marketing).

You can withdraw or adjust your consent at any time via the persistent “Cookie Settings” link in the footer¹⁶¹⁷¹⁸.

Types of cookies we use:

Strictly Necessary Cookies: Essential for shopping cart, security, and site functioning. Cannot be turned off.
Analytics Cookies: Help us understand visitor interactions (e.g., Google Analytics). Set only with your opt-in consent.
Preference/Functional Cookies: Remember site preferences if you choose.
Advertising Cookies: Not used unless stated otherwise.

For detailed information, please read our [Full Cookie Policy](insert link).

Google Analytics and Your Privacy

We use Google Analytics to help us understand how visitors interact with our website. This tool collects information such as IP addresses, device type, actions on the site, and time spent, using cookies. To comply with UK GDPR and DUAA:

We obtain your explicit consent before setting analytics cookies or collecting personal identifiers.
IP Anonymisation is enabled, so visitors’ identifying IP details are not stored.
Data Retention is set to automatically delete analytics data after 26 months or as otherwise specified in our settings.
Consent Mode is integrated (Google Consent Mode v2), meaning no personal data tracking occurs unless you expressly agree via the cookie banner.
No personal data is sent to Google unless you consent via the banner.
International Transfers: If analytics data is transferred outside the UK (e.g., to Google in the US), it is subject to appropriate safeguards such as the UK-US Data Bridge or approved Standard Contractual Clauses (see “International Data Transfers” below)¹⁹²⁰²¹.

You can opt out of Google Analytics at any time by updating your cookie preferences or using Google’s browser add-on.

Consent Management and Record-Keeping

We use reputable consent plugins in the WordPress environment (e.g., GDPR Cookie Consent, CookieYes, Complianz), which:

Display a transparent and accessible consent banner to all UK/EEA users.
Log and store each user’s consent state in an encrypted format (timestamp, preferences, and anonymised identifiers) in our secure backend.
Allow you to review or revoke your consent at any time.
Maintain a full audit trail to demonstrate compliance with UK GDPR and DUAA accountability requirements¹⁵¹.

Form submissions (such as via WPForms or Contact Form 7) require users to positively opt-in via a consent checkbox (not pre-checked) before submitting any personal data. Consent, once given, can be withdrawn easily by contacting us²²²³.

Managing Your Marketing Preferences

We do not send you marketing messages unless you have explicitly opted in (for example, by checking a box when signing up or requesting updates). You may unsubscribe at any time by:

Clicking the “unsubscribe” link in any marketing email.
Contacting us directly at the details in this policy.

Your choice does not affect order or service communications, which are required for us to fulfil your requests.

Your Data Protection Rights

Under UK GDPR and the DUAA, you have the following rights regarding your personal data:

Right to be Informed: To know how and why your data is being used (this policy fulfils that right).
Right of Access: To request a copy of your personal information.
Right to Rectification: To have inaccurate or incomplete data corrected.
Right to Erasure (“Right to be Forgotten”): To ask us to delete your data under certain circumstances.
Right to Restrict Processing: To request limits on how we use your data in specific cases.
Right to Data Portability: To get your data in a usable electronic format and transmit it to another provider.
Right to Object: To object to processing under certain legal bases, including direct marketing.
Right to Withdraw Consent: To withdraw your consent at any time (without affecting the lawfulness of prior use).
Right not to be subject to automated processing/decision-making: To request human intervention in automated decisions.

You may exercise your rights at any time by contacting us (see details above).

We have one month to respond to data rights requests. There is generally no charge for exercising your rights. If we need more information to verify your identity or clarify the request, we will “pause the clock” in accordance with DUAA procedures until we have sufficient information²⁴²⁵.

If we do not satisfy your concern, you have the right to complain to the ICO (Information Commissioner’s Office): https://ico.org.uk/make-a-complaint/

International Data Transfers

Some of our service providers (e.g., Google Analytics, cloud service vendors) may be located outside the UK. When your information is transferred internationally (for example, to the United States), we ensure:

Transfers are only made to recipients in countries deemed ‘adequate’ by UK regulation (e.g., via the UK-US Data Bridge or EU/UK Standard Contractual Clauses).
For US-based processors (such as Google), we verify DPF/UK-US Data Bridge certification.
If no adequacy arrangement applies, we use Standard Contractual Clauses and undertake a transfer risk assessment, as required by law.
Data is pseudonymised or anonymised where possible before transfer.
You are informed in this privacy policy, and we ensure that your rights and protections travel with your data internationally.

You can request further details of the safeguards we use by contacting us²⁰²⁶²⁷.

Contact Forms and Order Forms: Consent and Data Minimisation

When you use a contact or order form on our website:

We always ask for consent by way of an unchecked checkbox (which you must tick yourself).
We explain, in clear language, why we need the information and how it will be used (for example, to respond to your enquiry or process your order).
Only the information necessary to answer your query or fulfil your order is required²²²³.

Form submission data is stored securely on our UK-based server and routinely deleted or anonymised as per our retention schedule.

You can request a copy of your submissions or deletion of your data at any time.

Cookie Management and Consent Solutions

To help comply with the UK GDPR and DUAA, our website uses a trusted cookie consent management plugin (such as CookieYes, Complianz, or GDPR Cookie Consent, all compatible with WordPress 2025 theme):

Region-specific banners: Cookie banners are displayed to UK and EU users, informed by geolocation, per legal requirements.
Audit-ready logs: All user consents are securely logged and stored.
Prior blocking: Non-essential cookies (like Google Analytics) are blocked before you opt-in.
Category controls: You can adjust or withdraw consent at any time with an always-visible settings link.
Integration with Google Consent Mode v2: Ensures advertising and analytics cookies are only fired with your opt-in consent¹⁶¹⁷²¹.

Accountability, Record-Keeping and DUAA Requirements

We maintain documentation of all our data processing activities, as required under UK GDPR Article 30 and the DUAA. This includes:

Records of data types, purposes, retention periods, sharing, and safeguards.
Detailed logs of user consent actions.
Contracts with all data processors outlining their obligations.
Data Protection Impact Assessments (DPIAs) for new or high-risk processing.
Procedures for handling privacy complaints, including electronic submission options (per DUAA Section 7), and logging outcomes.
Security incident/breach logs, with reporting to the ICO as required by UK law⁴²⁸²⁹.

If you wish to see a summary of our accountability framework, please contact us.

Changes to this Privacy Policy

We may update this privacy policy from time to time as legal or technical requirements change, or as we improve our services. The “effective date” will be shown at the top of the page. We recommend reviewing this page regularly for updates. Where significant changes are made, we will notify you prominently (for example, by email if you hold an account/subscription).

How to Contact Us

If you have questions, concerns, or requests about this Privacy Policy or the way we handle your personal data, you can contact our Data Protection Responsible Person at:

[Insert business email address]
[Insert business postal address]
[Insert business telephone number]

If you have concerns that we cannot resolve, you may also contact the Information Commissioner’s Office (ICO):

Website:
Phone: 0303 123 1113

Additional Policies

For more details about our use of cookies, please see our [Cookie Policy]. For order-specific terms, please consult our Terms & Conditions.

Last updated: [Insert date of policy update]

Appendix: WordPress 2025 Theme-Privacy and Compliance Features

The Twenty Twenty-Five WordPress theme is designed with privacy best practices in mind, including:

Accessibility: All privacy banners, forms, and notices are designed to be accessible (keyboard/screen reader compatible)¹⁴.
Site Editor: Enables easy placement and update of Privacy Policy links in the footer, navigation, and forms.
Pattern Support: Built-in blocks for compliant contact/order forms that can integrate with privacy/consent fields.
Compatibility: Fully compatible with modern privacy plugins (CookieYes, GDPR Cookie Consent, Complianz, etc.), Google Consent Mode v2, and server-side analytics.
Security: Supports HTTPS and modern encryption as default; minimises plugin vulnerabilities by facilitating granular block control and easy updates.
Automated compliance updates: Frequent core/theme updates provide security and privacy enhancements in line with regulatory changes⁶.

If you have questions about using privacy tools or updating your preferences in the context of the Site’s design, please contact us.

Summary Table: Lawful Bases for Data Processing (UK GDPR & DUAA)

Processing Activity	Data Types	Lawful Basis	Retention Period	Key Safeguards
Contact Form Submission	Name, email, phone, msg	Consent	2 years	Consent banner, secure form
Order Processing	Name, addresses, order, payment*	Contract (plus Legal Obligation for accounting/tax)	7 years	HTTPS, access controls
Marketing Emails	Email address	Consent (user opt-in)	Until withdrawn	Easy unsubscribe, audit logs
Analytics (Google Analytics)	IP (anonymised), usage	Consent (opt-in cookie)	26 months	IP anonymisation, Consent Mode
Account Management	Account data	Contract / Legitimate Interests	Until closed + 2 yrs	Encrypted storage, password policies
Complaints/Rights Requests	All as needed	Legal Obligation	6 years after closure	Secure storage, audit logs
Security/Fraud Prevention	IP, technical data	Legal Obligation / Legitimate Interests	Varies	Firewalls, access logs
International Data Transfer	Varies	Consent/Appropriate Safeguards (e.g., UK-US Data Bridge)	As above	Standard Contractual Clauses, DPF certification

(*Note: No payment details are stored on our server; handled by certified payment providers.)

Thank you for trusting us with your data. We are committed to upholding your rights and maintaining the highest standards of privacy and security.

ho we are