Privacy policy

PrivacyPortal Ltd. Privacy Policy

Last Updated: 10 May 2026

A Note on Why This Policy Exists

You came to PrivacyPortal because privacy matters to you. It matters to us too — so we've tried to write this policy the way we'd want one written to us: plainly, specifically, and without the lawyerly fog that makes most privacy policies impossible to read.

Our commitments in summary:

  • We collect only what we need to sell you a device, ship it, and support you afterwards. Nothing more.
  • We do not sell your personal data to anyone, ever.
  • We do not use your data for cross-site behavioural advertising or third-party ad targeting.
  • We minimise what we share with payment processors, shipping carriers, and our hosting platform to what each one strictly needs to do its job.
  • We delete personal data when we no longer need it, on the schedules set out in Section 9 below.
  • You have full statutory rights over your data, and we make them easy to exercise — see Section 10.

The rest of this policy fills in the detail that we are required by law to give you, and that you are entitled to know.

1. Who We Are

PrivacyPortal Ltd is a company registered in England and Wales, trading from 16 Commerce Square, Lace Market, Nottingham, NG1 1HS. We are the data controller for the personal information described in this policy.

Our website is hosted on the Shopify platform. Shopify acts as our data processor for most processing activities, and as a joint or independent controller for some specific platform-level activities (described in Section 6).

For any privacy enquiry, contact: admin@privacyportal.co.uk or write to us at the address above.

2. The Personal Information We Collect

We only collect the information we genuinely need. Here is the complete list, what each item is for, and where it comes from:

From you, when you place an order or contact us

  • Name — to fulfil the order and address you in support communications.
  • Delivery address — to ship your order.
  • Billing address — for fraud prevention and tax compliance.
  • Email address — for order confirmation, delivery notifications, support, and (with your consent or under the soft opt-in) marketing.
  • Phone number — for shipping notifications and contacting you about delivery issues. Optional except where the carrier requires it.
  • Order details — what you ordered, including any customisation choices, configuration preferences, and the device's serial / IMEI once dispatched.
  • Communications you send us — emails, support tickets, and any information you choose to include in them.

From you, only if you create an account

  • Account credentials — username and a securely hashed password (we never see or store your password in readable form).
  • Order history and saved preferences — kept inside your account so you can see your past orders.

From your payment provider (we do NOT collect or store these ourselves)

  • Payment is processed by Shopify Payments, Stripe, or PayPal depending on your selection. They handle card numbers, CVC codes, and bank details directly. We never see your full card number or bank details. We only receive a transaction reference, the amount, and a payment confirmation.

Automatically, when you visit our website

  • Device and browser information — IP address, browser type, operating system, screen size. Used for security, fraud prevention, and to make sure the site renders correctly.
  • Usage information — which pages you visited and broad navigation patterns. Used for site improvement only, and only via privacy-respecting analytics (see Section 5 on cookies).

From third parties

  • Carriers — delivery confirmations and tracking events (Royal Mail, Parcelforce, DHL, etc.).
  • Fraud-prevention services — risk signals on transactions to help us prevent fraudulent orders.
  • We do not purchase customer lists or buy enriched data about you from data brokers.

3. How We Use Your Information and Our Lawful Bases

Under UK GDPR Article 6 (as amended by the Data (Use and Access) Act 2025), every use of your personal information must have a lawful basis. Here is exactly what we do and why we are allowed to do it:

What we do Why Lawful basis
Process your order, take payment, ship the device, handle returns To perform the contract you entered into with us Contract (Art 6(1)(b))
Send order confirmations, shipping updates, support replies To perform the contract Contract (Art 6(1)(b))
Maintain accounting records, file VAT returns, retain invoices We are required to by HMRC and Companies Act 2006 Legal obligation (Art 6(1)(c))
Detect, investigate, and prevent fraud Necessary to protect us and our customers from financial loss Recognised legitimate interest under DUAA 2025 / Sch 4
Keep our website and systems secure To prevent unauthorised access, abuse, and attacks Recognised legitimate interest under DUAA 2025 / Sch 4
Send marketing emails about similar products We want to tell you about new products that may interest you Soft opt-in under PECR (existing customers, similar products, easy unsubscribe) — or your explicit consent if you've never bought from us
Improve our website using analytics To understand which pages work and which don't Legitimate interest (Art 6(1)(f)), with a statistical-only, low-risk basis aligned with the DUAA 2025 cookie reforms
Respond to legal requests, defend legal claims We are required to comply with valid legal process Legal obligation (Art 6(1)(c)) and legitimate interest (Art 6(1)(f))

We do not rely on consent as the lawful basis for any processing other than non-essential marketing and (where required) certain cookies. This is a deliberate choice: it means you don't lose access to essential services if you decline non-essential consents.

We do not carry out automated decision-making with legal or similarly significant effects on you. Fraud-prevention scoring is one input that may flag an order for human review — never an automated rejection.

4. Who We Share Your Information With

We share your personal information only with the parties below, and only the minimum each one needs:

  • Shopify Inc. (our hosting and e-commerce platform) — order, account, and website-usage data. Shopify is a US company; transfers are covered by Shopify's certification under the UK Extension to the EU-US Data Privacy Framework, and by the UK International Data Transfer Agreement.
  • Payment processors (Shopify Payments, Stripe, PayPal — depending on your chosen method) — transaction data only. Card details go directly to them, not via us.
  • Shipping carriers (Royal Mail, Parcelforce, DHL, UPS, and equivalents in your destination country) — your name, delivery address, phone number, and order weight/value as required for shipping and customs.
  • Customs authorities (HMRC and the equivalent in your destination country) — declarations required by law for international shipments.
  • Email and customer support tools (e.g. our outbound email provider) — to send you transactional and (where applicable) marketing email.
  • Fraud prevention services — risk-scoring signals on transactions.
  • Our accountants and professional advisors — under strict confidentiality, where they need access to perform their work.
  • Law enforcement, regulators, or courts — where we are required to disclose by valid legal process. We do not voluntarily disclose customer data to authorities.

We do not share your personal information with:

  • Advertising networks for cross-site profiling or retargeting.
  • Data brokers or list-sellers.
  • Affiliated marketers, social media targeting platforms, or "data enrichment" providers.
  • Any party in exchange for money or services in kind.

If we are ever involved in a corporate transaction such as a merger, acquisition, or insolvency, we may have to transfer customer records as part of the deal. If that happens, the receiving entity will be bound by this policy or a materially equivalent one, and we will tell you before any change in how your data is used.

5. Cookies and Similar Technologies

We use the minimum cookies necessary to run the site and a small number of analytics cookies to understand how the site is used.

Cookie categories we use:

  • Strictly necessary — needed for the website to work (e.g. shopping cart, login session, fraud prevention, security). These do not require your consent.
  • Functional — remember your preferences (e.g. language, currency). These are now low-risk under the Data (Use and Access) Act 2025 reforms and we provide an easy opt-out rather than requiring opt-in.
  • Analytics — first-party, statistical-only analytics to improve the site. We do not use these to identify individuals or share data with third-party ad networks. Under DUAA 2025, this category is exempt from the consent requirement provided we offer a clear opt-out (which we do).
  • Marketing / advertising cookieswe do not use these. No Facebook Pixel, no Google Ads conversion tracking, no third-party retargeting beacons.

You can manage your cookie preferences at any time through the cookie banner or your browser settings. We respect Global Privacy Control (GPC) signals — if your browser sends one, we will treat it as an opt-out request.

6. Our Relationship with Shopify

The website is hosted by Shopify. To run it, Shopify processes the personal data described above on our instructions, as our data processor. Shopify also offers some platform-level features (such as fraud analysis across the wider Shopify network) where Shopify itself acts as a data controller for limited purposes.

We have disabled the Shopify features that share your data with other merchants for marketing or audience-building purposes. This includes Shopify Audiences and equivalent cross-merchant data products. Your data stays with us and the processors listed in Section 4.

For more detail on Shopify's role, see: https://www.shopify.com/legal/privacy/customers.

7. International Data Transfers

Some of our service providers (notably Shopify) are based in the United States or process data outside the UK. Where personal data leaves the UK, we rely on one or more of the following safeguards required by Articles 44–49 of the UK GDPR:

  • UK Adequacy Regulations for transfers to countries the UK Government has determined offer an adequate level of protection (e.g. the EEA).
  • The UK Extension to the EU-US Data Privacy Framework for transfers to certified US recipients.
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses for other transfers, supported by a Transfer Risk Assessment.

If you would like a copy of the safeguards in place for any specific transfer, contact us at admin@privacyportal.co.uk.

8. Security

We apply technical and organisational measures appropriate to the sensitivity of the data and the risk of harm if it were exposed. These include:

  • Encryption in transit (TLS 1.2+) for all interactions with our website.
  • Encryption at rest for stored personal data on our hosted platform.
  • Secure password storage using modern hashing algorithms — we never see or store your password in readable form.
  • Access controls restricting which staff can see which data, and audit logging of access to customer records.
  • Two-factor authentication on administrative accounts.
  • Pseudonymisation of analytics data so it cannot be linked back to individual customers.
  • Vendor due diligence before engaging any new processor.

No security measure is perfect. If we ever discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commission within 72 hours and, where the risk is high, notify you directly without undue delay (UK GDPR Articles 33–34).

9. How Long We Keep Your Information

We keep personal data only for as long as we need it. Specifically:

Category Retention
Order and transaction records (including invoices) 6 years from the end of the financial year in which the order was placed (HMRC/Companies Act requirement)
Account information (where you have a registered account) Duration of the account, plus 12 months of inactivity, after which the account is anonymised
Customer support correspondence 24 months from last contact, unless retention is necessary for an ongoing dispute or legal claim
Marketing consent records Duration of consent + 24 months after withdrawal (to demonstrate the consent existed)
Email marketing list Until you unsubscribe
Cookies Per-cookie retention shown in the cookie banner. Most session cookies are deleted when you close the browser; persistent cookies expire within 12 months at the latest
Website analytics 14 months in pseudonymised form; raw IP addresses truncated within 30 days
Fraud-prevention records (including blocked transactions) 6 years (matching the time limit for fraud-related civil claims)

After the retention period expires, we either delete the data or irreversibly anonymise it for statistical purposes.

10. Your Data Protection Rights

Under UK GDPR (as amended by DUAA 2025), you have the rights below. We make them easy to exercise: just email admin@privacyportal.co.uk with what you want.

  • Right of access (Article 15) — get a copy of the personal data we hold about you, plus information about how we use it. We will respond within one calendar month, or up to three months for complex requests (we will tell you if we need more time and why). Following the DUAA 2025 reforms, our searches for your data will be reasonable and proportionate; we may ask you to clarify what you are looking for to give you a better answer.
  • Right to rectification (Article 16) — ask us to correct anything inaccurate or complete anything incomplete.
  • Right to erasure (Article 17, "right to be forgotten") — ask us to delete your data. We must keep some records for legal reasons (notably tax records for 6 years) but will delete everything else.
  • Right to restrict processing (Article 18) — ask us to pause certain uses while we resolve a query.
  • Right to data portability (Article 20) — get a copy of the data you have given us in a structured, commonly used, machine-readable format.
  • Right to object (Article 21) — object to processing based on our legitimate interests, including direct marketing. For direct marketing, this objection is absolute — we will stop, no questions asked.
  • Right to withdraw consent — for any processing based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
  • Rights related to automated decision-making (Articles 22A–22D, as inserted by DUAA 2025) — we do not currently make any decisions about you based solely on automated processing that have legal or similarly significant effects. If we ever do, we will tell you in advance and give you the right to obtain human intervention, contest the decision, and make representations.
  • Right to complain — as required by the DUAA 2025, you have the right to complain directly to us about how we handle your personal data. Email admin@privacyportal.co.uk; we will acknowledge within 30 days and resolve without undue delay. You also have the right to complain to the Information Commission at any time (see Section 12).

We will not discriminate against you for exercising any of these rights. We may need to verify your identity before responding (using information you have already provided to us — we will not ask for new identity documents unless absolutely necessary).

11. Children's Data

Our products and services are intended for adults. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal information, contact us at admin@privacyportal.co.uk and we will delete it.

In line with the Children's Higher Protection Matters added to UK GDPR Article 25 by DUAA 2025, where any part of our service might foreseeably be accessed by a child, we apply a higher standard of data protection by design and default — even though our service is not directed at children.

12. Complaints

If you are unhappy with how we have handled your personal information, please contact us first at admin@privacyportal.co.uk. We take complaints seriously and will work to resolve any issue.

You also have the right to complain at any time to the UK supervisory authority:

Information Commission (formerly the Information Commissioner's Office, renamed under DUAA 2025) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Helpline: 0303 123 1113 Website: https://ico.org.uk

If you live in the EEA, you may complain to the supervisory authority in your country of residence.

13. Changes to This Policy

We may update this policy from time to time as our practices, services, or the law change. The "Last Updated" date at the top of the policy will always tell you when it was last revised. For significant changes, we will provide a prominent notice on our website and (where appropriate) by email.

Changes do not have retrospective effect on the lawful bases relied on at the time of earlier processing.

14. Contact

PrivacyPortal Ltd 16 Commerce Square Lace Market Nottingham NG1 1HS United Kingdom

  • Email (privacy enquiries and rights requests): admin@privacyportal.co.uk
  • Phone: +44 115 772 0519 (Mon–Fri, 9am–5pm GMT)

For the purposes of UK GDPR and the Data Protection Act 2018, PrivacyPortal Ltd is the data controller of your personal information.

This policy has been drafted in compliance with the UK General Data Protection Regulation, the Data Protection Act 2018, the Data (Use and Access) Act 2025 (provisions in force from 5 February 2026), the Privacy and Electronic Communications Regulations 2003, and current Information Commission guidance.