Privacy Policy 

Title

Last updated: January 2026

1. Introduction 

Topiary Twins Ltd ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website (www.topiarytwins.co.uk) and purchase our products.

 

Who we are:

  • Company name: Topiary Twins Ltd
  • Registered in England and Wales
  • Company number: 16920489
  • Registered office: 124 City Road, London, EC1V 2NX
  • Contact: hello@topiarytwins.co.uk

We are the data controller responsible for your personal data. This means we determine how and why your data is processed.

2. The Data We Collect 

We collect and process the following types of personal data:

 

2.1 Information You Provide Directly

 

When you place an order:

  • Full name
  • Email address
  • Delivery address
  • Billing address (if different)
  • Telephone number
  • Payment information (processed securely by our payment provider)

When you create an account:

  • Full name
  • Email address
  • Password (encrypted)
  • Order history
  • Saved addresses

When you contact us:

  • Name
  • Email address
  • Telephone number (if provided)
  • Message content
  • Any attachments (photos, documents)

When you book a consultation:

  • Name
  • Email address
  • Telephone number
  • Preferred consultation time
  • Information about your requirements (doorway dimensions, preferences, etc.)

When you subscribe to our newsletter:

  • Email address
  • Name (optional)
  • Communication preferences

2.2 Information We Collect Automatically

 

When you visit our website:

  • IP address
  • Browser type and version
  • Device type (desktop, mobile, tablet)
  • Operating system
  • Pages visited and time spent on pages
  • Referring website
  • Date and time of visit
  • Cookie data (see Section 8)

When you make a purchase:

  • Order details (products, quantities, prices)
  • Order date and time
  • Payment method used
  • Delivery tracking information
  • Communication history related to your order

2.3 Information from Third Parties

 

Payment providers: We receive confirmation of successful payments from Shopify Payments, PayPal, Klarna, and other payment processors. We do not store your full card details—these are handled securely by our payment providers.

 

Delivery couriers: We receive delivery confirmation, tracking updates, and proof of delivery information from our courier partners.

 

Marketing platforms: If you interact with our marketing emails or social media, we may receive engagement data (email opens, clicks, social media interactions).

3. How We Use Your Data 

We use your personal data for the following purposes:

 

3.1 To Fulfil Your Orders

 

Legal basis: Contract performance (necessary to fulfil our contract with you)

  • Process and dispatch your order
  • Arrange delivery with our couriers
  • Send order confirmations and updates
  • Provide customer service and support
  • Handle returns, refunds, and complaints
  • Send pre-dispatch photos of your plants

3.2 To Communicate with You

 

Legal basis: Contract performance and legitimate interests (providing good customer service)

  • Respond to your enquiries and requests
  • Provide aftercare advice and plant health support
  • Send transactional emails (order confirmations, dispatch notifications, delivery updates)
  • Request feedback on your purchase experience

3.3 To Improve Our Service

 

Legal basis: Legitimate interests (improving our products and services)

  • Analyse website usage to improve user experience
  • Understand customer preferences and buying patterns
  • Develop new products and services
  • Improve our delivery and fulfilment processes
  • Monitor and improve customer service quality

3.4 For Marketing (With Your Consent)

 

Legal basis: Consent (you can opt out at any time)

  • Send marketing emails about new products, offers, and content
  • Send care guides and seasonal advice
  • Share relevant content from our Journal
  • Notify you about restocks or new arrivals

You can unsubscribe at any time by clicking the unsubscribe link in any marketing email or contacting us at hello@topiarytwins.co.uk.

 

3.5 For Legal and Compliance Purposes

 

Legal basis: Legal obligation and legitimate interests (protecting our business)

  • Comply with legal and regulatory requirements
  • Prevent and detect fraud
  • Maintain plant health records and traceability
  • Respond to legal requests and court orders
  • Enforce our terms and conditions
  • Protect our rights and property

4. Data Sharing & Disclosure 

We share your personal data only when necessary and only with trusted partners who help us operate our business. We never sell your data to third parties.

 

4.1 Service Providers

 

Shopify (E-commerce Platform)

  • Purpose: Website hosting, order processing, payment processing
  • Data shared: All order and account information
  • Location: Canada (EU-US Data Privacy Framework certified)
  • Privacy policy: shopify.com/legal/privacy

Payment Processors (Shopify Payments, PayPal, Klarna)

  • Purpose: Secure payment processing
  • Data shared: Name, billing address, payment details
  • Location: Various (all GDPR-compliant)
  • Your payment card details are never stored by us—handled directly by payment providers

Delivery Couriers

  • Purpose: Delivering your orders
  • Data shared: Name, delivery address, telephone number, order contents
  • Location: UK-based courier partners

Email Service Provider 

  • Purpose: Sending transactional and marketing emails
  • Data shared: Name, email address, order history (for personalisation)
  • Location: USA (EU-US Data Privacy Framework certified)

Customer Service Tools 

  • Purpose: Managing customer enquiries and support tickets
  • Data shared: Name, email, order history, communication content
  • Location: USA (EU-US Data Privacy Framework certified)

Analytics Providers (Google Analytics)

  • Purpose: Website usage analysis
  • Data shared: Anonymised browsing data, IP address (anonymised)
  • Location: USA (EU-US Data Privacy Framework certified)
  • You can opt out using browser extensions or cookie settings

4.2 Legal Requirements

 

We may disclose your data if required by law, regulation, legal process, or government request, including to:

  • Comply with court orders or subpoenas
  • Respond to requests from law enforcement
  • Protect our rights, property, or safety
  • Prevent fraud or illegal activity
  • Enforce our terms and conditions

4.3 Business Transfers

 

If we're involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the new owner. We'll notify you before your data is transferred and becomes subject to a different privacy policy.

5. International Data Transfers 

Some of our service providers are based outside the UK and European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place:

 

Adequacy decisions: We transfer data to countries recognised by the UK government as providing adequate data protection (e.g., EU member states, Canada).

 

Standard Contractual Clauses: For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).

 

EU-US Data Privacy Framework: Some US-based providers are certified under the EU-US Data Privacy Framework, providing appropriate safeguards for data transfers.

 

You can request more information about international transfers and safeguards by contacting us at hello@topiarytwins.co.uk.

6. Data Retention 

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law.

 

6.1 Retention Periods

 

Customer account data:

  • Active accounts: Retained while your account is active
  • Inactive accounts: Deleted after 3 years of inactivity (you'll be notified before deletion)

Order data:

  • Purchase records: Retained for 7 years (UK tax and accounting requirements)
  • Delivery information: Retained for 2 years (for warranty and guarantee claims)
  • Payment transaction data: Retained for 7 years (financial regulations)

Marketing data:

  • Newsletter subscribers: Retained until you unsubscribe
  • Marketing consent records: Retained for 3 years after consent withdrawn (to prove compliance)

Customer service communications:

  • Support tickets and emails: Retained for 3 years (for service improvement and dispute resolution)

Website analytics:

  • Anonymized browsing data: Retained for 26 months (Google Analytics default)

Plant health and traceability records:

  • Retained for 3 years (plant health regulations)

6.2 Deletion

 

When retention periods expire, we securely delete or anonymize your data. You can request earlier deletion by exercising your right to erasure (see Section 9).

7. Data Security 

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it.

 

7.1 Security Measures

 

Technical safeguards:

  • SSL/TLS encryption for all data transmitted via our website
  • Secure password hashing (encrypted, not stored in plain text)
  • Regular security updates and patches
  • Restricted access to personal data (employees and contractors on a need-to-know basis)
  • Secure data backups

Organisational safeguards:

  • Staff training on data protection and security
  • Confidentiality agreements with employees and contractors
  • Regular security audits and assessments
  • Incident response procedures

Payment security: We do not store your full payment card details. All payment processing is handled by PCI-DSS compliant payment providers (Shopify Payments, PayPal, Klarna).

 

7.2 Your Responsibility

 

Protect your account:

  • Choose a strong, unique password
  • Don't share your password with anyone
  • Log out after using shared devices
  • Contact us immediately if you suspect unauthorised access

7.3 Data Breaches

 

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours
  • Notify affected individuals without undue delay
  • Take immediate steps to contain and remedy the breach

8. Cookies & Tracking Technologies 

We use cookies and similar technologies to improve your experience on our website.

 

8.1 What Are Cookies?

 

Cookies are small text files stored on your device when you visit a website. They help the website remember your preferences and understand how you use the site.

 

8.2 Types of Cookies We Use

 

Essential cookies (strictly necessary):

  • Session management (keeping you logged in)
  • Shopping cart functionality
  • Payment processing
  • Security and fraud prevention

These cookies are necessary for the website to function and cannot be disabled.

 

Performance cookies:

  • Google Analytics (anonymised usage statistics)
  • Page load time monitoring
  • Error tracking

Functional cookies:

  • Language preferences
  • Remembering your choices (e.g., cookie consent)
  • Accessibility settings

Marketing cookies (with your consent):

  • Facebook Pixel (if used for advertising)
  • Google Ads conversion tracking
  • Email marketing tracking (open rates, click rates)

8.3 Managing Cookies

 

Browser settings: You can control cookies through your browser settings. Most browsers allow you to:

  • View and delete cookies
  • Block all cookies
  • Block third-party cookies only
  • Get a warning before a cookie is stored

Note: Blocking all cookies may affect website functionality (e.g., you won't be able to add items to your basket).

 

Cookie consent: When you first visit our website, you'll see a cookie banner. You can accept all cookies, accept only essential cookies, or customize your preferences.

 

You can change your cookie preferences at any time by clicking the "Cookie Settings" link in our footer.

 

8.4 Third-Party Cookies


 

Some cookies are placed by third-party services that appear on our pages (e.g., Google Analytics, payment providers). We don't control these cookies—refer to the third party's privacy policy for information about their cookies.

9. Your Rights 

Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:

 

9.1 Right of Access

 

You have the right to request a copy of the personal data we hold about you. This is known as a "Subject Access Request" (SAR).

We'll provide this information free of charge within one month of your request. If your request is complex or you've made multiple requests, we may extend this period by two months or charge a reasonable fee.

 

9.2 Right to Rectification

 

You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings or by contacting us.

 

9.3 Right to Erasure ("Right to be Forgotten")

 

You have the right to request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent (where processing was based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • The data was processed unlawfully
  • Deletion is required to comply with a legal obligation

Note: We may be unable to delete data if we have a legal obligation to retain it (e.g., financial records for tax purposes).

 

9.4 Right to Restriction of Processing

 

You have the right to request that we restrict processing of your data in certain circumstances:

  • You contest the accuracy of the data (until we verify accuracy)
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing (pending verification of legitimate grounds)

9.5 Right to Data Portability

 

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transfer it to another controller.

This right applies when:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

9.6 Right to Object

 

You have the right to object to processing of your personal data in certain circumstances:

  • Processing based on legitimate interests (unless we demonstrate compelling legitimate grounds)
  • Direct marketing (you can opt out at any time)
  • Processing for research or statistical purposes

9.7 Rights Related to Automated Decision-Making

 

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you.

 

We do not currently use automated decision-making or profiling that would significantly affect you.

 

9.8 Right to Withdraw Consent

 

Where processing is based on consent, you have the right to withdraw consent at any time. This won't affect the lawfulness of processing before withdrawal.

You can withdraw consent for marketing by:

  • Clicking "unsubscribe" in any marketing email
  • Updating preferences in your account settings
  • Contacting us at hello@topiarytwins.co.uk

9.9 How to Exercise Your Rights

 

To exercise any of these rights, contact us at:

  • Email: hello@topiarytwins.co.uk
  • Subject line: "Data Rights Request"
  • Include: Your name, email address, and details of your request

We may need to verify your identity before processing your request. We'll respond within one month (extendable to three months for complex requests).

 

No charge: Exercising your rights is free of charge unless your request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request.

10. Children's Privacy 

Our website and services are not intended for children under 16. We do not knowingly collect personal data from children under 16.

 

If you're under 16, please do not provide any personal data through our website. If we become aware that we've collected data from a child under 16 without parental consent, we'll take steps to delete it as quickly as possible.

 

If you believe we've collected data from a child under 16, please contact us immediately at hello@topiarytwins.co.uk.

11. Marketing Communications 

11.1 How We Use Your Data for Marketing

 

With your consent, we'll send you marketing communications about:

  • New products and collections
  • Special offers and promotions
  • Seasonal care advice and planting tips
  • Content from our Journal (design inspiration, care guides)
  • Restocks and availability updates

11.2 How to Opt Out

 

You can opt out of marketing at any time by:

  • Clicking "unsubscribe" at the bottom of any marketing email
  • Updating your preferences in your account settings
  • Contacting us at hello@topiarytwins.co.uk

Note: Even if you opt out of marketing, we'll still send transactional emails necessary for your orders (order confirmations, dispatch notifications, delivery updates).

 

11.3 Soft Opt-In

 

If you've purchased from us or enquired about our products, we may send you marketing about similar products under "soft opt-in" rules. You can opt out at any time using the methods above.

12. Third-Party Links 

Our website may contain links to third-party websites (e.g., social media, recommended pot suppliers, care resources). We're not responsible for the privacy practices of these websites.

 

When you leave our website, we encourage you to read the privacy policy of every website you visit. This Privacy Policy applies only to www.topiarytwins.co.uk.

13. Contact Us 

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

 

Email: hello@topiarytwins.co.uk
Subject line: "Privacy Enquiry"

 

By post:
Topiary Twins Ltd
124 City Road
London
EC1V 2NX
United Kingdom

 

Response time: We aim to respond to all enquiries within 48 hours (Monday-Friday, 9am-5pm).

14. Complaints  

If you're not satisfied with how we've handled your personal data or responded to your data rights requests, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

 

ICO Contact Details:

Website: ico.org.uk
Helpline: 0303 123 1113
Live chat: Available on the ICO website

 

By post:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

 

We'd appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first at hello@topiarytwins.co.uk.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make significant changes, we'll:

  • Update the "Last updated" date at the top of this policy
  • Notify you by email (if you have an account or are subscribed)
  • Display a prominent notice on our website

We encourage you to review this Privacy Policy periodically. Continued use of our website after changes indicates acceptance of the updated policy.

 

The current version is always available at www.topiarytwins.co.uk/pages/privacy-policy.

This Privacy Policy was last updated in January 2026 and complies with UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.