Privacy Policy

This Privacy Policy explains how Gluten Free Yourself Ltd (trading as "GF Yourself!") ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use our website, subscribe to our gluten-free subscription box service, or otherwise interact with us.

1. Information We Collect

We collect the following types of personal information:

• Account Information: Name, email address, telephone number, and password.
• Delivery Information: Delivery address(es), including for Northern Ireland, Scottish Highlands, Islands, and Channel Islands where applicable.
• Payment Information: Payment card details and billing address (processed securely through our payment processor).
• Subscription Information: Subscription preferences, dietary requirements, product selections, order history, and cancellation/pause requests.
• Communication Records: Records of correspondence with our customer service team, including emails and any feedback you provide.
• Technical Information: IP address, browser type and version, device information, and cookies (see our Cookie Policy for more details).
• Marketing Preferences: Your consent to receive marketing communications from us.

2. How We Use Your Information

We use your personal information for the following purposes:

• Service Delivery: To process and fulfil your subscription orders, including arranging delivery of your monthly boxes.
• Account Management: To create and manage your account, process payments, and handle subscription changes (pausing, resuming, or cancelling).
• Customer Service: To respond to your enquiries, resolve issues, and provide support.
• Improvement of Services: To analyse usage patterns, improve our website, products, and services, and develop new offerings.
• Marketing Communications: To send you promotional emails, newsletters, and special offers (only with your consent, which you can withdraw at any time).
• Legal Compliance: To comply with legal obligations, prevent fraud, and protect our business interests.

3. Legal Basis for Processing

Under UK GDPR and the Data Protection Act 2018, we process your personal data based on the following legal grounds:

• Contractual Necessity: To fulfil our contract with you (processing your subscription and delivering products).
• Legitimate Interests: To improve our services, prevent fraud, and manage our business operations.
• Consent: For marketing communications and non-essential cookies.
• Legal Obligation: To comply with legal and regulatory requirements.

4. How We Share Your Information

We do not sell your personal information. We may share your data with the following third parties:

• Delivery Partners: We share delivery information with courier and postal services (including specialist carriers for offshore deliveries) to fulfil your orders.
• Payment Processors: We use secure third-party payment processors to handle transactions. We do not store your full payment card details.
• Service Providers: We work with trusted service providers for hosting, email communications, customer support, and analytics.
• Legal Requirements: We may disclose your information if required by law, court order, or to protect our rights and safety.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new owner.

5. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required by law. Specifically:

• Active subscriptions: We retain your data for the duration of your subscription and for a reasonable period afterwards to handle any queries or claims.
• Cancelled accounts: We retain transaction and order history for up to 7 years for accounting and tax purposes.
• Marketing data: We retain your marketing preferences until you withdraw consent or become inactive for a reasonable period.

6. Your Rights

Under UK data protection law, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data (subject to legal retention requirements).
• Right to Restrict Processing: Request that we limit how we use your data.
• Right to Data Portability: Request a copy of your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Withdraw your consent for marketing communications or cookies at any time.

To exercise any of these rights, please contact us at hello@gfyourself.co.uk. We will respond to your request within one month.

7. Security

We implement appropriate technical and organisational measures to protect your personal information from unauthorised access, loss, misuse, or disclosure. These include:

• Secure servers and encrypted connections (SSL/TLS)
• Access controls and password protection
• Regular security assessments and updates

While we take security seriously, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but will notify you and relevant authorities of any data breach where legally required.

8. International Transfers

Your personal information is primarily stored and processed within the United Kingdom. If we transfer data outside the UK or EEA, we will ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions.

9. Cookies

Our website uses cookies to enhance your experience, analyse site traffic, and remember your preferences. You can manage cookie settings through your browser. For more information, please see our separate Cookie Policy.

10. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

11. Children's Privacy

Our services are not intended for children under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by email or through a prominent notice on our website. The "Last Updated" date at the top of this policy indicates when it was last revised.

13. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal information, please contact us:

14. Complaints

If you are unhappy with how we have handled your personal information, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):