Privacy Policy
Effective date: 1 January 2026. Rose & Bloom Florists Ltd (registered in England and Wales) is committed to protecting your privacy and complying with the UK GDPR and Data Protection Act 2018.
1. Who we are and how to contact us
Rose & Bloom Florists Ltd acts as the data controller for personal data collected through our website and in our studio. Our registered studio address is 14 Brook Street, London, W1K 5EL, United Kingdom. For data protection enquiries please contact our Data Protection Representative by email at [email protected] or by phone on +44 20 7123 4567. If you prefer written correspondence, send a letter to the studio address above and address it to the Data Protection Representative. We aim to respond to data requests promptly and in accordance with statutory timescales. If you have a privacy concern you may also contact the Information Commissioner’s Office (ICO) in the UK; details on how to raise a concern with the ICO are available on their website. We keep records of data requests and their outcomes for accountability and continuous improvement of our privacy procedures.
2. Personal data we collect
We collect personal data you provide directly to us when you place an order, subscribe to a newsletter, complete a contact form, request a quotation, or book a consultation. This includes your name, email address, phone number, billing and delivery address, and any details you provide about an event or order preferences. We also collect technical data automatically when you visit our website, such as IP address, browsing behaviour, device type and cookies used to improve site functionality and performance. Where you consent, we may also process marketing preferences, which enable us to send promotional emails or offers. For event and installation work we may record additional details such as venue contact names, access instructions, guest numbers and required delivery times; these details are necessary to provide the contracted services. We never collect special category data (sensitive personal data) unless you explicitly provide it and request appropriate handling—for example, if you note accessibility needs for an event. Where we hold personal data about children for workshop bookings we require confirmation that a parent or guardian has provided consent for the child’s data to be processed.
3. How we use personal data and lawful bases
We use personal data to fulfil contractual obligations (for example, processing and delivering orders, providing consultations, arranging installations), to comply with legal obligations (financial records and tax requirements), and to pursue legitimate interests such as improving our services, maintaining customer relationships and preventing fraud. Where we send marketing communications, we rely on consent; you may withdraw consent at any time without affecting the lawfulness of earlier processing. Where photography or images are taken at events and you or your guests are identifiable, we will seek consent for editorial or promotional use. For enquiries we use contact details to respond and keep a record of the communication. We do not sell personal data to third parties. When we share data with trusted service providers (for example, payment processors, delivery partners, email platforms) we perform due diligence and ensure contracts require appropriate technical and organisational safeguards to protect your data. If we need to process data for a purpose beyond those listed we will notify you and, where required by law, seek your consent before doing so.
4. Cookies and analytics
Our website uses cookies and similar technologies to provide essential site functionality and to improve your experience. Essential cookies enable navigation and certain secure features. Performance and analytics cookies (e.g. aggregated usage statistics) help us understand how visitors use the site so we can improve pages and services. Marketing cookies are used only with your consent to deliver personalised offers and to measure campaign effectiveness. The cookie consent control presented at the bottom-right of our site allows you to accept or reject non-essential cookies. You may also control cookies via your browser settings, but blocking essential cookies may affect site functionality. Our analytics provider is configured to aggregate and anonymise data where possible. Please contact us at [email protected] if you would like a full list of cookies currently in use and their retention periods.
5. How long we retain your data
We keep personal data only for as long as is necessary for the purposes described in this policy and to comply with legal and tax obligations. Order and transactional records are retained for six years to satisfy HMRC and accounting requirements. Marketing preferences are stored until you withdraw consent. Contact enquiry records are kept for up to two years unless a longer retention is justified (for example, ongoing disputes or invoices). For event clients we retain key project files for up to seven years to help with anniversary orders and to ensure consistency for returning clients. We periodically review our retention schedules and securely delete or anonymise data when it is no longer required.
6. Your rights and exercising them
Under UK data protection law you have rights including the right to access personal data we hold about you, request correction of inaccuracies, request erasure (subject to legal and contractual restrictions), restrict or object to processing in certain circumstances, and request portability of data provided in a structured format. To exercise these rights please contact [email protected] with a clear description of your request and sufficient detail to locate the records. We will respond within one month in most cases; complex requests may require additional time and we will inform you if an extension is necessary. If you are not satisfied with our response you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK. We encourage you to contact us first so we may attempt to resolve your concern directly.
7. Security and third-party services
We implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss, misuse or alteration. These measures include encrypted connections (TLS) for data in transit, access controls for staff systems, and routine security reviews. We work with third-party processors (for example, payment gateways, delivery providers, email platforms and analytics providers). Where personal data is shared with processors we use written contracts that set out data handling, confidentiality and security obligations, and we require processors to only act on our documented instructions. Some processors may be located outside the UK; where international transfers occur we ensure appropriate safeguards such as UK adequacy decisions, standard contractual clauses or other lawful transfer mechanisms are in place to protect data consistent with UK requirements.
8. Changes to this policy
We may update this Privacy Policy from time to time to reflect operational changes or new legal requirements. When significant changes occur we will highlight them on the site and update the effective date at the top of this page. Continued use of our services after we publish changes means you accept the updated policy. For material changes we will, where appropriate, seek consent for new processing activities and provide advance notice to affected users.
9. Contact and further information
If you have questions about this policy or wish to exercise a data subject right, contact our Data Protection Representative: Rose & Bloom Florists Ltd, 14 Brook Street, London, W1K 5EL, United Kingdom; email [email protected]; phone +44 20 7123 4567. For independent advice or to make a complaint you may contact the Information Commissioner’s Office (ICO). We are committed to transparency and will provide reasonable assistance to help you understand how we process and protect your personal data.