Privacy Policy

Last updated 03 September 2024

At Field & Flower we take the privacy of our customers seriously. This privacy policy outlines how we collect and use personal information you might provide us. Please read this document carefully.

From 25th May 2018, your personal data will be protected by the EU General Data Protection Regulation (also known as GDPR) and the UK Data Protection Act 2018. We refer to these pieces of legislation as “data protection laws” in this policy.

Field & Flower is the Data Controller of the personal information we hold about you.

We will only process your personal information as set out in this privacy policy, or otherwise notified and agreed to by you, or as we are permitted to do in accordance with data protection laws.

You acknowledge and agree that where you provide personal data about someone else to us, you have obtained that person’s consent for us to process this information in accordance with that purpose and in accordance with this privacy policy, for example if you are purchasing items as a gift for another individual or entering another individual’s personal information as part of our recommend-a-friend scheme.

This privacy policy only applies to the collection of your personal data by us and the use of that data by us. It does not cover third-party websites to which we provide links, nor does it cover advertisers. We encourage you to review third-party policies if available when you visit those sites.

We may update this privacy policy from time to time, so you should periodically check this page for changes.

1. What is personal information?
2. Why do we need your personal information?
3. When do we collect your personal information?
4. What information do we collect?
5. What information don’t we collect?
6. What legal basis do we have for processing your data?
7. Who receives the information we collect?
8. Where do we store your information?
9. For how long do we store your information?
10. Your rights under data protection laws
11. Your other rights under data protection laws
12. Cookies & other technologies
13. Contact

1. What is personal information?

Personal information, or personal data, refers to any information relating to an identifiable person who can be directly or indirectly identified by that information. It does not refer to anonymous or pseudo-anonymous data where personal information has been removed and a person cannot be directly or indirectly identified.

2. Why do we need your personal information?

In general we need your personal information to:
• Put together your orders and deliver them to your chosen delivery address.
• Verify your identity and payment details and take payment for your order.
• Communicate with you about your account, order or delivery.
• Provide you with information relating to our products and services.
• Operate the website and provide customer service.
• Investigate any issues with our website, your account, order or delivery.
• Personalise your experience of the website and our services.
• Administer competition prizes.
• Monitor website performance, behaviour and usage.
• Monitor marketing and service communication performance.
• Send you information about new products, services, promotions or special offers.
• Send you information about related goods or services of selected third parties that may be of interest to you.
• Show personalised advertisements to you on third-party websites.
• Meet legal, regulatory and compliance requirements.

3. When do we collect your personal information?

In general we collect your personal information when you:
• Create an account with us.
• Make an online purchase.
• Sign up for our email newsletter.
• Engage with us on social media.
• Contact us with any questions, queries or complaints.
• Enter competitions.
• Complete our surveys.
• Fill out any forms on our website.
• Leave us product reviews or company reviews.
• Visit our website.

4. What information do we collect?

• Information you give us: Personal information you give us when using our website, filling in forms, making a purchase, signing up for our email newsletter, or corresponding with us by phone, email or via social networks. This information can include names, billing addresses, delivery addresses, telephone numbers, email addresses and payment details. This information can directly identify you.
• Information we collect about you: Technical information we automatically collect when you visit and browse our website. This information can include browser types, the country where your computer is located, web pages viewed, page interaction information, IP addresses, user IDs, session IDs, transaction IDs, and operating systems. None of this information can be used to directly identify you as a person and no information will automatically be collected that can directly identify you. Most of this data is collected by our analytics platform, Google Analytics. We also collect technical information via tracking pixels in our email newsletters. This technical information includes IP addresses, operating systems and device information, along with performance metrics such as the time and date when the email was received, opened or clicked.
• Information we receive from other sources: Information we receive from third parties, such as advertising networks and analytics providers. This information can include general, aggregated demographic information such as age, gender, location, and interests. None of this information can be used to directly identify you.

5. What information don’t we collect?

We do not process any special categories of personal data, meaning data revealing: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; data concerning your health, sex life or sexual orientation; data relating to criminal convictions or offences.

6. What legal basis do we have for processing your data?

The data protection laws set out a number of reasons for which a company may collect and process your personal data, including:
• Consent: In specific situations, we collect and process your data with your consent. For example, when you complete a survey or leave a product review.
• Contractual obligations: In certain circumstances we need your personal data to comply with our contractual obligations. For example, if you order products from us we’ll collect your address details and pass them to our courier.
• Legal compliance: If the law requires us to, we may need to collect and process your personal data. For example, passing on the details of people involved in criminal activity.
• Legitimate interest: In specific situations, we require your data to pursue our legitimate interest in a way which would reasonably be expected as part of running our business and which does not impact your rights, freedoms or interests. For example, we will use your purchase history or preferences to offer you personalised promotions.

Here’s how we process and use your personal data or information we collect about you, why we use it, and what our legal basis is for each:
• To process any orders that you make by using our website: If we don’t collect your personal data during checkout, we won’t be able to process your order and comply with our legal obligations. The legal basis on which we process your personal data in this way is contractual obligation.
• To respond to your queries or complaints: Handling your personal information enables us to respond to you and record such communication to inform any further correspondence with you. The legal basis on which we process your personal data in this way is contractual obligation.
• To protect our business and your account from fraud: We’ll use your personal data to maintain, update and safeguard your account. We’ll also use your browsing activity and delivery address checks to identify potentially fraudulent transactions. The legal basis on which we process your personal data in this way is legitimate interest.
• To process payments: We use your personal details to process payments for orders you make. The legal basis on which we process your personal data in this way is contractual obligation.
• To perform payment security checks: We might use your personal data to perform security checks on your payment details when authorising payment or employ Dynamic 3D Secure authentication technology to protect against fraud. The legal basis on which we process your personal data in this way is legitimate interest.
• To send you relevant, personalised communications in relation to updates, offers, promotions, services and products: We’ll use your preferences, purchase history, browsing history, and personal details to send you information we think you would be interested in receiving. The legal basis on which we process your personal data in this way is legitimate interest.
• To send you our email newsletter: We’ll use the personal information supplied to us to send you email communications about Field & Flower news, products or offers. The legal basis on which we process your personal data in this way is legitimate interest.
• To monitor email newsletter performance: We’ll use tracking pixels in our email newsletter and email communications in order to monitor performance and user interactions. The technical data collected can include IP address, device, operating system, and engagement metrics such as the date and time an email was received, opened, clicked or replied to. The legal basis on which we process your personal data in this way is legitimate interest.
• To tell you about improvements to our service and current offers: We may use your personal details to contact you via telephone or post to tell you about recent improvements to our service and any current offers you may be interested in. The legal basis on which we process your personal data in this way is legitimate interest.
• To send you communications required by law or which are necessary: We will use your personal information to send you information of updates to this privacy policy, product recalls, or service messages such as order confirmations. The legal basis on which we process your personal data in this way is contractual obligation.
• To administer any of our prize draws or competitions: We will use your personal information to send you information on prize or competition winners. The legal basis on which we process your personal data in this way is consent.
• To develop, test and improve our website, services and products: We will use automatically collected information, as outlined in the ‘Information we collect about you’ section above, to help us understand how visitors use the website and our services. The legal basis on which we process your personal data in this way is legitimate interest.
• To comply with our contractual or legal obligations to share data with law enforcement: We will use your personal data and share it with law enforcement agencies or a court of law. The legal basis on which we process your personal data in this way is legal compliance.
• To send you survey, feedback and review requests to help improve our services: We will use your personal data to send you surveys and feedback or review requests to help improve our services and your experience as a customer. The legal basis on which we process your personal data in this way is legitimate interest.
• To decide what information to show you: We will use your personal data or technical information automatically collected to decide on which offers and products to show you on our website or in our email communications. The legal basis on which we process your personal data in this way is legitimate interest.
• To share your details with third parties providing a service: We will share your personal data with third parties who are required to fulfil our contractual commitments to you in connection with your orders, such as couriers and suppliers. The legal basis on which we process your personal data in this way is contractual obligation.
• To provide products or send communication to others: Where you have provided personal data about another person, such as when you send a gift to someone else, we need to process this data in order to provide our service to the other person or people. This will include sharing their details with third parties as outlined above. The legal basis on which we process your personal data in this way is legitimate interest.
• To make our website better: We may use your personal data or technical information automatically collected to improve your experience on our website, such as showing you more relevant products, offers or information, or hiding content you have informed us you don’t wish to see. The legal basis on which we process your personal data in this way is legitimate interest.
• Automated processing: We may carry out automated processing in order to tailor your experience of our website, such as automatically collecting information about your browsing habits and purchase history to promote relevant products or services. The data used to carry out this processing will be technical information automatically collected and this information will not be able to directly identify you as a person. This profiling will not have a significant impact on you or produce any legal effects. The legal basis on which we process your personal data in this way is legitimate interest.
• To show you personalised advertising: We may use personal or technical data we have about you or your visit to the website, such as pages or products viewed, to show you personalised advertising, including remarketing advertisements, on third-party websites. The legal basis on which we process your personal data in this way is legitimate interest. If you’d like to stop receiving personalised advertisements there are a number of ways to do so via the major third-party advertising websites: Google, Bing, and Facebook. There are also more options for you to control the advertisements you see on third-party websites in the “10. Your rights under data protection laws” section.
• To show relevant advertising to similar individuals: We may use your personal data (name and email) to find similar users on third-party websites, such as Facebook, and show them relevant advertisements. Personal data shared in this way is never readable by third parties and is securely hashed so no one can see your personal data. The legal basis on which we process your personal data in this way is legitimate interest.
• If our business is sold: We will transfer your personal data to a third party if Field & Flower or its assets are acquired by said third party, in which case personal data held by us will be one of the assets transferred to the purchaser. The legal basis on which we process your personal data in this way is legitimate interest to ensure our business can be continued by a purchaser. If you object to our use of your personal data in this way, the relevant purchaser of our business may not be able to provide our service to you.

We will not sell, rent or share your personal data with any third parties in any manner which hasn’t been outlined above without your explicit consent. If you wish to change how we use your data, you’ll find details in the “10. Your rights under data protection laws” section.

7. Who receives the information we collect?

Your personal data is shared by us with third party recipients that include:
• Business partners and suppliers for the performance of any contract we enter into with you, such as DPD and Packfleet (our couriers), Adyen (our payment provider), Magento (our web platform), Klaviyo (our email platform), etc.
• Analytics and search engine providers that assist us in the improvement and optimisation of our website and marketing communications, such as Google, Bing, etc.
• The purchaser of Field & Flower if the business is sold so they can provide our services to you.
• Any law enforcement agencies or court of law if we are under a duty to disclose or share your personal information in order to comply with any legal obligations, or in order to enforce or apply our Terms and Conditions, or to protect the rights, property, or safety of Field & Flower, our customers, staff, or others.
• Any other third parties for the purposes of fraud protection and credit risk reduction.

We are not responsible for the privacy policies or practices of third party recipients of your personal data. Please read any information those parties provide you about how and why they process your personal data and what legal basis they have for doing so.

Where we pass your personal information to third parties providing a service necessary for us to meet our contractual obligation to you, those third parties have provided sufficient guarantees that your personal information will be protected and the use of that personal information will meet the requirements of the data protection laws.

8. Where do we store your information?

All information you provide us is stored on secure servers. Any payment transactions are encrypted using PCI compliant technology. We have implemented strict measures designed to secure your personal information from accidental loss, unauthorised access, alteration and disclosure. Information you provide us is transmitted using SSL or TLS encryption to keep your data safe. Although we do our best to protect your personal data, Field & Flower cannot guarantee the security of data transmitted via the internet. Any transmission is at your own risk.

9. For how long do we store your information?

• Where you create an account or purchase products from us, we will retain your data for a period of five (5) years after the goods were delivered, the account set up, or the services performed, to ensure that we are able to assist you should you have any questions or feedback in relation to our products or services and to protect or defend our legal rights.
• Where you have consented to receive marketing communications from us we may contact you every two (2) years after you gave consent to ensure you are happy to continue receiving such communication. If you tell us you no longer wish to receive said communications, your personal data will be removed from our lists.
• Where we have processed your data for any other reason (such as where you have contacted us with a query in connection with our products or services), we will retain your data for two (2) years after you contacted us.
• Where we have automatically collected non-aggregated technical data (such as Session IDs, User IDs, etc.) we will retain your data for twenty-six (26) months before it is permanently removed.

10. Your rights under data protection laws

At any time you have the right to:
• Object to us processing your personal data where we are processing your data based on our legitimate interest. If you ask us to stop processing your personal data on this basis, we will stop processing your personal data unless we can demonstrate compelling grounds as to why the processing should continue in accordance with data protection laws.
• Withdraw consent for us to process your personal data where we are processing your data based on your consent.

If you would like us to stop processing your personal data in a specific way, you can let us know what process you object to by emailing [email protected]. Please note that withdrawing consent for a specific processing of your data might limit your ability to use the website or our ability to provide our services to you.

Please note that opting out of personalised ads doesn’t mean you will stop seeing advertisements online – you’ll simply see non-personalised “generic” advertisements instead.

11. Your other rights under data protection laws

Right of access: You have the right to receive confirmation on whether your personal data is being processed by us and how we’re using that personal data. You have the right to access your personal data which we are processing. You can exercise this right for free. However, under data protection laws we are entitled to refuse to process your request, or to charge a fee, if we feel the request is manifestly unfounded or excessive. We will endeavour to respond to all requests for access to personal data within one (1) month. However, where requests are complex or numerous we will aim to respond and comply within a further two (2) months. Where an extension is required, we will inform you of this within one (1) month of receiving your original request and explain why the extension is necessary.

Right of rectification: You have the right to have us rectify any inaccurate personal data we hold about you. You have the right to have incomplete personal data we hold about you completed with information you wish to provide. We take reasonable steps to check the accuracy of any information you provide us under this right and correct it where requested.

Right of restriction: You have the right to restrict our processing of personal data where:
• The accuracy of the data is being contested by you.
• You consider the processing of your data to be unlawful.
• We are processing your data on the basis of our legitimate interest.
• You object to the processing of your data on the basis of our legitimate interest.

Where any exercise by you of your right to restriction determines that our processing of particular personal data is to be restricted, we will then only process the relevant personal data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.

Right of data portability: You have the right to receive your personal data in a structured, standard machine-readable format and the right to transmit such personal data to another controller.

Right of erasure: You have the right to require we erase your personal data which we are processing where:
• The processing of that data is no longer necessary in relation to the purposes for which your personal data was collected or otherwise originally processed.
• You have withdrawn your consent and there is no other legal ground we can use to process your data.
• You object to the processing of your personal data and we have no overriding legitimate interest for our processing.
• The personal data has been unlawfully processed.
• The erasure is required for compliance with a law to which we are subject.

On verification of your request for erasure, please note that we will endeavour to erase the relevant data as quickly as possible and aim to comply with your request within one (1) month. However, where requests are complex or numerous we will aim to respond and comply within a further two (2) months. Where an extension is required, we will inform you of this within one (1) month of receiving your original request and explain why the extension is necessary.

You can exercise these rights by contacting us directly at [email protected].

If you would like more information on the data protection laws and your rights, you can visit the Information Commissioner’s Office (ICO) website. If you would like to lodge a complaint about the data processing activities carried out by Field & Flower you can do so by raising your concerns with the ICO. You can also raise your concerns with us directly at [email protected] so we can resolve any issues you may have.

12. Cookies & other technologies

We use cookies on www.fieldandflower.co.uk and you should refer to our separate Cookie Policy for more information.

This site may contain links to other sites, as well as objects or elements controlled by third parties such as social networks, partner networks, advertisers and other third parties. For example, we might use a plug-in to connect our website to social networks such as Facebook or Twitter. If you interact with these objects or elements (usually identified by the social network’s logo) your browser may send technical data relating to you (which cannot identify you directly), such as User ID, site behaviour, etc. Such information will be processed, owned and operated by these third parties according to their privacy policies.

We do not have access to or control over objects or elements controlled by third party websites, nor any responsibility for how the information they collect is used by said third parties. Please read any information those third parties provide you about how and why they process your personal data and what legal basis they have for doing so.

13. Contact

If you have any questions regarding this privacy policy, please contact us using the details on our Contact Us page or by emailing [email protected].