Privacy Policy
Cellar Concierge
Our Privacy Policy was last updated on [DATE].
1. Who We Are
Cellar Concierge ("we," "us," "our") is a wine consultancy and online retailer based in London, United Kingdom. We are committed to protecting your personal data and handling it in a transparent and lawful way.
Data Controller:
Cellar Concierge
[Registered Company Name]
[Registered Address]
[Company Registration Number]
Email: [contact email]
Phone: [phone number]
We are registered with the Information Commissioner's Office (ICO). ICO Registration Number: [XXXXXXXX]
2. What Data We Collect
We collect and process the following categories of personal data:
Identity Data: Full name, date of birth (required for age verification).
Contact Data: Email address, phone number, postal address.
Transaction Data: Details of products or services purchased, payment reference numbers (we do not store full card numbers).
Technical Data: IP address, browser type, device type, pages visited, cookies and similar tracking technologies.
Profile Data: Your preferences, interests, and feedback where voluntarily provided (for example, your palate profile shared during a consultation).
Age Verification Data: Date of birth and, where applicable, verification data processed via our third-party age verification partner.
Communications Data: Emails, enquiry forms, and any records of correspondence with us.
3. How We Collect Your Data
We collect data directly from you when you:
Create an account or place an order on our website
Complete our age verification check at checkout
Book a consultation, tasting, or event service
Subscribe to our newsletter or marketing communications
Contact us by email or through our contact form
Leave a review or respond to a survey
We also collect data automatically via cookies and analytics tools when you browse our website.
4. Our Lawful Basis for Processing
Processing Activity: Lawful Basis
Processing your order and arranging delivery: Performance of a contract
Age verification at checkout and delivery: Legal obligation (Licensing Act 2003)
Fraud prevention and security: Legitimate interests
Sending transactional emails (order confirmation, dispatch): Performance of a contract
Sending marketing emails and newsletters: Consent
Improving our website and services: Legitimate interests
Accounting, tax, and legal compliance: Legal obligation
5. How We Use Your Data
We use your personal data to:
Process and fulfil your orders, including coordinating delivery and age verification
Manage your account and respond to your enquiries
Send you transactional communications (order confirmations, dispatch notices)
Send you marketing communications, where you have given consent
Personalise our wine recommendations based on your stated preferences
Comply with our legal obligations, including licensing law and HMRC requirements
Prevent fraud and ensure the security of our website
Improve and develop our website, products, and services
6. Sharing Your Data
We do not sell your personal data. We share your data only where necessary with the following categories of trusted third parties, all of whom are bound by confidentiality obligations and, where required, Data Processing Agreements (DPAs):
Payment processors (e.g., Stripe, PayPal): to securely process payments
Delivery and courier partners: to arrange dispatch and delivery, including the transmission of your name, address, and the age verification requirement
Age verification providers: to verify that you are 18 years of age or over
Email marketing platforms (e.g., Mailchimp): to send newsletters and marketing communications (only where you have consented)
Website analytics providers (e.g., Google Analytics): to help us understand how visitors use our website
IT and hosting providers: to operate and maintain our website and systems
Professional advisers: including accountants, solicitors, and insurers, where strictly necessary
We may also disclose your personal data where required to do so by law, court order, or a regulatory authority.
7. International Data Transfers
Some of our third-party service providers operate outside the United Kingdom. Where we transfer your data to countries not deemed to provide an adequate level of protection under UK GDPR, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or reliance on an ICO adequacy decision.
8. Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law.
Data Type: Retention Period
Order and transaction records: 6 years (HMRC tax compliance)
Age verification records: 3 years (licensing compliance)
Account data: Duration of account, plus 2 years after last activity
Marketing consent records: Until consent is withdrawn, plus 1 year
Enquiry and correspondence records: 3 years
Website analytics data: 26 months
9. Cookies
Our website uses cookies to improve your browsing experience. We use the following types of cookies:
Strictly necessary cookies: Essential for the website to function (e.g., your shopping basket, age gate session).
Analytics cookies: Help us understand how visitors interact with our website (e.g., Google Analytics). These are only placed with your consent.
Marketing cookies: Used to show you relevant content and advertisements. These are only placed with your consent.
You can manage your cookie preferences at any time via our Cookie Settings banner. For more information, please see our full [Cookie Policy].
10. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
Right to be informed: The right to know how your data is used (this policy).
Right of access: The right to request a copy of the personal data we hold about you (a Subject Access Request).
Right to rectification: The right to have inaccurate data corrected.
Right to erasure ("right to be forgotten"): The right to request deletion of your data, subject to legal retention obligations.
Right to restrict processing: The right to request that we limit how we use your data.
Right to data portability: The right to receive your data in a structured, machine-readable format.
Right to object: The right to object to processing based on legitimate interests or for direct marketing purposes.
Rights related to automated decision-making: The right not to be subject to solely automated decisions that significantly affect you.
To exercise any of these rights, please contact us at [contact email]. We will respond to all requests within one calendar month.
11. Marketing Communications
If you have given us consent to send you marketing communications, you can withdraw that consent at any time by:
Clicking the "Unsubscribe" link in any of our marketing emails
Emailing us at [contact email]
Withdrawal of consent will not affect the lawfulness of any processing carried out before the withdrawal.
12. Data Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or disclosure. These measures include encrypted data transmission (SSL/TLS), secure server hosting, and strict access controls.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours as required by law, and will notify you without undue delay where the breach is likely to result in a high risk to your rights.
13. Children
Our website is intended for adults aged 18 and over only. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it.
14. Links to Other Websites
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting a notice on our website or by email where appropriate. The "Last updated" date at the top of this policy will always reflect the most recent version.
16. How to Complain
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first at [contact email].