This Privacy Policy explains how Glazie Ltd ("we", "us") collects and uses personal information when you use this website. We are the controller of your personal data for the purposes of UK GDPR and the Data Protection Act 2018.
1. What we collect
- Account information: name, email, phone, optional company name, password (stored as a hash).
- Order information: items, dimensions, specification, delivery/collection address, postcode, customer notes, PO reference (optional).
- Payment information: handled directly by Stripe. We store only the payment intent reference, not the full card number. See Stripe's privacy notice at stripe.com/privacy.
- Communication: emails we send you (subject + send status + body hash) and operational logs for delivery troubleshooting.
- Cookies and similar technologies: see our Cookie Notice.
2. Why we use it
- To process your order, deliver the goods, and provide customer support.
- To send order, invoice, and review-window emails (legal basis: performance of contract).
- To meet our legal obligations (tax records, consumer-rights records).
- To improve the website and protect against fraud and abuse (legal basis: legitimate interests).
- To offer optional features such as saved quotes and order reordering (legal basis: performance of contract or consent).
3. Who we share it with
- Stripe — payment processing.
- Resend (or our configured email provider) — sending transactional email.
- Google Maps / Places API — used to help with address entry when configured. Google receives the address text you type. [Confirm with legal] the exact data flow.
- Our hosting provider — for site operation.
- HMRC and other authorities — where the law requires.
We do not sell your personal data.
4. How long we keep it
- Account: until you ask us to delete it.
- Orders, invoices, and transaction records: at least 6 years for tax purposes.
- Operational logs (webhook events, email logs, cron runs): up to [LOG_RETENTION_DAYS] days.
- Quotes you did not convert into orders: until they expire (currently 7 days after creation).
5. Your rights under UK GDPR
You have the right to:
- Ask for a copy of the personal data we hold about you (right of access).
- Have inaccurate data corrected (rectification).
- Have data deleted in certain circumstances (erasure).
- Object to or restrict certain types of processing.
- Withdraw consent at any time where we rely on consent.
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
You can exercise the right of access and the right of erasure from your account. Today these are also available as the endpoints GET /api/v1/my-account/privacy (export your data) and DELETE /api/v1/my-account/privacy (anonymise your account). [Confirm with legal] the wording and decide whether to expose explicit "Download my data" and "Delete my account" buttons in the customer account UI.
6. Contact
Email sales@glazie.co.uk for any privacy question. Our data protection contact is [DPO_OR_CONTACT_NAME], [DPO_OR_CONTACT_EMAIL].