Privacy Policy

1. Introduction and Data Controller

CloudRest Pillows Ltd is the data controller responsible for your personal information. We are registered in the United Kingdom and our registered office is located at 42 Portland Place, London, W1B 1NB, United Kingdom. Our company registration number is GB12345678. For all privacy-related inquiries, you may contact our Data Protection Officer at [email protected] or write to us at the address above.

This Privacy Policy applies to all personal data we collect through our website, email communications, customer service interactions, and any other touchpoints where you provide information to us. By using our services, you acknowledge that you have read and understood this policy and consent to the data processing activities described herein, where consent is the appropriate legal basis.

2. What Personal Data We Collect

We collect various types of personal data depending on how you interact with our website and services. The categories of data we collect include:

• Identity Data: Your full name, title, date of birth (if provided), and gender preferences for product recommendations.
• Contact Data: Your email address, postal address, telephone number, and billing address.
• Transaction Data: Details of products you have purchased, order history, payment amounts, delivery information, and transaction identifiers.
• Technical Data: Your IP address, browser type and version, operating system, device type, time zone setting, browser plug-in types and versions, and other technology on the devices you use to access our website.
• Usage Data: Information about how you use our website, including pages visited, time spent on pages, links clicked, search queries entered, and the website that referred you to us.
• Marketing and Communications Data: Your preferences for receiving marketing communications from us and your communication preferences.
• Cookie Data: Information collected through cookies and similar tracking technologies, as detailed in our Cookie Policy section below.

We do not knowingly collect special categories of personal data (such as health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, or data concerning sexual orientation) unless you voluntarily provide such information and we have a lawful basis to process it. We do not collect data from children under the age of 16 without verifiable parental consent.

3. How We Collect Your Data

We collect personal data through several methods during your interactions with CloudRest Pillows:

• Direct Interactions: When you create an account, place an order, subscribe to our newsletter, fill out a contact form, participate in surveys, request customer support, or communicate with us via email, phone, or live chat.
• Automated Technologies: As you navigate our website, we automatically collect technical and usage data through cookies, server logs, and similar tracking technologies. This includes information about your browsing behavior, device characteristics, and interaction patterns.
• Third-Party Sources: We may receive data about you from analytics providers such as Google Analytics, advertising networks like Google Ads and Meta Ads, payment processors such as Stripe and PayPal, and fraud prevention services. We also use social media platforms to understand customer demographics and preferences.
• Publicly Available Sources: We may supplement our records with information from publicly available sources such as company registries or address verification services to ensure accuracy of delivery information.

4. Legal Basis for Processing (GDPR Article 6)

Under GDPR, we must have a lawful basis to process your personal data. We rely on the following legal grounds:

• Consent (Article 6(1)(a)): You have given clear consent for us to process your personal data for specific purposes, such as sending marketing emails or using non-essential cookies. You may withdraw consent at any time.
• Contract Performance (Article 6(1)(b)): Processing is necessary to fulfill our contractual obligations to you, including processing orders, delivering products, and providing customer service.
• Legal Obligation (Article 6(1)(c)): We must process your data to comply with legal obligations, such as tax reporting, accounting requirements, and responding to lawful requests from authorities.
• Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate business interests, such as fraud prevention, network security, improving our services, and conducting business analytics, provided these interests do not override your fundamental rights and freedoms.

5. How We Use Your Personal Data

We use your personal data for the following purposes:

• Order Processing and Fulfillment: To process your orders, arrange delivery, handle returns and refunds, and communicate with you about your purchases.
• Customer Service: To respond to your inquiries, provide technical support, resolve complaints, and improve our customer service quality.
• Marketing Communications: To send you promotional emails, newsletters, and special offers about our products and services, but only where you have consented to receive such communications or where we have a legitimate interest to do so and you have not opted out.
• Website Improvement and Personalization: To analyze how visitors use our website, identify popular products, optimize user experience, and personalize content and product recommendations based on your browsing history and preferences.
• Fraud Prevention and Security: To detect and prevent fraudulent transactions, protect against unauthorized access, and ensure the security of our systems and customer data.
• Legal Compliance: To comply with our legal obligations, including tax and accounting requirements, and to respond to lawful requests from regulatory authorities or law enforcement.
• Business Analytics: To understand customer demographics, purchasing patterns, and market trends, enabling us to improve our product offerings and business operations.

6. Data Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, accounting, or reporting requirements. Our specific retention periods are:

• Contact Form Submissions: 2 years from the date of submission, unless you request earlier deletion.
• Customer Account Data: For the duration of your account's active status plus 3 years after account closure, unless legal obligations require longer retention.
• Order and Transaction Data: 7 years from the transaction date to comply with UK tax and accounting laws.
• Marketing Consent Records: Until you withdraw consent, plus an additional 3 years to demonstrate compliance with data protection laws.
• Website Analytics Data: 26 months from the date of collection, in accordance with Google Analytics default settings.
• Cookie Data: Essential cookies expire when you close your browser; analytics cookies expire after 13 months; marketing cookies expire after 13 months or when you clear your browser cache.
• CCTV Footage (if applicable at events): 30 days unless required for security investigations.

After the retention period expires, we securely delete or anonymize your personal data so that it can no longer identify you. You may request earlier deletion by exercising your right to erasure, subject to legal exceptions.

7. Data Sharing and Third-Party Recipients

We share your personal data with carefully selected third-party service providers who assist us in operating our business. These recipients are contractually obligated to protect your data and use it only for the specific purposes we authorize. The categories of recipients include:

• Payment Processors: Stripe, PayPal, and other secure payment gateways process your payment information to complete transactions. They comply with PCI-DSS standards.
• Shipping and Delivery Partners: Courier services such as Royal Mail, DHL, and DPD receive your name and delivery address to ship products to you.
• Cloud Hosting Providers: Amazon Web Services (AWS) and similar infrastructure providers host our website and store data securely on servers located in the UK and EU.
• Email Service Providers: Mailchimp or similar platforms manage our email marketing campaigns and deliver newsletters to subscribers who have opted in.
• Analytics and Advertising Platforms: Google Analytics, Google Ads, Meta Pixel (Facebook/Instagram), and similar tools help us understand website performance and deliver targeted advertising. These platforms may collect data about your browsing behavior across multiple websites.
• Customer Support Tools: Zendesk or similar helpdesk software manages customer inquiries and support tickets, storing communication history for service improvement.
• Fraud Prevention Services: Third-party security providers analyze transaction data to detect and prevent fraudulent activity.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. All third-party processors are required to implement appropriate technical and organizational measures to protect your data and process it only in accordance with our instructions and applicable data protection laws.

8. International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom and the European Economic Area (EEA). However, some of our third-party service providers may be located outside the UK and EEA, including in the United States. When we transfer your data internationally, we ensure appropriate safeguards are in place to protect your information:

• Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with third-party processors located outside the EEA to ensure your data receives an adequate level of protection.
• Adequacy Decisions: Where the European Commission has determined that a country provides adequate data protection (such as certain approved jurisdictions), we may transfer data to those countries.
• Data Processing Agreements: All international data processors sign comprehensive data processing agreements that include security commitments, breach notification obligations, and audit rights.

You have the right to request information about the safeguards we have in place for international transfers and to obtain a copy of the relevant transfer mechanisms by contacting our Data Protection Officer at [email protected].

9. Your Data Protection Rights (GDPR Articles 15-22)

Under GDPR and UK data protection law, you have the following rights regarding your personal data:

• Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how we use it, who we share it with, how long we retain it, and the source of the data.
• Right to Rectification (Article 16): If your personal data is inaccurate or incomplete, you have the right to request correction or completion of the information.
• Right to Erasure / Right to be Forgotten (Article 17): In certain circumstances, you have the right to request deletion of your personal data, such as when it is no longer necessary for the purpose it was collected, when you withdraw consent, or when we have no legal grounds to continue processing.
• Right to Restriction of Processing (Article 18): You can request that we temporarily restrict how we use your data while we verify its accuracy, determine the lawfulness of processing, or while you object to processing.
• Right to Data Portability (Article 20): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Right to Withdraw Consent: Where we rely on consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, if you believe we have not handled your data properly. Contact the ICO at ico.org.uk or call 0303 123 1113.

To exercise any of these rights, please contact our Data Protection Officer at [email protected] or write to us at 42 Portland Place, London, W1B 1NB, United Kingdom. We will respond to your request within one month, though this may be extended by two additional months for complex requests. We may require proof of identity before processing your request to protect against unauthorized access to your data.

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze website performance, and deliver personalized content and advertisements. Cookies are small text files stored on your device when you visit our website. We use the following types of cookies:

• Essential Cookies: These cookies are necessary for the website to function properly. They enable core functionality such as security, network management, shopping cart operations, and user authentication. You cannot opt out of essential cookies as the website will not work without them. Duration: Session-based (deleted when you close your browser).
• Analytics Cookies: We use Google Analytics and similar tools to understand how visitors interact with our website, which pages are most popular, and where improvements can be made. These cookies collect aggregated, anonymized data that cannot identify you personally. Duration: 13 months.
• Marketing and Advertising Cookies: These cookies track your browsing activity across websites to deliver personalized advertisements and measure the effectiveness of our marketing campaigns. We use Google Ads, Meta Pixel (Facebook/Instagram), and similar platforms. Duration: 13 months.
• Functionality Cookies: These cookies remember your preferences such as language selection, region, and font size to provide enhanced, personalized features. Duration: 12 months.

You can manage your cookie preferences through our cookie consent banner when you first visit the website or by adjusting your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling cookies may affect the functionality of our website and your user experience. To learn more about cookies and how to control them, visit www.aboutcookies.org or www.allaboutcookies.org.

11. Data Security Measures

We implement robust technical and organizational security measures to protect your personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure. Our security practices include:

• Encryption: All data transmitted between your browser and our servers is encrypted using SSL/TLS protocols (HTTPS). Payment information is encrypted and processed through PCI-DSS compliant payment gateways.
• Access Controls: Access to personal data is restricted to authorized personnel who require it to perform their job duties. All employees sign confidentiality agreements and receive data protection training.
• Secure Infrastructure: Our servers are hosted in secure data centers with physical security controls, fire suppression systems, and 24/7 monitoring. We use firewalls, intrusion detection systems, and regular security audits.
• Regular Backups: We maintain regular encrypted backups of data to prevent loss and ensure business continuity in case of technical failure.
• Vulnerability Management: We conduct regular security assessments, penetration testing, and software updates to identify and remediate potential vulnerabilities.

While we strive to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but will notify you and the relevant supervisory authority within 72 hours if we become aware of a data breach that poses a risk to your rights and freedoms.

12. Children's Privacy

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children without verifiable parental consent. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at [email protected] so we can delete the information. We are committed to protecting the privacy of children and complying with all applicable laws regarding children's data protection, including the Children's Online Privacy Protection Act (COPPA) where applicable.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will notify you by prominently posting a notice on our website homepage and updating the "Last Updated" date at the top of this policy. For significant changes that affect how we process your data, we may also send you an email notification to the email address associated with your account, where we have a lawful basis to do so. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our website after changes have been posted constitutes your acceptance of the updated policy. If you do not agree with the changes, you should stop using our services and contact us to exercise your data protection rights.

14. Contact Information and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us using the details below:

We aim to respond to all privacy inquiries within 5 business days and to fulfill data subject access requests within one month. If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection: