Privacy Policy

1. Who we are and scope of this policy

This Privacy Policy explains how BoxCantonese collects, uses, discloses, and protects your personal data when you visit or use the website available at https://www.boxcantonese.co.uk (the “Site”). It applies to visitors and users in the United Kingdom and, where applicable, the European Economic Area (EEA).

For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), BoxCantonese is the “controller” of your personal data collected through the Site. Where you are in the EEA, we process your personal data in accordance with the EU GDPR when it applies.

2. Data we collect

We collect personal data that you provide directly, data collected automatically, and data we receive from third parties:

  • Data you provide: name, email address, and any information you include when you contact us (e.g., via contact forms), sign up to newsletters, request information, post comments (where available), or otherwise communicate with us.
  • Account details (where available): username, password, preferences, and profile information if you create an account on the Site.
  • Transactional data (if you purchase products or services): order details, billing details, and payment status. Card payments, if offered, are processed by third‑party payment providers; we do not receive your full card number or security code.
  • Usage and technical data: IP address, device identifiers, browser type and version, time zone, operating system, pages viewed, referring/exit pages, clickstream data, and interaction with the Site. This may be collected via cookies and similar technologies.
  • Cookies and similar technologies: information from cookies, pixels, tags, and local storage as described in Section 5.
  • Social media and embedded content: if you interact with social media features or embedded content on the Site, the relevant platform may share limited data with us in accordance with its own privacy practices.

The Site is not intended for children under 13, and we do not knowingly collect personal data from children under 13.

3. Purposes of processing

We use your personal data for the following purposes:

  • To operate and provide the Site: enabling browsing, features, account creation and login (where available), and customer support.
  • To respond to your requests: answering enquiries, providing information, and managing communications.
  • To send you updates and marketing: sending newsletters or marketing communications when you have opted in, and enabling you to unsubscribe at any time.
  • To process transactions: handling orders, payments, and related administration (if purchases are available).
  • To improve the Site: monitoring performance, fixing errors, developing new features, and analyzing usage (including through analytics cookies where you have consented).
  • To maintain security: preventing fraud, abuse, and security incidents, and protecting the integrity of our systems.
  • To comply with legal obligations: record‑keeping, responding to lawful requests, enforcing our terms, and establishing or defending legal claims.

4. Legal bases for processing

We process personal data under the following legal bases:

  • Consent: for non‑essential cookies/analytics, direct marketing by email or similar electronic means, and other activities where we ask for and you grant consent. You may withdraw consent at any time.
  • Contract: to provide requested services or information, manage your account, and process transactions you initiate.
  • Legitimate interests: to operate, secure, and improve the Site, prevent misuse, and communicate with you about our services (other than direct marketing by electronic means where consent is required). We balance these interests against your rights and freedoms.
  • Legal obligation: to comply with applicable laws, regulatory requirements, and lawful requests.

5. Cookies and similar technologies

Cookies are small text files placed on your device. We use:

  • Strictly necessary cookies: required for the Site to function (e.g., security, network management, basic functionality). These do not require consent.
  • Preferences/functional cookies: to remember your settings and enhance your experience (used only where necessary or with your consent).
  • Analytics/performance cookies: to understand how visitors use the Site and improve performance. These are used only with your consent.
  • Advertising/targeting cookies: to deliver and measure ads if such features are enabled. These are used only with your consent.

You can control cookies by:

  • Using the cookie choices presented when you first visit the Site. To revisit them, clear cookies in your browser so that the choices are displayed again.
  • Adjusting your browser settings to accept, refuse, or delete cookies. Browser “Help” pages explain how to manage cookies.

Disabling non‑essential cookies may affect certain features. Third‑party services and embedded content may also set their own cookies; their privacy practices apply.

6. Sharing your personal data

We share personal data only as necessary for the purposes described above:

  • Service providers (processors): website hosting, content delivery networks, security and anti‑abuse tools, analytics providers, email and newsletter platforms, customer support tools, and payment processors. These providers act on our instructions and are bound by appropriate contractual obligations.
  • Professional advisers: legal, compliance, or accounting advisers where needed.
  • Authorities and legal disclosures: to comply with laws, enforce our terms, or protect rights, property, and safety.
  • Business transfers: in connection with a reorganisation, merger, or similar event, subject to applicable data protection safeguards.

We do not sell your personal data.

7. International data transfers

Your personal data may be transferred outside the UK and EEA where our service providers or partners are located. When we do so, we ensure appropriate safeguards are in place, such as:

  • Adequacy regulations/decisions: transfers to countries recognized as providing an adequate level of protection.
  • Appropriate safeguards: the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.
  • Certified recipients: where applicable, transfers to US recipients certified under the UK Extension to the EU‑U.S. Data Privacy Framework.

You can obtain more information about these safeguards by contacting us as described in Section 11.

8. Data retention

We keep personal data only for as long as necessary for the purposes set out in this Policy, including to meet legal, accounting, or reporting requirements. Typical retention periods are:

  • Account information (where applicable): for the life of the account and up to 6 years after closure.
  • Communications and enquiry records: up to 3 years after the last interaction.
  • Transactional records (if purchases are available): up to 6 years for tax and legal purposes.
  • Analytics data: up to 25 months, or as configured by the analytics tool with your consent.
  • Technical logs for security: up to 12 months, unless a longer period is required to investigate incidents.
  • Marketing preferences: until you withdraw consent or opt out, after which we may retain a suppression record to honor your choice.

Where deletion is not feasible (for example, due to backup systems), we will securely store and isolate the data from further processing until deletion is possible.

9. Data security

We implement appropriate technical and organisational measures designed to protect personal data, including access controls, encryption in transit, secure configurations, monitoring, and staff awareness. No system is completely secure; if we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authority as required by law.

10. Your rights

Subject to conditions and exemptions under applicable law, you have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure: request deletion of your data in certain circumstances.
  • Restriction: ask us to restrict processing in certain cases.
  • Portability: receive data you provided to us in a structured, commonly used, machine‑readable format and request we transmit it to another controller where technically feasible.
  • Object: object to processing based on our legitimate interests, and to direct marketing at any time.
  • Withdraw consent: withdraw your consent where processing is based on consent (this does not affect processing before withdrawal).

To exercise your rights, contact us as set out in Section 11. We may need to verify your identity to process your request. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO). Contact details: ico.org.uk, telephone 0303 123 1113, or write to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

11. Data protection contact

BoxCantonese is not required to appoint a Data Protection Officer. For any questions about this Policy or to exercise your data protection rights, please contact the BoxCantonese privacy team via the contact form available on the Site at https://www.boxcantonese.co.uk. Please include sufficient details to help us identify you and respond to your request.

12. Children’s privacy

The Site is not directed to children under 13. If you believe a child under 13 has provided personal data to us, please contact us so we can take appropriate action, including deletion where appropriate.

13. Automated decision‑making

We do not carry out automated decision‑making, including profiling, that produces legal or similarly significant effects about you. If this changes in the future, we will provide you with meaningful information about the logic involved and the significance and envisaged consequences, as required by law.

14. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements, or for other operational reasons. We will post the updated version on this page and update the effective date below. Your continued use of the Site after the effective date constitutes your acceptance of the updated Policy.

Effective date: 14 December 2025