Privacy Policy

Last updated: March 2026

1. Controller and contact details

The data controller responsible for your personal data in connection with this website is:

Thiphroxslyxao
9-11 Broadway
London SW1H 0AZ
United Kingdom

Email: community@thiphroxslyxao.world
Phone: +44 20 7222 1828

If you have questions about this policy or your personal data, please contact us using the details above.

2. Legal basis and applicable law

This Privacy Policy describes how we collect, use, store and protect your personal data. It is written to comply with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018 (DPA 2018)
• Privacy and Electronic Communications Regulations 2003 (PECR), as amended

We process personal data only where we have a lawful basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests, as set out in the UK GDPR.

3. Personal data we collect

We may collect and process the following categories of personal data:

3.1 Data you provide

• Identity and contact data: name, email address, telephone number (if provided), delivery address.
• Transaction data: order details, payment-related information (handled by our payment providers; we do not store full card numbers).
• Communications: content of messages you send via contact forms, email or phone.

3.2 Data collected automatically

• Technical and usage data: IP address, browser type and version, device type, operating system, referring URL, pages visited, date and time of access. This may be collected via cookies and similar technologies where you have consented or where strictly necessary. See our Cookie Policy for details.

4. Purposes and lawful bases for processing

We use your data for the following purposes and on the following legal bases:

• Order fulfilment and customer service: to process orders, deliver products, handle returns and refunds, and respond to enquiries. Lawful basis: performance of a contract; legitimate interests (efficient customer service).
• Communications: to send order and delivery confirmations, and to reply to your messages. Lawful basis: performance of a contract; consent where we send marketing.
• Legal and regulatory compliance: to comply with applicable laws (e.g. tax, consumer rights, product safety). Lawful basis: legal obligation.
• Website operation and security: to run and secure our website, prevent fraud and abuse, and improve our services. Lawful basis: legitimate interests.
• Analytics and improvement: where you have consented to analytics cookies, we may use data to understand how the site is used and to improve it. Lawful basis: consent.
• Marketing: only where you have given clear consent, we may send you information about our products and offers. You can withdraw consent at any time. Lawful basis: consent.

5. Retention periods

We keep your data only for as long as necessary for the purposes above:

• Order and transaction data: typically 7 years from the end of the financial year in which the transaction occurred, for legal and tax compliance.
• Customer service and correspondence: for the duration of the enquiry and for a reasonable period afterwards (e.g. up to 3 years) for reference and dispute resolution.
• Marketing consent and preferences: until you withdraw consent or object, and then we retain a minimal record that you have opted out to honour your choice.
• Technical and access logs: as required for security and troubleshooting, typically up to 12 months unless a longer period is required by law.
• Cookie-related data: as set out in our Cookie Policy.

After the retention period, we securely delete or anonymise your data so it can no longer identify you.

6. Your rights under UK GDPR

You have the following rights in relation to your personal data:

• Right of access: you can request a copy of the personal data we hold about you (subject to certain exceptions).
• Right to rectification: you can ask us to correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”): in certain circumstances you can ask us to delete your data.
• Right to restrict processing: in certain circumstances you can ask us to limit how we use your data.
• Right to data portability: where processing is based on contract or consent and is carried out by automated means, you can ask to receive your data in a structured, commonly used format.
• Right to object: you can object to processing based on legitimate interests or to direct marketing at any time.
• Right to withdraw consent: where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint: you have the right to complain to the supervisory authority. In the UK this is the Information Commissioner’s Office (ICO): ico.org.uk.

To exercise any of these rights, contact us using the details in section 1. We will respond within one month, subject to any extension where requests are complex or numerous. We may need to verify your identity before processing a request.

7. Data sharing and recipients

We may share your data with:

• Service providers: payment processors, delivery and logistics partners, email and hosting providers, and IT support, who act on our instructions and are bound by data processing agreements where required.
• Professional advisers: lawyers, accountants or insurers where necessary for our legitimate business or legal obligations.
• Public authorities: where we are required to do so by law (e.g. HMRC, courts, or regulators).

We do not sell your personal data. If we transfer data outside the UK, we ensure appropriate safeguards (e.g. adequacy decisions, standard contractual clauses) are in place as required by UK law.

8. Security measures

We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure or destruction, including:

• Use of HTTPS and secure connections for data in transit.
• Access controls and authentication so only authorised personnel can access personal data.
• Regular review of our systems and practices.
• Contractual and security requirements for third-party processors.

No method of transmission or storage is completely secure. We will notify you and the ICO of a personal data breach where we are required to do so by law.

9. Children

Our website and services are not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top will be revised. We encourage you to review this page periodically. Where changes are significant, we may notify you by email or a notice on the website.

11. How to contact us

For any questions about this Privacy Policy or your personal data:

Thiphroxslyxao
9-11 Broadway, London SW1H 0AZ, United Kingdom
Email: community@thiphroxslyxao.world
Phone: +44 20 7222 1828