Privacy Policy

This Privacy Policy explains how Bump & Breathe ("we", "us", "our") collects, uses, and protects your personal data when you visit bumpandbreathe.com or make a purchase from us. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Bump & Breathe is a UK‑based sole trader creating pregnancy‑safe scent balms.

Contact: info@bumpandbreathe.com
Website: bumpandbreathe.com

For any data-related queries, please contact us at the email address above. As a small business, we do not have a formal Data Protection Officer, but we take your privacy seriously and will respond to all enquiries promptly.

2. What Personal Data We Collect

We may collect the following types of personal data:

2.1 Data You Provide Directly

• Name and email address (when placing an order or contacting us)
• Delivery address and billing address
• Phone number (if provided at checkout)
• Payment information (processed securely by Shopify — we never see or store your full card details)
• Any messages you send us via email or contact forms

2.2 Data Collected Automatically

• IP address
• Browser type and version
• Device type
• Pages visited and time spent on site
• Referring URL
• Approximate location (derived from IP address)

2.3 Data Collected via Third Parties

• Shopify — order data, checkout data, and customer account information
• Google Analytics — anonymised usage and behaviour data
• Shopify Payments / payment providers — transaction data for fraud prevention

3. Why We Collect Your Data & Our Lawful Basis

We collect and process your data for the following purposes:

• To process and fulfil your order — including sending confirmation, dispatch, and delivery notifications. Lawful basis: contract performance
• To handle returns, refunds, or complaints — Lawful basis: contract performance and legal obligation
• To improve our website — using anonymised analytics data to understand how visitors use the site. Lawful basis: legitimate interests
• To prevent fraud — using IP address and device data to detect and prevent fraudulent transactions. Lawful basis: legitimate interests
• To comply with legal obligations — such as tax records and accounting requirements. Lawful basis: legal obligation
• To respond to your enquiries — when you contact us directly. Lawful basis: legitimate interests

We do not use your data for automated decision-making or profiling. We do not sell your data to third parties.

4. How Long We Keep Your Data

• Order data — retained for 7 years to comply with HMRC tax record requirements
• Customer account data — retained until you request deletion
• Analytics data — retained in anonymised form for up to 26 months (Google Analytics default)
• Contact enquiries — retained for up to 2 years, then deleted

5. Who We Share Your Data With

We only share your data with trusted third parties where necessary:

• Shopify Inc. — our ecommerce platform, which processes orders and payments on our behalf. Shopify is certified under the EU-US Data Privacy Framework and complies with UK GDPR.
• Google LLC — for Google Analytics. We use IP anonymisation. Google may process data outside the UK; they are certified under the EU-US Data Privacy Framework.
• Courier and delivery services — your name and delivery address are shared with our courier to fulfil your order.
• Payment processors — payment data is handled securely by Shopify's payment providers. We do not store payment card details.

We do not share your data with any other third parties without your explicit consent.

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right to access — you can request a copy of the data we hold about you
• Right to rectification — you can ask us to correct inaccurate data
• Right to erasure — you can ask us to delete your data, subject to legal obligations
• Right to restrict processing — you can ask us to limit how we use your data
• Right to data portability — you can request your data in a portable format
• Right to object — you can object to processing based on legitimate interests

To exercise any of these rights, please contact us at info@bumpandbreathe.com. We will respond within 30 days.

7. Cookies

We use cookies on this website. For full details of the cookies we use and how to manage them, please see our Cookie Policy, which is incorporated into this Privacy Policy by reference.

8. Data Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. Our website uses HTTPS encryption, and all payment processing is handled by Shopify's PCI-compliant infrastructure.

While we take every precaution, no method of transmission over the internet is 100% secure. If you have concerns about data security, please contact us.

9. International Data Transfers

Some of our third-party providers (including Shopify and Google) may process your data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including reliance on adequacy decisions or Standard Contractual Clauses as approved under UK GDPR.

10. Children's Privacy

Our website and products are not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated date. We encourage you to review this policy periodically.

12. How to Complain

If you are unhappy with how we have handled your personal data, please contact us first at info@bumpandbreathe.com and we will do our best to resolve your concern.

You also have the right to lodge a complaint with the UK's data protection authority, the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113