Data Retention Policy
Last updated: 25 May 2026
This page sets out how long we keep different categories of personal data. We follow the UK GDPR principle of storage limitation — data is kept only for as long as we need it, then deleted or anonymised.
Retention schedule
| Data category | Retention period | Reason |
|---|---|---|
| Order records (customer details, items, value) | 7 years | HMRC / Companies Act 2006 |
| VAT invoices | 6 years | HMRC VAT record-keeping requirement |
| Customer account profile (name, email, addresses) | Until deletion requested or 3 years of inactivity | Service continuity |
| Marketing consent and preferences | Until consent withdrawn | UK GDPR Art. 7 |
| Support correspondence (email, chat) | 3 years from last contact | Customer service & dispute resolution |
| Card payment data | Not stored by us — held by Stripe per their retention policy | PCI-DSS minimisation |
| Website analytics (GA4) | 14 months | Default GA4 setting, anonymised |
| Server logs (nginx access, error) | 30 days rolling | Security & debugging |
| Backups containing personal data | 30 days rolling | Disaster recovery |
| CCTV (in-store, not website-related) | 30 days rolling | Crime prevention |
Deletion process
At the end of the retention period, personal data is either:
- Erased — removed from primary databases and from backups at the next rotation cycle, or
- Anonymised — stripped of personal identifiers so the remaining data cannot be linked back to you (used for long-term reporting and trend analysis).
Exceptions
We may keep data beyond these periods where required by law (e.g. a legal hold during litigation) or where it is necessary for the establishment, exercise or defence of legal claims.
Your rights
You can request deletion of your personal data at any time. See our Right to Erasure page.