Last updated: 21 October 2025

This Privacy Policy explains how The Tiny Lux Co. Ltd (“Tiny Lux”, “we”, “us”, “our”) collects, uses, shares, and protects your personal data when you visit tinylux.co.uk (the “Site”) or purchase our products.

We operate from the United Kingdom and ship primarily from Türkiye (Turkey). Our production web hosting is located in Germany and Finland. When you select GBP / EUR / USD or we display local currency and shipping options based on your location, the processing described below applies. We are the data controller under the UK GDPR and the Data Protection Act 2018. Where we offer goods to EEA residents, we also align with the EU GDPR.


1) Who we are (Controller)

  • Company: The Tiny Lux Co. Ltd (registered in England & Wales)
  • Company number: 15566590
  • Incorporated: 16 March 2024
  • Registered office: 2, Frederick Street, Kings Cross, London, WC1X 0ND, United Kingdom
  • Contact email: [email protected]
  • Data Protection Contact: Privacy Team — [email protected]

EU/EEA Representative (GDPR Art. 27): To be appointed. Until then, EEA residents may contact us via the details above.

Supervisory authorities:

UK residents can complain to the ICO (Information Commissioner’s Office). EEA residents can complain to their local data protection authority.


2) What data we collect

  • Identity & Contact — name, email, phone, billing & shipping addresses, account details.
  • Order & Payment — items purchased, order IDs, totals, payment method, limited payment status metadata. We do not store full card numbers.
  • Technical — IP address, device/OS/browser, language, referrer/UTM, session IDs, error logs.
  • Usage — pages visited, clicks, search terms, cart events, currency/region selection.
  • Communications — messages to support, reviews/comments (with IP and user-agent for anti-spam).
  • Marketing preferences — newsletter opt-ins/outs, cookie consent choices, ad preferences.
  • Fraud/risk signals — from our payment and anti-fraud tools.

Sources: directly from you; from your device (including cookies/pixels); from payment, analytics, shipping, and anti-fraud providers; and address-validation services.


3) Why we use your data & legal bases (UK GDPR / EU GDPR)

Purpose | Examples | Legal basis
Fulfil orders & provide services | checkout, delivery, returns, warranties | Contract (Art. 6(1)(b)); Legal obligation for tax/accounting (Art. 6(1)(c))
Customer support | order questions, refunds, complaints | Legitimate interests (service quality) (Art. 6(1)(f))
Payments & fraud prevention | PayPal processing, 3-D Secure, chargebacks | Contract; Legitimate interests (fraud reduction); Legal obligation
Personalise currency & content | show GBP/EUR/USD, shipping options | Legitimate interests (convenience); Consent where required for cookies
Analytics & site improvement | performance, A/B tests, crash logs | Legitimate interests; Consent where required (non-essential cookies)
Marketing | email newsletters, discounts, retargeting ads | Consent (opt-in for email/SMS in UK/EU); Legitimate interests (soft opt-in for similar products where permitted)
Legal & compliance | record keeping, regulatory requests | Legal obligation; Legitimate interests

Where we rely on consent, you can withdraw it any time (e.g., unsubscribe links, cookie settings). Where we rely on legitimate interests, you can object and we’ll assess your request.


4) Cookies & tracking (GBP/EUR/USD and advertising)

  • Essential cookies operate the Site (login, checkout, security).
  • Preferences remember choices like currency (GBP/EUR/USD), region, and language.
  • Analytics/Performance help us understand usage and improve the Site.
  • Marketing/Advertising enable retargeting and measurement across sites/apps.

Consent in the UK/EU/EEA: we obtain prior consent for non-essential cookies. You can change choices any time via the cookie banner/settings. We also respect the Global Privacy Control (GPC) signal as an opt-out of sale/share/targeted advertising where legally required.

See our Cookie Policy for cookie names, lifetimes, and partners.


5) Payments (we don’t store card details)

Payments are processed securely by PayPal. If you pay with a PayPal account or via PayPal “guest checkout” by card, your details are processed directly by PayPal—we do not receive or store your full card/bank details. PayPal may act as an independent controller for parts of the processing (e.g., fraud checks, regulatory screening, credit offerings) and may transfer data internationally subject to its own safeguards.

  • Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A. (and PayPal group entities)
  • Privacy notice: PayPal Privacy Statement

For chargebacks, disputes, or fraud prevention we may share limited order information with PayPal (e.g., transaction amount, device/IP risk signals, delivery confirmation).


6) Sharing your data (no selling of personal data)

We do not sell your personal data. We share data only with:

  • Payment provider (PayPal) – to take payment and prevent fraud.
  • Shipping & logistics (FedEx, UPS, DHL) – to deliver orders and manage returns; many shipments dispatch from Türkiye (Turkey). We share only what’s necessary to ship your order: name, delivery/billing address, email/phone for delivery updates, order contents and values, and—where required—customs information (e.g., HS codes, declared value, tax/VAT IDs). Carriers may act as independent controllers for their own operations and regulatory compliance.
  • IT & hosting – Site hosting and security (servers in Germany and Finland).
  • Analytics & marketing – analytics platforms, ad networks, social platforms (only where consented, where required).
  • Professional services – auditors, accountants, legal advisors.
  • Authorities – where required by law, to protect our rights or prevent fraud.

We sign contracts with processors to protect your data.


7) International transfers

We may transfer data outside the UK/EU—for example, to Türkiye for fulfilment or to providers in other countries. Where we do so, we use appropriate safeguards, such as:

  • EU Standard Contractual Clauses (SCCs) and/or the UK IDTA/Addendum;
  • adequacy decisions where available; and
  • additional technical/organisational measures (encryption, access controls).

8) Retention

  • Orders & invoices: at least 6 years for tax/accounting.
  • Analytics & technical logs: typically ≤ 24 months.
  • Accounts: while active; we can delete or anonymise on request unless we must retain data by law.
  • Marketing: until you unsubscribe or your consent expires/is withdrawn.

9) Your rights (UK/EU/EEA)

You have the right to access, rectify, erase, restrict, object, and data portability. You also have the right to withdraw consent and to complain to a supervisory authority (ICO in the UK, your local DPA in the EEA). To exercise rights, email [email protected]. We’ll respond within 30 days (or as permitted by law).


10) US state privacy notice (California, Colorado, Connecticut, Utah, Virginia)

This section applies where state laws grant additional rights:

Categories collected: Identifiers (name, email, address), transaction data, internet/network activity (IP, device), approximate geolocation, inferences for advertising, and commercial information (orders). We collect from you, your device/cookies, and partners (payments, shipping, analytics, ads) and use data for the purposes in Section 3.

Sale/Share/Targeted Advertising: We do not sell personal information for money. We may “share” or process for targeted advertising via advertising cookies and pixels. You can opt-out via the cookie banner/settings; we honour GPC.

Your rights (subject to verification): access, correction, deletion, portability, opt-out of sale/share/targeted advertising, and limit the use of sensitive information (if applicable). Virginia/Colorado/Connecticut users can appeal a denial by emailing [email protected] with subject “Appeal”. California residents can also use a “Do Not Sell or Share My Personal Information” link (when available) or email us.

We do not knowingly process data of minors under 13 for targeted advertising.


11) Children’s privacy

Our Site is not intended for children under 13. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us to delete it.


12) Security

We use appropriate technical and organisational measures, including encryption in transit (HTTPS), restricted access, and continuous monitoring. No system is 100% secure; please use a strong, unique password and keep it confidential.


13) Changes

We may update this Policy from time to time. We’ll post the updated version with a new “Last updated” date. Material changes may be notified via the Site or email.


14) Contact

For privacy questions or requests: [email protected]

Postal address: The Tiny Lux Co. Ltd, 2, Frederick Street, Kings Cross, London, WC1X 0ND, United Kingdom