Privacy policy
What this policy covers
This policy explains how Ricki Robin Ltd (we, us, the brand) collects, uses, stores, and shares your personal information when you visit ricki-robin.store, ricki-robin.com, or interact with us by email or social media. It is written for the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation where applicable to EU customers.
We have written this policy in plain English. If anything is unclear, write to support@ricki-robin.com and we will explain.
What we collect
When you visit our store or buy something, we collect:
- Identity and contact data: name, email address, postal address, telephone number (if you provide one).
- Account data: if you create an account, your login email and any preferences you set.
- Order data: what you bought, when, the price, the size and colour, the delivery address, the billing address, the order status.
- Payment data: we do not store full payment-card details. Card payments are processed by Shopify Payments and Stripe. USDC payments are processed via Coinbase on the Base network through Shopify Payments. We receive only the last four digits, card type, and expiry month and year for our records.
- Communication data: the content of any email, contact-form, or Shopify Inbox message you send us.
- Marketing consent data: whether you have opted in to receive marketing emails, and (later) SMS.
- Usage data: pages you visit, products you view, items you add to cart, time-on-page, referring source, device and browser type. Collected via Google Analytics 4 — only if you accept analytics cookies.
We do not collect your race, ethnicity, religious belief, political opinion, trade-union membership, health information, sexual orientation, genetic or biometric data. We have no need for any special-category data and we do not ask for it.
Why we collect it (lawful bases)
Under UK GDPR, every collection has a lawful basis. Ours are:
- Performance of a contract: your name, address, payment details, and order history are needed to fulfil your order. Without them we cannot ship.
- Consent: marketing emails and (later) SMS, plus non-essential cookies (analytics, marketing). You can withdraw at any time.
- Legitimate interests: fraud prevention, basic site analytics, customer service, improving the products and the store. We balance these against your rights and document the assessment internally.
- Legal obligation: retaining order records for HMRC and Companies House for the periods required by UK tax and company law.
Your data protection rights
Under the UK General Data Protection Regulation (UK GDPR) you have the following rights in relation to your personal data:
- Right of access — you can ask us for a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct any inaccurate or incomplete data we hold about you.
- Right to erasure ("right to be forgotten") — you can ask us to delete your personal data in certain circumstances.
- Right to restriction of processing — you can ask us to limit how we use your data in certain circumstances.
- Right to data portability — you can ask us to provide your data in a structured, commonly used, machine-readable format so you can transfer it to another organisation.
- Right to object — you can object to our processing of your data where we rely on legitimate interests or for direct marketing.
- Rights related to automated decision-making and profiling — you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.
To exercise any of these rights, please email support@ricki-robin.com with the subject line "Privacy — [Right Name]" (for example "Privacy — Right of access"). We will respond within 30 days as required by UK GDPR Article 12.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at any time: ico.org.uk.
Who we share it with (our processors)
We use third-party services to run the brand. Each one is a "data processor" — they handle your data only on our instructions, under a written contract.
- Shopify — runs the store and processes orders. (US/Canada with UK servers.)
- Printful — fulfils your order on our behalf. We share your name and shipping address with Printful so they can print and ship. (US/EU.)
- Stripe — payment processing for cards and USDC. (US.)
- Coinbase — USDC settlement on the Base network. (US.)
- PayPal — alternative payment processing. (US.)
- Omnisend — marketing email and (later) SMS, only if you opt in. (US.)
- Google — Google Analytics 4 and Google Workspace email. (US/EU.)
- Judge.me — review collection and moderation, only if you write a review. (Canada.)
- Vercel and Cloudflare — hosting infrastructure for ricki-robin.com and defensive domains. (US/EU.)
- Sinden Ventures Limited — our EU authorised representative for product-safety law (EU GPSR). They receive your shipping address only when an EU product-safety enquiry is raised. (Cyprus.)
We do not sell your personal data to anyone. Ever. Not for advertising, not for "data co-ops", not for any reason.
International transfers
Some of our processors operate outside the United Kingdom and the EEA, mainly in the United States. Where this applies we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs), and we choose providers with appropriate safeguards.