Privacy Policy
Last updated: [DATE]
This policy explains how Aponia CBD Ltd ("we", "us", "our") collects, uses and protects your personal data when you visit aponiacbd.co.uk or buy our products. We are the data controller for the personal information described here. We are registered with the Information Commissioner's Office (ICO) under registration number [ICO Reg. No.].
1. Who to contact
For any questions about this policy or to exercise your rights, contact us at sales@aponiacbd.co.uk or by post to Aponia CBD Ltd, [Registered office address], United Kingdom.
2. What data we collect
- Order information — your name, delivery address, billing address, email address, telephone number and the products you have ordered.
- Payment information — handled by our payment processor; we do not store full card details on our servers.
- Communications — any messages, emails or contact-form submissions you send us.
- Technical data — IP address, browser type, device, operating system, referring URL and basic usage information collected via cookies (see our Cookie Policy).
- Marketing preferences — your consent choices for marketing communications and cookies.
- Lifestyle context responses — if you complete the optional "lifestyle context" tool on the site, your answers are processed in your browser only and are not transmitted to us unless you choose to share them.
3. How we use your data and our lawful basis
- To fulfil your order (lawful basis: performance of a contract) — processing payment, dispatching goods, providing customer service.
- To meet our legal obligations (lawful basis: legal obligation) — accounting, tax, consumer-protection record-keeping, food-supplement traceability.
- To improve the site and our products (lawful basis: legitimate interests, balanced against your rights) — analytics on aggregate usage, where you have given cookie consent.
- To send you marketing communications (lawful basis: consent) — only where you have actively opted in. You can withdraw consent at any time.
- To prevent fraud and protect the site (lawful basis: legitimate interests) — basic security logging.
4. Who we share your data with
We share personal data only with the third-party providers we need to run the business, under appropriate contracts:
- Payment processor — to take payment securely.
- Delivery and fulfilment partners — to dispatch your order.
- Email provider — to send order confirmations and (with your consent) marketing emails.
- Hosting provider (Vercel Inc.) and content delivery network — to operate the website.
- Analytics provider — only if you have consented to analytics cookies.
- Professional advisers (accountants, lawyers) where required.
- Regulators or law-enforcement bodies where we are legally required to do so.
We do not sell your personal data to anyone.
5. International transfers
Some of our service providers (for example our hosting and email providers) may process data outside the United Kingdom. Where this happens, we rely on the UK's adequacy regulations or on the International Data Transfer Agreement (IDTA) / EU Standard Contractual Clauses with the UK Addendum to provide an appropriate level of protection.
6. How long we keep your data
- Order and customer-service records: 6 years after the end of the financial year in which the order was placed (HMRC requirement).
- Marketing-consent records: until you withdraw consent or until 24 months of inactivity have passed, whichever is sooner.
- Cookie consent records: up to 12 months, after which we ask again.
- Site analytics (where consented): aggregated and retained no longer than 26 months.
7. Your rights under UK GDPR
You have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- request erasure of your data in certain circumstances;
- restrict or object to certain processing, including direct marketing;
- request data portability for data you have provided to us;
- withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, email sales@aponiacbd.co.uk. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ico.org.uk or 0303 123 1113).
8. Security
We use industry-standard technical and organisational measures to protect your personal data, including encryption in transit (HTTPS), restricted access to personal data on a need-to-know basis, and contractual safeguards with our processors.
9. Cookies
Our use of cookies and similar technologies is described in our Cookie Policy.
10. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top tells you when. If we make material changes that affect how we use your data, we will let you know by a notice on the site or by email.