Privacy Policy
Last updated: March 2026
At Auntie Marlene's, we take your privacy seriously. This policy explains what personal data we collect, why we collect it, and what we do with it. We've written it in plain English so you can actually understand it.
We are the data controller for the personal data we collect through our website at auntiemarlenes.com. We are a UK-based e-commerce business selling hair and beauty products.
What Data We Collect
We only collect data that we genuinely need to run our store and give you a good experience. Here's what we collect and when:
When You Create an Account
- Your name and email address
- Your Google profile information (if you sign in with Google)
- A profile photo (if provided by your Google account)
When You Place an Order
- Your name, email, and phone number
- Delivery and billing addresses
- What you ordered and how much you paid
- Payment details (handled securely by Shopify Payments — we never see or store your full card number)
When You Browse Our Site
- Pages you visit and products you view
- Your device type, browser, and operating system
- Your approximate location (country/region level)
- How you found us (e.g. search engine, social media)
- Technical data like your IP address
When You Sign Up for Emails
- Your email address
- Your name (if provided)
- Whether you open our emails and click any links (so we can send you more relevant content)
How We Use Your Data
We use your data for specific purposes, and we always have a legal basis for doing so under UK GDPR:
To Fulfil Our Contract With You
- Processing and delivering your orders
- Sending order confirmations and shipping updates
- Handling returns and refunds
- Managing your account
For Our Legitimate Interests
- Improving our website and understanding how people use it
- Detecting and preventing fraud
- Fixing bugs and technical issues
- Analysing sales trends to stock the right products
With Your Consent
- Sending you marketing emails and newsletters
- Showing you personalised ads on social media
- Setting non-essential cookies on your device
You can withdraw your consent at any time — just unsubscribe from our emails or update your cookie preferences.
Who We Share Your Data With
We never sell your personal data. We only share it with trusted third parties who help us run our business:
Checkout and Payments
Shopify — Our checkout is hosted by Shopify. When you place an order, Shopify processes your payment securely through Shopify Payments. They handle your card details, billing address, and order information. Shopify is PCI DSS compliant, meaning they meet the highest standards for payment security.
Analytics and Performance
- Plausible Analytics — A privacy-friendly analytics tool that does not use cookies and does not track you across websites. It gives us basic stats like page views and referral sources without collecting personal data.
- PostHog — Helps us understand how people use our site so we can make it better. This includes things like which pages you visit, what you click on, and where you might get stuck.
- Vercel Analytics — Monitors our website's performance (page load speeds, errors) so we can keep things running smoothly.
- Sentry — Tracks technical errors on our site. If something breaks, Sentry helps us find and fix it quickly. It may collect limited technical data about your device and browser when an error occurs.
Marketing and Advertising
- Meta Pixel (Facebook/Instagram) — With your consent, we use the Meta Pixel to measure how effective our ads are on Facebook and Instagram. This may track actions you take on our site (like viewing a product or making a purchase) and share that data with Meta for ad targeting.
- Resend — We use Resend to send you transactional emails (order confirmations, shipping updates, password resets) and marketing newsletters if you've opted in. Resend processes your email address and name to deliver these messages.
Authentication
Google OAuth — If you choose to sign in with Google, we receive your name, email address, and profile photo from Google. We use this only to create and manage your account. We also offer magic link sign-in via email as an alternative.
Cookies
Cookies are small files stored on your device that help our website work properly and give us insights into how you use it.
Essential Cookies
These are needed for the site to work — things like keeping you logged in, remembering what's in your bag, and processing your checkout. You can't opt out of these because the site wouldn't function without them.
Analytics Cookies
These help us understand how visitors interact with our website. Note that Plausible Analytics does not use cookies at all. PostHog and Vercel Analytics may set cookies to help us measure site usage and performance.
Marketing Cookies
The Meta Pixel sets cookies to track conversions from our Facebook and Instagram ads. These are only set with your consent.
You can manage your cookie preferences at any time through your browser settings. For more details about the specific cookies we use, please see our Cookie Policy.
Your Rights Under UK GDPR
Under UK data protection law, you have a number of rights over your personal data. These are free to exercise and we aim to respond within 30 days.
- Right of access — You can ask us for a copy of all the personal data we hold about you.
- Right to rectification — If any of your data is wrong or incomplete, you can ask us to correct it.
- Right to erasure — You can ask us to delete your personal data. We'll do this unless we have a legal reason to keep it (like tax records for completed orders).
- Right to restrict processing — You can ask us to limit how we use your data in certain circumstances.
- Right to data portability — You can ask us to give you your data in a machine-readable format so you can transfer it to another service.
- Right to object — You can object to us processing your data for direct marketing or where we rely on legitimate interests.
- Rights around automated decision-making — We don't make any automated decisions that significantly affect you, but you have the right not to be subject to them.
How to Exercise Your Rights
To make a request, email us at hello@auntiemarlenes.com with the subject line "Data Rights Request". We may need to verify your identity before processing your request.
If you're not happy with how we handle your request, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection authority.
Data Retention
We don't keep your data forever. Here's how long we hold onto different types of information:
- Account data — Kept for as long as you have an account with us. If you ask us to delete your account, we'll remove your data within 30 days.
- Order data — Kept for 7 years after your last order, as required by UK tax law (HMRC requirements).
- Marketing data — Kept until you unsubscribe. Once you opt out, we'll remove you from our mailing list within 7 days, though we may keep a record of your email on a suppression list to make sure we don't accidentally email you again.
- Analytics data — Plausible does not store any personal data. PostHog data is retained according to their data retention policies. Sentry error logs are typically retained for 90 days.
- Cookie data — Varies by cookie. Session cookies are deleted when you close your browser. Other cookies have specific expiry dates, detailed in our Cookie Policy.
International Data Transfers
Some of the third-party services we use are based outside the UK. When your data is transferred internationally, we make sure it's protected:
- Shopify — Based in Canada, with servers globally. Shopify complies with international data transfer requirements and uses standard contractual clauses.
- PostHog, Sentry, Vercel, Resend — These services are based in the United States. Data transfers are protected by the UK-US Data Bridge (an extension of the EU-US Data Privacy Framework) and/or standard contractual clauses approved by the ICO.
- Meta — Based in the United States. Transfers are covered by standard contractual clauses and the UK-US Data Bridge.
- Plausible — Based in the EU and processes data within the EU/EEA, which has adequate data protection standards recognised by the UK.
Children's Privacy
Our website and services are not aimed at children under 16. We do not knowingly collect personal data from anyone under 16 years of age. If you are a parent or guardian and believe your child has given us personal data, please contact us at hello@auntiemarlenes.com and we will delete it promptly.
Contact Us
If you have any questions about this privacy policy, want to exercise your data rights, or just want to know more about how we handle your data, get in touch:
- Email: hello@auntiemarlenes.com
- Website: auntiemarlenes.com
We aim to respond to all privacy-related enquiries within 7 days. For data rights requests, we will respond within 30 days as required by UK GDPR.
Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal reasons. When we make significant changes, we'll let you know by posting a notice on our website or sending you an email. We encourage you to check this page occasionally to stay informed.
Questions About Your Privacy?
We're here to help. If anything in this policy is unclear or you want to know more about how we handle your data, just ask.
Contact Us