Curating your experience
✦
✦
✦
✦
✦
✦
Elevate Your Elegance
Elevate Your Elegance
Curating your experience
Legal
Last updated: 1 March 2025
ARCHANGEL by shimz (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store and share your personal data when you visit archangelbymz.com(the “Site”) or purchase products from us, and sets out your rights under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).
Please read this policy carefully. By using our Site, you acknowledge that you have read and understood this policy.
The data controller responsible for your personal data is:
Depending on how you interact with us, we may collect the following categories of personal data:
We process your personal data only where we have a valid legal basis under UK GDPR Article 6. The table below sets out each purpose and its corresponding legal basis.
| Purpose | Legal Basis |
|---|---|
| Processing and fulfilling your order, including payment, delivery and aftercare | Performance of a contract (Art. 6(1)(b)) |
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional communications (order confirmation, dispatch, returns) | Performance of a contract (Art. 6(1)(b)) |
| Preventing and detecting fraud, and ensuring the security of our Site | Legitimate interests (Art. 6(1)(f)) — protecting our business and customers |
| Improving our Site, products and services through analytics | Legitimate interests (Art. 6(1)(f)) — developing our business |
| Sending marketing emails and newsletters about our collections and offers | Consent (Art. 6(1)(a)) — you may withdraw consent at any time |
| Personalising your browsing experience and targeted advertising | Consent (Art. 6(1)(a)) |
| Complying with legal and regulatory obligations (e.g. tax records, consumer rights) | Legal obligation (Art. 6(1)(c)) |
| Responding to legal claims or establishing, exercising or defending legal rights | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests — see Section 8.
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Our standard retention periods are:
At the end of the applicable retention period, personal data is securely deleted or anonymised. Where data is anonymised, it may be retained indefinitely for statistical or analytical purposes.
We share your personal data with carefully selected third parties who process data on our behalf as data processors, or who receive data as independent controllers. All processors are bound by data processing agreements requiring them to apply equivalent protections to your data.
All payment transactions on our website are processed by Stripe, Inc., a PCI-DSS Level 1 certified payment gateway. Your card and banking details are submitted directly and securely to Stripe using TLS encryption — we never see, transmit, or store your full payment credentials on our servers. Stripe acts as an independent data controller for its fraud prevention and compliance obligations. See the Stripe Privacy Policy.
Your name and delivery address are shared with our courier and fulfilment partners solely for the purpose of delivering your order. These partners are contractually prohibited from using your data for any other purpose.
We use analytics services (such as Google Analytics with IP anonymisation enabled, or a privacy-first alternative) to understand how visitors use our Site. Analytics data is collected only with your consent via our cookie banner and is processed in anonymised or pseudonymised form where possible.
We use a third-party email service provider to send transactional and marketing communications. This provider processes your email address and name on our behalf under a data processing agreement.
Our Site is hosted on cloud infrastructure within the UK or European Economic Area (“EEA”). All hosting providers are bound by UK GDPR-compliant data processing agreements.
We may share data with solicitors, accountants and insurers where strictly necessary for the conduct of our business, subject to professional confidentiality obligations.
We do not sell, rent or trade your personal data to any third party for marketing purposes.
Some of our third-party service providers may process personal data outside the UK or the EEA. Where this occurs, we ensure appropriate safeguards are in place to protect your data in accordance with UK GDPR Chapter V requirements, including:
You may request a copy of the relevant transfer safeguards by contacting us at privacy@archangelbymz.com.
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration or destruction. These measures include TLS/SSL encryption for data in transit, access controls and authentication requirements, regular security reviews, and staff training on data protection. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.
Under UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions, but we will always respond to your request within one calendar month (extendable by a further two months in complex cases, with notice).
Right of Access (Subject Access Request)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data and supplementary information about how it is processed.
Right to Rectification
You have the right to require us to correct inaccurate personal data and to complete incomplete personal data concerning you, without undue delay.
Right to Erasure ("Right to be Forgotten")
You have the right to require us to erase your personal data in certain circumstances — for example, where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent and there is no other legal basis for processing.
Right to Restriction of Processing
You have the right to require us to restrict processing of your personal data in certain circumstances — for example, while we verify the accuracy of data you have contested, or where processing is unlawful but you prefer restriction to erasure.
Right to Data Portability
Where processing is based on your consent or the performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.
Right to Object
You have the right to object to processing of your personal data based on our legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing for that purpose immediately. Where you object on the basis of legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. You can withdraw marketing consent at any time by clicking "unsubscribe" in any marketing email or by contacting us.
Rights Related to Automated Decision-Making and Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. We do not currently make such decisions.
Right to Lodge a Complaint with the ICO
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you are unhappy with how we handle your personal data (see Section 9 below). We would, however, appreciate the opportunity to address your concerns directly before you approach the ICO.
To exercise any of the above rights, please contact us at privacy@archangelbymz.com. We may need to verify your identity before fulfilling a request.
The ICO is the UK supervisory authority for data protection. If you believe we have not handled your personal data in accordance with applicable law, you have the right to make a complaint to the ICO:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We use cookies and similar technologies on our Site. For full details of the cookies we use, how we use them and how you can manage your preferences, please see our Cookie Policy.
Our Site may contain links to third-party websites. We have no control over, and accept no responsibility for, the privacy practices or content of those websites. We encourage you to read the privacy policy of any website you visit.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal obligations. We will publish the revised policy on this page with an updated “Last updated” date. For material changes, we will notify you by email (if we hold your email address) or by displaying a prominent notice on our Site. We encourage you to review this policy periodically.
If you have any questions, concerns or requests relating to this Privacy Policy or the way we process your personal data, please contact our privacy team:
Email: privacy@archangelbymz.com
ARCHANGEL by shimz, registered in England & Wales