Privacy Policy
By using our Site and Services, you consent to the collection and processing of your personal data as described in this Privacy Policy. If you do not agree with the terms of this policy, please do not use our Site or Services.
1. Information We Collect
We collect personal data that you provide to us voluntarily and data we automatically collect through your use of the Site, in accordance with the data minimisation principle (only collecting what is necessary for our business purposes).
1.1 Personal Data You Provide Voluntarily
- Order and Payment Information: Name, shipping address, billing address, email address, phone number, payment card details (processed by third-party payment providers, not stored by us), and order preferences when you purchase our unbleached bamboo and recycled paper products.
- Account Information: If you create an account, your chosen username, password, and contact details (to manage your orders and preferences).
- Communication Data: Messages, inquiries, or feedback you send to us via our contact forms, email, or other communication channels.
1.2 Automatically Collected Personal Data
When you use our Site, we may automatically collect limited technical data to ensure the Site’s functionality and security, including:
- IP address
- Browser type and version
- Device type, operating system, and screen resolution
- Pages you visit on the Site and the time/date of your visit
- Referral source (how you found our Site)
This data is collected using session cookies (temporary, deleted when you close your browser) and server logs—we do not use persistent cookies for tracking or advertising purposes without your explicit consent.
2. Purposes of Processing Your Personal Data
We process your personal data only for specific, legitimate purposes and on the following legal bases under the UK GDPR:
- Performance of a contract (Article 6(1)(b)): To process and fulfill your product orders, arrange shipping and delivery, process payments, and provide order confirmations and updates.
- Legitimate interests (Article 6(1)(f)): To maintain the security and functionality of our Site (e.g., detecting fraud or technical issues), improve our products and Services, and respond to your inquiries or feedback. Our legitimate interests do not override your fundamental rights and freedoms.
- Your explicit consent (Article 6(1)(a)): If you opt in to receive marketing communications (e.g., newsletters, product updates, promotions), we will process your contact details to send these communications. You may withdraw your consent at any time (see Section 7).
- Compliance with legal obligations (Article 6(1)(c)): To retain transaction records for tax, accounting, and regulatory purposes as required by UK law.
3. Sharing of Your Personal Data
We do not sell, rent, or lease your personal data to third parties for commercial purposes. We may share your personal data only with trusted third-party service providers (data processors) who act on our behalf to deliver the Services, and only to the extent necessary for the purposes outlined in Section 2. All third-party processors are bound by written data processing agreements (in compliance with UK GDPR Article 28) to ensure they protect your personal data and process it only in accordance with our instructions.
Our trusted third-party processors include:
- Payment Service Providers: To process credit/debit card payments and ensure secure financial transactions (e.g., PayPal, Stripe). These providers do not store your payment details on our behalf.
- Logistics and Shipping Partners: To deliver your orders to the provided shipping address (e.g., Royal Mail, DPD).
- IT and Hosting Providers: To host our Site and maintain its technical functionality (data is stored on secure UK-based servers).
We may also disclose your personal data if required by law (e.g., to comply with a court order, regulatory request, or to protect our legal rights, property, or safety, and that of our customers and the public).
4. Data Retention
We retain your personal data only for the minimum period necessary to fulfill the purposes for which it was collected, or as required by applicable UK law.
- Order and Transaction Data: Retained for 7 years from the date of your order to comply with UK tax and accounting regulations.
- Account Data: Retained for as long as your account is active, or for 12 months after your last interaction with us (whichever is later), then securely deleted.
- Communication Data: Retained for 6 months after the resolution of your inquiry/feedback, then securely deleted.
- Automatically Collected Technical Data: Retained for 30 days from your last Site visit, then anonymised (so it can no longer identify you).
Once the retention period expires, your personal data will be securely deleted or anonymised (rendered unidentifiable) and will not be used for any further purposes.
5. Cross-Border Data Transfers
All personal data we collect is stored on UK-based servers by our hosting providers. We do not transfer your personal data to countries outside the European Economic Area (EEA) unless required to fulfill your order (e.g., international shipping). If a cross-border transfer is necessary:
- We ensure the recipient country provides an adequate level of data protection as determined by the UK Information Commissioner’s Office (ICO); or
- We use UK International Data Transfer Agreements (IDTA) or EU Standard Contractual Clauses (SCC) to impose binding data protection obligations on the third-party recipient.
You may request a copy of the safeguards we use for cross-border data transfers by contacting us (see Section 9).
6. Data Security
We take all reasonable technical and organisational measures (in compliance with UK GDPR Article 32) to protect your personal data from unauthorised access, loss, theft, alteration, or destruction. Our security measures include:
- Encryption of data in transit (HTTPS protocol) and data at rest (for stored personal data).
- Strict access controls—only authorised Company staff have access to your personal data, and only for the purposes outlined in this policy.
- Regular security audits and updates to our Site and IT systems to address vulnerabilities.
- Secure data processing by third-party providers (as outlined in Section 3).
Despite our best efforts, no electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we will take immediate action to mitigate any risks in the event of a data breach.
Data Breach Notification
In the event of a personal data breach that poses a high risk to your rights and freedoms under the UK GDPR, we will:
- Notify the UK Information Commissioner’s Office (ICO) within 72 hours of discovering the breach;
- Notify you without undue delay (via email or post) of the breach, including details of the data involved, the potential impact, and the measures we are taking to address it.
7. Your Data Protection Rights Under UK GDPR
As a data subject under the UK GDPR, you have the following rights in relation to your personal data. We will respond to all valid requests free of charge within one month (we may extend this period by up to two months for complex requests, and we will notify you if this is necessary).
Your rights include:
- Right to Access: Request a copy of the personal data we hold about you and confirmation of how we process it.
- Right to Rectification: Request correction of any inaccurate or incomplete personal data we hold about you.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data if it is no longer necessary for the purposes we collected it, you withdraw your consent, or you object to processing (and no legal basis for processing remains).
- Right to Restriction of Processing: Request that we restrict processing of your personal data (e.g., if you contest the accuracy of the data or the lawfulness of our processing).
- Right to Data Portability: Request a copy of your personal data in a structured, commonly used, machine-readable format (e.g., CSV, Excel) for transfer to another data controller.
- Right to Object: Object to the processing of your personal data for the purpose of our legitimate interests (Section 2) or direct marketing.
- Right to Withdraw Consent: Withdraw your explicit consent to processing (e.g., marketing communications) at any time—this does not affect the lawfulness of processing before your withdrawal.
- Right to Lodge a Complaint: Lodge a complaint with the UK Information Commissioner’s Office (ICO) if you are dissatisfied with how we process your personal data (ICO contact details: https://ico.org.uk, 0303 123 1113).
To exercise any of these rights, please contact us using the details in Section 9. We may request proof of identity to verify your request (to protect your personal data from unauthorised access).
8. Marketing Communications
If you opt in to receive marketing communications from us (e.g., newsletters, product launches, exclusive offers), we will send these to your provided email address or phone number. You may unsubscribe from marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email we send you;
- Contacting us directly using the details in Section 9;
- Updating your preferences in your account settings (if you have an account).
We will stop sending marketing communications to you within 48 hours of receiving your unsubscribe request.
9. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, or the processing of your personal data, please contact our Data Protection Officer (DPO) at:
- Email: support@mail.nicepaper.co.uk
We will respond to all inquiries and requests promptly and in compliance with UK GDPR requirements.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations. Any changes will be posted on this page with an updated "Last Updated" date, and the changes will take effect immediately upon posting.
We encourage you to review this Privacy Policy regularly to stay informed about how we protect your personal data. Your continued use of our Site and Services after the effective date of the updated policy constitutes your acceptance of the changes.
Nicepaper – [https://www.nicepaper.co.uk]