Privacy Policy

Last updated: 3 March 2026

This Privacy Policy explains how we collect, use, share and protect your personal data when you visit our website, create an account, sign up to marketing, make a purchase, contact us, or otherwise interact with us.

1) Who we are (Data Controller)

Data Controller: Vyoma Brands Ltd (company number 16968522) trading as TurtleDove London
Registered office: 71ā€“75 Shelton Street, London, United Kingdom, WC2H 9JQ
VAT: GB510749210

Contact (privacy queries): customerservice@turtledovelondon.com
(Please use this email for data rights requests too.)

2) Key definitions

ā€œPersonal dataā€ means information relating to an identified or identifiable living individual (for example name, email, address, device identifiers, online identifiers, order history).

3) The laws we follow

We follow applicable UK data protection law, including the UK GDPR and Data Protection Act 2018, plus relevant updates introduced by the UKā€™s Data (Use and Access) Act 2025 (in force in stages).
We also follow UK e-privacy rules for cookies and similar technologies (PECR) and ICO guidance.

If you are located in the EEA, we also aim to meet EU GDPR transparency standards (particularly around cookies, marketing and international transfers).

4) What personal data we collect

Depending on how you interact with us, we may collect:

A) Identity & contact data

  • Name, email address, phone number
  • Billing/delivery address

B) Account data

  • Login details (e.g., password is stored in an encrypted/hashed form by our platform/provider)
  • Wishlist / saved items (if enabled)

C) Order & payment data

  • Items purchased, order values, delivery and returns history
  • Payment status and limited payment identifiers
    Note: payment card details are processed by payment providers and are not typically stored by us.

D) Customer support data

  • Emails, messages, call notes, complaint history, photos you send us (e.g., product issue)

E) Device & usage data

  • IP address, device type, browser, pages viewed, clicks, timestamps, approximate location derived from IP
  • Cookie and similar technology identifiers

F) Marketing preferences

  • Email/SMS opt-in status, marketing engagement (opens/clicks), preference centre settings

5) How we collect your data

We collect personal data:

  • Directly from you (checkout, account creation, forms, email, phone)
  • Automatically (cookies, pixels, server logs)
  • From third parties (e.g., delivery partners for tracking updates; fraud/chargeback signals from payment providers)

6) Why we use your personal data (purposes & lawful bases)

We only use your data where we have a lawful basis. Common lawful bases:

A) To provide the website and keep it secure

  • Prevent fraud, troubleshoot, protect accounts, maintain logs
    Lawful basis: legitimate interests; and/or legal obligation (security measures).

B) To fulfil your order and manage your account

  • Process orders, deliver items, manage returns/exchanges, send service emails (order confirmations, delivery updates)
    Lawful basis: contract (performance of a contract).

C) To take payments and prevent fraud

  • Use payment gateways; detect suspicious transactions
    Lawful basis: contract; legitimate interests; legal obligation where applicable.

D) Customer service and complaints handling

  • Respond to enquiries, handle complaints, keep records
    Lawful basis: legitimate interests; contract where related to an order.

E) Marketing (email/SMS) and personalised ads (where applicable)

  • Send newsletters/offers only where youā€™ve opted in (or where permitted under ā€œsoft opt-inā€ rules for existing customers, with an easy opt-out every time, where applicable)
    Lawful basis: consent (and/or legitimate interests only where the law allows).
  • Show ads on platforms like Meta/Google and measure performance (pixels/SDKs)
    Lawful basis: consent for non-essential cookies/technologies (where required under PECR/ICO guidance).

F) Analytics and improving our site

  • Understand site performance and shopping behaviour (e.g., GA4/Hotjar-style tools)
    Lawful basis: consent for non-essential cookies/technologies (where required) and/or legitimate interests for strictly necessary operational analytics (depending on configuration and law).

G) Legal obligations

  • Accounting/tax record-keeping, responding to lawful requests, handling disputes
    Lawful basis: legal obligation; legitimate interests.

7) Cookies, pixels and similar technologies

We use cookies and similar technologies (e.g., tags, pixels, SDKs) for:

  • Strictly necessary (cart, checkout, site security)
  • Preferences/functional (language, region)
  • Analytics (site measurement and improvement)
  • Marketing/targeting (ad measurement and personalisation)

Where required, we ask for your consent before placing non-essential cookies/technologies, and you can change your choices at any time via our cookie settings. The ICO expects clear, accessible explanations and meaningful control for users.

8) Who we share your data with

We share personal data only as needed to run our business, including:

  • E-commerce & hosting platform (e.g., Shopify and related apps)
  • Payment providers (e.g., Stripe, PayPal, Apple Pay / Google Pay / Shop Pay)
  • Delivery partners/couriers (to deliver your order and provide tracking)
  • Email/SMS and marketing platforms (e.g., Klaviyo or similar)
  • Analytics and UX tools (e.g., Google Analytics, heatmapping tools)
  • Advertising platforms (e.g., Meta, Google) where you consent to marketing technologies
  • Professional advisers (accountants, legal advisers) where necessary
  • Insurers (where necessary)
  • Authorities / law enforcement where required by law or to prevent crime

We do not sell your personal data.

9) Klarna

If you choose Klarna payment options, we will share certain details (such as contact and order information) with Klarna so they can assess eligibility and provide their services. Klarna processes your personal data under its own privacy notice.

10) International data transfers (outside the UK/EEA)

Some of our suppliers may process data outside the UK/EEA (commonly the United States). When we do this, we use appropriate safeguards such as:

  • UK IDTA and/or UK Addendum to EU Standard Contractual Clauses; and/or
  • the UK Extension to the EUā€“US Data Privacy Framework (ā€œUKā€“US Data Bridgeā€) where the US recipient is certified.

11) How long we keep your data (retention)

We keep personal data only as long as needed for the purposes described above, including:

  • Orders, invoices, and tax records: typically 6ā€“7 years (to meet tax/accounting obligations and manage legal claims)
  • Customer service correspondence: usually up to 24 months after resolution (unless longer is needed for a dispute)
  • Marketing records: until you unsubscribe/opt out, or we no longer use the channel
  • Cookie data: varies by cookie type; see cookie settings for durations

We may keep data longer if required by law, to enforce our terms, or for disputes.

12) How we protect your data

We use appropriate technical and organisational measures, such as:

  • Access controls (need-to-know access)
  • Encryption in transit (HTTPS/SSL)
  • Secure supplier selection and contractual protections
  • Monitoring and security practices designed to reduce unauthorised access

No online system is 100% secure, but we work to protect your data appropriately.

13) Your rights

Subject to legal limits and conditions, you may have the right to:

  • Access your data
  • Correct inaccurate data
  • Delete your data
  • Restrict processing
  • Object to processing (including certain legitimate interests and direct marketing)
  • Data portability
  • Withdraw consent (where we rely on consent)
  • Not be subject to solely automated decisions that have legal/similarly significant effects (we donā€™t generally do this)

To exercise rights: email customerservice@turtledovelondon.com

14) Complaints

We encourage you to contact us first so we can help.

You also have the right to complain to the UK regulator, the Information Commissionerā€™s Office (ICO).

(UK law reforms under the Data (Use and Access) Act include phased changes to complaints handling requirements; we maintain a complaints process and will update this Policy as further commencement dates apply.)

15) Children

Our website is not intended for children and we do not knowingly collect data from children. If you believe a child has provided us personal data, please contact us and we will take appropriate steps.

16) Changes to this policy

We may update this Privacy Policy from time to time. We will post the latest version on our website and update the ā€œLast updatedā€ date above.