Privacy Notice (UK GDPR)

Last updated: 21 October 2025

1) Who we are (data controller)

Eden Horticulture Limited (company no. 08235884) is the data controller for personal data we process.
Registered office: Lifford Lane, Kings Norton, Birmingham, West Midlands, B30 3JN, United Kingdom
Trading address: Eden Horticulture, 10 Hortonwood West, Queensway, Telford, TF1 6AH, United Kingdom
Email (privacy matters): info@edenhorticulture.co.uk 

---

2) Personal data we collect

Depending on how you interact with us:

• Account & contact: name, job title, business name, addresses, email, phone.

• Orders & returns: order details, invoices, payment method info (tokens/last 4 from payment processor), RMA/returns records, images and serial/batch numbers uploaded via our Returns Portal.

• Communications: emails, portal messages, call notes.

• Device & usage: IP address, device/browser info, cookies/analytics, portal/app logs.

• CCTV: footage at our premises (signs displayed).

We don’t intentionally collect special category data. Please don’t include it in your communications with us.

---

3) Why we use your data (lawful bases)

We only process what we need, for:

• Contract (Art. 6(1)(b)): create/manage trade accounts, process orders, deliveries, returns/RMAs, warranties.

• Legitimate interests (Art. 6(1)(f)): run and improve services, customer service, analytics, fraud/security (incl. CCTV), credit control, and B2B direct marketing you can opt out of anytime.

• Legal obligations (Art. 6(1)(c)): tax/VAT, product safety, responding to lawful requests.

• Consent (Art. 6(1)(a)): electronic marketing where PECR requires consent; you can withdraw consent at any time.

---

4) Marketing & your choices

If you’re an existing customer, we may email B2B product/service updates under the soft opt-in. You can unsubscribe at any time using the link in our emails or by contacting us. Where consent is required under PECR, we’ll ask first.

---

5) Where your data comes from

• Directly from you/your colleagues (account setup, orders, returns).

• Our platforms (Shopify storefront, Returns Portal, email).

• Delivery and payment updates from our providers.

• Public business sources (e.g., Companies House) and, where relevant, credit-checking or fraud-prevention partners.

---

6) Who we share data with

We use trusted providers to run our business. These include (as applicable):

• Payments: PCI-compliant payment processors and banks (we don’t store full card details).

• Shipping & logistics: couriers, pallet networks, freight partners.

• IT & communications: email, cloud hosting, analytics and security services.

We only share what’s necessary. If we sell or reorganise our business, your data may transfer to the new owner on the same terms.

---

7) International transfers

Some providers may process data outside the UK. We rely on UK adequacy regulations where available, or the UK IDTA/Standard Contractual Clauses with appropriate safeguards.

---

8) Retention (how long we keep data)

• Orders, invoices & returns: 6 years from the end of the financial year (HMRC).

• Customer service tickets/RMAs: 3 years after closure (audit/warranty trail).

• Marketing contacts: until you unsubscribe or after 24 months of inactivity.

• CCTV: typically 30–90 days, unless kept longer for incidents or legal claims.
  We may retain data longer where required by law or to establish/exercise/defend legal claims.

---

9) Security

We apply technical and organisational measures including encryption in transit, access controls, role-based permissions, least-privilege access, logging, and staff training. No system is perfectly secure; we maintain incident response processes.

---

10) Automated decisions & profiling

We may use automated tools for fraud screening, account risk and credit control. These may affect fulfilment or credit terms, but we don’t make legally significant decisions without human review. You can request human intervention or contest a decision.

---

11) Your rights

You can: access, rectify, erase (where applicable), restrict, object (including object to direct marketing at any time), request portability, and withdraw consent where processing relies on consent.
To exercise rights, email info@edenhorticulture.co.uk. We’ll respond within one month.

---

12) Complaints

We’d like to resolve your concerns first. You can also complain to the Information Commissioner’s Office (ICO): ico.org.uk/concerns or 0303 123 1113.

---

13) Children

Our services are for business customers. We don’t knowingly collect data from children.

---

14) Changes to this notice

We’ll post updates here and change the “last updated” date. For material changes, we’ll notify account holders.

---

Addendum: Returns Portal transparency

When you log a case at www.edenhorticulture.co.uk/returnsportal we process the evidence you upload (e.g., photos, videos, serial/batch numbers, packing slips) to verify and resolve your RMA.

• Legal bases: contract (resolve your order/return), legitimate interests (fraud prevention, quality, audit), legal obligations (product safety).

• Sharing: where needed with manufacturers for warranty decisions and with couriers for damage claims.

• Retention: kept with the RMA record per the schedule above.