Privacy Policy
Effective date: 05/08/2026
Introduction
Whitby Fossils (we, us, our) operates fossil preparation services, an online shop and booking services. We respect your privacy and are committed to protecting your personal data. This policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, how long we keep it, and your rights.
Data controller
Whitby Fossils [Business address] [Contact email] [Contact telephone]
If you need to contact our data protection representative, use the contact details above.
Data we collect
We may collect and process the following personal data:
Identity and contact information: name, title, postal address, email address, telephone number.
Account and booking details: user account credentials, booking dates, service preferences, communication preferences.
Transaction and payment information: payment card details, billing address, order history. Payment card details are processed via our third‑party payment processor and are not stored on our servers except where required for refunds or dispute resolution and then only in accordance with applicable law.
Communications: correspondence you send to us (by email, phone or post), and records of our communications with you.
Marketing and preferences: marketing consents, interests and preferences for receiving communications.
Website and device information: IP address, browser type, device identifiers, pages visited, referral source, duration of visits, cookies and other tracking technologies.
Photographs or media: images you provide for identification, projects or social media (used only with your consent).
Special category data: we do not generally collect special category data. If you provide any health or disability information (for access needs) we will process it only where necessary and with appropriate safeguards.
How we collect data
We collect data:
Directly from you when you book services, create an account, make a purchase, sign up for newsletters, contact us or provide feedback.
Automatically when you use our website or services (cookies and analytics).
From third parties such as payment processors, shipping providers, publicly available sources, social media platforms (when you interact with our pages) and marketing platforms.
Purposes and legal basis for processing
We process personal data for the following purposes and on these legal bases:
To perform a contract with you: to provide services you request (bookings, purchases, preparations), process orders and payments, fulfil and deliver purchases, manage returns and refunds.
To comply with legal obligations: accounting, tax and regulatory requirements, handling disputes and enforcing our terms.
For our legitimate interests: to operate and improve our business and website, to provide customer support, to prevent fraud, to ensure network and information security, to send administrative messages, to personalise and improve our services and marketing, and to analyse how customers use our site.
With your consent: for direct marketing (newsletter and promotional emails), cookies and some analytics where consent is required. You may withdraw consent at any time.
Sharing and disclosure of personal data
We may share personal data with:
Service providers and processors: payment processors, couriers, IT and hosting providers, marketing and analytics providers, CRM providers, and other vendors who process data on our behalf.
Professional advisers: lawyers, accountants and insurers for legal and compliance purposes.
Third parties where required by law: regulators, law enforcement or courts.
Buyers or prospective buyers: in the event of a sale, merger, reorganisation or similar corporate transaction, with safeguards in place.
Public and social channels: where you post or agree to have images or reviews published.
We require third parties to handle your personal data securely and only act on our instructions or in accordance with their own lawful bases.
International transfers
Some service providers may process or store data outside the UK or European Economic Area. Where we transfer personal data internationally we will ensure appropriate safeguards are in place, such as standard contractual clauses, UK adequacy decisions, or equivalent protections under applicable law.
Security
We implement technical and organisational measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction or damage. Measures include encryption, access controls, secure servers and regular security testing. No system can be guaranteed 100% secure; if a data breach affecting your personal data occurs we will notify you and the Information Commissioner’s Office where required by law.
Data retention
We retain personal data only as long as necessary for the purposes for which it was collected, to fulfil legal and accounting obligations, to resolve disputes and to enforce agreements. Typical retention periods:
Account and transaction records: 7 years for accounting and tax purposes.
Marketing data: until you unsubscribe or withdraw consent.
Contact and customer service records: up to 3 years after the last contact or transaction unless needed longer for legal reasons.
Website logs and analytics: anonymised or