Privacy Policy

Privacy Policy – Lulla Babys
Back to store
Legal & Trust

Privacy Policy

Your privacy matters to us. This policy explains what personal data we collect, how we use it, and the rights you hold under UK law.

Last updated: 1 May 2025
UK GDPR & Data Protection Act 2018
support@lullababys.com
Contents
01 Who We Are 02 Data We Collect 03 How We Use Your Data 04 Legal Basis for Processing 05 Cookies & Tracking 06 Sharing Your Data 07 Data Retention 08 Your Rights 09 Children's Privacy 10 International Transfers 11 Security 12 Changes to This Policy
01

Who We Are

Lulla Babys Ltd ("we", "us", "our") is the data controller responsible for your personal data. We operate the online store at lullababys.com, selling baby and infant products to customers in the United Kingdom.

Data Controller

Lulla Babys Ltd — Registered in England & Wales
Email: support@lullababys.com
For all data-related enquiries, please contact us at the address above.

We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

02

Data We Collect

We collect personal data that you provide directly to us, as well as data generated automatically when you use our website. This may include:

Identity Data

First and last name, username or similar identifier

Contact Data

Email address, phone number, billing and delivery addresses

Payment Data

Transaction details (card data is processed by Shopify Payments / Stripe — we do not store full card numbers)

Order Data

Products purchased, order history, delivery preferences and returns

Technical Data

IP address, browser type, device information, pages visited, time spent on site

Marketing Data

Preferences for receiving marketing, communication history and opt-out records

We do not collect sensitive personal data (such as health, racial, or religious information) and do not knowingly collect data from children under 16 without verified parental consent.

03

How We Use Your Data

We use your personal data only for lawful purposes. The ways in which we may use your data include:

  • Processing and fulfilling your orders, including delivery and returns
  • Managing your customer account and purchase history
  • Sending order confirmations, shipping updates and customer service communications
  • Sending marketing emails and promotional offers, only where you have consented or we have a legitimate interest
  • Improving our website, products and services through analytics
  • Detecting and preventing fraud or other unlawful activity
  • Complying with legal and regulatory obligations
  • Responding to your enquiries and support requests

We will never sell your personal data to third parties for their own marketing purposes.

04

Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

Legal Basis When We Rely on It
Contract performance Processing your order, managing your account, arranging delivery and handling returns
Legal obligation Keeping financial records, complying with tax and consumer protection law
Legitimate interests Fraud prevention, website analytics, improving our services, and marketing to existing customers
Consent Sending marketing emails to new subscribers; placing non-essential cookies

Where we rely on consent, you may withdraw it at any time by contacting us at support@lullababys.com or clicking "unsubscribe" in any marketing email.

05

Cookies & Tracking Technologies

Our website uses cookies and similar technologies to enhance your browsing experience and help us understand how visitors use our site. Cookies are small text files stored on your device.

  • Essential cookies: Required for the website and shopping cart to function correctly. Cannot be disabled.
  • Analytics cookies: Help us understand visitor behaviour (e.g. Google Analytics). Only placed with your consent.
  • Marketing cookies: Used to deliver relevant advertisements and track campaign performance. Only placed with your consent.
  • Preference cookies: Remember your settings and choices across visits (e.g. currency, language).

You can manage your cookie preferences at any time via the cookie banner on our website or through your browser settings. Withdrawing consent for non-essential cookies will not affect your ability to shop with us.

Shopify & Third-Party Cookies

As our store is built on Shopify, some cookies are set by Shopify for platform functionality, fraud prevention and analytics. Shopify's privacy practices are described at shopify.com/legal/privacy.

06

Sharing Your Data

We do not sell or rent your personal data. We may share it with trusted third parties only where necessary to operate our business:

  • Shopify Inc.: Our e-commerce platform provider. Processes order, payment and account data on our behalf.
  • Payment processors (e.g. Shopify Payments, Stripe, PayPal): To securely handle payment transactions.
  • Delivery and logistics partners: To ship your orders (e.g. Royal Mail, DPD, Evri). Only your name and address are shared.
  • Email marketing services (e.g. Klaviyo, Mailchimp): To manage and send marketing communications, with your consent.
  • Analytics providers (e.g. Google Analytics): To analyse website traffic and improve our services.
  • Legal and regulatory authorities: Where required by law, court order, or to protect our legal rights.

All third-party service providers are required to maintain appropriate security measures and are only permitted to use your data to provide services to us, in accordance with our instructions.

07

Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting and reporting requirements.

  • Order and transaction records: Retained for 7 years to comply with HMRC requirements.
  • Customer account data: Retained for as long as your account is active, plus 2 years after last activity.
  • Marketing consent records: Retained for 3 years from the date of last interaction.
  • Website analytics data: Typically retained for 26 months (Google Analytics default).

When your data is no longer required, we will securely delete or anonymise it.

08

Your Rights Under UK GDPR

As a data subject under UK GDPR, you have the following rights in relation to your personal data:

Right What It Means
Access Request a copy of the personal data we hold about you (Subject Access Request)
Rectification Ask us to correct inaccurate or incomplete data
Erasure Request deletion of your data where there is no legitimate reason to continue processing it
Restriction Ask us to suspend processing of your data in certain circumstances
Portability Receive your data in a structured, machine-readable format and transfer it to another organisation
Objection Object to processing based on legitimate interests or for direct marketing purposes
Withdraw consent Withdraw any previously given consent at any time, without affecting prior lawful processing

To exercise any of your rights, please contact us at support@lullababys.com. We will respond within one calendar month as required by UK GDPR. There is no charge for making a request.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

09

Children's Privacy

Our website and services are intended for use by adults. We do not knowingly collect personal data from children under the age of 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at support@lullababys.com and we will take steps to delete that data promptly.

While our products are designed for babies and infants, all purchases must be made by an adult.

10

International Data Transfers

Some of our third-party service providers (including Shopify, Google, and email platforms) may process your data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place to protect your data, such as:

  • UK adequacy regulations recognising equivalent levels of protection in the destination country
  • Standard contractual clauses approved by the ICO
  • Binding corporate rules or other approved transfer mechanisms

You can request further information about international transfers by contacting us at support@lullababys.com.

11

Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, alteration or disclosure. These measures include:

  • SSL/TLS encryption for all data transmitted through our website
  • Secure hosting and payment processing via Shopify's PCI-DSS compliant infrastructure
  • Restricted access to personal data on a need-to-know basis
  • Regular review of our data security practices

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay, as required by UK GDPR.

12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email.

We encourage you to review this policy periodically to stay informed about how we protect your data.

Questions about your data?

Our team is here Monday to Friday, 9am – 5pm (GMT). We aim to respond to all data enquiries within one calendar month.

Contact Us →