Privacy Policy

This Privacy Notice explains how MV EDUCATION LTD, trading as Alder & Rose (“we”, “us”, “our”), collects, uses, shares and protects your personal data when you visit alderandrose.shop, place an order, register an account, or otherwise engage with our brand. It is written to comply with the United Kingdom General Data Protection Regulation as it forms part of UK domestic law by virtue of the Data Protection Act 2018 (“UK GDPR”), the Privacy and Electronic Communications Regulations 2003 (“PECR”), and, where applicable, the EU GDPR (Regulation 2016/679), the Swiss Federal Act on Data Protection (revFADP), and the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”).

1. Data controller and contact details

The data controller responsible for your personal data is:

  • Legal entity: MV EDUCATION LTD (trading as Alder & Rose)
  • Companies House registration: 17028593, registered in England and Wales
  • Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
  • Privacy enquiries / DPO mailbox: contact@alderandrose.shop

We intend to notify the Information Commissioner’s Office (“ICO”) and obtain a data protection fee registration where the volume of processing activity makes this required under the Data Protection (Charges and Information) Regulations 2018. We have not appointed a statutory Data Protection Officer because we do not meet the thresholds in Article 37 UK GDPR; however, the mailbox above is a single, monitored channel for all privacy enquiries.

2. Categories of personal data we process

| Category | Examples |
| --- | --- |
| Identity data | First and last name, salutation, date of birth where voluntarily provided. |
| Contact data | Billing and delivery addresses, email address, telephone number. |
| Financial data | Card scheme, last four digits, billing address — collected and tokenised by our PCI DSS compliant processors. We never see or store full card numbers. |
| Transaction data | Order history, basket contents, returns and refunds, gift messages, sizing notes. |
| Technical data | IP address, device type, browser, operating system, language, time zone, referral URL. |
| Profile data | Account credentials (hashed), preferences, wish lists, saved sizing. |
| Usage data | Pages viewed, clickstream, search terms, session duration, scroll depth. |
| Marketing data | Subscription status, channel preferences, engagement with newsletters. |
| Special category data | We do not knowingly collect Article 9 special category data. If garments are made-to-measure and you choose to share medical or accessibility information, processing is on the basis of explicit consent (Article 9(2)(a) UK GDPR) and limited to the fitting purpose. |

3. Purposes and lawful bases (Article 6 UK GDPR)

| Purpose | Data used | Lawful basis |
| --- | --- | --- |
| Processing your order, payment and delivery | Identity, contact, financial, transaction | Article 6(1)(b) — performance of a contract |
| Tax, accounting and statutory record keeping | Identity, transaction, financial | Article 6(1)(c) — legal obligation (Companies Act 2006, VAT Act 1994, Money Laundering Regulations 2017) |
| Account management and customer service | Identity, contact, profile, transaction | Article 6(1)(b) and (f) — contract and legitimate interests |
| Fraud prevention, payment authentication, chargeback defence | Identity, financial, technical | Article 6(1)(c) and (f) — legal obligation under PSR 2017 and our legitimate interest in preventing crime |
| Direct marketing to existing customers (soft opt-in) | Identity, contact, transaction, marketing | Article 6(1)(f) UK GDPR with PECR Regulation 22(3) soft opt-in. Withdrawable at any time. |
| Direct marketing to prospects who subscribed | Contact, marketing | Article 6(1)(a) — consent |
| Analytics and product improvement | Technical, usage | Article 6(1)(a) consent for non-essential cookies; aggregated analytics on a legitimate interests basis |
| Site security, integrity and abuse prevention | Technical, usage | Article 6(1)(f) — legitimate interests in protecting our services |
| Defending or pursuing legal claims | Any of the above | Article 6(1)(f) — legitimate interests |

Where we rely on legitimate interests, we have completed a Legitimate Interests Assessment that balances our purpose against your rights and freedoms. You may request a summary by contacting us.

4. Sources of personal data

Most data comes directly from you when you place an order, register an account, contact us, or subscribe to communications. Some technical and usage data is collected automatically through cookies and similar technologies (see our Cookie Policy). Limited data may come from third parties such as payment processors confirming an authorisation, couriers updating delivery status, or fraud prevention partners returning a risk score.

5. Recipients and sub-processors

We share personal data only with vetted recipients under written data processing agreements. The principal recipients are:

| Recipient | Role | Location of processing |
| --- | --- | --- |
| Shopify International Limited / Shopify Inc. | E-commerce platform, hosting, order management | Ireland, Canada, USA |
| Shopify Payments / Stripe Payments Europe Ltd | Card acquiring and tokenisation | Ireland, USA |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Alternative payment method | Luxembourg, USA |
| Royal Mail Group plc, DPD UK, DHL Parcel UK, FedEx Express UK | Carriage and last-mile delivery | United Kingdom, EEA, recipient’s country |
| Klaviyo Inc. | Transactional and marketing email service provider | USA, Ireland |
| Google LLC (Google Analytics 4, reCAPTCHA) | Audience measurement and bot mitigation | USA, EEA |
| Cloudflare Inc. | Content delivery, DDoS and bot protection | Global edge network |
| Professional advisers, accountants, auditors, insurers | Legal, financial and risk advice | United Kingdom |
| HMRC, ICO, law enforcement and courts | Statutory disclosure where lawfully required | United Kingdom |

We do not sell your personal data and do not share it with third parties for their own independent marketing purposes.

6. International transfers

Where personal data is transferred outside the United Kingdom, we rely on a lawful transfer mechanism under Articles 44–49 UK GDPR:

  • Transfers to the European Economic Area, Switzerland and other jurisdictions covered by UK adequacy regulations are made on the basis of those adequacy decisions.
  • Transfers to the United States are made under the UK Extension to the EU–US Data Privacy Framework where the recipient is certified, or under the ICO’s International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum where it is not.
  • We document supplementary measures following our Transfer Impact Assessments, including encryption in transit and at rest, pseudonymisation, contractual onward-transfer restrictions, and challenge of unlawful government access requests.

You may request a copy of the relevant safeguards by writing to contact@alderandrose.shop.

7. Retention schedule

| Record | Retention period | Reason |
| --- | --- | --- |
| Order, invoice and tax records | 6 years from end of the relevant financial year | Section 386 Companies Act 2006 and Schedule 11 VAT Act 1994 |
| Customer account data | Until closure plus 12 months | Reactivation, dispute and warranty handling |
| Marketing subscriptions | Until unsubscribe, or 24 months of inactivity | Data minimisation under Article 5(1)(c) UK GDPR |
| Web analytics | 14 months (Google Analytics 4 default) | Limited to what is necessary for trend analysis |
| Cookie consent records | 12 months | Demonstrating PECR compliance |
| Customer service correspondence | 3 years from last contact | Limitation Act 1980 simple contract claims |
| Fraud and chargeback evidence | 6 years | Card scheme rules and PSR 2017 |
| CCTV | Not applicable — we operate online only | |

At the end of the retention period we either delete the data or irreversibly anonymise it for statistical use.

8. Your rights under UK GDPR

You have the right to: be informed; access your data; rectify inaccurate data; erase data (“right to be forgotten”); restrict or object to processing; data portability; and object to direct marketing at any time. Where processing relies on consent, you may withdraw it without affecting the lawfulness of prior processing.

To exercise any right, email contact@alderandrose.shop. We will verify your identity proportionately and respond within one calendar month, extendable by two further months for complex requests under Article 12(3) UK GDPR. There is no fee unless the request is manifestly unfounded or excessive.

If you are not satisfied, you may lodge a complaint with the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone 0303 123 1113, ico.org.uk. We would, however, appreciate the opportunity to address your concerns first.

9. Children

Our website and products are directed at adults. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us so we may delete it.

10. Automated decision-making and profiling

We carry out limited automated fraud screening on payment transactions through Shopify Payments, Stripe and PayPal. These checks return a risk score that may decline a transaction. The decision does not produce legal effects on you, you may reattempt with an alternative method, and a human will review on request. We do not carry out profiling that produces legal or similarly significant effects within the meaning of Article 22 UK GDPR.

11. Security measures

  • TLS 1.2+ encryption in transit across the entire storefront and checkout.
  • Card data tokenised inside the PCI DSS Level 1 environments of Shopify Payments, Stripe and PayPal — never stored on our servers.
  • Encryption at rest on platform databases, role-based access control, and least-privilege principle.
  • Multi-factor authentication on all administrative accounts.
  • Logging, monitoring, vulnerability management and patching of the underlying platform.
  • Background checks and confidentiality undertakings for personnel handling customer data.

12. Personal data breaches

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and within 72 hours where feasible, in accordance with Article 33 UK GDPR. Where the breach is likely to result in a high risk, we will inform affected data subjects without undue delay under Article 34, with clear remediation guidance.

13. California residents (CCPA / CPRA)

If you are a California resident, you have the right to know the categories and specific pieces of personal information we collect, the sources, the purposes and the categories of recipients; to request deletion; to correct inaccurate information; to opt out of the “sale” or “sharing” of personal information for cross-context behavioural advertising; and to non-discrimination for exercising these rights. We do not sell personal information for monetary consideration. Where the cookies described in our Cookie Policy may amount to “sharing”, you may opt out via the cookie banner or a Global Privacy Control signal. To make a verifiable consumer request, email contact@alderandrose.shop with the subject line “California Privacy Request”. Authorised agents must provide written permission and proof of identity.

14. EU representative (Article 27 EU GDPR)

Where our processing is subject to the EU GDPR because we offer goods to data subjects in the European Union, we will appoint an Article 27 representative established in the Union. Until appointment is finalised, the contact point for EU residents remains contact@alderandrose.shop and we cooperate fully with EU supervisory authorities.

15. Marketing and the PECR soft opt-in

We send transactional messages (order confirmation, shipping updates, returns acknowledgements) on the basis of contractual necessity. Where you have purchased a similar product, we may send marketing emails on the PECR Regulation 22(3) soft opt-in basis; every message contains an unsubscribe link and an opportunity to refuse at the point of collection. SMS, push and prospect-list emails are sent only with your prior consent.

16. Updates and version history

We review this notice at least annually and whenever processing changes materially. The current version is 1.0 dated 9 May 2026. Material changes will be notified by email to active customers and through a banner on the storefront.

17. Related policies

For any privacy or data protection enquiry, please write to contact@alderandrose.shop.