GDPR Policy UK
Last updated: Sep 08, 2025
Applied to: United Kingdom
(This version replaces all prior versions)
This Policy explains how Pet Awesome Limited (“Pet Awesome”, “we”, “us”, “our”) complies with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and Privacy and Electronic Communications Regulations (PECR) in relation to all personal data we process across our UK operations (website, ecommerce, marketing, customer support, fulfilment, vendors, and internal HR/finance). It also sets out your rights and our internal procedures for governance, risk, and compliance.
- Controller: Pet Awesome Limited
- Company No.: 14888803
- Registered Office: Highdown House, 11 Highdown Road, Leamington Spa, Warwickshire, CV31 1XT
- Contact (Data Protection Lead): support@pet-awesome.com
- ICO Registration No.: ZB987133
If in future we actively target individuals in the EEA, we will appoint an EU Representative as required under Article 27 EU GDPR (see section 8).
1. SCOPE AND AUDIENCE
This Policy applies to:
- All personal data processed by Pet Awesome in the UK, whether digital or paper.
- All staff, contractors, and suppliers who handle personal data on our behalf.
- All processing connected to our ecommerce site, order fulfilment, marketing communications, analytics, payment processing, customer service, and business operations.
It covers both customer data (B2C) and business contact data (B2B), and references our separate Privacy Policy (external statement) and Cookie Policy (PECR compliance).
2. KEY DEFINITIONS (UK GDPR Article 4)
- Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, email, address, device ID).
- Processing: Any operation on personal data (collection, storage, use, disclosure, deletion, etc.).
- Controller: The entity determining purposes and means of processing (Pet Awesome).
- Processor: A third party processing data on our behalf (e.g., Shopify, fulfilment partners).
- Special Category Data: Sensitive data (e.g., health, biometrics). We do not routinely collect this.
- Pseudonymisation/Anonymisation: Techniques to reduce identifiability. Pseudonymised data (e.g., records keyed by a token that we can still link back to a person) remains personal data; only truly anonymised data, which cannot reasonably be re-identified, falls outside the UK GDPR.
- International Transfer: Sending personal data outside the UK (a “restricted transfer”).
3. DATA PROTECTION PRINCIPLES (UK GDPR Article 5)
We commit to:
- Lawfulness, fairness, transparency — clear purposes and notices (see Privacy Policy).
- Purpose limitation — collected for specified, explicit purposes only.
- Data minimisation — adequate, relevant, and limited to what is necessary.
- Accuracy — kept up to date; rectified or erased if inaccurate.
- Storage limitation — kept no longer than necessary (see Retention Schedules).
- Integrity & confidentiality — security by design and default.
- Accountability — evidence of compliance (records, DPIAs, training, policies).
4. LAWFUL BASES WE RELY ON (UK GDPR Article 6)
We use the following lawful bases depending on the activity:
- Contract — to take and fulfil orders, process payments/returns, manage accounts, customer service.
- Legitimate Interests — website security, fraud prevention, analytics, service improvement, non-intrusive direct marketing to existing customers (soft opt-in under PECR). We conduct Legitimate Interests Assessments (LIAs) (summary in Annex D).
- Consent — email/SMS marketing to new subscribers, non-essential cookies/advertising trackers, some profiling; consent is granular, freely given, informed, and withdrawable at any time.
- Legal Obligation — tax, accounting, regulatory reporting, responding to lawful requests.
- Vital Interests/Public Task — not typically applicable to our activities.
We do not carry out solely automated decisions with legal or similarly significant effects on individuals.
5. WHAT WE PROCESS AND WHY (Records of Processing)
We maintain ROPA (Records of Processing Activities) in line with Article 30. A high-level snapshot is in Annex A (Processing Map). Typical categories:
- Identity & Contact (name, email, phone, addresses) — order fulfilment; support; marketing (with consent/soft opt-in).
- Transactional (orders, returns, payment status) — fulfilment, accounting, fraud checks.
- Technical/Usage (IP, device, browser, page views) — security, performance, analytics (consent where required).
- Marketing Preferences (opt-ins, unsubscribes) — compliance with PECR/UK GDPR.
- Support Content (messages, attachments) — customer service.
- Supplier/Vendor Data (business contacts) — contract management.
Special category data is not intentionally collected. If you submit such data inadvertently (e.g., in a support message), we will securely restrict and delete where appropriate.
6. PECR & DIRECT MARKETING
- Email/SMS marketing to individuals requires prior consent, except under the PECR “soft opt-in” for existing customers: contact details obtained in the course of a sale (or negotiations for a sale), marketing only our own similar products/services, and a clear opportunity to opt out both when details are collected and in every message.
- Cookie consent (non-essential cookies) is obtained via our banner/manager before setting tags (see Cookie Policy).
- We honour unsubscribe links and do-not-contact preferences promptly.
7. CHILDREN'S DATA
Our services are not directed to children under 13. We do not knowingly collect children’s data. If discovered, we will delete it promptly.
8. INTERNATIONAL TRANSFERS AND SAFEGUARDS
Where data is transferred outside the UK:
- Use UK adequacy decisions (e.g., EEA), or
- IDTA or UK Addendum to EU SCCs, plus Transfer Impact Assessments (TIAs) and appropriate technical/organisational safeguards (encryption, access controls).
- If in future we actively target individuals in the EEA, we will appoint an EU Representative as required under Article 27 EU GDPR.
We keep an inventory of our international flows (see Annex H).
9. PROCESSORS AND VENDOR MANAGEMENT (Article 28)
We only appoint processors providing sufficient guarantees. Our Data Processing Agreements (DPAs) require:
- Processing only on our documented instructions,
- Confidentiality,
- Security measures,
- Sub-processor controls,
- Assistance with rights requests, incidents, and DPIAs,
- Deletion/return of data at end of services,
- Audit rights.
Categories of processors are listed in Annex B (e.g., Shopify, payment providers, cloud hosting, email/SMS, analytics, adtech, 3PL fulfilment, customer support tools).
10. SECURITY MEASURES (Article 32)
We apply technical and organisational measures appropriate to risk, including:
- Encryption in transit (TLS) and at rest (where supported by providers).
- Access controls & least privilege, with 2FA for admin systems.
- Network & application security, vulnerability management, patching.
- Backups & recovery, logging and monitoring.
- Secure SDLC practices for any custom code or integrations.
- Data minimisation/anonymisation, segregation of environments.
- Staff training and confidentiality obligations.
- Vendor risk assessments and contractual controls.
A non-exhaustive summary is in Annex E.
11. DATA BREACH AND INCIDENT RESPONSE
We maintain an Incident Response Plan and Breach Register.
- Assess incidents rapidly to determine likelihood/severity of risk.
- Notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms, including the required details (nature of the breach, likely consequences, measures taken, contact point); where a breach is unlikely to result in such a risk, we record the decision not to notify and the reasons in the Breach Register.
- Notify affected individuals without undue delay where there is a high risk to their rights and freedoms, with guidance on protective steps.
- Contain, remediate, document root cause and lessons learned.
- Cooperate with regulators.
12. DATA SUBJECT RIGHTS (Articles 12-23)
You have the right to:
- Be informed (transparent notices).
- Access your personal data (Subject Access Requests).
- Rectification of inaccurate data.
- Erasure (“right to be forgotten”), where applicable.
- Restriction of processing.
- Data portability (structured, commonly used, machine-readable format).
- Object to processing based on legitimate interests or to direct marketing (including profiling for marketing).
- Not be subject to decisions based solely on automated processing with legal/similar significant effects.
How to exercise: email support@pet-awesome.com.
Verification: we may request information to confirm identity.
Timelines: respond within 1 month (extendable by up to 2 months for complex/multiple requests—notice provided within the first month).
Fees: free of charge unless requests are manifestly unfounded/excessive (then a reasonable fee or refusal with justification).
Third-party data: we will redact/withhold where necessary to protect others’ rights.
Portability format: typically CSV/JSON or reasonable equivalent.
You can also complain to the ICO (www.ico.org.uk | 0303 123 1113). We encourage you to contact us first so we can resolve any concerns.
13. DATA RETENTION AND DELETION
We only retain data as long as necessary for purposes collected and to meet legal/operational needs. See Annex C for a detailed schedule. Illustrative periods:
- Orders/Invoices/Tax records: 6–7 years (legal/accounting).
- Customer accounts: active lifecycle; 24 months after inactivity then deletion/anonymisation (unless a legal basis requires longer).
- Marketing lists: until withdrawal of consent or 24 months inactivity (whichever is sooner), then suppression list retained to respect opt-outs.
- Support tickets: typically 24 months from closure.
- Web server logs / security logs: 12 months (shorter/longer if justified).
- Cookie consent records: up to 12 months.
14. DATA PROTECTION BY DESIGN & DEFAULT (Article 25)
We embed privacy throughout our processes and products:
- DPIAs for high-risk processing (e.g., new adtech stacks, large-scale profiling; new payment/identity tech; novel tracking).
- Minimisation & pseudonymisation by default.
- Granular consent and opt-out options.
- Role-based access and least privilege.
- Testing & reviews before launch, and periodically.
15. DPIAs & WHEN WE DO THEM
Triggers for a DPIA include:
- Systematic and extensive profiling with significant effects,
- Large-scale processing of personal data,
- New tech that may pose high risk,
- Data matching across sources,
- Tracking in public areas (not applicable to our normal activity),
- International data transfers that materially increase risk.
Process: identify risks, consult stakeholders (and, if appropriate, users), evaluate mitigations, record decisions. Where residual high risk remains, we will consult the ICO prior to processing.
16. AUTOMATED DECISION-MAKING AND PROFILING
We use profiling for advertising segmentation and on-site personalisation (e.g., recommendations).
- We do not make solely automated decisions that have legal or similarly significant effects on individuals.
- You may object to profiling for marketing at any time (unsubscribe/manage cookies).
- We will provide human review if any significant automated assessment is introduced in future.
17. TRAINING, GOVERNANCE & ACCOUNTABILITY
- Annual privacy & security training for relevant staff; onboarding for new hires.
- Quarterly vendor reviews and annual policy review (or sooner if laws/practices change).
- Board/management oversight: this Policy is approved at senior level.
- Documentation: ROPAs, DPAs, DPIAs, LIAs, breach logs, transfer assessments.
18. COMPLAINTS & QUERIES
Questions, concerns, or rights requests:
PET AWESOME LIMITED
Company Number: 14888803
Address:
Highdown House, 11 Highdown Road
Leamington Spa
Warwickshire
CV31 1XT
Email: support@pet-awesome.com
We aim to resolve issues quickly and transparently.
You can escalate to the ICO at any time.
19. POLICY CHANGES
We may update this Policy to reflect changes in law, guidance, or our operations. The “Last updated” date will change; significant changes will be communicated on-site and/or by email, where appropriate.
See the Annexes of this Policy below: