Information
Privacy policy
Last updated 14 July 2026
Read this before you publish. A privacy policy has to describe what you actually do, not what a template says. The bracketed bits below are yours to fill in, and if you ever add an email newsletter tool, analytics, or a Facebook pixel, this page has to change with it. Not legal advice.
We are a two-person business. We hold as little about you as we can get away with, we do not sell it to anybody, and you can have it deleted whenever you want.
Who we are
Lunar and Earth, a sole trader, of 1 Kestrel Close, Ferndown BH22 9TW, United Kingdom. We are the data controller for the information described here. Email lunarandearthwholesale@gmail.com, telephone 07909 787910.
What we hold, and why
| What | Why we have it | How long |
|---|---|---|
| Your name, email, delivery address, phone number | To take payment for an order and get it to you | Six years, because tax law makes us keep records of sales |
| What you ordered, and what you paid | The order itself; and to sort out any problem afterwards | Six years |
| Your email, if you sign up to hear from us | To send you the occasional email — only because you asked | Until you unsubscribe |
| Trade account: business name, contact, and a scrambled version of your password | To run your trade account and show you your prices | While the account is open, then six years |
We never see your card number. It goes straight to Stripe, our payment processor, and never touches our website. We could not leak it if we tried.
How long we keep it
Ninety days after your parcel is posted, we forget you. Your name, your address, your phone number and your email are deleted from our database. Not archived somewhere. Deleted.
What survives is the sale itself — the order number, what was in it, what it cost, and when. HMRC require that for six years and we have no choice about it. But a sales ledger is not a mailing list, and there is no good reason for us to be sitting on your address years from now.
Ninety days rather than thirty because returns run to twenty-eight days, a lost-parcel claim can drag on, and a card dispute may land months later — at which point we have to prove where we posted it. Any shorter and we would end up writing to customers to ask them for their own address back.
The deletion runs by itself, every night. Nobody has to remember to do it.
Who else touches it
- Stripe — takes the payment. They are the data controller for your card details.
- Cloudflare — hosts the website and the order database.
- Royal Mail or a courier — gets your parcel to you. They get your name and address, and nothing else.
- Google (Gmail) — we read and answer your emails there. If you write to us, Google holds that message.
- Stripe also sends your receipt. We do not use a separate mailing service.
That is the whole list. We do not sell your details, we do not rent them, and we do not hand them to advertisers.
Cookies
The site keeps your basket in your own browser’s storage so it survives a refresh. If you sign in to a trade account we set one cookie so the site knows it is you. Both are strictly necessary to make the shop work, which is why there is no cookie banner nagging you.
Keeping it safe
Passwords are stored scrambled (hashed with PBKDF2), never as text. The connection to the site is encrypted. The database is not reachable from the public internet. If we ever had a breach that put you at real risk, we would tell you, and the regulator, within 72 hours.
Your rights
Under the UK GDPR and the Data Protection Act 2018, you can ask us to:
- show you what we hold about you
- correct anything that is wrong
- delete it — though we may have to keep order records for tax purposes
- hand it over in a portable format
- stop using it for a particular purpose, or restrict what we do with it
Email us and we will do it within a month. It is free.
Our lawful bases
- Performing a contract — we cannot post you a fossil without your address.
- Legal obligation — HMRC requires us to keep sales records.
- Consent — the newsletter, and only that. Withdraw it any time; every email has an unsubscribe link.
If we get it wrong
Tell us first — we would rather fix it. But you have the right to complain to the Information Commissioner’s Office at ico.org.uk, or on 0303 123 1113.
Who we are
Lunar and Earth, a sole trader, of 1 Kestrel Close, Ferndown BH22 9TW, United Kingdom. We are the data controller for the information described here. Email lunarandearthwholesale@gmail.com, telephone 07909 787910.
What we hold, and why
| What | Why we have it | How long |
|---|---|---|
| Your name, email, delivery address, phone number | To take payment for an order and get it to you | Six years, because tax law makes us keep records of sales |
| What you ordered, and what you paid | The order itself; and to sort out any problem afterwards | Six years |
| Your email, if you sign up to hear from us | To send you the occasional email — only because you asked | Until you unsubscribe |
| Trade account: business name, contact, and a scrambled version of your password | To run your trade account and show you your prices | While the account is open, then six years |
We never see your card number. It goes straight to Stripe, our payment processor, and never touches our website. We could not leak it if we tried.
How long we keep it
Ninety days after your parcel is posted, we forget you. Your name, your address, your phone number and your email are deleted from our database. Not archived somewhere. Deleted.
What survives is the sale itself — the order number, what was in it, what it cost, and when. HMRC require that for six years and we have no choice about it. But a sales ledger is not a mailing list, and there is no good reason for us to be sitting on your address years from now.
Ninety days rather than thirty because returns run to twenty-eight days, a lost-parcel claim can drag on, and a card dispute may land months later — at which point we have to prove where we posted it. Any shorter and we would end up writing to customers to ask them for their own address back.
The deletion runs by itself, every night. Nobody has to remember to do it.
Who else touches it
- Stripe — takes the payment. They are the data controller for your card details.
- Cloudflare — hosts the website and the order database.
- Royal Mail or a courier — gets your parcel to you. They get your name and address, and nothing else.
- Google (Gmail) — we read and answer your emails there. If you write to us, Google holds that message.
- Stripe also sends your receipt. We do not use a separate mailing service.
That is the whole list. We do not sell your details, we do not rent them, and we do not hand them to advertisers.
Cookies
The site keeps your basket in your own browser’s storage so it survives a refresh. If you sign in to a trade account we set one cookie so the site knows it is you. Both are strictly necessary to make the shop work, which is why there is no cookie banner nagging you.
Keeping it safe
Passwords are stored scrambled (hashed with PBKDF2), never as text. The connection to the site is encrypted. The database is not reachable from the public internet. If we ever had a breach that put you at real risk, we would tell you, and the regulator, within 72 hours.
Your rights
Under the GDPR you can ask us to:
- show you what we hold about you
- correct anything that is wrong
- erase it — subject to records we must keep by law
- hand it over in a portable format
- restrict or object to what we do with it
We will respond within one month, free of charge.
Our lawful bases
- Article 6(1)(b) — performance of a contract, for your order.
- Article 6(1)(c) — legal obligation, for tax records.
- Article 6(1)(a) — consent, for the newsletter and nothing else.
Where your data goes
We are in the United Kingdom, outside the EEA. The European Commission has adopted an adequacy decision for the UK, which is the legal basis on which your data may be transferred to us. Adequacy decisions are reviewed periodically and can lapse.
A decision you need to make
If you actively offer goods to people in the EU, Article 27 of the GDPR may require you to appoint a representative established in the EU, and to name them on this page. There are exemptions for occasional, low-risk processing. Do not guess at this — take advice before you switch on EU shipping.
If we get it wrong
Tell us first. But you have the right to complain to the data protection authority in your own country.
Who we are
Lunar and Earth, a sole trader, of 1 Kestrel Close, Ferndown BH22 9TW, United Kingdom. We are the data controller for the information described here. Email lunarandearthwholesale@gmail.com, telephone 07909 787910.
What we hold, and why
| What | Why we have it | How long |
|---|---|---|
| Your name, email, delivery address, phone number | To take payment for an order and get it to you | Six years, because tax law makes us keep records of sales |
| What you ordered, and what you paid | The order itself; and to sort out any problem afterwards | Six years |
| Your email, if you sign up to hear from us | To send you the occasional email — only because you asked | Until you unsubscribe |
| Trade account: business name, contact, and a scrambled version of your password | To run your trade account and show you your prices | While the account is open, then six years |
We never see your card number. It goes straight to Stripe, our payment processor, and never touches our website. We could not leak it if we tried.
How long we keep it
Ninety days after your parcel is posted, we forget you. Your name, your address, your phone number and your email are deleted from our database. Not archived somewhere. Deleted.
What survives is the sale itself — the order number, what was in it, what it cost, and when. HMRC require that for six years and we have no choice about it. But a sales ledger is not a mailing list, and there is no good reason for us to be sitting on your address years from now.
Ninety days rather than thirty because returns run to twenty-eight days, a lost-parcel claim can drag on, and a card dispute may land months later — at which point we have to prove where we posted it. Any shorter and we would end up writing to customers to ask them for their own address back.
The deletion runs by itself, every night. Nobody has to remember to do it.
Who else touches it
- Stripe — takes the payment. They are the data controller for your card details.
- Cloudflare — hosts the website and the order database.
- Royal Mail or a courier — gets your parcel to you. They get your name and address, and nothing else.
- Google (Gmail) — we read and answer your emails there. If you write to us, Google holds that message.
- Stripe also sends your receipt. We do not use a separate mailing service.
That is the whole list. We do not sell your details, we do not rent them, and we do not hand them to advertisers.
Cookies
The site keeps your basket in your own browser’s storage so it survives a refresh. If you sign in to a trade account we set one cookie so the site knows it is you. Both are strictly necessary to make the shop work, which is why there is no cookie banner nagging you.
Keeping it safe
Passwords are stored scrambled (hashed with PBKDF2), never as text. The connection to the site is encrypted. The database is not reachable from the public internet. If we ever had a breach that put you at real risk, we would tell you, and the regulator, within 72 hours.
Your rights
The United States has no single federal privacy law covering shops like ours. Your rights depend on your state. Rather than work out which state you are in, we will simply give everybody the same rights:
- Know — ask what we have collected about you, and why.
- Delete — ask us to erase it, except records we must keep for tax.
- Correct — have us fix anything wrong.
- Opt out of sale or sharing — an easy one. We do not sell or share your personal information, to anyone, for anything. There is nothing to opt out of.
- No retaliation — exercise any of these and we will not charge you more or serve you worse.
Email lunarandearthwholesale@gmail.com and we will action it within 45 days.
California, specifically
If you are a California resident, the CCPA as amended by the CPRA gives you the rights listed above. We have not sold or shared personal information in the past twelve months, and we do not process sensitive personal information for the purpose of inferring characteristics about you.
Children
The shop is not aimed at children and we do not knowingly collect information from anyone under 16. If you think we have, tell us and we will delete it.
Your data crosses the Atlantic
We are in the United Kingdom. If you buy from us, your details are processed in the UK and the EU. By ordering, you understand that.