1. Introduction & Data Controller
LaceBelle London Ltd ("LaceBelle London", "we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website lacebellelondon.com, make a purchase, or otherwise interact with us.
We are the Data Controller of your personal data as defined under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
LaceBelle London Ltd
Registered in England & Wales
Company Number: 09847263
Registered Office: 118 Kensington High Street, London W8 7RG, United Kingdom
ICO Registration Number: ZA847263
Please read this policy carefully. By using our website or making a purchase, you acknowledge that you have read and understood this Privacy Policy. If you have any questions, please contact our Data Protection Officer (details in Section 14).
2. What Data We Collect
We may collect the following categories of personal data:
Data You Provide Directly
- Identity Data: First name, last name, title
- Contact Data: Email address, telephone number, billing and delivery address
- Account Data: Username, password (stored in hashed form), purchase history, wishlist
- Payment Data: Payment card details (processed securely via Stripe or PayPal; we do not store full card numbers)
- Communications Data: Records of correspondence with our Customer Care team, including emails and contact form submissions
- Preference Data: Sizing preferences, marketing preferences, survey responses
Data Collected Automatically
- Technical Data: IP address, browser type and version, operating system, device type, time zone
- Usage Data: Pages visited, time spent on pages, referring URLs, clicks and interactions
- Cookie Data: Information stored via cookies and similar tracking technologies (see Section 9)
Data from Third Parties
- Analytics data from Google Analytics
- Advertising data from Meta (Facebook/Instagram) and Pinterest, where you have consented
- Fraud prevention data from payment processors
We do not collect any Special Category data (as defined under UK GDPR Article 9) such as health information, racial or ethnic origin, or biometric data.
3. How We Use Your Data
We use your personal data for the following purposes:
- Order fulfilment: Processing and delivering your orders, managing returns and exchanges, communicating order status and tracking information
- Account management: Creating and maintaining your customer account, providing access to order history and preferences
- Customer service: Responding to enquiries, complaints, and support requests
- Marketing communications: Sending promotional emails, new arrival alerts, and exclusive offers — only where you have opted in or where we have a legitimate interest (see Section 4)
- Personalisation: Tailoring your browsing and shopping experience based on past behaviour and preferences
- Site improvement: Analysing usage data to improve our website functionality, product range, and customer experience
- Fraud prevention & security: Detecting and preventing fraudulent transactions and protecting our business and customers
- Legal compliance: Meeting our legal and regulatory obligations, including tax, accounting, and consumer protection law
4. Legal Basis for Processing
Under the UK GDPR, we are required to have a lawful basis for processing your personal data. We rely on the following bases:
| Processing Activity | Legal Basis |
|---|---|
| Processing your order and payment | Contract (Art. 6(1)(b)) — necessary to perform the contract with you |
| Sending order confirmation and tracking emails | Contract (Art. 6(1)(b)) |
| Marketing emails to existing customers | Legitimate Interests (Art. 6(1)(f)) — subject to right to opt out |
| Marketing emails to new subscribers | Consent (Art. 6(1)(a)) — freely given, specific, informed |
| Analytics and site improvement | Legitimate Interests (Art. 6(1)(f)) |
| Fraud prevention | Legitimate Interests (Art. 6(1)(f)) and Legal Obligation (Art. 6(1)(c)) |
| Retaining financial records | Legal Obligation (Art. 6(1)(c)) — HMRC requirements |
5. Data Sharing
We do not sell, rent, or trade your personal data. We share your data only with trusted third-party service providers who are contractually bound to keep it confidential and process it only as instructed by us:
Payment Processing
- Stripe, Inc. — Payment card processing (PCI-DSS compliant). Stripe Privacy Policy
- PayPal Holdings, Inc. — PayPal checkout processing. PayPal Privacy Policy
- Klarna Bank AB — Buy Now, Pay Later services. Klarna Privacy Policy
Shipping & Logistics
- Royal Mail Group Ltd — UK and international delivery (name and address shared)
- DPD Group — UK Express and European delivery
- DHL Express (UK) Ltd — International delivery
Email & Marketing
- Mailchimp (The Rocket Science Group LLC) — Email marketing platform (name and email address). Mailchimp Privacy Policy
Analytics
- Google Analytics (Google LLC) — Website analytics using anonymised data. Data may be stored in the United States (see Section 6). Google Privacy Policy
Other Disclosures
We may disclose your personal data where required by law, by court order, or by regulatory authority, including to HMRC, the ICO, or law enforcement agencies.
6. International Transfers
Some of our third-party service providers operate outside the United Kingdom. Where we transfer your personal data internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V:
- Adequacy decisions: We transfer data to countries recognised by the UK as providing adequate data protection (including EU/EEA countries under the UK's adequacy regulations)
- Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision (such as the United States), we rely on the International Data Transfer Agreement (IDTA) approved by the ICO, or equivalent UK SCCs
- Binding Corporate Rules: Where applicable for multinational providers with approved BCRs
You may request details of the specific safeguards in place for any particular transfer by contacting our DPO.
7. Data Retention
We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
| Data Type | Retention Period | Reason |
|---|---|---|
| Order and transaction records | 7 years | HMRC legal requirement (tax and accounting) |
| Customer account data | 3 years from last login or until account deletion | Legitimate interest in customer service |
| Marketing preferences | 3 years from last engagement, or until unsubscribe | Consent / legitimate interest |
| Customer service correspondence | 3 years | Dispute resolution and legitimate interest |
| Website analytics data | 26 months (Google Analytics default) | Site improvement (legitimate interest) |
| Cookie consent records | 13 months | Legal compliance (PECR) |
Upon expiry of the applicable retention period, data is securely deleted or anonymised so it can no longer be linked to an individual.
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data. You can exercise these rights at any time by contacting our DPO:
Right of Access
Request a copy of the personal data we hold about you (Subject Access Request). We will respond within 30 days.
Right to Rectification
Request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure
Request deletion of your personal data ("right to be forgotten") where there is no legitimate reason for us to continue processing it.
Right to Portability
Receive your personal data in a structured, machine-readable format and transfer it to another data controller.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes. We will stop unless we have compelling grounds.
Right to Restrict
Request restriction of processing in certain circumstances, for example while accuracy is contested.
Withdrawal of Consent
Withdraw consent at any time where processing is based on consent (e.g. marketing emails). Withdrawal does not affect prior processing.
Right to Complain
Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.
To exercise any of the above rights, please email dpo@lacebellelondon.com. We will respond within 30 calendar days. In some cases we may need to verify your identity before proceeding.
9. Cookies Policy
Our website uses cookies and similar technologies to enhance your browsing experience and provide personalised features. A cookie is a small text file placed on your device when you visit a website.
Types of Cookies We Use
| Category | Purpose | Examples | Can Be Disabled? |
|---|---|---|---|
| Essential | Necessary for the website to function. Cannot be turned off. | Session cookies, cart cookies, login state, CSRF tokens | No |
| Analytics | Measure how visitors use our site to help us improve performance and content. | Google Analytics (_ga, _gid) | Yes |
| Functional | Enable enhanced features such as remembering your preferences. | Language preference, currency, size preference cookies | Yes |
| Marketing | Track your browsing across sites to deliver relevant advertising. | Meta Pixel, Pinterest Tag, Google Ads | Yes |
Managing Cookies
When you first visit our website, you will be presented with a cookie consent banner. You may accept all cookies, reject non-essential cookies, or customise your preferences. You can update your choices at any time by clicking the "Cookie Settings" link in the footer.
You can also manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. For detailed instructions, visit aboutcookies.org. Please note that disabling certain cookies may affect your experience on our site.
We use IP anonymisation in Google Analytics, meaning your IP address is truncated before being stored. We do not allow Google to use your data for their own advertising purposes.
10. Marketing Communications
We would love to keep you informed about new collections, exclusive offers, styling inspiration, and special events. We send marketing emails on an opt-in basis — we will only contact you for marketing if you have given us explicit consent, or if you are an existing customer and we contact you about similar products (under the "soft opt-in" provisions of PECR).
Each marketing email we send contains a clear and easy one-click unsubscribe link. You can also:
- Update your preferences in your account dashboard under "Communication Preferences"
- Email hello@lacebellelondon.com at any time to be removed from our mailing list
- Text STOP in reply to any SMS marketing message
Please allow up to 5 business days for unsubscribe requests to be processed. You may still receive transactional emails (order confirmations, shipping notifications) regardless of your marketing preferences, as these are necessary for contractual performance.
11. Security Measures
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction:
- SSL/TLS encryption — All data transmitted between your browser and our website is encrypted using 256-bit SSL (HTTPS)
- PCI-DSS compliance — We use Stripe and PayPal for payment processing, both of which are fully PCI-DSS Level 1 compliant. We do not store payment card data on our servers
- Password security — All customer passwords are stored using bcrypt hashing with salt; we cannot retrieve your password in plain text
- Access controls — Access to personal data is restricted to authorised staff members on a need-to-know basis, governed by a Data Access Policy
- Regular security audits — Our systems are subject to periodic security reviews and penetration testing by independent third parties
- Data breach procedure — In the unlikely event of a data breach affecting your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, in accordance with UK GDPR Article 33/34
Please note that no method of transmission over the internet is 100% secure. Whilst we strive to protect your data, we cannot guarantee absolute security.
12. Children's Privacy
Our website, products, and services are not directed at or intended for individuals under the age of 16 years. We do not knowingly collect personal data from children under 16.
If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at dpo@lacebellelondon.com and we will take steps to delete such data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Display a prominent notice on our website
- Notify registered customers by email where the changes are significant
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our website after any changes constitutes your acceptance of the updated policy.
14. Contact & Data Protection Officer
If you have any questions, concerns, or requests relating to this Privacy Policy or the way in which we handle your personal data, please contact our Data Protection Officer:
Data Protection Officer
LaceBelle London Ltd
118 Kensington High Street, London W8 7RG, United Kingdom
Email: dpo@lacebellelondon.com
General Enquiries: hello@lacebellelondon.com
We aim to respond to all privacy-related enquiries within 5 business days and to all Subject Access Requests within 30 calendar days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF