Last updated: October 12, 2025
Introduction
We safeguard your personal data. This Privacy Policy explains how MADE BY WOODSMOKE Limited processes your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you are in the EEA, the EU GDPR may also apply in specific circumstances described below.
If you have questions, contact us at privacy@madebywoodsmoke.co.uk or by post at MADE BY WOODSMOKE Limited, 7, Forbes Business Centre, Kempson Way, Bury St Edmunds, Suffolk, IP32 7AR.
In this policy, “we” and “us” mean MADE BY WOODSMOKE Limited as the data controller.
Who we are
- Data controller: MADE BY WOODSMOKE Limited
- Registered address: 7, Forbes Business Centre, Kempson Way, Bury St Edmunds, Suffolk, IP32 7AR
- Company number: 13429830
- ICO registration number: ZB220878
- Privacy contact: privacy@madebywoodsmoke.co.uk
- Data Protection Officer: We have not appointed a Data Protection Officer. Please use the privacy contact above for all requests.
When EU GDPR applies
If you are in the European Economic Area (EEA), or if we offer goods or services to you in the EEA or monitor your behaviour there, the EU General Data Protection Regulation (EU GDPR) applies to the relevant processing. For processing in the UK, the UK GDPR and the Data Protection Act 2018 apply.
Where this policy refers to “UK GDPR”, read that as “EU GDPR” for processing that is subject to the EU GDPR. If both regimes are relevant to different parts of our operations, we apply the stricter requirement where they differ and will clarify any material differences on request.
For processing in scope of EU GDPR we follow EU GDPR requirements, and for UK‑scope processing we follow UK GDPR and the Data Protection Act 2018. Where they differ, we apply the stricter requirement.
EU representative
We do not have an establishment in the EEA. If and when our activities require it, we will appoint an EU representative under Article 27 GDPR and update this policy with their contact details.
Customers outside the UK
If you access our services from outside the UK, this Privacy Policy applies to our processing. Where your local law requires additional information, rights, or protections, we will comply with those requirements to the extent they apply to us.
Applicability of local laws
- EEA residents: Where you are in the EEA, or where we offer goods or services to you in the EEA or monitor your behaviour there, the EU General Data Protection Regulation (EU GDPR) applies to the relevant processing. For processing in the UK, the UK GDPR and the Data Protection Act 2018 apply. We will appoint an EU representative if and when our activities require it and will update this policy with their details.
- Rest of world: Local consumer, tax, and privacy laws may grant you additional rights. You can contact us to exercise those rights where applicable.
Cross‑border purchases, taxes and invoices
For cross‑border purchases, we process personal data necessary to determine VAT and other taxes, apply the correct place‑of‑supply rules, generate compliant invoices or receipts, and meet our record‑keeping obligations in the relevant jurisdictions. This may include your billing name, address, country, tax identification numbers, and transaction details.
- Where required, we apply EU VAT rules for digital services and may use VAT OSS or similar schemes to report and remit VAT.
International data transfers (additional detail)
We maintain appropriate data protection terms with our providers. Where personal data is transferred outside the UK or EEA, we rely on recognised transfer mechanisms such as adequacy decisions or the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum, and we apply technical and organisational measures appropriate to risk.
What do we collect?
Under GDPR, we:
- Maintain appropriate security when we process personal data.
- Process personal data lawfully, fairly, and transparently.
- Collect personal data for specified, explicit, and legitimate purposes.
- Limit personal data to what is adequate, relevant, and necessary.
- Keep personal data accurate and, where needed, up to date.
- Retain personal data only for as long as necessary.
Information we collect
We collect several types of information to provide and improve our services.
Personal data you provide
While you use our website, we may ask you to provide certain personally identifiable information so we can contact or identify you and deliver the services you request. This may include:
- Contact information you submit via WPForms, such as name, email address, mailing address, and phone number
- Account information if you create an account via MemberPress, such as username, password, and profile information
- Payment information processed by Stripe, such as card details and billing address. We do not store full card numbers
- Marketing preferences and subscription information for Mailchimp campaigns
Usage data we collect automatically
- IP address, browser type and version, device information
- Pages visited, events, and time spent
- Date and time of your visit
How we use your information and our legal bases
We only process personal data where we have a lawful basis. The list below summarises typical purposes and legal bases.
- Enquiry handling via forms or email
  - Legal basis: Legitimate interests (to respond to enquiries) or steps prior to entering a contract
- Account registration and membership delivery via MemberPress
  - Legal basis: Contract
- Payments processing via Stripe
  - Legal basis: Contract and Legal obligation (tax and accounting)
- Marketing communications via Mailchimp (only if you opt in)
  - Legal basis: Consent
  - Notes: We follow PECR rules. We send marketing only with your consent. You can withdraw your consent at any time using the unsubscribe link in our emails or by contacting us.
- Analytics (Google Analytics 4 with IP anonymisation)
  - Legal basis: Consent for non‑essential cookies under PECR
- Website operation, security, and fraud prevention
  - Legal basis: Legitimate interests
- Compliance with laws and regulations
  - Legal basis: Legal obligation
Cookies and similar technologies
We use essential and non‑essential cookies.
- Essential cookies are required for the site to function and are set without consent.
- Non‑essential cookies (such as analytics) are used only with your consent under the UK Privacy and Electronic Communications Regulations (PECR).
You can manage or withdraw consent at any time using the “Cookie settings” link in the site footer or your browser settings. Some features may not function without certain cookies.
We maintain a cookie register identifying cookie name, provider, purpose, and duration. Analytics retention in GA4 is set to 14 months.
Third‑party providers and roles
Note on MemberPress and WPForms: These are self‑hosted WordPress plugins. Personal data submitted through these plugins is stored on our hosting (Kinsta) and delivered via our CDN/security provider (Cloudflare). Kinsta and Cloudflare act as our processors for this hosting and delivery.
We use trusted service providers. Some act as our processors, and some act as independent controllers for parts of the processing. Please review their privacy information for details.
- MemberPress — membership and account management. Role: processor for account data; may act as independent controller for certain analytics or service logs. See their privacy policy.
- Stripe — payment processing. Role: independent controller for payment data; we receive limited transaction metadata.
- WPForms — form submissions stored in our system and emailed to our team. Role: processor.
- Mailchimp — email marketing (opt‑in only). Role: independent controller for email delivery and analytics features; processor for subscriber list storage.
- Adobe Fonts — font delivery. Role: independent controller for limited technical data to serve fonts.
- Google Analytics (GA4) — audience measurement with IP anonymisation enabled. Role: independent controller for analytics data.
- Hosting/CDN (e.g., Kinsta and Cloudflare) — hosting, caching, and security. Role: processor.
We have data processing or controller terms in place with each provider. Where personal data is transferred outside the UK or EEA, we rely on adequacy decisions or Standard Contractual Clauses together with the UK International Data Transfer Addendum, plus supplementary measures informed by our transfer risk assessments.
Data Security
We use technical and organisational measures appropriate to risk, including encryption in transit, access controls, least‑privilege permissions, multi‑factor authentication where available, backups, and vendor due diligence.
Data Retention
We keep personal data only as long as necessary for the purposes set out in this policy.
- Analytics data: retained per GA4 settings (14 months)
- Enquiry data: typically 24 months
- Account data: for the life of the account, then up to 6 years for legal and tax purposes
- Transaction records: 6 years
- Marketing data: until you withdraw consent or unsubscribe
Your Data Protection Rights
Under UK GDPR you have the rights set out below. If you are in the EEA, equivalent rights apply under the EU GDPR. You can also complain to your local supervisory authority in the EEA.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
- The right to withdraw consent
- The right to complain to a supervisory authority
To exercise your rights, email privacy@madebywoodsmoke.co.uk or write to the address above. We respond within one month of receipt and may extend by up to two further months for complex requests. We may need to verify your identity before acting on a request.
You can lodge a complaint with the Information Commissioner’s Office: ico.org.uk, 0303 123 1113.
You can find contact details for EU data protection authorities on the European Data Protection Board website.
Automated decision-making
We do not carry out automated decision‑making that produces legal or similarly significant effects. If this changes, we will update this policy.
Children’s Privacy
This website is not designed for children under the age of 16.
If you believe we have collected information about a child under the age of 16, please contact us by sending a message so we can delete the information. We do not intentionally or knowingly gather information about children under the age of 16.
For information society services directed at UK users, the UK age for consent to online services is 13. We do not offer memberships to users under 16.
External Websites
Our website contains links to external sites. We are not responsible for their content or privacy practices. Review their privacy policies before using those sites.
Disclosures
We do not sell personal data. We share data only with the categories of recipients listed above, with professional advisers, authorities where required by law, or to establish or defend legal claims.
Updates to this policy
We may update this policy. We will post the new version here and update the “Last updated” date above. For material changes, we may also provide additional notice.
Our Details
- Email: privacy@madebywoodsmoke.co.uk
- Post: MADE BY WOODSMOKE Limited, 7, Forbes Business Centre, Kempson Way, Bury St Edmunds, Suffolk, IP32 7AR
- Contact form: Contact us
More Information about Data Protection
You can find further information about data protection and your rights at the Information Commissioner’s Office website.