Privacy Policy

How Taylor Craft Productions collects, uses and protects your personal information.

Effective date: 11 May 2026

Data controller: Taylor Craft Productions

Introduction

Taylor Craft Productions ("we", "us", "our") is a family-run business in Bedfordshire, England, that designs and handcrafts bespoke oak memorial crosses. This Privacy Policy explains what personal information we collect when you use our website, place an order, get in touch or subscribe to our newsletter, how we use that information, who we share it with, and the rights you have over it.

We are committed to protecting your privacy and handling your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For the purposes of those laws, Taylor Craft Productions is the data controller of the personal information collected through this website.

This policy is effective from the date shown above. We will update the effective date whenever the policy is materially revised.

Information We Collect

We only collect personal information that you give us directly, or that is generated automatically as a necessary part of running the website. We do not buy customer lists or obtain personal information from third-party data brokers.

Information you give us: when you use our contact form (at /contact) or our maintenance enquiry form, we collect your name, email address, telephone number (if you choose to provide it), the subject of your enquiry and the contents of your message. Where you tick the newsletter opt-in box on those forms, we also record your preference to receive marketing emails.

Newsletter sign-ups: when you subscribe to our newsletter via the header form, the footer, or any newsletter section on the site, we collect your email address and a short note of which page the sign-up came from.

Orders and personalisation: when you place an order, we collect your name (or first and last name if you check out as a guest), email address, telephone number, delivery address (street, city, postcode, country), and the personalisation details for the cross itself — typically the loved one's name, their dates of birth and passing, any personalised description you choose to add, and your design selections (font, halo, finish and so on).

Account registration: if you choose to create an account, we additionally store a hashed version of your password, along with your first name, last name and telephone number.

Reviews: if you leave a review, we collect your name, the review text, your star rating and, where relevant, a reference to the product or order being reviewed.

Information collected automatically: as is standard for most websites, our hosting provider logs basic technical information when you visit — for example your IP address, browser type, the pages you view and the date and time of your visit. We use this to keep the site secure and to understand which pages are most useful. We do not run third-party advertising trackers on our site.

Payment data: when you pay for an order, your card details are collected and processed directly by Stripe on a page hosted by Stripe. We never see or store your full card number, expiry date or security code.

How We Use Your Information

We use your personal information only for the purposes for which it was collected, and we keep that use to the minimum necessary. Specifically, we use your information to: take and confirm your order; produce and send you the digital proof of your cross; manufacture and deliver your order; provide order updates and dispatch notifications; respond to enquiries and customer service requests; administer your account if you have one; process refunds, returns or warranty claims; comply with our legal obligations under English law (in particular tax and accounting record-keeping); detect and prevent fraud and abuse of the site; and, where you have opted in, send you our newsletter and occasional marketing communications.

We will not use your information for any purpose that is incompatible with the reason it was originally collected without first asking you.

Legal Bases for Processing

Under UK GDPR, we are required to identify a lawful basis for processing your personal information. The lawful bases on which we rely are as follows.

Performance of a contract: we rely on this basis to process your order, communicate with you about your order, produce your proof, take payment via Stripe, arrange delivery, and manage your account if you have one. Without this information we cannot fulfil our side of the contract.

Consent: we rely on consent when we send you marketing emails (you opt in at the point of sign-up, and can withdraw at any time using the unsubscribe link in every email) and when we set non-essential cookies. You may withdraw your consent at any time; withdrawal does not affect the lawfulness of any processing carried out before withdrawal.

Legal obligation: we rely on this basis to retain order and payment records for the periods required by HMRC and other UK regulators, and to respond to lawful requests from public authorities.

Legitimate interests: we rely on this basis for the day-to-day running of the business — for example responding to enquiries you send us, preventing fraud, securing the website, and improving our products and service based on aggregate information about how the site is used. Where we rely on legitimate interests, we have considered your rights and concluded that they are not overridden by ours.

Who We Share Your Information With

We do not sell your personal information, and we do not share it for any third party's own marketing purposes. We share information only with the service providers we need in order to run our business, and only to the extent necessary for them to provide their service to us. Each of the providers below is contractually required to protect your information and to use it only on our instructions.

Stripe — handles all card payments on our behalf via its hosted checkout page (stripe.com). Stripe receives your name, billing address and card details directly; we receive only a confirmation that payment has been made.

Resend — sends our transactional emails, including order confirmations, proof emails and dispatch notifications. Resend processes your name and email address solely to deliver these messages.

Neon — hosts our PostgreSQL database, in which order records, account records, enquiries, newsletter subscriptions and reviews are stored. Neon's servers are located within the EEA (eu-west-2).

Vercel — hosts the website itself and provides storage for product imagery and other media through Vercel Blob.

Parcel courier — to deliver your order, we share the recipient's name, delivery address and contact information with the courier of the day (typically Royal Mail or a parcel carrier). The courier uses this only to make the delivery and provide tracking.

We may also disclose personal information where we are required to do so by law, by a regulator or by a court order, or where disclosure is necessary to protect our rights, our customers or the public.

International Transfers

Our database (Neon) and our website host (Vercel) operate from data centres within the European Economic Area, which is recognised by the UK government as offering an adequate level of data protection.

Some of our other providers — for example Stripe and Resend — are headquartered outside the United Kingdom and the EEA. Where personal information is transferred to a country that is not the subject of a UK adequacy regulation, we rely on appropriate safeguards as required by UK GDPR, in particular the UK International Data Transfer Agreement or the EU Standard Contractual Clauses together with the UK addendum. Copies of these safeguards are available on request.

Data Retention

We keep your personal information only for as long as we need it for the purpose for which it was collected, and to meet any legal obligations. The standard periods we apply are as follows.

Order records (including the personalisation details and proof images for your cross): 7 years from the date of the order, in line with HMRC record-keeping requirements.

Account data: for the lifetime of your account plus 2 years after the account is closed, to allow us to answer any follow-up questions and to meet our legal obligations.

Newsletter subscriptions: until you unsubscribe. Once you unsubscribe, we retain a minimal record of the unsubscribe itself so that we do not accidentally email you again.

Enquiries (contact form, maintenance form): 24 months from the date of the enquiry, after which they are deleted unless they have become part of an order or open dispute.

Where any information is anonymised — for example for statistical reporting about site usage — it is no longer personal data and may be retained without time limit.

Cookies and Tracking Technologies

A cookie is a small text file placed on your device by a website. We use cookies sparingly and only in the categories described below.

Strictly necessary cookies: a session cookie keeps you logged in if you have an account, and remembers the contents of your basket between page loads. These cookies are essential for the site to work and cannot be turned off through our site.

Administrator cookie: an "admin_bypass_maintenance" cookie is set only for administrators of the site so that they can preview the site while it is in maintenance mode. It is not set on ordinary visits.

Payment cookies: when you proceed to payment, you are taken to a page hosted by Stripe (stripe.com). Stripe sets its own cookies on that page; these are governed by Stripe's own privacy policy.

You can control or delete cookies through your browser settings at any time. Disabling strictly necessary cookies may prevent parts of the site from working correctly. The Information Commissioner's Office publishes general guidance on cookies at ico.org.uk.

Your Rights

Under UK GDPR you have a number of rights in relation to the personal information we hold about you. You may exercise any of these rights by emailing us using the contact details at the foot of this page. We will respond within one month of receiving your request, in line with the timescale set out in UK GDPR.

Right of access: you may ask us to confirm whether we hold personal information about you, and to provide you with a copy of that information.

Right to rectification: you may ask us to correct any information about you that is inaccurate, or to complete any information that is incomplete.

Right to erasure (the "right to be forgotten"): you may ask us to delete the personal information we hold about you, subject to the limits of our legal obligations to retain certain records (for example order records for HMRC).

Right to restrict processing: you may ask us to pause our use of your personal information while a query is being resolved.

Right to data portability: where we hold information on the basis of consent or contract and process it by automated means, you may ask us to provide it to you in a structured, machine-readable format, or to transfer it directly to another provider where this is technically possible.

Right to object: you may object to our processing of your information where we rely on legitimate interests, and you may at any time ask us to stop sending you marketing.

Right to withdraw consent: where we rely on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.

Right to lodge a complaint: you have the right to complain to the Information Commissioner's Office (the UK's independent data protection regulator) if you are not satisfied with the way we have handled your personal information. Details are in the "Contact Us and Complaints" section at the foot of this policy. We would always prefer to resolve concerns directly first, so please do come to us before approaching the ICO.

Children's Privacy

Our website and products are intended for adults. We do not knowingly collect personal information from anyone under the age of 16. If we become aware that we have collected personal information from a child under 16 without verifiable parental consent, we will delete that information promptly.

Data Security

We take the security of your personal information seriously and have appropriate technical and organisational measures in place to protect it. Account passwords are stored only in a one-way hashed form, all data is transmitted between your browser and our servers over an encrypted HTTPS connection, and access to the underlying database is restricted to a small number of authorised personnel.

Card data is never stored on our servers — it is processed directly by Stripe under their own PCI DSS-compliant systems.

No system can be guaranteed to be 100% secure. We work hard to protect your information, but cannot warrant the absolute security of any information transmitted to or from our website. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office in line with our obligations under UK GDPR.

Changes to This Policy

We may update this Privacy Policy from time to time, for example to reflect changes in the law, in our business or in the services we use. When we make a change we will update the effective date at the top of the page. Where the change is material, we will draw it to your attention by email (where we hold a current email address for you) or by a clear notice on the site.

Contact Us and Complaints

If you have any questions about this Privacy Policy, want to exercise any of your rights, or have a concern about the way we handle your personal information, please get in touch using the contact details below.

You also have the right to complain to the Information Commissioner's Office at any time. The ICO can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Helpline: 0303 123 1113. Website: ico.org.uk. We would always prefer the chance to resolve any concerns directly with you first, but you do not need to ask us before approaching the ICO.

This Privacy Policy is provided as plain-English guidance and does not constitute legal advice. For specific questions about your rights, contact the ICO or seek independent legal advice.

Contact the Data Controller

For any privacy-related question, or to exercise any of your rights under UK GDPR, please contact Taylor Craft Productions using the details below.

Phone: 020 4363 3064

Email: hello@taylorcraftproductions.com

Address: United Kingdom