Privacy policy

Last Updated: 12 March 2026

Who We Are

Northline Home Ltd, trading as Northline Home ('we', 'us', 'our'), is the data controller responsible for your personal data.

Legal Name	Northline Home Ltd
Trading Name	Northline Home
Registration Number	16947825
ICO Registration Number	ZC108220
Registered Office	71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Email	contact@northline-home.com
Phone	+44 7874 272427
Website	https://northline-home.com

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website or purchase from us. It also sets out your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this policy carefully. If you have any questions, contact us at contact@northline-home.com.

1. What Personal Data We Collect

We collect the following categories of personal data when you use our Services:

Data you provide directly:

Full name
Delivery and billing address
Email address
Phone number
Payment information (processed securely by our payment providers — see Section 5)
Order details and purchase history
Communications you send us (emails, contact form messages)
Account login credentials (if you create an account)
Product reviews or feedback you submit

Data collected automatically when you visit our website:

IP address
Browser type and version
Device type and operating system
Pages visited and time spent on each page
Referring website or search terms
Cookie identifiers (see Section 8)

Data we do not collect:
We do not collect or process sensitive personal data (also known as 'special category data') such as racial or ethnic origin, religious beliefs, health data, biometric data, or sexual orientation.

We do not knowingly collect data from children under the age of 18.

2. How We Use Your Personal Data

We process your personal data for the following purposes and on the following legal bases under UK GDPR:

Purpose	Legal Basis
Processing and fulfilling your order	Contract — necessary to perform our contract with you
Sending order confirmation, dispatch, and tracking emails	Contract — necessary to perform our contract with you
Processing payments and preventing fraud	Contract + Legal Obligation
Responding to your customer service enquiries	Contract / Legitimate Interests
Managing returns, refunds, and exchanges	Contract + Legal Obligation
Sending marketing emails (if you opted in)	Consent — you can withdraw at any time
Improving our website and understanding how it is used	Legitimate Interests
Complying with legal obligations (tax, accounting, fraud prevention)	Legal Obligation
Protecting the security of our website and Services	Legitimate Interests

We will never use your personal data for purposes incompatible with the original reason it was collected without first obtaining your consent.

Under the UK GDPR, we process your personal data on the following legal bases:

Contract (Article 6(1)(b)): Processing necessary to fulfil your order, deliver your products, process payments, and manage your account
Legal Obligation (Article 6(1)(c)): Processing required to comply with UK law, including tax records, fraud prevention, and consumer protection obligations
Legitimate Interests (Article 6(1)(f)): Processing for our legitimate business interests, such as improving our website, preventing fraud, and analysing how our Services are used — provided these interests do not override your fundamental rights
Consent (Article 6(1)(a)): Processing for marketing communications where you have opted in — you may withdraw consent at any time without affecting the lawfulness of prior processing

We share your personal data only with trusted third parties where necessary to operate our business and provide our Services to you.

Data processors (such as Shopify and Cloudflare) act strictly on our instructions and are contractually bound to protect your data through Data Processing Agreements (DPAs) in accordance with UK GDPR Article 28.

Independent data controllers (such as Google, Meta, TikTok, Pinterest, Klarna, and Klaviyo) determine how they process your data under their own privacy policies, which are available on their respective websites. We are not responsible for their processing activities.

We do not sell your personal data. Where we share data with independent controllers for advertising purposes, the legal basis is your consent — Article 6(1)(a) UK GDPR — obtained through our cookie consent banner.

Third Party	Purpose
Shopify Inc.	E-commerce platform
Stripe / Shopify Payments	Payment processing
Klarna	Payment processing
Revolut Pay	Payment processing
Apple Pay	Payment processing
Google Pay	Payment processing
Royal Mail	Order delivery and tracking
DPD	Order delivery and tracking
Evri	Order delivery and tracking
Google Analytics	Website analytics
Track123	Order tracking portal
TrackBee	Conversion tracking and pixel data
Cloudflare	Website security and performance — processes IP addresses and device data
Klaviyo	Email marketing — processes names, email addresses, and purchase history
Pinterest	Advertising and interest-based targeting
Meta (Facebook)	Advertising and conversion tracking via TrackBee
TikTok	Advertising and conversion tracking via TrackBee

Business Transfers: In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred to the acquiring entity. We will notify you before any such transfer and inform you of your rights.

Legal Disclosure: We may disclose your personal data if required to do so by law, court order, or to cooperate with law enforcement or regulatory authorities.

5. Payment Data

All payment transactions are processed securely by our payment providers — Shopify Payments, Stripe, Klarna, Revolut Pay, Apple Pay, and Google Pay. We do not store your full card number, CVV, or banking details on our servers at any time. Payment data is encrypted and handled in accordance with PCI DSS (Payment Card Industry Data Security Standard) requirements. Please refer to each payment provider's privacy policy, available on their respective websites, for full details of how your financial data is handled.

6. International Data Transfers

As we use Shopify to operate our store, some of your personal data may be stored on servers located outside the United Kingdom (including the United States and the European Union). Where this occurs, we ensure appropriate safeguards are in place, including:

Reliance on the UK-US Data Bridge (the UK's adequacy framework for US data transfers) where applicable
International Data Transfer Agreements (IDTAs) — the UK equivalent of Standard Contractual Clauses — where required by UK GDPR

We take all reasonable steps to ensure that international transfers of your personal data are handled securely and in full compliance with UK GDPR.

7. How Long We Keep Your Data

We retain your personal data only for as long as necessary for the purpose for which it was collected, or as required by UK law:

Data Type	Retention Period
Order and transaction records	7 years (UK HMRC tax requirement)
Customer account data	Duration of account + 2 years after last activity
Customer service communications	3 years
Marketing consent records	Until consent is withdrawn + 1 year
Website analytics data	26 months (Google Analytics default)

When personal data is no longer required, we will securely delete or anonymise it. Where immediate deletion is not possible (e.g. backup archives), we will isolate it from further processing until deletion is possible.

8. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to operate correctly, analyse usage, and support marketing activities.

Cookie Type	Purpose
Strictly Necessary	Required for the website to function — cannot be disabled (e.g. shopping cart, checkout, login, security)
Performance	Collect data about how visitors use our site (e.g. Google Analytics). Under the Data (Use and Access) Act 2025, analytics cookies may not require explicit consent where risk is demonstrably low and transparency is maintained. You may still opt out via your browser settings or the Google Analytics opt-out tool at any time.
Targeting	Deliver relevant advertisements and track campaign performance — requires your consent
Functional	Remember your preferences (e.g. saved items, session data)

You can control cookie preferences through your browser settings or our cookie consent banner. Disabling certain cookies may affect the functionality of our website.

Global Privacy Control (GPC): We recognise and honour GPC signals from your browser as a valid opt-out of non-essential tracking and targeted advertising.

Google Consent Mode V2: We use Google Consent Mode V2 to manage how Google tags behave based on your consent choices. Where you decline non-essential cookies, Google Consent Mode uses anonymous, aggregated signals only. No personally identifiable data is passed to Google without your consent.

9. Data Security

We implement appropriate technical and organisational security measures to protect your personal data, including:

SSL/TLS encryption on all pages of our website
Secure, access-controlled systems for storing customer data
Regular security reviews of our third-party service providers
Staff access to personal data limited to those who need it to perform their role

Despite our best efforts, no internet transmission or storage system is 100% secure. If you believe your personal data has been compromised, please contact us immediately at contact@northline-home.com.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33.

Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, explaining what happened, what data was affected, and what steps we are taking to address the situation.

As a UK data subject, you have the following rights:

Right	What It Means
Right of Access	Request a copy of all personal data we hold about you (Subject Access Request)
Right to Rectification	Request correction of inaccurate or incomplete data
Right to Erasure	Request deletion of your personal data where there is no legal reason to retain it
Right to Restrict Processing	Request that we limit how we use your data in certain circumstances
Right to Data Portability	Receive your data in a structured, machine-readable format
Right to Object	Object to processing based on legitimate interests or for direct marketing
Right re: Automated Decisions	Request human review of any automated decision that significantly affects you
Right to Withdraw Consent	Withdraw consent at any time where processing is consent-based — does not affect prior lawful processing

To exercise any of these rights, contact us at:

Email: contact@northline-home.com

We will respond to all valid requests within 30 days as required by UK GDPR. We will not charge a fee for reasonable requests.

12. Right to Complain to the ICO

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK supervisory authority.

We would appreciate the opportunity to resolve your concern before you contact the ICO — please reach out to us first at contact@northline-home.com.

13. Marketing Communications

We will only send you marketing emails if you have explicitly opted in. Every marketing email includes an unsubscribe link. You may also opt out at any time by:

Clicking the unsubscribe link in any marketing email
Emailing contact@northline-home.com with the subject line "Unsubscribe"

Unsubscribing from marketing does not affect transactional emails related to your orders (confirmation, dispatch, tracking, and returns).

14. Children's Privacy

Our Services are intended for users who are at least 18 years old. We do not knowingly collect personal data from children under 18. If you believe we have inadvertently collected data from a child, please contact us at contact@northline-home.com and we will delete it promptly.

15. Do Not Track (DNT)

There is currently no universal technical standard for Do-Not-Track signals. We do not currently respond to DNT browser signals. However, we do honour Global Privacy Control (GPC) signals as a valid opt-out of non-essential tracking and targeted advertising.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements — including updates arising from the Data (Use and Access) Act 2025 as ICO guidance is published. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email. We encourage you to review this policy periodically.