Privacy Policy - Meridian & Cole

Privacy Policy

How Meridian & Cole collects, uses, and protects your personal information.

Last Updated: May 9, 2026  |  Controller: Meridian & Cole  |  Jurisdiction: GDPR & Applicable Privacy Law

1. Overview & Controller Identity

Meridian & Cole ("we," "us," or "our"), operating via your-domain.com, is the data controller responsible for your personal information. We are committed to protecting your privacy and handling your data transparently, lawfully, and in accordance with the General Data Protection Regulation (GDPR), the UK GDPR, and all applicable privacy legislation.

This Privacy Policy applies to all visitors, users, and customers who interact with our website, services, or communications. By using our site, you acknowledge the practices described herein.

2. Data We Collect

Information You Provide Directly

  • Contact details: name, email address, phone number, postal address
  • Account information: username, password (encrypted), profile preferences
  • Communications: messages submitted via contact forms, email correspondence, support enquiries
  • Transaction data: billing details, purchase history, service requests (payment card data processed by our PCI-compliant payment provider — we do not store raw card numbers)

Information Collected Automatically

  • Technical data: IP address, browser type and version, device identifiers, operating system
  • Usage data: pages visited, time spent, referral URLs, click-path behaviour
  • Cookies & tracking: session cookies, analytics identifiers (see Section 4)

Information from Third Parties

We may receive data from analytics providers, advertising networks, and social media platforms where you have chosen to interact with us through those channels, subject to their own privacy policies.

4. Cookie Policy

We use cookies and similar tracking technologies to enhance functionality, analyse site performance, and deliver relevant content. You can manage cookie preferences via your browser settings or our cookie consent tool.

5. Third-Party Services

We engage trusted third-party service providers who process data on our behalf under strict data processing agreements:

  • Google Analytics / Google Ads: Website analytics and advertising performance measurement. Data may be transferred to Google LLC servers. Governed by Google's Privacy Policy and standard contractual clauses.
  • Payment Processors: PCI DSS-compliant providers (e.g., Stripe, PayPal) handle all payment transactions. We do not receive or store full card details.
  • Email & CRM Platforms: Used for transactional and marketing communications, subject to your preferences.
  • Hosting & CDN Providers: Infrastructure providers storing data in secure, GDPR-compliant data centres.
  • Social Media: Embedded content or share buttons from platforms such as LinkedIn, Facebook, or Twitter may set their own cookies when enabled.

We do not sell your personal data to any third party. Data transfers outside the UK/EEA are safeguarded by appropriate mechanisms including Standard Contractual Clauses or adequacy decisions.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy or as required by law:

  • Account & customer data: Retained for the duration of our relationship plus 7 years (tax and legal compliance)
  • Marketing data: Until you withdraw consent or request erasure
  • Contact form enquiries: Up to 3 years from last interaction
  • Analytics data: Aggregated/anonymised data retained up to 26 months; identifiable data per cookie duration
  • Legal & compliance records: As required by applicable law, typically 6–10 years

Upon expiry of the retention period, data is securely deleted or anonymised in accordance with our internal data management procedures.

7. Your Rights

Under GDPR and applicable privacy laws, you hold the following rights regarding your personal data. To exercise any right, contact us using the details in Section 9.

👁 Right to Access

Request a copy of the personal data we hold about you (Subject Access Request).

✏️ Right to Rectification

Request correction of inaccurate or incomplete personal data.

🗑️ Right to Erasure

Request deletion of your data ("right to be forgotten") where no legal basis exists for retention.

⏸️ Right to Restrict

Request restriction of processing in specific circumstances while a dispute is resolved.

📦 Right to Portability

Receive your data in a structured, machine-readable format for transfer to another controller.

🚫 Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

We will respond to all verifiable requests within 30 days. No fee applies unless requests are manifestly unfounded or excessive. We may request proof of identity before processing your request.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include SSL/TLS encryption for data in transit, access controls, regular security assessments, and staff training on data protection obligations.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected individuals without undue delay.

9. Contact & Complaints

For any privacy-related enquiries, to exercise your rights, or to raise a concern, please contact our Data Protection contact:

📬 Privacy Contact — Meridian & Cole

Website: your-domain.com

Email: [email protected]

Subject line: "Privacy Request – [Your Name]"

We aim to respond to all privacy enquiries within 5 business days and fulfil all statutory obligations within the required timeframes.

Supervisory Authority

If you are dissatisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. EU residents may contact their national Data Protection Authority.

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. The "Last Updated" date at the top of this page indicates when the most recent revision was made. Material changes will be communicated via prominent notice on our website or direct notification where appropriate. Continued use of our services after changes constitutes acceptance of the revised policy.