1. Introduction and who we are
This Privacy Policy explains how Ganesha Online collects, uses, shares and protects your personal data when you visit or make a purchase on ganeshaonline.co.uk. We act as the “controller” of your personal data under applicable law.
We are committed to treating your information with care and transparency and to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Effective date: 8 February 2026
2. Personal data we collect
We collect and process the following categories of personal data:
- Identity and contact data: name, billing and delivery address, email address, telephone number.
- Account data: username, password, preferences, saved addresses, order history.
- Order and transaction data: items purchased, order value, payment method, delivery details, invoices, and records of returns or refunds.
- Payment data: details necessary to process payments and prevent fraud. Card payments are processed by secure third-party providers; we do not store full card numbers or security codes.
- Communications: messages you send to us (for example, by email or forms), customer service notes, and your marketing preferences.
- Device and usage data: IP address, device identifiers, browser type, operating system, referral URLs, pages viewed, time spent, and actions taken on our site. This may be collected using cookies and similar technologies.
- Cookies and similar technologies data: information from cookies, pixels and tags used for functionality, security, analytics and, where applicable, marketing.
- Information from partners: delivery updates from couriers, payment approval/decline and fraud information from payment processors, and analytics or anti-abuse signals from service providers.
We do not intentionally collect special categories of personal data (such as health, biometric, or religious information) or information about criminal convictions in the ordinary course of our business.
3. How we use your data and legal bases
We use your personal data for the purposes and on the legal bases set out below:
- To operate our website and provide our services (creating and managing your account, processing orders, payments and deliveries, providing customer support): Performance of a contract and/or legitimate interests.
- To send service messages (order confirmations, delivery updates, account notifications, changes to terms): Performance of a contract and/or legal obligation.
- To provide marketing communications (news, offers, promotions): Consent (where required under PECR) or legitimate interests where permitted. You can opt out at any time.
- To personalise and improve our site and services (troubleshooting, analytics, A/B testing, usability, product improvement): Legitimate interests.
- To maintain security and prevent fraud (fraud detection, abuse prevention, account and network security): Legitimate interests and/or legal obligation.
- To comply with legal and regulatory requirements (tax and accounting records, responding to lawful requests): Legal obligation.
- To defend and exercise legal claims (managing disputes, enforcing our terms): Legitimate interests.
Where we rely on consent, you can withdraw it at any time. Where we rely on legitimate interests, we balance our interests against your rights and expectations and apply appropriate safeguards.
4. Cookies and similar technologies
We use cookies, pixels and similar technologies to make our website work, to keep it secure, to understand performance, and—where permitted—to tailor content or marketing.
- Strictly necessary cookies: required for core functions such as navigation, security, and checkout. These cannot be switched off in our systems.
- Performance/analytics cookies: help us understand how visitors use our site so we can improve it.
- Functionality cookies: remember choices such as language, region, and saved preferences.
- Advertising/targeting cookies (if used): may be set by us or our partners to build a profile of your interests and show you relevant adverts.
Cookie durations vary. Some are session cookies (deleted when you close your browser), others are persistent (stored until they expire or you delete them). You can manage cookies through your browser settings and, where provided, using on-site cookie settings. Disabling certain cookies may affect site functionality.
5. Sharing your personal data
We share your data only when necessary, with appropriate safeguards:
- Service providers (processors): companies that help us operate, including website hosting and cloud infrastructure, payment processing and fraud prevention, email and communications delivery, analytics, customer support tools, and couriers/fulfilment partners. They act on our instructions and must protect your data.
- Professional advisers: accountants, auditors, lawyers and insurers for compliance and business governance.
- Authorities and regulators: where required by law or to protect rights, safety, and security.
- Business transfers: if we are involved in a merger, acquisition, financing, or sale of assets, your data may be transferred to the relevant entity with continuity of protections.
We do not sell your personal data.
6. International transfers
Your personal data is primarily processed in the United Kingdom. Where we transfer data to service providers located outside the UK (and, where applicable, outside the European Economic Area), we ensure appropriate safeguards are in place, such as:
- an adequacy regulation by the UK government for the destination country;
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- other safeguards permitted by law, together with risk assessments and technical/organisational measures.
You can request more information about international transfer safeguards using the contact details in section 15.
7. Data retention
We keep personal data only for as long as necessary for the purposes described in this policy, including to comply with legal, accounting or reporting requirements. Typical retention periods include:
- Account data: for as long as your account remains active and for a reasonable period thereafter if needed to respond to queries or enforce our terms.
- Order and transaction records: generally up to six years after the end of the relevant financial year to meet tax and accounting obligations and limitation periods.
- Customer support communications: up to three years after resolution, unless a longer period is required for legal claims or compliance.
- Marketing data: until you withdraw consent or object to processing, after which we retain a minimal suppression record to honour your preference.
- Cookies/analytics data: kept in line with the specific cookie’s lifespan, or aggregated/anonymised sooner where feasible.
When retention is no longer necessary, we securely delete or anonymise the data.
8. Your rights
Under the UK GDPR, you have the following rights, subject to conditions and exemptions:
- Right to be informed about how we use your data.
- Right of access to obtain a copy of your personal data.
- Right to rectification to correct inaccurate or incomplete data.
- Right to erasure to request deletion of your data in certain circumstances.
- Right to restrict processing in certain circumstances.
- Right to data portability to receive certain data in a structured, commonly used and machine-readable format and to transmit it to another controller.
- Right to object to processing based on legitimate interests, including profiling, and to object at any time to direct marketing.
- Rights related to automated decision-making including profiling, where applicable.
To exercise your rights, please use the contact details in section 15. We may need to verify your identity before responding. We aim to respond within one month. You will not generally have to pay a fee unless your request is manifestly unfounded, repetitive or excessive.
You can withdraw consent for marketing at any time by following the instructions in our messages or by contacting us.
9. Children’s privacy
Our website is not directed to children under 13 years of age, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us so we can take appropriate steps.
10. Data security
We apply appropriate technical and organisational measures to protect personal data, including secure transport (TLS) of data in transit, robust access controls, staff training, vulnerability management, backups, and supplier due diligence. No method of transmission or storage is completely secure; if we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authority when required by law.
11. Marketing communications
Where permitted by law, we may send you marketing messages about our products and services. We will obtain your consent where required. You can opt out at any time by following the unsubscribe instructions in the message or by contacting us. Even if you opt out, we may still send you non-marketing service messages (for example, order updates).
12. Automated decision-making
We do not make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects concerning you. If this changes, we will inform you and explain your rights in relation to such processing.
13. Complaints
If you have concerns about how we handle your personal data, please contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO):
- Telephone: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements or other factors. When we make material changes, we will take reasonable steps to inform you (such as by prominently posting a notice on our website). The “Effective date” at the top shows when this policy last changed.
15. How to contact us and our DPO status
Controller: Ganesha Online (ganeshaonline.co.uk)
Data Protection Officer (DPO): We are not required to appoint a Data Protection Officer. For all privacy questions, requests or complaints, please contact our privacy team using the contact details provided in the footer of our website or by using our usual customer contact methods.
When contacting us about your data, please include your name, contact details, and a brief description of your request so we can assist you efficiently.