Privacy Policy

At Liu&Liu, your privacy is treated with the same care and respect as the silks we weave. This Privacy Policy explains how we collect, use, and protect your personal information in accordance with the UK and EU General Data Protection Regulation (GDPR).


1. Who we are (the Controller)

Controller: Liu & Liu LTD (trading as “Liu & Liu”)
Registered office: Bartle House, Manchester, M2 3WQ, United Kingdom
Contact: support@liuandliu.com

This notice explains how we process personal data in line with Article 13/14 UK GDPR/EU GDPR. You must be told this information at the time we obtain your data (or shortly after if we obtain it from another source).


2. The personal data we collect

Provided by you

  • Identification and contact data (name, email, phone, billing/shipping address).
  • Order and customer service data (orders, returns, messages).
  • Marketing preferences and consents.

Collected automatically

  • Device/usage data (IP address, device identifiers, browser type/version, pages viewed, timestamps) via strictly necessary cookies and (with consent) analytics/advertising cookies. See Cookie & Tracking below.

From third parties (where relevant)

  • Payment processors (payment status/AVS checks, tokenized references).
  • Delivery carriers and address verification tools.
  • Fraud‑prevention and risk vendors.
  • Marketing/email service providers.
    When we obtain data from other sources, we meet the transparency duties in Article 14.

We do not intentionally collect special categories of data. Please do not provide such data in free‑text fields.


3. Purposes and legal bases (UK GDPR/EU GDPR Art. 6)

We process your data only where a lawful basis applies:

Purpose | Examples | Legal basis
Purchase, fulfilment & support | Taking/fulfilling orders, updates, returns | Contract (Art. 6(1)(b))
Payments & fraud prevention | Processing payments, chargeback handling, fraud screening | Contract; Legitimate interests (preventing fraud); and/or Legal obligation
Delivery & logistics | Courier labels, tracking | Contract
Account management | Saved addresses, order history | Contract; Legitimate interests
Analytics & site improvement | Measuring performance, fixing errors | Consent for non‑essential cookies under PECR; Legitimate interests for subsequent analytics processing, where appropriate
Direct marketing (email/SMS) | Newsletters, offers | Consent (opt‑in) or soft‑opt‑in for existing customers, with opt‑out at any time
Legal, tax & compliance | Records retention, regulator responses | Legal obligation (Art. 6(1)(c))

Direct marketing: Individuals can object at any time; if they do, we must stop. Soft‑opt‑in may apply to existing customers if the strict conditions are met (same/similar products, opt‑out at collection and in each message).


4. Cookie & tracking technologies (PECR + UK/EU GDPR)

  • We only set non‑essential cookies (e.g., analytics/ads, A/B testing, personalisation) with your consent obtained through our consent banner.
  • Strictly necessary cookies (e.g., to put items in the cart, process checkout, provide security) do not require consent.
  • Consent must be freely given, specific, informed and unambiguous (no pre‑ticked boxes, no implied consent by scrolling; cookie walls generally invalidate consent). You can withdraw consent at any time via “Cookie Settings.”

5. Children

We do not knowingly offer our services directly to children. Where we rely on consent for an online service offered directly to a child:

  • In the EEA, a child may consent from age 16 (member states may set 13–16).
  • In the UK, the age is 13. Where required, we obtain parental/guardian consent and use proportionate age‑assurance.

6. How we share personal data

We do not sell personal data. We share only as needed with:

  • Platform provider: Shopify, which generally acts as our processor (see Shopify’s DPA) and, for certain “Enhanced Services,” as a separate controller per its terms.
  • Payment processors: e.g., Shopify Payments/Stripe, PayPal, Apple/Google Pay (controllers for payment data).
  • Operational vendors: hosting/CDN, email and customer‑support tools, analytics/anti‑fraud, delivery/courier services, address verification, returns management, and installed Shopify apps (each with its own privacy terms).
  • Professional advisers and authorities where required by law, to protect rights, or to prevent fraud/security incidents.

We use contracts (including data‑processing terms) and due diligence to ensure vendors protect your data and act only on our instructions where they are processors.


7. International data transfers

Where data is transferred outside the UK/EEA, we use lawful safeguards, including:

  • EU Standard Contractual Clauses (SCCs) (Commission Decision (EU) 2021/914).
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.
  • Adequacy decisions (e.g., Canada (commercial organisations), Switzerland, New Zealand, Japan, etc., as recognised by the European Commission).
  • Where applicable and the vendor is certified, transfers to the US may rely on the EU‑US Data Privacy Framework (and, for UK personal data, the UK‑US Data Bridge).

We also conduct transfer risk assessments where appropriate, in line with ICO guidance.


8. Security

  • We implement appropriate technical and organisational measures to protect personal data, considering the risks, the state of the art and costs (e.g., encryption in transit, access controls, least‑privilege, vendor oversight, incident response). This reflects GDPR Article 32 and ICO security guidance.
  • If a personal data breach is likely to risk individuals’ rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where there is a high risk, we will inform affected individuals without undue delay.

9. How long we keep data (retention)

  • We keep data only for as long as necessary for the purposes above, including to comply with law and defend legal claims. For example, order/accounting records are generally retained up to 6 years under UK tax/VAT rules. Marketing data is kept until you opt out or we delete it as part of regular suppression list maintenance.

10. Your rights (UK & EU)

Subject to conditions and exemptions, you have:

  • Access to your data; rectification of inaccuracies; erasure; restriction; portability; objection to processing based on legitimate interests; and the right to object at any time to direct marketing (including related profiling)—if you object, we must stop. You also have rights in relation to automated decision‑making.
  • You may withdraw consent at any time; it must be as easy to withdraw as to give. Withdrawal does not affect prior lawful processing.
  • How to exercise your rights: email us. We will verify identity and respond within one month (extendable by two months for complex requests). You may also change cookie preferences via [Cookie Settings].

11. Complaints

If you are unhappy with how we handle your data, please contact us first. You also have the right to complain to your local Supervisory Authority:

  • UK: Information Commissioner’s Office (ICO), ico.org.uk (see “Make a complaint”).
  • EEA: your national data protection authority (see the EDPB list of members).

12. Automated decision‑making

  • We do not make decisions based solely on automated processing that produce legal or similarly significant effects about you. If we ever do, we will tell you and ensure safeguards required by Article 22 (human review, ability to express your view and contest the decision).

13. Third‑party links

  • Our site may link to third‑party websites/services. Their privacy notices govern those services.

14. Changes to this notice

  • We will update this notice when necessary and post the new version with an updated effective date.

15. Platform, apps and payments — important specifics for Shopify stores

  • Shopify: We run our store on Shopify. Shopify typically acts as our processor under its Data Processing Addendum (DPA); in limited cases (e.g., certain “Enhanced Services”) Shopify may act as an independent controller. Shopify describes its international transfers (including onward transfers) and safeguards in its help centre and DPA.
  • Apps (e.g., upsell, analytics, email, reviews): Apps you install in Shopify can act as processors or independent controllers. Always review the app’s own privacy terms. We require vendors to provide appropriate contractual safeguards (e.g., SCCs/IDTA where relevant).

16. Direct marketing under PECR (email/SMS)

  • For electronic mail marketing to individual subscribers (including sole traders/partnerships), we obtain consent or rely on the soft‑opt‑in where permitted. Every message contains an unsubscribe. For corporate subscribers, different rules apply but we respect objections and preferences.

Contact us

LIU&LIU LTD
Bartle House, Manchester, M2 3WQ, United Kingdom
Email: support@liuandliu.com