Your data, in plain English .

Who we are

Petal Powered is operated by Petal Powered, Inc., a company registered in [England & Wales] with its registered office at [address]. We are the data controller for visitors to petalpowered.co.uk and for our florist customers. For data your shop collects about your customers, we act as a data processor on your behalf — that arrangement is covered by our Data Processing Agreement.

If you have any questions about this policy or your data, please email [email protected].

What we collect

When you visit petalpowered.co.uk

• Anonymous, aggregated analytics about page views and traffic sources
• A minimal cookie to remember you've dismissed any banner messages
• Information your browser sends automatically (IP address, browser type, referrer) — held for a short period to detect abuse and diagnose problems

When you start a free trial or send us a message

• Your name and email address
• Your shop name, city (optional), and where you are in your journey
• Anything else you choose to tell us in the message field

When you become a paying customer

• Billing details (handled by Stripe — we never see or store your card number)
• VAT number (if applicable) and invoicing address
• Account login, password (hashed), and audit logs of what you did and when
• Support correspondence

Why we have it (lawful basis)

Under UK GDPR we rely on the following lawful bases:

• Contract: to set up your account, run your shop, take payment, and provide support.
• Legitimate interests: to keep the platform secure, prevent abuse, improve the product, and answer one-off questions from people who aren't yet customers.
• Legal obligation: to keep accounting records (HMRC requires we keep invoices for at least six years) and to respond to lawful requests from the authorities.
• Consent: for any optional marketing emails — you can withdraw consent at any time using the unsubscribe link.

Who we share it with

We use a small number of carefully chosen suppliers to run the service. Each is a data processor bound by a written agreement and equivalent security obligations. We do not sell personal data to anyone, ever, and we do not share it with advertisers.

• Stripe — payment processing (UK & Ireland)
• Amazon Web Services (London region) — hosting and storage
• Postmark / Resend — transactional email
• Google Analytics — anonymised website analytics
• Tawk.to — live chat, if you opt to use it
• HMRC, our accountants, and our solicitors — where required by UK law

How long we keep it

• Trial enquiries that don't convert: 12 months, then deleted
• Active customer data: for as long as your account is open
• Closed accounts: deleted within 90 days of cancellation, except invoices and tax records which we keep for six years to satisfy HMRC
• Support correspondence: three years from the date of the last reply
• Server logs: 30 days

International transfers

Our infrastructure sits in the UK. Where a sub-processor we use stores data outside the UK (for example, occasional Stripe operations), we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, plus additional safeguards where appropriate.

Your rights

Under UK GDPR you have the right to:

• Ask for a copy of the personal data we hold about you (right of access)
• Ask us to correct anything that's wrong (rectification)
• Ask us to delete your data, subject to our HMRC obligations (erasure)
• Ask us to stop or limit how we use it (restriction)
• Object to certain uses, including direct marketing
• Ask for your data in a portable format (portability)
• Withdraw consent for anything you previously consented to

To exercise any of these, email [email protected]. We'll reply within 30 days. If you're not happy with our response, you can complain to the Information Commissioner's Office at ico.org.uk — though we'd very much rather you spoke to us first.

Cookies

We use two kinds of cookies:

• Strictly necessary cookies — needed to run the site (for example, to remember your cookie preference). These don't require consent under UK PECR.
• Analytics cookies (Google Analytics) — help us understand how the marketing site is used. These only load after you've clicked "Accept all" in the cookie banner. If you don't accept, they're never set.

You can change your mind at any time using the "Cookie preferences" link in the footer of every page. Your choice is stored in a cookie called pp_consent and remembered for 12 months.

Children

Petal Powered is a tool for businesses. We don't knowingly collect personal data from anyone under 16.

Changes to this policy

We may update this policy from time to time. If we make a meaningful change, we'll email customers and update the "Last updated" date below. Continued use of Petal Powered after a change means you accept the updated policy.

Last updated: 18 May 2026.