# Privacy Policy
This policy explains how Lucius Group Ltd ("Lucius", "we", "us")
collects and uses your personal data when you visit lucius.co.uk,
place an order, or apply for a trade account.
We are the data controller for the information we collect. We take
your privacy seriously and process personal data in accordance with
the UK General Data Protection Regulation (UK GDPR) and the Data
Protection Act 2018.
## Who we are
Lucius Group Ltd
Registered in Scotland · Company no. SC_______
Registered office: [insert registered address]
Email: hello@lucius.co.uk
If you have questions about this policy or how we handle your data,
email hello@lucius.co.uk.
## What data we collect
**When you place an order:**
- Name, delivery address, billing address
- Email address and phone number
- Payment details (processed by our payment provider — we don't
store full card details ourselves)
- Order history and preferences
**When you apply for a trade account:**
- Everything above, plus:
- Registered company name and trading address
- Companies House number
- VAT number (if registered)
- Business type and trading history information
- Any additional notes you provide in your application
**When you create an account or subscribe to our newsletter:**
- Email address
- Communication preferences
- Marketing engagement data (opens, clicks)
**When you contact us:**
- Your name, email, and the content of your message
- Any order numbers or account information you reference
**Automatically when you visit the site:**
- IP address and approximate location (country/region level)
- Browser type, device, and operating system
- Pages visited, time spent, referring website
- Cookie data (see Cookies section below)
## How we use your data
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Processing your orders and payments | Contract |
| Shipping and delivery | Contract |
| Communicating about your order | Contract |
| Managing your customer or trade account | Contract |
| Verifying trade applications (incl. Companies House lookups) | Legitimate interests (fraud prevention) |
| Providing customer support | Contract / legitimate interests |
| Marketing emails (where you've opted in) | Consent |
| Analytics and site improvement | Legitimate interests |
| Complying with legal obligations (tax, accounting) | Legal obligation |
| Preventing fraud and abuse | Legitimate interests |
## Who we share your data with
We don't sell your data. We share it only with the service providers
we need to operate the business:
- **Shopify** — our e-commerce platform (stores all customer and
order data). Shopify's privacy policy: shopify.com/legal/privacy
- **Payment processors** — Stripe and/or Shopify Payments handle
card transactions directly; we receive confirmation but not
card numbers
- **Shipping couriers** — Royal Mail, DPD, and pallet couriers
receive name, address, and phone number to make deliveries
- **Email service provider** — for transactional emails (order
confirmations, shipping updates) and marketing emails if you've
opted in
- **Accounting software** — order and invoice data is exported for
VAT returns and accounting purposes
- **Companies House** — we query their public API to verify trade
applications (public data, no personal information shared)
We may also disclose data if legally required (court order, HMRC
request, law enforcement) or to protect our rights, property, or
safety.
**We do not transfer personal data outside the UK or European
Economic Area except where our service providers (notably Shopify)
operate globally with appropriate safeguards under UK GDPR.**
## How long we keep your data
- **Order records**: 7 years (HMRC requirement for VAT-registered businesses)
- **Customer account data**: until you close your account, then 7 years
for any associated orders
- **Trade application data**: 7 years whether approved or rejected
- **Marketing preferences**: until you unsubscribe
- **Contact form enquiries**: 2 years unless they become orders
- **Analytics data**: 26 months (standard Google Analytics retention)
## Your rights under UK GDPR
You have the right to:
- **Access** — request a copy of the personal data we hold about you
- **Rectify** — ask us to correct inaccurate data
- **Erase** — ask us to delete your data ("right to be forgotten"),
subject to our legal retention obligations
- **Restrict processing** — ask us to pause using your data while
disputes are resolved
- **Data portability** — receive your data in a portable format
- **Object** — object to processing based on legitimate interests
- **Withdraw consent** — where we rely on consent (e.g. marketing)
To exercise any of these rights, email hello@lucius.co.uk. We'll
respond within one month. There's no fee for a reasonable request.
You also have the right to complain to the Information Commissioner's
Office (ICO) at ico.org.uk or 0303 123 1113 if you believe we've
mishandled your data.
## Cookies
We use cookies to make the site work, remember your preferences,
and understand how the site is used. You can manage cookies via
your browser settings.
- **Strictly necessary** (e.g. shopping cart, login) — always active
- **Functional** (e.g. language preferences) — on by default, can
be disabled
- **Analytics** (e.g. Shopify Analytics, Google Analytics) — only
set if you consent via the cookie banner
- **Marketing** (e.g. Meta pixel if enabled) — only set if you
consent via the cookie banner
Most cookies expire within 30-365 days; analytics cookies may
persist up to 26 months.
## Marketing communications
We'll only send you marketing emails if you've actively opted in
(for example, ticking the newsletter box at checkout or signing up
in the footer). You can unsubscribe at any time via the link in
any marketing email, or by emailing hello@lucius.co.uk.
Transactional emails (order confirmations, shipping updates, account
notifications) are sent regardless of marketing preferences because
they relate to your contract with us.
## Children
Lucius does not knowingly collect data from anyone under 16. If
you believe we've inadvertently collected data from a child, please
contact hello@lucius.co.uk and we'll delete it.
## Changes to this policy
We may update this policy occasionally. The date at the bottom
reflects the most recent update. Material changes will be
communicated via email to account holders.
---
Last updated: 24/04/2026