Company · Privacy policy

Your data, in plain English.

We're a small UK company that needs to know your name and address to ship you a desk. We'd rather tell you clearly what we collect and why, than hide it in a 4,000-word legal document. This is the full policy — the summary below covers 90% of it.

Last updated: 14 Mar 2026 · Version: 1.2 · ICO reg: ZB912345
Plain English summary
We collect only what's needed to ship you something and keep the site running. We never sell your data. Here's the short list:
  • We collect name, email, delivery address, order contents
  • We keep orders for 6 years — HMRC requires it
  • We use Plausible for privacy-friendly analytics (no cookies)
  • You can ask us to delete your data at any time
  • We don't sell or share your data for advertising
  • We don't use Google Analytics, Facebook Pixel, or tracking cookies
  • We don't send marketing emails unless you opt in
  • We don't build advertising profiles about you
01

Who we are

Deskrove Ltd is the data controller for any personal information we hold about you. We're a UK company registered in England and Wales, trading as Deskrove.

Legal entity: Deskrove Ltd
Company number: 14782345
Registered address: Unit 7, Attercliffe Works, Sheffield S4 7YB
ICO registration: ZB912345
VAT number: GB 428 5691 38
Privacy contact

We don't have a formal Data Protection Officer because we don't meet the UK GDPR threshold (we're too small and don't do large-scale profiling). For any data question, Anya Petrosyan, our co-founder, is the named point of contact.

02

What we collect

We collect the minimum needed to ship you a product and keep the website running. Every category below has a lawful basis under UK GDPR.

| What | Why we need it | Lawful basis |
| --- | --- | --- |
| Order information: Name, email, delivery address, items ordered, delivery notes | To ship your order, confirm it by email, and handle any warranty or return requests later. | Contract · UK GDPR Art 6(1)(b) |
| Payment details: Collected only when we're about to ship — not at reservation | To take payment when your items ship. We use Stripe — we don't see or store your card number ourselves. | Contract · UK GDPR Art 6(1)(b) |
| Website analytics: Pages visited, referring site, rough country-level location, screen size | To understand what's working on the site and fix what isn't. Via Plausible — no cookies, no individual tracking, aggregated only. | Legit interest · Art 6(1)(f) |
| Support emails: Anything you send us at hello@, returns@, warranty@ | To help you with the question you emailed about, and look up the thread later if you follow up. | Contract + legit interest |
| Marketing email list: Email only — if and when you explicitly opt in | To send occasional updates (new products, important policy changes). Unsubscribe link in every email. | Consent · UK GDPR Art 6(1)(a) |
| Accounting records: Invoices, VAT returns, company bookkeeping | Because HMRC requires it. We keep financial records for 6 years after the end of the tax year they relate to. | Legal obligation · Art 6(1)(c) |

We do not collect: phone numbers (unless you provide one in delivery notes), date of birth, gender, any "special category" data (health, ethnicity, politics, religion), device fingerprints, or your social media handles.

03

Why we use it

Each piece of data above has one purpose — fulfil your order and keep the website running. We don't use your data for anything you haven't asked for.

  • Fulfilling your order — processing payment, printing the label, emailing tracking, handling warranty claims and returns
  • Running the business — VAT returns, bookkeeping, responding to your questions, preventing fraud
  • Improving the site — aggregated analytics only, no individual profiling, no A/B testing on you without you knowing
  • Keeping you informed — important order updates (always), marketing emails (only if you opt in)
We don't profile you for advertising. We don't use your purchase history to target ads on other platforms. We don't share your email with "marketing partners". There is no "marketing partners" list.
04

Who we share it with

We share your data only with processors that help us run the business. Each one is contractually bound to use your data only for the service they provide us.

| Processor | What they do for us | Location | Transfer |
| --- | --- | --- | --- |
| Postmark | Transactional email — order confirmations, dispatch notifications | United States | UK IDTA |
| Stripe | Payment processing — card details (not seen by us) | Ireland & US | Adequacy |
| Plausible | Website analytics — no cookies, EU-hosted, GDPR-native | Germany (EU) | Adequacy |
| Netlify | Website hosting — serves the site; processes IP for logs (90d) | US edge network | UK IDTA |
| Fastmail | Our business email (hello@, etc.) — where your emails to us live | Australia | UK IDTA |
| DX Freight / DPD / Royal Mail | Shipping — gets your name + address to deliver your order | United Kingdom | UK |
| Xero | Accounting — invoices and VAT, pulled from order data | United Kingdom | UK |

For US-based processors, we rely on the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses. For EU-based processors, the UK has an adequacy decision with the EU, so no additional safeguards are required.

We don't use: Google Analytics, Meta Pixel, TikTok Pixel, Mailchimp, HubSpot, Zendesk, Intercom, or any ad-tech partners.

05

How long we keep it

We keep personal data only for as long as we genuinely need it. After that, it's deleted on a rolling automated schedule.

  • Order records: 6 years after the end of the tax year the order was placed in. This is the HMRC requirement for financial records; we can't delete it earlier.
  • Support emails: 3 years from last activity on the thread. Then archived and deleted.
  • Marketing list: until you unsubscribe or we shut down the list, whichever comes first. Unsubscribing removes you within 48 hours.
  • Website analytics (Plausible): aggregated, not linked to individuals. Retained indefinitely at the aggregate level, but there's nothing to delete because it's not about a specific person.
  • Server logs (Netlify): 90 days, then auto-purged. IP addresses, timestamps, page requested.
  • Backups: rolling 30-day backup window. Data deleted from live systems persists in backups for up to 30 more days.
06

Your rights under UK GDPR

You have eight rights under UK GDPR. Here they all are. To exercise any of them, email privacy@deskrove.co.uk — we respond within one calendar month (usually one working day for simple requests).

Right 01
To be informed

You're reading it. This page exists to tell you what we do with your data, and we update it when things change.

Right 02
To access your data

You can ask for a copy of everything we hold on you. We'll send it as a JSON or PDF file within one month. Free.

Right 03
To rectify errors

If we've got something wrong (name spelling, address typo) email us and we'll fix it within 48 hours.

Right 04
To erase your data

You can ask us to delete everything — except what we're required to keep for HMRC (order + invoice records for 6 years).

Right 05
To restrict processing

You can ask us to stop doing certain things with your data (e.g., sending marketing) while keeping the data itself.

Right 06
To portability

You can ask for your data in a machine-readable format (JSON) to take somewhere else. Again — free, one month.

Right 07
To object

You can object to us processing your data based on legitimate interest. In practice this means analytics — object, and we exclude you.

Right 08
Against automated decisions

We don't make automated decisions about you — no algorithmic pricing, no risk scoring, no AI moderation. Nothing to object to yet.

07

Cookies — there are almost none

We use one first-party cookie and no third-party cookies.

  • deskrove_cart_v1 — stores your cart contents so they persist if you close the tab. Strictly necessary for the site to work. No consent banner required under PECR for strictly-necessary cookies.
  • No analytics cookies. Plausible is cookieless — it identifies unique visitors by a hashed combination of IP + user agent that rotates daily and can't identify you.
  • No advertising cookies. We don't run ads on the site and don't use remarketing pixels.
  • No social media cookies. We don't embed Facebook, Twitter, or Instagram widgets.

Because the only cookie is strictly necessary, we don't show a cookie consent banner. If we ever add an analytics cookie, we'll add a banner and this policy will change.

08

Complaints & questions

First — email us at privacy@deskrove.co.uk. Anya or James responds personally within one working day. 90% of privacy issues are resolved this way — usually someone wants their account deleted or their mailing list preference changed, both 2-minute jobs.

Still unhappy? You have the right to complain to the UK's data protection authority:

Authority: Information Commissioner's Office (ICO)
Website:
Helpline: 0303 123 1113 (UK local rate)
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We'd appreciate you coming to us first — faster, friendlier, and usually enough. But if you don't feel we've handled your concern well, you absolutely have that escalation route.