Privacy & cookies policy
We collect the minimum personal data needed to deliver your wedding stationery and to keep our business running. This page explains exactly what we collect, why, who we share it with, and your rights under UK data protection law.
Last updated 20 April 2026
1. Who we are
Tavern Creative Ltd is the data controller for personal data collected via taverncreative.co.uk. We’re registered in England and Wales (Company No. 11100975) and based in Kent, United Kingdom.
For questions about your data, email studio@taverncreative.co.uk.
2. What data we collect
When you order
- Your name, email address and delivery address
- Your phone number (passed to the delivery carrier when needed)
- The wedding date, partner names, and wedding details you enter into the design tool
- Your design choices (template, palette, accent colour, section content)
- Any photos or QR-code destinations you upload into a design
When you create an account
- Email address and password (stored hashed by Supabase Auth — we never see your plaintext password)
- Optional profile fields: full name, partner names, wedding date, style/colour preferences
- Saved designs, draft text, and any associated proofs
When you contact us
- Anything you send via the contact form, the in-editor feedback button, or any reply to our transactional emails
- Any thread of messages that follows (stored so you can see replies in your dashboard)
Automatic data
- Pages visited, browser/device type, approximate location (city-level via IP)
- A list of recently-viewed product slugs, stored on your own device in localStorage (never sent to our servers)
- Cookies as set out in section 6
3. Why we collect it (lawful basis)
- To fulfil your order — performance of contract
- To send transactional emails (order confirmation, shipping updates) — performance of contract
- To send wedding lifecycle reminders ("ready to design your invitations?", "time for thank you cards") — legitimate interest. You can unsubscribe at any time
- To request a Google review after delivery — legitimate interest; you can opt out at any time
- To improve the website and diagnose issues — legitimate interest
- To meet HMRC, accounting and other legal requirements — legal obligation
4. Who we share data with
We never sell your personal data. We share strictly limited data with the following processors so we can run the service:
- Supabase — hosting our database and authentication. EU/UK region.
- Stripe — payment processing. We never see or store your card number; Stripe is PCI-DSS Level 1 certified.
- Resend — transactional and lifecycle email delivery.
- Delivery carriers — Royal Mail, DPD, Evri, FedEx depending on destination. Name, address and phone shared so your parcel arrives.
- Vercel — website hosting.
We may also share data when legally required to do so (court order, HMRC request, fraud investigation).
5. How long we keep it
- Order & financial records — 7 years (HMRC requirement)
- Customer accounts & saved designs — until you ask us to delete them, then within 30 days
- Marketing email subscriptions — until you unsubscribe
- Web analytics — anonymised after 14 months
6. Cookies
We use a small number of cookies — only what’s needed:
- Essential — Supabase Auth session cookies (so you stay logged in), Stripe checkout cookies, CSRF tokens. These can’t be disabled without breaking the site.
- Functional — preference for filter selections and dismissed banners.
We don’t use third-party advertising cookies. We don’t set Google Analytics cookies that identify individual users. You can manage or block cookies in your browser settings — see aboutcookies.org.
7. Your rights under UK GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (subject to the 7-year retention rule for completed orders)
- Restriction — ask us to stop processing your data while a query is investigated
- Portability — get your data in a machine-readable format to take elsewhere
- Object — to processing based on legitimate interest, including marketing emails
- Withdraw consent — where we’re relying on consent
Email studio@taverncreative.co.uk and we’ll respond within 30 days. There’s no fee for any of these requests.
8. Marketing emails & unsubscribe
Lifecycle marketing emails (wedding-stationery reminders, Google review requests) are sent under legitimate interest. Every marketing email carries a one-click unsubscribe link, which we honour immediately. You can also unsubscribe at any time at /unsubscribe.
Unsubscribing from marketing doesn’t affect transactional emails about an active order — you’ll still receive order confirmations, proofs and shipping notifications.
9. Security
Personal data is held in encrypted databases hosted in the UK/EU. Connections to the website are encrypted with HTTPS. Passwords are hashed by Supabase Auth — we never see plaintext. We follow industry-standard practices, but no system is 100% secure; if we ever discover a personal data breach affecting you, we’ll notify you and the ICO within 72 hours of becoming aware.
10. Children
Our service is intended for adults arranging wedding stationery. We don’t knowingly collect data from anyone under 16.
11. Complaints
If you’re unhappy with how we’ve handled your data, please email us first so we can put things right. You also have the right to lodge a complaint with the UK’s Information Commissioner’s Office at any time:
ico.org.uk — telephone 0303 123 1113.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email or a banner on this website. The "Last updated" date at the top reflects the most recent revision.