GDPR Policy

Effective Date: 22nd July 2025
Next Review Date: July 2026

1. Introduction

Carrot Top Marketing (“we”, “us”, or “our”) is committed to protecting the privacy and security of your personal data. This GDPR Policy outlines how we collect, use, store, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR).

2. Data Controller

Carrot Top Marketing is the data controller responsible for your personal data. If you have any questions about this policy or how we handle your data, please contact us at:

Carrot Top Marketing
6 Cadnam Road
Southsea
PO4 9JT
Email: hello@carrottopmarketing.co.uk

3. Data We Collect

We may collect, use, store, and transfer different categories of personal data, including

3.1 Identity Data

• First name
• Last name
• Username or similar identifier
• Title
• Date of birth
• Gender

3.2 Contact Data

• Billing address
• Delivery address
• Email address
• Telephone numbers

3.3 Financial Data

• Bank account details
• Payment card details

3.4 Transaction Data

• Details about payments to and from you
• Details of services purchased from us

3.5 Technical Data

• IP address
• Browser type and version
• Time zone setting and location
• Browser plug-in types and versions
• Operating system and platform
• Other technology on the devices you use to access our website

3.6 Profile Data

• Username and password
• Purchase history
• Preferences, interests, feedback, and survey responses

3.7 Usage Data

• Information about how you use our website, products, and services

3.8 Marketing and Communications Data

• Marketing preferences
• Communication preferences

3.9 Special Categories of Personal Data

We do not intentionally collect special categories of personal data (e.g. racial or ethnic origin, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, health data, or biometric data). If you voluntarily provide such data, we will only process it with your explicit consent or where legally permitted.

4. How We Collect Your Personal Data

We collect personal data using the following methods

4.1 Direct Interactions

You may provide personal data by filling out forms or communicating with us via email, phone, or post.

4.2 Automated Technologies

When you interact with our website, we may automatically collect technical data using cookies, server logs, and similar technologies.

4.3 Third Parties and Public Sources

We may receive personal data from third-party providers (e.g., analytics services) and publicly available sources.

5. How We Use Your Personal Data

We only use your personal data where the law allows. The lawful bases we rely on include:

• Performance of a Contract – Where we need to provide products or services you’ve requested
• Legal or Regulatory Obligation – Where we are required to comply with the law
• Legitimate Interests – Where it is necessary for our business and your rights do not override those interests
• Consent – Where you have given clear permission for us to process your data

5.1 Purposes for Which We Use Your Data

We use your data to:

• Register you as a new customer (Performance of Contract)
• Process and deliver services to you (Performance of Contract)
• Manage our relationship with you (Performance of Contract, Legal Obligation, Legitimate Interests)
• Administer and protect our business and website (Legal Obligation, Legitimate Interests)
• Deliver relevant website content and advertising (Legitimate Interests, Consent)
• Conduct data analytics to improve our services (Legitimate Interests)
• Make recommendations about products or services that may interest you (Legitimate Interests, Consent

6. Sharing Your Personal Data

We may share your data with trusted third parties, including:

• Service Providers: IT, website, email, and hosting providers
• Professional Advisers: Legal, financial, and insurance professionals
• Government Authorities: HM Revenue & Customs or other regulators where required by law

We require all third parties to respect the confidentiality of your personal data and comply with applicable data protection laws.

7. Data Security

We have implemented appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used, accessed, or disclosed in an unauthorised way.

8. Data Retention

We retain your personal data only as long as necessary for the purposes for which it was collected, including legal and accounting requirements. Typically, we keep client records for up to six (6) years after the conclusion of a business relationship.

9. Your Legal Rights

Under UK GDPR, you have the following rights:

• Access your personal data
• Request correction of inaccurate or incomplete data
• Request deletion of your personal data (in specific circumstances)
• Object to or restrict processing
• Withdraw consent where processing is based on consent
• Request transfer of your data to another provider (data portability)

To exercise these rights, contact us at hello@carrottopmarketing.co.uk

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
https://www.ico.org.uk