Privacy Policy
Introduction
I take your privacy seriously. Where I am provided with information that identifies you or another person it will only be used in accordance with this privacy policy and the requirements of the General Data Protection Regulation (GDPR).
1. Contact details:
Online: https://www.theomoye.co.uk/contact
2. What information I collect, use, and why:
I collect or use the following information to provide services and goods, including delivery:
- Names and contact details
- Addresses
- Purchase or account history
- Photographs or video recordings
I collect or use the following information for the operation of customer accounts and guarantees:
- Names and contact details
- Addresses
I collect or use the following information to comply with legal requirements:
I collect or use the following personal information for dealing with queries, complaints or claims:
- Names and contact details
- Customer or client accounts and records
3. Lawful bases and data protection rights
Under UK data protection law, I must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. Which lawful basis I rely on may affect your data protection rights which are set out in brief below.
- Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where I get personal information from and who I share personal information with. There are some exemptions which means you may not receive all the information you ask for.
- Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
- Your right to erasure - You have the right to ask us to delete your personal information.
- Your right to restriction of processing - You have the right to ask us to limit how I can use your personal information.
- Your right to object to processing - You have the right to object to the processing of your personal data.
- Your right to data portability - You have the right to ask that I transfer the personal information you gave us to another organisation, or to you.
- Your right to withdraw consent – When I use consent as our lawful basis you have the right to withdraw your consent at any time.
If you make a request, I must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
4. Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information to provide services and goods are:
- Consent - I have permission from you after I gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Contract – I have to collect or use the information so I can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legal obligation – I have to collect or use your information so I can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
- Legitimate interests – I’m collecting or using your information because it benefits you, my organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. My legitimate interests: For my own commercial activity where my use of your data is proportionate, has minimal impact on your rights and freedoms and is in an activity you might reasonably expect me to be engaged in. For more information on my use of legitimate interests as a lawful basis you can contact me using the contact details set out above.
- Recognised legitimate interests - my pre-approved purpose for collecting or using personal information to provide and improve products and services for clients.
My lawful bases for collecting or using personal information for the operation of customer accounts and guarantees are:
- Consent - I have permission from you after I gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Contract – I have to collect or use the information so I can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legal obligation – I have to collect or use your information so I can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
My lawful bases for collecting or using personal information for legal requirements are:
- Consent - I have permission from you after I gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Contract – I have to collect or use the information so I can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legal obligation – I have to collect or use your information so I can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
- Recognised legitimate interests - my pre-approved purpose for collecting or using personal information for recruitment purposes.
My lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:
- Consent - I have permission from you after I gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
5. How long I keep information
I will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. I will retain and use your Personal Data to the extent necessary to comply with my legal obligations (for example, if I am required to retain your data to comply with applicable laws), resolve disputes, and enforce my legal agreements and policies.
For more information on how long I store your personal information or the criteria I use to determine this please contact me using the details provided above.
6. Sharing information outside the UK
Where necessary, I will transfer personal information outside of the UK. When doing so, I will take all steps reasonably necessary to comply with the UK GDPR, making sure appropriate safeguards are in place.
7. How to complain
If you have any concerns about my use of your personal information, you can make a data protection complaint to me:
Online: https://www.theomoye.co.uk/contact
If you remain unhappy with how I’ve used your data after raising a complaint with me, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
Data Protection Complaints Policy
1. Purpose
This policy explains how Theo Moye handles data protection complaints fairly, promptly, and in line with UK data protection law, including the internal complaints process requirements introduced by the Data (Use and Access) Act 2025 and set out in DPA 2018, s.164A.
2. Scope
This policy applies where an individual complains that I have infringed data protection law in connection with their personal data (or personal data of someone they are authorised to act for).
It covers complaints received from customers, staff, suppliers, website users, and any other individuals whose personal data I process. The duty to operate a complaints process applies broadly and the Information Commissioner’s Office (ICO) states there are no exemptions.
Personal data (or personal information) means information that identifies or relates to an individual.
The ICO is the UK’s independent regulator for data protection and privacy. It provides guidance to organisations, investigates complaints, and has legal powers to take enforcement action where organisations do not comply with data protection law.
3. What is a “data protection complaint”?
A data protection complaint is any expression of dissatisfaction where the person considers I have breached data protection legislation in how I handled their personal information, and they do not need to use legal terms or cite legislation.
Examples include complaints about:
- how I responded to a subject access request (SAR) (a request for a copy of personal information I hold about the individual) or other rights request;
- security measures used to protect personal data (including concerns following a breach, whether or not reportable to the ICO);
- how I collected, used, stored, retained, or kept personal data accurate.
4. What is not a data protection complaint?
Sometimes people complain about service or other issues while also exercising data protection rights; the ICO explains that this doesn’t count as a data protection complaint (for example, a customer service complaint combined with a deletion request).
Where a complaint raises both data protection issues and other concerns I will treat it as a “mixed complaint”. I will handle the data protection aspects under this policy and ensure they are identified, recorded, and responded to separately and alongside any non-data protection issues.
If it is unclear whether the person intends to raise a data protection complaint, I will ask them to clarify.
5. How people can complain to me
I provide clear routes for individuals to complain directly to us, and I will accept complaints however they are received.
Preferred contact details:
Online form: https://www.theomoye.co.uk/contact
I invite use of the preferred method above, but people can complain via any channel (including via social media), and I must accept the complaint regardless.
Where a complaint comes in via social media, I will request an alternative contact method because social media is generally not a secure way to exchange personal information.
6. My legal duties
I will facilitate the making of complaints.
When I receive a data protection complaint, I will:
- Acknowledge receipt within 30 days (the 30 days run from when the complaint is received).
- Without undue delay - take appropriate steps to respond (including making appropriate enquiries and keeping the complainant informed of progress).
- Without undue delay - inform the complainant of the outcome.
7. Making people aware of their right to complain
I will tell people that they can complain to me (and that they can also complain to the ICO) at the point I collect their personal information, for example in my privacy notice, using clear and plain language.
I will also include information about this right when I respond to a subject access request.
8. Identity and authority checks
I will verify identity where necessary. If I have doubts about the complainant’s identity, I may ask for proof of ID and I will do this as early as possible; if I already have enough information to confirm identity, I will not request more.
If someone complains on behalf of another person, I must check they are authorised to act for that person (for example, by a signed letter of authority or appropriate power of attorney). If I do not have evidence of authority, I will not investigate until I receive it.
9. My process (step-by-step)
- Logging and triage (Day 0 onward) -
I will log the complaint on receipt, record the channel it came through. The duty to investigate begins when the complaint is received, not after the acknowledgement is sent.
I will check whether it is a data protection complaint (see section 3) and, if unclear, I will ask the individual to clarify their intent.
- Acknowledgement (within 30 days) -
I will acknowledge the complaint within 30 days. The acknowledgement will confirm receipt, that I will look into it, and the next steps. The 30 days start the day after receipt, including weekends/bank holidays, and if the last day falls on a weekend or public holiday the deadline moves to the next working day.
I will make operational arrangements to ensure acknowledgements are sent even during absence.
- Investigation (without undue delay) -
I will investigate without undue delay (meaning as soon as reasonably possible, and without unnecessary delay). What is “undue” depends on the circumstances, and factors such as complexity, scale, and any harm caused by any delay.
In most cases, I aim to provide a substantive response within one month, although complex complaints may take longer.
My investigation will be proportionate and may include reviewing relevant records, speaking to relevant parties, comparing the complaint with the data I hold, and checking compliance with my own policies and standards.
If I need more information to understand the complaint, I will ask as soon as possible. I may also ask what outcome the individual is seeking to help resolve matters efficiently.
- Keeping the complainant informed (without undue delay) -
I will keep the complainant updated about progress without undue delay, including timeframes, and where there are delays, the reason for these will be explained.
- Outcome (without undue delay) -
Once I have finished my investigation, I will inform the complainant of the outcome without an unjustifiable or excessive delay.
My response will clearly explain what I did, what I found, and (where appropriate) what I changed or corrected. If I consider I complied with data protection law, I will explain why and provide enough detail to help the complainant understand how I reached that view; the ICO suggests itemising complaint points and responding to each.
If the complaint is upheld, I may (as appropriate) correct data, amend processes, undertake training, or take other remedial steps.
10. How to complain to the ICO
Individuals can complain to the ICO at any time. The ICO will, in most cases, ask individuals to raise their complaint with the organisation first, but the ICO remains available to handle eligible data protection complaints.
ICO complaint information: https://ico.org.uk/make-a-complaint/data-protection-complaints/
11. Record keeping and retention
I will keep records to demonstrate compliance, including:
- date received;
- acknowledgement;
- key communications and documents;
- outcome; and
- actions taken.
I will not retain personal information for longer than necessary.
I may also monitor themes and trends to identify recurring issues and improve compliance.
12. Children and vulnerable individuals
Children have the same rights as adults, but merit specific protection; if I receive a complaint from a child, I will use clear, plain language and assess competence to exercise rights.
13. Policy ownership and review
Policy owner: Theo Moye
Effective date: 19/06/2026
This policy may be updated at any time and without warning.