Privacy Policy

Who we are

BondageBox is a trading name. Operator contact for any privacy matter: [email protected]. Postal: PO Box 228, Hitchin, Hertfordshire SG4 0WW.

What we collect

• Account details, name, email, password (stored hashed via bcrypt, never recoverable in plaintext).
• Order details, items, prices, dates, delivery address. Required to fulfil the order.
• Payment, handled by PayPal. We never see, store, or transmit card numbers. PayPal returns a transaction id and the billing/shipping addresses; that's the entire payment-side data we hold.
• Newsletter, email address only, with the source ("welcome popup", "footer", "finder", "quiet-beginning") so we can see which surface a subscriber came through. Unsubscribe link in every email.
• Site analytics, only after you accept the cookie banner. Google Analytics 4 in standard configuration; IP addresses anonymised, no cross-site identifiers.
• Saved-for-later items, a small list of product slugs in a browser cookie (bb_saved). Never sent to us until you explicitly share the list via the "Send to a partner" feature.

What we do not collect

• Card numbers, CVCs, or expiry dates. PayPal handles all of that.
• Any data revealing your shopping behaviour from outside this site.
• Profiles built from your order history for advertising, we don't sell, rent, or share data with ad networks.

Why we collect it

Three reasons, in order:

1. To fulfil your order. Without an address, we can't ship; without an email, we can't confirm dispatch or take a return question.
2. To run the site you're using. Session cookies for cart and login; CSRF tokens for security; the site won't function without these and they're exempt from consent under UK law.
3. To send marketing emails you've subscribed to. Only with your explicit opt-in, and only the categories you signed up for. One-click unsubscribe.

Who we share with

Only the parties strictly necessary to fulfil your order:

• PayPal, payment processor. Their privacy policy at paypal.com/uk/legalhub/privacy-full.
• Royal Mail / DPD, delivery carrier. Just your name and address.
• Brevo, transactional email (order confirmations, shipping updates, newsletter). Email address only.
• XTrader Adult, our drop-shipping fulfilment partner for catalogue products. They see the shipping address and item list; nothing else.

We never sell or rent personal data. We never share data for advertising purposes. If you'd like the full list of sub-processors with their security certifications, we'll send it on request.

How long we keep it

Account data and order history: as long as you hold an account with us, plus 7 years after closure (HMRC retention requirements on financial records). Newsletter data: until you unsubscribe, then 30 days for housekeeping. Analytics cookies: 14 months maximum.

Your rights

Under UK GDPR you have the right to:

• Access the data we hold about you (subject access request).
• Correct any inaccurate data.
• Delete your data, subject to legal retention obligations.
• Receive your data in a portable format.
• Withdraw consent for marketing at any time.
• Lodge a complaint with the ICO at ico.org.uk if you believe we've mishandled your data.

To exercise any of these, email [email protected], we respond within 30 days, usually much sooner.

Cookies

Three categories, set per UK PECR rules:

• Essential, cart session, CSRF token, age-gate, cookie-consent banner state. Set automatically; no consent needed.
• Analytics, Google Analytics 4. Set only after you click "Accept" in the cookie banner. Withdraw consent by clicking "Cookie preferences" in the footer at any time.
• Marketing, none currently. We don't run retargeting pixels or share data with ad networks. If that changes, this page changes first.

Updates to this policy

If we materially change what we collect or how we use it, we'll update this page and email anyone whose stored data is affected by the change. The "last updated" date below moves only on real changes, not for typo fixes.