Privacy Policy
Last updated: 14 May 2026
Squishy Light ("we," "us," "our") is a UK-based online retailer. This policy explains what data we collect, why, and what we do with it. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and applicable privacy laws worldwide including the EU GDPR, the California Consumer Privacy Act (CCPA), and equivalent legislation in other jurisdictions.
What data we collect
Information you provide directly: Name, email address, shipping address, billing address, phone number (if provided), and any message content you send via our contact form.
Order information: Products purchased, order value, payment method. We do not store full card details — payment is processed securely by Shopify Payments and/or PayPal.
Information collected automatically: IP address, browser type, device type, operating system, referring URL, pages visited, time spent on pages, and approximate geographic location derived from IP address.
How we use your data
To fulfil orders: Processing payments, arranging shipping, sending order confirmations and tracking information. Legal basis: performance of a contract.
To communicate with you: Responding to enquiries, sending service-related emails. Legal basis: legitimate interest.
To send marketing emails: Only if you have opted in via our newsletter signup. You can unsubscribe at any time. Legal basis: consent.
To improve our website: Analysing how visitors use our site to improve functionality and user experience. Legal basis: legitimate interest.
To run advertising: Using tracking pixels to measure ad performance and show relevant ads. Legal basis: consent (via cookie banner).
Cookies and tracking technologies
We use cookies and similar technologies on our website. These include:
Essential cookies: Required for the website to function (e.g., shopping cart, checkout). These cannot be disabled.
Analytics cookies:
Shopify analytics (Shopify Inc.) — Built-in analytics provided by our e-commerce platform, collecting data about page views, sessions, traffic sources, and purchase activity to help us operate and improve the store.
Microsoft Clarity (Microsoft Corporation) — Records anonymised session data including mouse movements, clicks, and scrolling behaviour to help us understand how visitors interact with our website. No personally identifiable information is collected. Data may be processed in the United States.
Advertising cookies:
Meta Pixel and Conversions API (Meta Platforms, Inc.) — Tracks actions on our website (such as page views, add-to-cart events, and purchases) to measure the effectiveness of our Facebook and Instagram advertising and to enable retargeting. Some data is sent directly from our servers via the Conversions API for accuracy. Data may be transferred to Meta servers in the United States.
TikTok Pixel (TikTok Technology Limited / ByteDance) — Tracks actions on our website (such as page views, add-to-cart events, and purchases) to measure the effectiveness of our TikTok advertising and to enable retargeting. Data may be transferred to servers outside the UK/EEA, including the United States, Singapore, and Ireland.
Other:
Google Search Console (Google LLC) — A site-ownership verification tag is present on our website to allow us to access search performance data via Google Search Console. This tag does not set cookies or collect visitor data; it confirms to Google that we are the verified owner of the domain.
You can manage your cookie preferences at any time via the cookie banner shown on your first visit, or by clearing cookies in your browser. Most browsers allow you to refuse or delete cookies via their settings. Disabling non-essential cookies will not affect the core functionality of our website.
Who we share data with
Shopify Inc. — Our e-commerce platform provider. Shopify processes order data, payment information, and website analytics on our behalf. Shopify also provides our email marketing service (Shopify Email), which stores subscriber email addresses if you opt in to our newsletter.
Shipping providers — Your name, address, and order details are shared with our shipping partners to fulfil your order.
Payment processors — Shopify Payments (which uses Stripe as the underlying processor) and/or PayPal process your payment. We never see or store your full card details.
Reviews platform — Judge.me (Judge.me Pty Ltd) stores and displays customer reviews submitted on our website.
Advertising platforms — Meta (Facebook/Instagram) and TikTok receive event data via their respective pixels and server-side integrations as described above.
Analytics providers — Microsoft Clarity receives anonymised browsing data as described above.
We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.
International data transfers
Some of our third-party service providers are based outside the UK and EEA (primarily in the United States, Canada, and Singapore). Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, or the service provider's participation in recognised data transfer frameworks such as the UK-US Data Bridge.
Data retention
Order data: Retained for 6 years after the date of purchase, as required for tax and accounting purposes under UK law.
Marketing data: Retained until you unsubscribe or request deletion.
Analytics data: Automatically anonymised and aggregated. Individual session recordings in Microsoft Clarity are retained for up to 30 days.
Contact form messages: Retained for up to 12 months unless ongoing correspondence requires longer.
Your rights
Under UK GDPR and equivalent laws, you have the right to:
Access your personal data — request a copy of what we hold about you.
Rectification — request correction of inaccurate data.
Erasure — request deletion of your data, subject to legal retention requirements.
Restrict processing — request that we limit how we use your data.
Data portability — receive your data in a structured, commonly used format.
Object — object to processing based on legitimate interest, including direct marketing.
Withdraw consent — where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, email us at originalsquishylight@gmail.com. We will respond within 30 days.
California residents (CCPA)
If you are a California resident, you have additional rights under the CCPA, including the right to know what personal information we collect and share, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at originalsquishylight@gmail.com.
Children's privacy
Our website is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us and we will delete it promptly.
Security
We take reasonable technical and organisational measures to protect your personal data. Our website uses SSL/TLS encryption. Payment processing is handled by PCI DSS-compliant providers. However, no method of transmission over the internet is 100% secure.
Changes to this policy
We may update this policy from time to time. The date at the top of this page will be revised accordingly.
Data controller and supervisory authority
The data controller responsible for your personal data is Squishy Light, a trading name operated from the United Kingdom. For data protection queries, contact us at originalsquishylight@gmail.com. Our registered correspondence address for legal and regulatory purposes is 6 Toyse Close, Burwell, CB25 0DG, United Kingdom. If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO).