City Garden Privacy Policy

This Privacy Policy explains how City Garden collects, uses, stores, and protects personal data of customers in our service area. It also explains your rights under the General Data Protection Regulation and relevant local data protection laws. This policy applies to all City Garden customers and any individuals who interact with us in connection with our services in the area we operate.

Scope and Data Controller

City Garden is the controller of the personal data described in this Privacy Policy. This means that City Garden determines the purposes and means of the processing of your personal data. This policy applies when you purchase our products or services, visit our premises, use our online services, or otherwise interact with City Garden as a customer or potential customer in our service area.

Types of Personal Data We Collect

We collect and process different categories of personal data depending on how you interact with us. These may include identification and contact details such as name, postal address, billing address, delivery address, and user account details where applicable. We may also collect communication details such as your preferred contact method and records of communications you have with us, including inquiries, feedback, and complaints.

We collect transactional and service information, including details of purchases, services requested, booking information, payment status, and related billing information. Payment card details may be processed securely by our payment service providers, and we do not retain full card details except where strictly necessary and in compliance with applicable security standards. We may also process technical and usage information related to your use of our online services, such as anonymised or pseudonymised data about how you access and use our website, for security and service improvement purposes.

In limited cases, we may collect optional preference information that you provide to help us tailor our services, for example your garden preferences, plant interests, or communication preferences. We do not intentionally collect special categories of personal data such as health data, except where you voluntarily share relevant information for service delivery, and only to the extent necessary and with appropriate safeguards.

How We Collect Your Data

We collect personal data directly from you when you contact us, request a quote, place an order, purchase products or services, create an account, or communicate with us in person or online. We may also collect data automatically when you use our online services, for example through basic logs that help us maintain system security and performance. In some cases, we may receive information from third party partners who help us deliver services to you, for example logistics providers, payment processors, or marketing partners, but only where this is lawful and necessary.

Lawful Bases for Processing

We process your personal data only when we have a valid legal basis under the GDPR. The primary lawful bases we rely on are performance of a contract, where processing is necessary to enter into or fulfil a contract with you, for example to process orders, deliver products and services, manage bookings, handle payments, and provide customer support. We also process data based on our legitimate interests, where we have a reasonable business interest that is not overridden by your rights and freedoms, such as improving our services, managing our relationship with customers, securing our systems, and preventing misuse or fraud.

We process your data to comply with legal obligations, including tax, accounting, and consumer protection laws, as well as obligations to keep appropriate business records. In some cases, we rely on your consent, for example for certain types of direct marketing, optional customer surveys, or where we process information that you choose to share beyond what is strictly necessary. When we rely on consent, you can withdraw it at any time, without affecting the lawfulness of processing before withdrawal.

Purposes of Processing

We use your personal data to provide and manage our products and services to you, including taking and fulfilling orders, planning and delivering services at your property, processing payments, and managing our customer relationship. We use data to communicate with you about your orders, bookings, changes to services, and important updates to this Privacy Policy or our terms and conditions.

We may process anonymised or aggregated data to analyse how our services are used, improve the quality and relevance of our offerings, and develop new services. We also process data to maintain the security of our systems, to protect our business, customers, and staff against fraud, misuse, or other unlawful activities, and to support the establishment, exercise, or defence of legal claims.

Data Sharing and Processors

City Garden may share personal data with carefully selected service providers that act as processors on our behalf. These processors may include information technology and hosting providers, payment processing services, logistics and delivery partners, customer relationship management providers, and professional advisers who help us with accounting or legal matters. When we use processors, they are contractually required to process personal data only according to our instructions, to protect it appropriately, and not to use it for their own purposes.

We may also share personal data where required by law, regulation, or legal process, or where we believe that disclosure is necessary to protect our rights, property, or safety, or that of our customers or others. In the event of a business restructuring, merger, or transfer of all or part of our business, personal data may be transferred as part of that transaction, subject to appropriate safeguards.

International Data Transfers

Where we transfer personal data outside the European Economic Area or the United Kingdom, we take steps to ensure that appropriate safeguards are in place, such as standard contractual clauses or equivalent measures, so that your data remains protected in line with GDPR requirements.

Data Retention

City Garden keeps personal data only for as long as necessary for the purposes for which it was collected, or as required by law. We retain customer account and order information for the duration of our relationship with you and for a subsequent period to comply with legal obligations, resolve disputes, and maintain appropriate business records. Specific retention periods may vary depending on the type of data and legal requirements, for example accounting records are generally kept for a minimum period specified by tax and company legislation.

When personal data is no longer required, it is either securely deleted, anonymised, or irreversibly de-identified so that it can no longer be associated with an identifiable individual.

Data Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures may include access controls, security configurations, staff training, and procedures to test and assess the effectiveness of our safeguards. While we take reasonable steps to protect your data, no system can be fully secure, and we encourage you to take care when sharing information and to notify us promptly if you suspect any misuse of your data in connection with City Garden.

Your Data Protection Rights

As a customer of City Garden in our service area, you have a number of rights under the GDPR in relation to your personal data. You have the right to request access to your personal data, including information about how we process it. You have the right to request rectification of inaccurate or incomplete data, and in some circumstances, the right to request erasure of your data where there is no longer a lawful basis for us to continue processing it.

You may have the right to request restriction of processing in certain situations, such as while we verify the accuracy of data or assess an objection you have raised. You also have the right to object to processing that is based on our legitimate interests or carried out for direct marketing purposes. In some cases, you have the right to data portability, allowing you to receive your personal data in a structured, commonly used, and machine readable format and to transmit it to another controller where technically feasible.

Where we rely on consent as a lawful basis, you can withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Exercising Your Rights and Complaints

If you wish to exercise any of your rights or have questions about how City Garden processes your personal data, you can contact us using the contact details provided on our official communication channels. We will respond to your request in accordance with applicable data protection laws and may request additional information to verify your identity where necessary.

You also have the right to lodge a complaint with a supervisory authority if you believe that your data protection rights have been infringed. We encourage you to contact City Garden first so that we can address your concerns wherever possible.

Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or best practices. Any updated version will apply to all City Garden customers in our service area from the date it is made available. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.