Privacy Policy
Last updated: 3 July 2026
1. Introduction
The Floral Muse (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose and safeguard your personal data when you visit our website, place orders, or communicate with us. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data controller
The Floral Muse, a boutique florist operating in Leeds, United Kingdom, is the data controller responsible for your personal data. Our website is located at thefloralmuse.uk.
3. Personal data we collect
We collect only the personal data necessary to provide our services:
- Order data: Name, telephone number, email address (optional), delivery address, delivery instructions, preferred delivery date, gift messages, and social media handles (e.g. WhatsApp, WeChat, Instagram) when provided for order fulfilment.
- Payment data: When you pay by card, your card details are entered on Stripe's secure hosted checkout and are never seen or stored by us. Stripe returns only what we need to fulfil and account for your order — for example the payment status, amount and a transaction reference (never your full card number).
- Chat assistant data: Messages you send to our on-site chat assistant, used to answer your enquiry.
- Technical data: When you use our website, we may collect IP address, browser type, device type and pages visited. With your consent, we use analytics services to understand how visitors use our site; this data is used in aggregated form only.
- Order tracking: If you request an email link to view your orders, we send a secure, time-limited link to the email address you provide.
4. How we use your data
We use your personal data only for the following purposes:
- Fulfilling orders (creating arrangements, delivery, collection)
- Communicating with you about your order or enquiry
- Inviting you to review your experience after your order is fulfilled (optional — opt out at checkout, unsubscribe from any invitation, or object at any time; see Section 8)
- Improving our website and services (with consent, where applicable)
- Complying with legal obligations (e.g. tax, accounting)
We do not sell, rent or share your personal data with third parties for marketing purposes.
5. Lawful basis
Under UK GDPR we process your data on the following lawful bases: contract (to fulfil orders and provide services), legitimate interests (to run our business, prevent fraud, improve services, and invite post-purchase reviews), legal obligation (tax, accounting and other legal requirements), and consent where explicitly obtained (e.g. non-essential cookies, optional marketing).
6. Data retention
We retain order and contact data for up to seven years for tax and accounting purposes. Chat assistant data is retained only as long as necessary to respond and conduct any follow-up. Aggregated analytics data is retained according to our analytics provider's policies. After retention periods, we delete or anonymise data where possible.
7. Data security
We implement appropriate technical and organisational measures to protect your personal data. This includes encryption in transit (HTTPS), secure storage, access controls restricted to authorised personnel, and secure session handling. We do not store payment card details on our servers; card payments are processed by Stripe, a PCI-DSS-certified payment provider, on its own secure hosted checkout.
8. Third-party processors
We use trusted service providers who process data on our behalf under appropriate agreements. These include: Stripe (card payment processing — see below); Cloudflare (website hosting, content delivery, database/storage and anti-bot protection); Resend (transactional email such as order confirmations and tracking links); TomTom and postcodes.io (to calculate delivery distance and pricing from the postcode you enter); our on-site chat assistant's AI provider (Groq, below); and, where you have consented, analytics and review-collection services. All processors are bound by contractual obligations to protect your data and comply with applicable privacy laws.
Stripe — card payments (including Apple Pay and Google Pay) are handled by Stripe on its secure, PCI-DSS-certified hosted checkout. Your card details are entered directly with Stripe and never reach our servers; Stripe returns only a payment confirmation and reference. We rely on the lawful basis of performance of a contract. Stripe processes your data as an independent controller under its own privacy policy.
Groq, Inc. — our on-site chat assistant sends the message you type to it (plus a little recent conversation context) to Groq, Inc. (United States) to generate a reply. We rely on our legitimate interest in providing instant support; messages are processed only to answer you and are not used to train models. See section 11 (International transfers) below.
Google Customer Reviews — when you place an order and have accepted analytics cookies, we may share your email address, order code, and estimated delivery date with Google so they can email you a one-question rating survey after delivery. Submission is optional. You can opt out at the point of order on the confirmation page, or by withdrawing cookie consent.
Trustpilot — after your order is dispatched, we share your email address and order reference with Trustpilot so they can invite you to review your experience. We rely on our legitimate interest in obtaining genuine customer feedback; this invitation is sent by email and is not dependent on cookies. Leaving a review is optional. You can opt out when you place your order (a checkbox at checkout), unsubscribe from any invitation, or object at any time by contacting us. Trustpilot processes your data as an independent controller under its own privacy policy.
9. Your rights (UK GDPR)
You have the right to:
- Access your personal data
- Rectification of inaccurate data
- Erasure (in certain circumstances)
- Restriction of processing
- Object to processing based on legitimate interests
- Data portability (where applicable)
- Withdraw consent at any time
- Lodge a complaint with the Information Commissioner's Office (ico.org.uk)
To exercise these rights, contact us at hello@thefloralmuse.uk or via our Enquire page.
11. International transfers
Your data is primarily stored and processed in the United Kingdom and European Economic Area. Some providers process data outside the UK/EEA — for example Stripe and Groq, Inc. (United States) and Cloudflare's global content-delivery network. If you order from outside the UK, we process your data to fulfil your delivery within the UK in the same way. Where we transfer data outside the UK or EEA, we ensure appropriate safeguards (such as adequacy decisions or Standard Contractual Clauses) are in place.
12. Changes to this policy
We may update this Privacy Policy from time to time. The effective date at the top will be revised when changes are made. We encourage you to review this page periodically. Continued use of our website after changes constitutes acceptance of the updated policy where appropriate.
13. Contact us
For privacy enquiries, to exercise your rights, or to contact our data protection representative: hello@thefloralmuse.uk or use our Enquire page.