Privacy Policy (UK GDPR) | NY&T UK LIMITED

Privacy Policy & Data Governance

Effective Date: May 2024. NY&T UK LIMITED ("the Company") is committed to the highest standards of data protection. This policy outlines our compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller Information

The data controller is NY&T UK LIMITED, registered at 20 Elborow Way Cawston Rugby CV22 7XD England. Our Data Protection Officer (DPO) can be reached at info@mangrovemelt.sbs.

2. Categories of Data Collected

We process several categories of personal data, including but not limited to:

Identity Data: Full legal name, title, and date of birth for age-restricted deliveries.
Contact Data: Secure delivery addresses, private email addresses, and encrypted phone numbers.
Financial Data: We do not store full credit card numbers. All payments are processed via Tier-1 PCI-DSS compliant gateways.
Logistical Data: GPS coordinates for delivery optimization and delivery history.

3. Lawful Basis for Processing

We process data under the following legal bases: - Contractual Necessity: To fulfill your delivery requests. - Legal Obligation: For tax and regulatory reporting in the UK. - Legitimate Interests: To improve our service efficiency and ensure the security of our couriers.

4. Data Retention and Security

Personal data is retained for a period of six years following the last transaction to comply with UK HMRC requirements. All data is stored on encrypted, UK-based servers. We utilize 256-bit AES encryption for all data at rest and TLS 1.3 for all data in transit.

5. International Transfers

As a UK-focused entity, we do not typically transfer data outside the European Economic Area (EEA). If such a transfer is required, it is done under standard contractual clauses (SCCs) to ensure equivalent protection.

6. Your Rights Under UK GDPR

You possess the right to: - Request access to your personal dossier. - Correct any inaccuracies in your record. - Request the "Right to be Forgotten" (Erasure), subject to legal retention mandates. - Object to automated decision-making and profiling.