Privacy Policy

Last Updated: 15 January 2026

1. Introduction

At Herba Direct UK ("we", "us", "our"), we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website and services.

We take our responsibilities under UK data protection law seriously and are committed to transparency about how we handle your personal data.

2. Data Controller

The data controller responsible for your personal data is:

Herba Direct UK
Essex House
Upminster
Essex
RM13 2SJ
United Kingdom

Email: support@herbadirectuk.co.uk
Website: www.herbadirectuk.co.uk

If you have any questions about this Privacy Policy or how we handle your data, please contact us using the details above.

3. Supervisory Authority

The supervisory authority for data protection in the UK is:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
United Kingdom

Website: www.ico.org.uk
Helpline: 0303 123 1113

You have the right to lodge a complaint with the ICO if you believe we have not handled your personal data appropriately.

4. What is Personal Data?

Personal data means any information relating to an identified or identifiable person. This includes:

  • Name and contact details (address, email, phone number)
  • Account login credentials
  • Payment and financial information
  • Order history and preferences
  • Device and browser information
  • IP addresses and cookies
  • Any other information that can identify you directly or indirectly

5. Legal Basis for Processing Your Data

We only process your personal data when we have a legal basis to do so under UK GDPR. The legal bases we rely on include:

  • Contract: Processing is necessary to fulfil our contract with you or to take steps before entering into a contract
  • Legal Obligation: Processing is required to comply with UK laws and regulations
  • Legitimate Interests: Processing is necessary for our legitimate business interests, provided your rights don't override these interests
  • Consent: You have given us clear consent to process your data for a specific purpose

6. What Personal Data We Collect and Why

6.1 Website Browsing Data

What we collect:

  • IP address
  • Browser type and version
  • Operating system
  • Date and time of access
  • Pages visited and URLs accessed
  • Referring website (where you came from)
  • Device information
  • Session identifiers

Why we collect it:

  • To enable you to access and use our website
  • To maintain website security and prevent fraud
  • To troubleshoot technical issues
  • To understand how visitors use our site and improve user experience

Legal basis: Legitimate interests (providing and improving our services)

How long we keep it: Log files are typically retained for 90 days

6.2 Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your browsing experience. Cookies are small text files stored on your device.

Types of cookies we use:

  • Essential Cookies: Necessary for the website to function properly (e.g., shopping cart, security)
  • Performance Cookies: Help us understand how you use our site (e.g., Google Analytics)
  • Functional Cookies: Remember your preferences and settings
  • Marketing Cookies: Track your activity to show you relevant advertisements

For detailed information about the specific cookies we use, please see our Cookie Policy.

Legal basis: Legitimate interests (essential cookies); Consent (non-essential cookies)

How to manage cookies: You can control cookies through your browser settings. However, blocking essential cookies may prevent you from using certain website features.

6.3 Account Registration

What we collect:

  • Full name
  • Email address
  • Password (encrypted)
  • Date of account creation

Why we collect it:

  • To create and manage your account
  • To enable you to access member features
  • To communicate with you about your account

Legal basis: Contract (providing services you've requested)

How long we keep it: Until you delete your account, or 3 years after your last activity, whichever comes first. If legal retention obligations apply, we may keep data longer.

6.4 Orders and Purchases

What we collect:

  • Full name
  • Billing address
  • Delivery address
  • Email address
  • Phone number
  • Order details (products, quantities, prices)
  • Order history
  • IP address at time of order

Why we collect it:

  • To process and fulfil your orders
  • To communicate about order status and delivery
  • To handle returns, refunds, and customer service enquiries
  • To maintain business records and comply with legal obligations
  • To detect and prevent fraud

Legal basis: Contract (fulfilling your order); Legal obligation (accounting and tax requirements)

How long we keep it:

  • Active order data: Until order is complete and any returns/warranty period expires
  • Financial records: 6 years from end of accounting year (legal requirement)
  • Marketing preferences: Until you withdraw consent or 3 years of inactivity

6.5 Payment Information

What we collect: We do not directly collect or store your full payment card details. Payment processing is handled by our secure payment processor, Stripe.

Information we receive from Stripe:

  • Payment confirmation
  • Last 4 digits of card number
  • Card type (Visa, Mastercard, etc.)
  • Transaction status and ID

Why we collect it:

  • To complete your purchase
  • To process refunds if needed
  • To maintain transaction records
  • To comply with financial regulations

Legal basis: Contract; Legal obligation

Third-party processor: Stripe, Inc.
Stripe's Privacy Policy: https://stripe.com/gb/privacy

For questions about payment processing, please refer to Stripe's privacy policy.

How long we keep it: Payment confirmation data retained for 6 years (accounting requirements)

6.6 Delivery Information

What we share with delivery partners:

We share necessary information with our logistics partners (Evri and Yodel) to deliver your orders.

Information shared:

  • Your name
  • Delivery address
  • Email address
  • Phone number (when provided)
  • Order reference number

Why we share it:

  • To enable delivery of your order
  • To provide you with delivery notifications and tracking
  • To allow you to manage delivery preferences (change date/location)

Legal basis: Contract (fulfilling delivery obligations)

Third-party processors:

  • Evri - Privacy Policy: https://www.evri.com/privacy-policy
  • Yodel - Privacy Policy: https://www.yodel.co.uk/privacy-policy

6.7 Customer Service and Contact

What we collect:

  • Name
  • Email address
  • Phone number (if provided)
  • Details of your enquiry or issue
  • Communication history with us
  • Any other information you choose to provide

Why we collect it:

  • To respond to your questions and requests
  • To provide customer support
  • To resolve complaints
  • To improve our services

Legal basis: Legitimate interests (providing customer service); Contract (when related to your orders)

How long we keep it:

  • General enquiries: 2 years after last contact
  • Complaints: 6 years (potential legal claims)
  • Account-related queries: Linked to your account retention period

How We Communicate With You

When you place an order with us, we may contact you via:

  • Email for order confirmations, shipping updates, and customer service
  • Phone if we need to clarify order details or provide support
  • WhatsApp to provide personalised product support and guidance

We use WhatsApp to offer customer support related to the products you've purchased. This may include:

  • Usage instructions and tips for getting the best results
  • Follow-up on your progress and wellness journey
  • Answering questions about your order and products
  • Providing personalised guidance for challenges and programs

Your Choice: You can opt out of WhatsApp communication at any time by:

  • Replying to your order confirmation email, or
  • Responding to any WhatsApp message and asking not to be contacted this way

We will immediately note your preference and respect your choice. If you opt out of WhatsApp, you can still contact us anytime via email or phone for support.

Your Privacy: Your WhatsApp number and contact information are used only for customer support purposes related to your purchase. We never share your personal information with third parties for marketing purposes.

6.8 Newsletter and Marketing

What we collect:

  • Email address
  • Name (if provided)
  • Subscription preferences
  • Email engagement data (opens, clicks)

Why we collect it:

  • To send you our newsletter
  • To inform you about products, offers, and updates
  • To measure the effectiveness of our communications

How we obtain consent: We use a double opt-in process. After you subscribe, we send a confirmation email with a link you must click to confirm your subscription. This ensures you genuinely want to receive our emails.

Legal basis: Consent

Third-party processor: Mailchimp (The Rocket Science Group LLC)
Mailchimp's Privacy Policy: https://www.intuit.com/privacy/statement/

How to unsubscribe: Click the "unsubscribe" link in any newsletter, or email us at support@herbadirectuk.co.uk

How long we keep it: Until you unsubscribe, or 3 years of no engagement with our emails

6.9 Analytics and Website Performance

We use analytics tools to understand how visitors use our website and to improve our services.

Google Analytics:

What's collected:

  • Pages viewed and time spent on pages
  • Device type, browser, and operating system
  • General location (country/city level)
  • How you arrived at our site
  • Click and navigation patterns

Why we use it:

  • To understand user behaviour and preferences
  • To identify popular content and products
  • To improve website design and functionality
  • To optimise marketing campaigns

Legal basis: Legitimate interests; Consent (where required for cookies)

Data processor: Google LLC
Google Analytics Privacy: https://policies.google.com/privacy
Opt-out tool: https://tools.google.com/dlpage/gaoptout

Google Analytics data is anonymised where possible and retention is set to 26 months.

6.10 Marketing and Advertising

We may use your data to show you relevant advertising on third-party websites and platforms.

What data is used:

  • Products you've viewed or purchased
  • Pages you've visited
  • Browsing patterns on our site
  • Demographic information (age range, location)

Where you might see our ads:

  • Google Display Network
  • Social media platforms
  • Other websites in advertising networks

Why we do this:

  • To show you products you might be interested in
  • To remind you of products you viewed
  • To make our advertising more efficient and relevant

Legal basis: Legitimate interests; Consent (for cookies)

How to opt out:

  • Adjust cookie preferences on our website
  • Use browser privacy settings
  • Use platform-specific ad preference controls:
    • Google: https://adssettings.google.com
    • Facebook: Account Settings > Ads
  • Install browser extensions that block tracking

7. Third-Party Services and Integrations

We use various third-party services to operate our website and business. These providers may process your personal data on our behalf.

Third-Party Services We Use:

Service              | Provider                  | Purpose                   | Privacy Policy
Website Hosting      | Various                   | Host our website          | Contact us for details
Payment Processing   | Stripe, Inc.              | Process payments          | https://stripe.com/gb/privacy
Delivery Services    | Evri / Yodel              | Deliver orders            | https://www.evri.com/privacy-policy / https://www.yodel.co.uk/privacy-policy
Email Marketing      | Mailchimp                 | Send newsletters          | https://www.intuit.com/privacy/statement/
Analytics            | Google LLC                | Website analytics         | https://policies.google.com/privacy
Fonts                | Google LLC                | Web fonts                 | https://policies.google.com/privacy
eCommerce Platform   | WooCommerce (Automattic)  | Online shop functionality | https://automattic.com/privacy/
Content Management   | WordPress (Automattic)    | Website management        | https://automattic.com/privacy/

Data Processing Agreements: We maintain contracts with all third-party processors that require them to:

  • Process data only according to our instructions
  • Implement appropriate security measures
  • Comply with UK GDPR
  • Notify us of any data breaches

International Data Transfers:

Some of our service providers are based outside the UK (particularly in the USA). When we transfer your data internationally, we ensure adequate protection through:

  • Standard Contractual Clauses approved by UK authorities
  • Adequacy decisions (where applicable)
  • Other appropriate safeguards as required by UK GDPR

You can request information about the specific safeguards in place by contacting us.

8. Legal Disclosures

We may disclose your personal data if required to do so by law or in response to:

  • Court orders or legal processes
  • Requests from law enforcement or regulatory authorities
  • Protection of our legal rights and property
  • Prevention of fraud or criminal activity
  • Protection of safety and security of individuals

Legal basis: Legal obligation; Legitimate interests (protecting rights and safety)

We will only disclose the minimum information necessary and will notify you where legally permitted.

9. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it.

Security Measures Include:

Technical Measures:

  • TLS/SSL encryption for data transmission (you'll see the padlock icon in your browser)
  • Encrypted storage of sensitive data
  • Secure password requirements and encryption
  • Regular security testing and vulnerability assessments
  • Firewalls and intrusion detection systems
  • Secure backup procedures

Organisational Measures:

  • Staff training on data protection and security
  • Access controls (staff only access data they need for their role)
  • Confidentiality agreements with staff and contractors
  • Data protection policies and procedures
  • Regular review and update of security measures
  • Incident response procedures

Your Responsibility:

  • Choose a strong, unique password for your account
  • Keep your password confidential
  • Log out after using shared devices
  • Keep your contact information up to date
  • Report any security concerns to us immediately

Data Breach Notification:

In the unlikely event of a data breach that poses a risk to your rights, we will:

  • Notify the ICO within 72 hours (where required)
  • Notify affected individuals without undue delay (where high risk exists)
  • Take immediate steps to contain and remedy the breach

10. Data Retention

We only keep your personal data for as long as necessary for the purposes we collected it.

Retention Periods:

Data Type                | Retention Period                        | Reason
Browsing logs            | 90 days                                 | Technical maintenance
Account information      | Until account deletion + 30 days        | Service provision
Inactive accounts        | 3 years from last login, then deleted   | Housekeeping
Order information        | 6 years from order date                 | Legal requirement (accounting)
Payment records          | 6 years from transaction                | Legal requirement (tax)
Customer service records | 2-6 years depending on type             | Service improvement/legal claims
Marketing consent        | Until withdrawn or 3 years inactivity   | Regulatory compliance
Newsletter data          | Until unsubscribe                       | Service provision
Cookies                  | As specified in Cookie Policy           | Various

After retention periods expire, we securely delete or anonymise your data so it can no longer identify you.

Legal Hold: If your data is subject to legal proceedings, regulatory investigation, or other legal obligations, we may retain it beyond normal retention periods until resolved.

11. Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data:

11.1 Right to Access (Subject Access Request)

You have the right to request a copy of the personal data we hold about you.

What we'll provide:

  • Confirmation of what data we process
  • Copy of your personal data
  • Information about how we use it
  • Who we share it with
  • How long we keep it
  • Your other rights

How to request: Email support@herbadirectuk.co.uk with "Subject Access Request" in the subject line.

Response time: Within 30 days (may be extended by 2 months for complex requests)

Cost: Free (excessive or repeated requests may incur a reasonable fee)

11.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal data.

How to exercise:

  • Update information in your account settings, or
  • Email us with the corrections needed

Response time: Within 30 days

11.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data in certain circumstances:

  • The data is no longer needed for its original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • Data was unlawfully processed
  • Legal obligation requires deletion

Limitations: We may not be able to delete data if we need it for:

  • Legal obligations
  • Legal claims or defense
  • Fulfilling contracts
  • Exercising rights of freedom of expression

How to exercise: Email support@herbadirectuk.co.uk or delete your account through account settings

11.4 Right to Restrict Processing

You can request we limit how we use your data while we:

  • Verify accuracy of disputed data
  • Determine if our legitimate interests override your objection
  • Keep data that you need for legal claims, even where we no longer need it ourselves

Effect: We'll store the data but not use it (except with your consent or for legal claims)

11.5 Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format (e.g., CSV file) and have it transferred to another provider.

Applies to: Data you provided to us where processing is based on consent or contract and is automated.

How to exercise: Email support@herbadirectuk.co.uk specifying the data you want

11.6 Right to Object

Marketing: You can object to marketing communications at any time by:

  • Clicking "unsubscribe" in emails
  • Adjusting preferences in your account
  • Emailing support@herbadirectuk.co.uk

Legitimate interests: You can object to processing based on our legitimate interests. We'll stop unless we have compelling legitimate grounds that override your interests.

11.7 Right to Withdraw Consent

Where we process your data based on consent, you can withdraw it at any time.

Effect: We'll stop processing for that purpose (doesn't affect the lawfulness of processing before withdrawal)

How to exercise:

  • Unsubscribe from emails
  • Adjust cookie settings
  • Email support@herbadirectuk.co.uk

11.8 Right to Lodge a Complaint

If you believe we've mishandled your data, you can complain to:

Herba Direct UK first (preferred):
Email: support@herbadirectuk.co.uk

Information Commissioner's Office:
Website: www.ico.org.uk
Helpline: 0303 123 1113
Report online: https://ico.org.uk/make-a-complaint/

How to Exercise Your Rights

Contact us:

  • Email: support@herbadirectuk.co.uk
  • Write to: Data Protection, Herba Direct UK, Essex House, Upminster, Essex, RM13 2SJ

What to include:

  • Your full name
  • Your account email (if applicable)
  • Clear description of your request
  • Proof of identity (to protect your data)

What happens next:

  1. We'll acknowledge your request within 3 business days
  2. We may request additional information to verify your identity
  3. We'll respond to your request within 30 days
  4. For complex requests, we may extend by 2 months (we'll explain why)

12. Children's Privacy

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18.

If you're under 18: Please do not use our services or provide us with any personal data.

Parents/Guardians: If you believe your child has provided us with personal data, please contact us immediately at support@herbadirectuk.co.uk and we will delete it promptly.

13. Marketing Preferences

How We Use Your Data for Marketing

If you've given consent or we have a legitimate interest, we may contact you about:

  • Products you might be interested in
  • Special offers and promotions
  • News and updates about our services
  • Surveys and feedback requests

Marketing Channels

  • Email: Our primary marketing channel (requires your consent)
  • SMS/Text: Only with explicit consent
  • Phone: Only with explicit consent
  • Post: Based on legitimate interests (you can opt out)

How We Determine What to Send You

We may use:

  • Your purchase history
  • Products you've viewed
  • Your preferences and interests
  • Similar products to those you've bought

Your Marketing Choices

Opt out at any time:

  • Click "unsubscribe" in any marketing email
  • Adjust preferences in your account settings
  • Reply "STOP" to text messages
  • Email support@herbadirectuk.co.uk
  • Write to us at the address above

Effect of opting out:

  • We'll stop sending marketing within 48 hours
  • You'll still receive order confirmations and essential service emails
  • We'll keep a record that you've opted out (to prevent re-adding you)

14. Automated Decision-Making and Profiling

Current Status: We do not currently use automated decision-making or profiling that produces legal or similarly significant effects.

What we might do in future:

  • Product recommendations based on browsing/purchase history
  • Personalised marketing content
  • Fraud detection algorithms

If we implement significant automated decision-making in future, we will:

  • Update this Privacy Policy
  • Inform affected users
  • Provide information about the logic involved
  • Offer the right to human intervention and to contest decisions

15. Links to Other Websites

Our website may contain links to third-party websites, plugins, and applications. Clicking these links may allow third parties to collect or share data about you.

Important: We do not control these third-party websites and are not responsible for their privacy practices. This Privacy Policy only applies to our website.

Our advice: When you leave our website, read the privacy policy of every website you visit.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • Legal or regulatory requirements
  • New features or services
  • User feedback

When we make changes:

  • We'll update the "Last Updated" date at the top
  • For significant changes, we'll notify you via:
    • Email (if we have your address)
    • Prominent notice on our website
    • Account notification
  • You'll be asked to review and accept material changes

Your continued use: Using our services after changes indicates acceptance of the updated policy.

Review regularly: We recommend reviewing this policy periodically to stay informed about how we protect your data.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

Herba Direct UK

Email: support@herbadirectuk.co.uk
(We aim to respond within 2 business days)

Mail:
Data Protection
Herba Direct UK
Essex House
Upminster
Essex
RM13 2SJ
United Kingdom

Website: www.herbadirectuk.co.uk


Summary of Key Points

Quick Reference:

  • ✅ We only collect data necessary to provide our services
  • ✅ Your payment details go directly to Stripe (we never see your full card number)
  • ✅ You can access, correct, or delete your data at any time
  • ✅ You can unsubscribe from marketing emails anytime
  • ✅ We use cookies – you can control these in your browser
  • ✅ We keep data secure with encryption and access controls
  • ✅ We don't sell your personal data to third parties
  • ✅ We retain data only as long as necessary or legally required
  • ✅ You can complain to the ICO if you're not happy with how we handle your data
  • ✅ Our services are for ages 18+

Need help? Email support@herbadirectuk.co.uk


This Privacy Policy was last updated on 15 January 2026