Privacy Policy
This Privacy Policy explains how Kidz City ("we", "us", "our") collects, uses and protects your personal data when you visit or buy from kidzcity.co.uk. We are committed to handling your data in line with the UK GDPR and the Data Protection Act 2018.
1. Who we are (data controller)
The data controller responsible for your personal data is:
- Business name: Kidz City
- Trading as / legal entity: Kidz City
- Registered/trading address: 20–22 Wenlock Road, London, N1 7GU, United Kingdom
- Contact email: admin@kidzcity.co.uk
- ICO registration number (if applicable): Not currently registered with the ICO
2. What personal data we collect
When you shop with us we collect only what we need to process and deliver your order:
| Category | Examples | Why we collect it |
|---|---|---|
| Identity & contact | Name, email address, delivery address, phone (if provided) | To fulfil and deliver your order and contact you about it |
| Order data | Items purchased, order number, order value (GBP), order history | To process your purchase and handle returns/refunds |
| Payment data | Card payment is handled by Stripe; we receive confirmation and the last 4 digits / payment status, not your full card number | To take payment securely and reconcile orders |
| Technical & usage | IP address, browser/device type, cookies (see Section 7) | To run the website securely and, where you consent, measure usage |
We do not sell your personal data, and we do not collect special-category data.
3. Payment processing — Stripe
All card payments are processed by Stripe Payments Europe, Ltd. ("Stripe"), our payment processor, acting as an independent controller/processor for the payment. Your card details are entered directly into Stripe's secure systems; Kidz City never sees or stores your full card number. Stripe processes your payment data in accordance with its own privacy policy and applicable card-network and PCI-DSS standards. See Stripe's privacy policy at https://stripe.com/privacy.
4. How we use your data (lawful bases)
- To perform our contract with you (UK GDPR Art. 6(1)(b)): processing orders, taking payment via Stripe, arranging Royal Mail delivery, handling returns and refunds.
- To comply with legal obligations (Art. 6(1)(c)): keeping tax/accounting records.
- For our legitimate interests (Art. 6(1)(f)): securing the website, preventing fraud, and responding to your enquiries.
- With your consent (Art. 6(1)(a)): non-essential cookies/analytics and any optional marketing emails. You can withdraw consent at any time.
5. Who we share your data with
We share data only with parties needed to run the store:
- Stripe — payment processing (see Section 3).
- Royal Mail (and any carrier we use) — to deliver your order; they receive your name and delivery address.
- Our hosting/storefront platform (the Medusa storefront and backend, hosted on Railway).
- HMRC / authorities where required by law.
We do not sell or rent your personal data to third parties for their own marketing.
6. Where your data is stored / international transfers
Our infrastructure providers (including Stripe, our hosting provider Railway, and our database provider Neon) may process data in the UK, EEA or other countries. Where data is transferred outside the UK, we rely on appropriate safeguards such as UK adequacy regulations or the International Data Transfer Agreement / Addendum.
7. Cookies
We use cookies that are strictly necessary for the website and checkout to work (e.g. session and cart cookies) — these do not require consent. Any non-essential cookies (e.g. analytics) are only set with your consent via our cookie banner, in line with the Privacy and Electronic Communications Regulations 2003 (PECR). You can manage or withdraw consent at any time via the cookie settings or your browser. We use essential cookies only (basket, region and session). We do not currently use analytics or marketing cookies.
8. How long we keep your data (retention)
- Order and transaction records: kept for 6 years after the relevant tax year, to meet UK accounting and tax obligations.
- Account/contact details: kept for as long as you have an account or an active order relationship, then deleted or anonymised.
- Marketing consent records: kept until you unsubscribe, plus a short period to evidence consent.
- Technical logs: kept for a short period (typically up to 12 months) for security.
9. Your rights
Under UK GDPR you have the right to: access your data; have inaccurate data corrected; have data erased (where applicable); restrict or object to processing; data portability; and withdraw consent at any time. To exercise any right, email admin@kidzcity.co.uk. We will respond within one month.
You also have the right to complain to the UK regulator, the Information Commissioner's Office (ICO) — https://ico.org.uk — if you are unhappy with how we handle your data.
10. Security
We use HTTPS across kidzcity.co.uk, and payment data is handled by Stripe over secure, PCI-DSS-compliant systems. We take reasonable technical and organisational measures to protect your data.
11. Changes to this policy
We may update this policy from time to time. The current version and its effective date are shown below.
Data controller: Kidz City · 20–22 Wenlock Road, London, N1 7GU, United Kingdom · Contact: admin@kidzcity.co.uk · Last updated: 10 June 2026