Privacy Policy
Last updated: 13 July 2026
Page title: Privacy Policy · Shopify slug: privacy-policy
This policy explains how DUREXA collects, uses, shares and protects personal data when you visit durexa.com, place an order or contact us. It is intended to reflect the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR and PECR.
1. Data Controller
The controller is the legal operator identified in the Legal Notice. Privacy enquiries may be sent to contact@durexa.com.
2. Types of Data We Process
- identity and contact particulars, including name, email, telephone number and addresses;
- order, delivery, return, customer-service and transaction records;
- limited payment-related data received from payment providers;
- account, preference and marketing-consent data;
- technical and usage data, such as IP address, browser, device, cookie identifiers and interactions with the site;
- communications and evidence supplied in support of an enquiry, complaint or return.
3. Purposes and Legal Bases
- Contract — Article 6(1)(b): taking payment, fulfilling orders, arranging delivery, managing returns and responding to pre-contract enquiries.
- Legal obligation — Article 6(1)(c): tax, accounting, fraud-prevention, consumer-protection and regulatory duties.
- Legitimate interests — Article 6(1)(f): securing the website, preventing abuse, improving operations, defending legal claims and understanding service performance, after balancing your rights.
- Consent — Article 6(1)(a): non-essential cookies and marketing where consent is required. Consent may be withdrawn at any time.
4. Payment Processing
Payments may be handled by providers such as Stripe, PayPal and Klarna, depending on the options displayed at checkout. These providers process payment data under their own privacy terms and security controls. Major card-processing environments are commonly certified against PCI DSS Level 1; however, the precise certification and service configuration should be checked with each provider before publication. DUREXA does not store complete card numbers or CVV codes.
5. Retention
We retain data only as long as reasonably necessary for the stated purpose and applicable legal obligations. Core order and accounting records may commonly need to be kept for around six years under UK tax and company-record requirements; a longer period is used only where a specific rule, dispute, investigation or legal claim requires it. Marketing preferences are kept until withdrawal or until they are no longer needed. Security logs and routine enquiries are normally kept for shorter, proportionate periods.
6. Recipients
Personal data may be disclosed, where necessary, to:
- delivery partners such as Royal Mail, DHL, DPD, Evri and UPS;
- payment, fraud-prevention and checkout providers;
- hosting, ecommerce, analytics, communications and customer-support suppliers;
- professional advisers, insurers, auditors and accountants;
- public authorities or courts where disclosure is legally required.
Service providers are required to protect the data and use it only for authorised purposes.
7. International Transfers
Where data is transferred outside the United Kingdom or EEA, we use an applicable adequacy regulation, the UK International Data Transfer Agreement, the UK Addendum to standard contractual clauses, EU standard contractual clauses or another lawful safeguard. Relevant supplementary measures are considered where required.
8. Cookies and Tracking
Strictly necessary cookies support checkout, security and core site functions. Non-essential analytics, advertising or personalisation technologies are used only where permitted and, where required, after consent through the cookie banner. You can change choices through the consent tool and browser settings. Withdrawing consent does not affect earlier lawful processing.
9. Your Rights
Subject to legal conditions and exemptions, you may have the right to:
- be informed about processing;
- access your personal data;
- correct inaccurate or incomplete data;
- request erasure;
- restrict processing;
- receive or transfer certain data in a portable format;
- object to processing based on legitimate interests or to direct marketing;
- withdraw consent and challenge qualifying solely automated decisions.
Send requests to contact@durexa.com. We may need to verify identity and may retain limited records of the request.
10. Security
We use proportionate technical and organisational measures, including encrypted transmission, access controls, secure service providers, backups, monitoring and staff or contractor confidentiality obligations. No internet transmission is completely risk-free.
11. Automated Decision-Making
We do not make decisions producing legal or similarly significant effects solely by automated means unless this is necessary for a contract, authorised by law or based on explicit consent with appropriate safeguards. Payment and fraud providers may conduct automated checks under their own notices.
12. Complaints
Please contact us first at contact@durexa.com. You also have the right to complain to the UK Information Commissioner’s Office at www.ico.org.uk. EU residents may complain to the competent supervisory authority in their country.
13. Updates
We may revise this policy to reflect changes in law, technology, providers or business practices. The current version and revision date will remain available on this page.