Last updated 30 June 2026.
This Privacy Policy explains what personal information Daisy Co. ("Daisy Co.", "we", "us") collects when you use this website, why we collect it, who we share it with, how long we keep it, and the rights you have over it. We are committed to handling your information lawfully and transparently.
Who is responsible for your data (data controller): Daisy Co., [insert registered business name, address, and ABN / company registration number]. For any privacy question or to exercise your rights, contact us at hello@daisyco.co.
(a) Account information. If you create an account, we store the following in our secure customer database (hosted on Cloudflare D1): your first and last name, email address, phone number (if provided), saved delivery addresses, your order history, product favourites, reviews you submit, and any "notify me when back in stock" requests. Your password is never stored in readable form, it is protected with scrypt, a strong one-way password-hashing algorithm with a unique per-user salt, so it cannot be recovered, even by us.
(b) Order and payment information. When you check out, your billing and shipping address, phone number, and card details are entered directly on Stripe's secure hosted checkout page. Card details never reach our website or our servers. Stripe processes the payment and shares order and contact details with us (through the Stripe dashboard) so we can fulfil and support your order. The price you are charged is always set by us server-side, never taken from your browser.
(c) Usage and analytics information. With your consent, we use PostHog (EU region) to understand how our shop is used, for example pages viewed, items added to cart, and checkouts started. This is tied to a random, anonymous identifier. If you are signed in, we link these events to your internal account ID (a random identifier) only: we do not send your name, email, or address to our analytics provider. We do not use session recording or advertising/tracking cookies.
(d) Communications. We send transactional emails (such as email verification, password reset, and restock alerts) via Resend. If you contact us by email, we keep that correspondence to handle your query.
(e) Technical information. Like all websites, our hosting and security provider (Cloudflare) processes technical data such as your IP address and request logs to deliver the site and protect it from abuse.
| Purpose | Lawful basis (UK/EU GDPR) |
|---|---|
| Creating and managing your account; processing and delivering orders; customer support | Performance of a contract |
| Securing the site and accounts; preventing fraud and abuse | Legitimate interests |
| Product analytics to improve the shop | Consent |
| Marketing emails (if any) | Consent (you can opt out at any time) |
| Meeting legal, tax, and accounting obligations | Legal obligation |
Where we rely on consent, you can withdraw it at any time without affecting processing that already took place.
We keep cookie use to a minimum:
You can also clear or block cookies and local storage in your browser settings; blocking essential storage may stop you from staying signed in.
We do not sell your personal information. We share it only with the service providers ("processors") needed to run the shop, each acting under a data-processing agreement:
| Provider | What they handle | Region |
|---|---|---|
| Stripe | Payments, billing/shipping details (PCI-DSS Level 1) | Global, with GDPR safeguards |
| Cloudflare | Website hosting, serverless functions, customer database, security | Global edge, with GDPR safeguards |
| PostHog | Product analytics (consent-based) | European Union |
| Resend | Transactional email delivery | Global, with GDPR safeguards |
We may also disclose information where required by law, or to protect our rights, customers, or the safety of others.
Our analytics data is stored in the European Union. Some providers (such as Stripe, Cloudflare, and Resend) may process data outside your country. Where personal data is transferred internationally, it is protected by appropriate safeguards such as Standard Contractual Clauses or an equivalent approved mechanism.
We keep account information for as long as your account is active, and order records for as long as needed to fulfil legal, tax, and accounting obligations. Analytics data is retained for a limited period in line with our analytics provider's settings. If you close your account or ask us to erase your data, we will delete it unless we are legally required to keep certain records.
We design the site to minimise the personal data it holds. Payment card data is handled entirely by Stripe and never touches our systems. Account passwords are stored only as salted scrypt hashes. Administrative functions are protected behind authentication, and all traffic is served over HTTPS. No method of transmission or storage is perfectly secure, but we take reasonable steps to protect your information.
Depending on where you live (including under UK/EU GDPR and the Australian Privacy Principles), you may have the right to:
To exercise any of these, email hello@daisyco.co and we will respond within the time required by law. You also have the right to complain to a data protection authority, in the UK the Information Commissioner's Office (ICO), in the EU your local supervisory authority, or in Australia the Office of the Australian Information Commissioner (OAIC).
This shop is not directed at children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
Our website may link to other sites (for example, Stripe's checkout). We are not responsible for the privacy practices of other websites; please review their policies.
We may update this policy from time to time by updating this page, and will revise the "last updated" date above. Please check back periodically.
Questions about this policy or your data? Email hello@daisyco.co.