Privacy Policy
Last updated: 2 July 2026
Page title: Privacy Policy · Shopify slug: privacy-policy
LUREXO ("we", "us", "our") is committed to handling your personal data responsibly. This Privacy Policy explains in straightforward terms which personal data we collect, the purposes it serves and the way in which it is managed. The governing frameworks are the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller within the meaning of the UK GDPR is the operator of the website lurexo.com. Questions regarding this policy or the processing of your personal data may be directed to contact@lurexo.com. Full provider details are contained in our Legal Notice.
2. Types of Data We Process
When you place an order or send us an enquiry, we may process the following categories of personal data:
- First name, surname and email address
- Billing and delivery address
- Telephone number (optional — used solely for delivery updates)
- Payment details (handled exclusively by our payment partners — we do not store card data)
- Order and purchase history
- Technical data regarding your device and browsing activity (IP address, browser type, pages viewed)
3. Purposes of Processing and Legal Bases
- Processing your order — name, address, email and payment details are necessary to fulfil the contract of sale concluded with you (Art. 6(1)(b) UK GDPR).
- Communication with customers — including order acknowledgements, dispatch notifications and responses to service enquiries (Art. 6(1)(b) UK GDPR).
- Improving our shop — usage analysis enables us to refine our website on an ongoing basis (Art. 6(1)(f) UK GDPR — legitimate interest).
- Meeting legal obligations — business records are retained in line with applicable UK tax and commercial legislation (Art. 6(1)(c) UK GDPR).
4. Payment Processing
Transactions are handled by our certified partners — among them Stripe, PayPal, Klarna and Viva Wallet — all of whom are accredited to PCI DSS Level 1. Payment credentials are entered directly within their secured systems; full card details are never accessible to or stored by LUREXO.
5. Data Retention Period
Order data is kept for between 6 and 10 years in accordance with UK tax and bookkeeping law — in particular HMRC guidelines and the Companies Act 2006. Marketing consent records are held until you choose to opt out. Data that is no longer required for the purpose for which it was collected is deleted or anonymised without delay.
6. Recipients of the Data
Personal data is shared with third parties only to the extent required to fulfil your order:
- Delivery carriers (e.g. Royal Mail, DHL, DPD, Evri, UPS) for shipping your goods
- Payment partners for the secure processing of transactions
- Email service providers for transactional messaging
- Hosting providers for the technical operation of the website
- Accountants and legal advisers, where required to meet legal obligations
We have concluded appropriate data processing agreements with all third-party processors in accordance with Art. 28 UK GDPR.
7. Data Transfers to Third Countries
Any transfer of personal data to countries outside the United Kingdom or the European Economic Area (EEA) is carried out only where an adequacy decision is in place or where suitable safeguards — such as the Standard Contractual Clauses approved by the UK or EU Commission — are in force pursuant to Art. 45 ff. UK GDPR.
8. Cookies and Tracking
Our website uses cookies and comparable technologies. Further details are provided in our Cookie Policy. Non-essential cookies may be refused or adjusted at any time via the cookie banner or your browser settings.
9. Your Rights as a Data Subject
You hold the following rights in respect of your personal data:
- Right of access (Art. 15 UK GDPR) — you may ask what personal data we hold about you
- Right to rectification (Art. 16 UK GDPR) — incorrect data may be put right
- Right to erasure (Art. 17 UK GDPR) — where no legal retention obligation applies
- Right to restriction of processing (Art. 18 UK GDPR)
- Right to data portability (Art. 20 UK GDPR)
- Right to object (Art. 21 UK GDPR) — to processing based on legitimate interest
- Right to withdraw consent at any time (Art. 7(3) UK GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 UK GDPR)
To exercise any of these rights, please send a short message to contact@lurexo.com.
10. Security of Your Data
We apply appropriate technical and organisational measures to shield your data against unauthorised access, loss or misuse — including SSL/TLS encryption, hardened server environments, tightly controlled access permissions and regular security assessments.
11. Automated Decision-Making
We do not carry out automated decision-making or profiling within the meaning of Art. 22 UK GDPR.
12. Right to Complain
If you consider that the way in which we process your personal data infringes the UK GDPR, you have the right to file a complaint with a data protection supervisory authority — in particular the Information Commissioner's Office (ICO) in the United Kingdom (www.ico.org.uk), or any supervisory authority in the EU member state where you are habitually resident, work or where the alleged infringement took place.
13. Updates to This Policy
We may update this Privacy Policy from time to time to account for changes in law or in how we operate. The version currently in force is always published here.