privacy policy

twenty five London is the controller of the personal data described here — we decide what is collected and why. our registered trader details are set out separately on the site.

for anything to do with your data — a question, a request, or a concern — write to us at care@twentyfivelondon.com. we read every message and reply in person.

if you join our list, we collect your email address so we can send you news of drops and the occasional letter from the house. that is all the marketing list holds.

if you place an order, we collect your name, delivery and billing address, contact details, and the items you bought, so we can take payment, dispatch your order within two working days, and handle returns within the 30-day window. your card is handled by Stripe — we receive confirmation that payment succeeded, never your full card number.

if you contact us, we keep that correspondence so we can help you and keep a record of what was agreed. as you browse, we also collect limited cookie and analytics data — how the site is used, on an aggregate basis — to keep it fast and to guard against fraud.

we send marketing email only with your consent, which you can withdraw at any time. we process your order data because it is necessary to perform our contract with you — to take payment, ship, and accept returns.

we rely on our legitimate interests to prevent fraud, to keep the site secure, and to understand in aggregate how it is used. where the law requires us to keep records — tax and accounting, for example — we process the relevant data to meet that legal obligation.

we work with a small set of trusted processors, each acting on our instructions. Vercel hosts the site and provides privacy-respecting analytics. Medusa runs our commerce and order system. our email service provider sends the newsletter and your order emails. Stripe processes payments. MeiliSearch powers product search.

some of these providers may process data outside the UK. where they do, we rely on appropriate safeguards — such as UK adequacy decisions or standard contractual clauses — so your data keeps the same level of protection wherever it is handled. we do not sell your personal data to anyone.

we keep newsletter data until you unsubscribe or ask us to remove you, after which we delete it. we keep order and delivery records for as long as needed to fulfil the order and honour returns, and then for the period UK tax and accounting law requires — generally six years from the end of the relevant financial year.

support correspondence is kept only as long as it is useful to resolve your query and any follow-up. analytics data is retained in aggregate and for a limited period.

under UK GDPR you can ask us for a copy of your data, ask us to correct it, ask us to erase it, ask us to restrict or object to how we use it, and ask us to send it to you or another provider in a portable form. where we rely on consent — for marketing — you can withdraw it at any time, and every email carries an unsubscribe link.

to exercise any of these rights, email care@twentyfivelondon.com. we will respond within one month and we will not charge you for a routine request.

if you think we have mishandled your data, please tell us first at care@twentyfivelondon.com so we can put it right.

you also have the right to complain to the Information Commissioner's Office, the UK supervisory authority, at ico.org.uk.