Terms of service

Privacy Policy

Last updated: 08/06/2026

1. Who we are

PawLunova is a trading name of Yutani Ltd, registered in England and Wales. Yutani Ltd is the "data controller" responsible for your personal data.

2. The personal data we collect

Identity and contact data: name, billing/delivery address, email, phone number.
Order and transaction data: items purchased, order value, delivery details, and payment-confirmation data (we do not store full card details — these are handled by our payment processors).
Account data: login credentials and preferences (if you create an account).
Technical and usage data: IP address, device/browser data, and how you use our site (via cookies — see our Cookie Policy).
Marketing data: your marketing preferences and consent records.

3. How and why we use your data — and our lawful basis

Purpose	Lawful basis (UK GDPR)
To process and deliver your order and handle returns/refunds	Performance of a contract
To take payment and prevent fraud	Performance of a contract; legal obligation; legitimate interests
To meet tax, accounting and other legal duties	Legal obligation
To respond to your enquiries and provide customer service	Legitimate interests; performance of a contract
To send marketing emails about similar products	Consent, or the "soft opt-in" legitimate-interests basis for existing customers (you can opt out at any time)
To use analytics and improve our website	Consent (via cookies)
To maintain the security of our site and business	Legitimate interests

4. Who we share your data with

We share data only with trusted third parties who help us run our business, including:

Shopify (our e-commerce platform/hosting);
Payment processors ([e.g. Shopify Payments / Stripe / PayPal]);
Delivery carriers ([Royal Mail / DPD / [CARRIER]]);
Email marketing provider ([e.g. Klaviyo / Mailchimp]);
Analytics providers ([e.g. Google Analytics]);
professional advisers and, where legally required, regulators or law-enforcement bodies.

5. International transfers

Some of our providers are based outside the UK (for example in the United States). Where we transfer your personal data outside the UK, we ensure a similar level of protection by relying on a valid UK transfer mechanism — such as UK "adequacy" regulations, the UK Extension to the EU–US Data Privacy Framework (the "UK–US Data Bridge") where the recipient is certified, or the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. You can ask us for details of the safeguards in place.

6. How long we keep your data

We keep personal data only as long as necessary. For example, we keep order and transaction records for [6 years plus the current year] to meet HMRC/tax and accounting obligations; account data for as long as your account is active; and marketing data until you withdraw consent or opt out. [Insert your actual specific retention periods — vague "as long as necessary" statements are not sufficient on their own.]

7. Your rights

Under the UK GDPR and Data Protection Act 2018 you have the right to: be informed; access your data; have inaccurate data corrected (rectification); have data erased; restrict processing; data portability; object to processing (including an absolute right to object to direct marketing); and rights relating to automated decision-making. To exercise any right, contact [PRIVACY EMAIL]. We will respond within one month. You also have the right to complain to the ICO (ico.org.uk; helpline 0303 123 1113), though we'd ask you to contact us first.

8. Marketing

We will only send you marketing emails where you have consented, or where you are an existing customer and we are marketing similar products (the "soft opt-in"). You can withdraw consent or unsubscribe at any time via the link in any marketing email or by contacting us.