Skip to content

Kissy Bang Bang

Privacy Policy

Version 2.1. Last updated 29 May 2026. This policy explains what personal data we collect when you use KissyBangBang.com, why we collect it, and what your rights are under UK GDPR and the Data Protection Act 2018.

1. Who we are

Goldmine Souvenirs Ltd (trading as Kissy Bang Bang) is the data controller for the personal data we collect through KissyBangBang.com. We're a company registered in England and Wales under number 06417974, with our trading address at Eurolink Business Centre, 49 Effra Road, London SW2 1BZ, United Kingdom. Our VAT number is GB 930 9561 16.

We are not required to appoint a Data Protection Officer under UK GDPR, and we don't have one. If you have any questions about your data or this policy, get in touch via our contact page.

↑ Back to top

2. The data we collect, why, and our legal basis

We only collect personal data we need to run the shop, process your order, deliver it to you, and meet our legal obligations. The table below sets out what we collect, why, and the legal basis under UK GDPR Article 6.

What we collect Why Legal basis
Name, billing and shipping address, email, phone (optional), order details To process and deliver your order, send confirmations, handle support Contract (Art 6(1)(b))
Payment status and last four digits of card To confirm payment and handle refunds. Full card details never reach us. They go directly to Stripe. Contract (Art 6(1)(b))
Account login details, address book, order history (if you create an account) To let you check out faster and view past orders Contract (Art 6(1)(b))
Artwork, logos, photos, text you upload via Design Your Own To produce your personalised wrappers Contract (Art 6(1)(b))
Messages you send via our contact form To reply and provide support Legitimate interests (Art 6(1)(f)): replying to enquiries
Invoicing and order records To meet UK accounting, tax, and Companies House obligations Legal obligation (Art 6(1)(c))
IP address, browser and device information, technical request logs To protect the site from fraud and abuse, and to keep it running Legitimate interests (Art 6(1)(f)): security
Analytics data (visit patterns, pages viewed, source) To understand how the site is used and improve it Consent (Art 6(1)(a)) — set via our cookie banner

We do not collect special category data (such as health, religion, or biometric data) and we do not ask you for any.

↑ Back to top

3. How long we keep your data

We only keep data for as long as we need it for the purpose it was collected, or for as long as the law requires us to.

Type of data Retention period
Order records, invoices, accounting data 6 years from the end of the relevant tax year (HMRC requirement)
Customer account data Until you delete the account. Transactional records linked to past orders are kept for 6 years.
Design Your Own artwork files 90 days after dispatch, then deleted unless you ask us to keep them for reprints
Support messages via contact form Up to 24 months after the matter is resolved
IP addresses and technical request logs Held by our hosting provider and security tools for the short periods needed to detect and prevent fraud, abuse, and attack. We don't retain copies of these logs ourselves.
Subscriber and review-request records For as long as you remain a customer or subscriber, plus 12 months after you opt out (to evidence the original consent or soft opt-in)
Cookies As set out in our Cookie Policy, controlled by you via the cookie banner

↑ Back to top

4. Who we share your data with

We share data only with the processors we need to run the shop. We don't sell your data to anyone, and we don't share it for any third party's own marketing.

Who What they do Where
Stripe Payments UK Ltd Processes card payments. They receive your card details and billing information directly. We never see your full card number. UK / US (international transfer below)
Royal Mail and tracked couriers Delivers your order. Receives your name, address, and phone number where needed. UK and destination country
Unlimited Web Hosting (unlimitedwebhosting.co.uk) Hosts the website and stores order data. UK-based. UK
Cloudflare Protects the site from attack, speeds delivery, filters bot traffic. Receives IP addresses and request headers. US (international transfer below)
Google Analytics 4 (if you consent to analytics cookies) Anonymised site-usage analytics US (international transfer below)
Google Ads (if you consent to advertising cookies) Conversion measurement for our ad campaigns US (international transfer below)
Our accountants and tax advisers For statutory accounting, VAT returns, and audit UK

We may also disclose data where we're legally required to (for example a court order, a request from HMRC, or to report criminal content to the relevant authority).

↑ Back to top

5. International transfers

Some of our processors are based in the United States (Stripe, Cloudflare, Google). When personal data leaves the UK, we rely on the UK Government's International Data Transfer Addendum to the EU Standard Contractual Clauses, plus each provider's own published transfer safeguards, to make sure your data continues to be protected to UK GDPR standards.

Where you ship an order outside the UK, your delivery address is shared with carriers and customs authorities in the destination country to deliver the goods.

↑ Back to top

6. Cookies & tracking

We use cookies and similar technologies for three reasons: to make the site work (cart, checkout, login), to remember your preferences, and (with your consent) to measure how the site performs and run our advertising.

When you first visit the site, you'll see a cookie banner asking what you consent to. You can change your choices at any time. Full details of every cookie we set are in our Cookie Policy.

↑ Back to top

7. Emails from us

We send three types of email:

Service emails connected to an order you've placed (order confirmations, dispatch notices, delivery updates, refund confirmations). These are part of fulfilling our contract with you and are sent regardless of any marketing preferences. You can't opt out of these for an active order.

Post-purchase review requests. After an order is delivered we may send you a short email asking how it went and inviting you to leave a review. We send these under the "soft opt-in" allowed by Regulation 22(3) of the Privacy and Electronic Communications Regulations 2003, because you're an existing customer and the request relates to the products you bought. Every review-request email includes a one-click link to opt out, and once you opt out we won't send you any more.

Marketing emails. We may also send occasional marketing or promotional emails (new product launches, seasonal offers, related products). We'll only send these where you've actively opted in (for example by ticking a subscribe box) or where the soft opt-in above applies. Every marketing email includes a one-click unsubscribe link, and once you unsubscribe we'll stop sending you marketing.

If we add or change the platform we use to send these emails (for example Mailchimp or another email provider), we'll update this policy to name it and to explain any change to international transfers.

↑ Back to top

8. Your rights under UK GDPR

You have the following rights in relation to the personal data we hold about you:

  • Access — request a copy of the data we hold on you
  • Rectification — ask us to correct anything inaccurate
  • Erasure — ask us to delete your data, subject to legal retention obligations (we have to keep order records for tax purposes)
  • Restriction — ask us to limit how we use your data while a query is resolved
  • Portability — ask for a machine-readable copy of data you've provided
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — for anything we process on the basis of your consent, at any time

To exercise any of these rights, get in touch via our contact page. We'll respond within one month.

If you're not happy with how we've handled your data, you have the right to complain to the Information Commissioner's Office (ICO), the UK regulator: ico.org.uk or by phone on 0303 123 1113. We'd appreciate the chance to put things right first.

↑ Back to top

9. Children's data

Our site is intended for general audiences. We don't knowingly collect personal data from children under 13 in the UK (the age below which a child cannot consent to information society services without parental authority under UK GDPR). If you believe a child has provided us with personal data, contact us and we'll delete it.

↑ Back to top

10. Automated decision-making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects for you. A human reviews any decision that meaningfully affects your order, account, or refund.

Stripe and our hosting provider may run automated fraud-detection checks on payments and traffic. Where those checks flag a transaction, a member of our team reviews it before any action that affects you is taken.

↑ Back to top

11. Security

We protect your data with technical and organisational measures appropriate to the risk, including: HTTPS encryption on the site, restricted admin access, secure UK hosting, payment processing on Stripe's PCI-DSS Level 1 infrastructure (no card data ever touches our servers), regular backups, and security-hardening tools at the network edge.

No system is 100% secure. If we ever became aware of a personal data breach that posed a high risk to your rights, we'd notify you and the ICO without undue delay and within the timeframes required by UK GDPR.

↑ Back to top

12. Changes & how to contact us

We may update this policy from time to time. The latest version is always posted on this page with the revision date at the top. Material changes will be highlighted prominently. If a change affects how we use data you've already given us, we'll contact you before it takes effect where the law requires us to.

For any question about your data, this policy, or to exercise any of your rights:

Send us a message via our contact page.
Phone: +44 20 7737 3128
Post: Goldmine Souvenirs Ltd, Eurolink Business Centre, 49 Effra Road, London SW2 1BZ, United Kingdom.

↑ Back to top