Xtransit Records

Privacy policy

Last updated: April 2026. This document is a practical template for a small UK online shop. It is not legal advice; have it reviewed by a qualified adviser before relying on it.

1. Who we are

The data controller is SoundOnShape.com Ltd (company no. 16464812), trading as Xtransit Records (“we”, “us”). We decide how and why your personal data is used when you use this website and buy from us.

Contact (privacy): privacy@xtransit.uk (if this inbox is not live yet, use the phone number in the site footer or your order confirmation route).

2. What personal data we collect

  • Account: email address and password (stored securely; we do not store passwords in plain text).
  • Shop use: basket contents, catalogue searches, and technical logs (e.g. IP address, browser type, timestamps) needed to run the service and prevent abuse.
  • Orders: name, email, phone (if collected at checkout), delivery address, payment reference and amounts. Card details are processed by Stripe; we do not store your full card number on our servers.
  • Communications: messages you send us and transactional emails related to your order.
  • Analytics (optional): if enabled, usage data may be sent to Google Analytics 4 using a measurement ID configured on the site.

3. Why we use your data and lawful bases (UK GDPR)

We use personal data only where we have a lawful basis, including:

  • Contract — to take orders, process payment via Stripe, ship goods, and manage your account and basket.
  • Legitimate interests — to secure the site, prevent fraud, improve the service, keep basic records, and (where proportionate) analyse traffic, unless you have opted out where an opt-out applies.
  • Legal obligation — to meet accounting, tax, or regulatory requirements.
  • Consent — where we ask for consent (for example non-essential cookies or marketing, if we offer them), you may withdraw consent at any time without affecting the lawfulness of earlier processing.

4. Recipients and processors

We share data with service providers who process it on our instructions, including:

  • Stripe — payment processing and fraud prevention (Stripe privacy policy).
  • Email delivery (e.g. Resend) — to send operational messages such as merchant order notifications, if configured.
  • Hosting and infrastructure — where the site and database are hosted.
  • Google (Analytics) — if GA4 is enabled, as described in Google’s documentation.

5. International transfers

Some processors may be based outside the UK. Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum, UK adequacy regulations, or the provider’s approved transfer mechanisms, as applicable.

6. How long we keep data

We keep personal data only as long as needed for the purposes above — for example order and tax records for the period required by law, account data while your account is open (and a short period after closure unless we must retain longer for legal reasons), and security logs for a limited retention window.

7. Your rights

Under UK data protection law you may have the right to:

  • Access your personal data and receive certain information about processing.
  • Rectify inaccurate data.
  • Erase data in certain circumstances.
  • Restrict processing in certain circumstances.
  • Object to processing based on legitimate interests, where applicable.
  • Data portability for information you provided, where processing is automated and based on consent or contract.
  • Withdraw consent at any time, where we rely on consent.

To exercise your rights, contact us using the details in section 1. We may need to verify your identity. You may also complain to the Information Commissioner’s Office (ICO) in the UK.

8. Security

We use appropriate technical and organisational measures to protect personal data. No method of transmission over the internet is completely secure; we follow good practice and rely on reputable payment and hosting providers.

9. Cookies and similar technologies

We use cookies or similar technologies as needed for the site to function (for example sessions or security). If we use non-essential analytics cookies, we will align collection with applicable law (including consent banners where required). You can control cookies through your browser settings.

10. Children

The shop is not directed at children under 13 (or under 16 where a higher age applies). We do not knowingly collect personal data from children for marketing.

11. Changes

We may update this policy from time to time. The “Last updated” date will change; continued use of the site after changes may be subject to the updated policy where permitted by law.
