Privacy Policy
Last updated: 12 April 2026
1. Data controller
The data controller is Pacavita, operated by Giuseppe Giona, based in Saltaire, West Yorkshire, England. Contact: hello@pacavita.com. We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), Part 2, Chapter 2.
2. What we collect and the lawful basis
Under UK GDPR Article 6, we process personal data on the following lawful bases:
| Data type | What we collect | Lawful basis (Art. 6) | Retention |
|---|---|---|---|
| Contact form | Name, email, phone, message | 6(1)(f) Legitimate interest | 24 months |
| Order data | Business name, brief details, payment reference | 6(1)(b) Contract performance | 6 years |
| Account data | Email address, login sessions | 6(1)(b) Contract performance | Duration of account + 6 years |
| Payment data | Handled entirely by Stripe; we store only transaction reference | 6(1)(b) Contract performance | 6 years (HMRC requirement) |
| Analytics | Anonymised page views, device type, referrer | 6(1)(f) Legitimate interest | Indefinite (anonymised) |
| Consent records | Cookie consent, cooling-off waiver evidence | 6(1)(c) Legal obligation | Permanent |
We retain order and account data for 6 years to comply with HMRC record-keeping requirements (Income Tax (Trading and Other Income) Act 2005). Contact form data is retained for 24 months to manage ongoing enquiries and is deleted automatically thereafter.
3. Data processors and international transfers
We share personal data with the following processors, all of which are bound by Data Processing Agreements (DPAs) in accordance with UK GDPR Article 28:
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments UK Ltd | Payment processing | UK / US | UK GDPR Art. 46 SCCs |
| Supabase Inc | Database, authentication | EU (Frankfurt) | UK adequacy decision |
| Resend Inc | Transactional email | US | UK GDPR Art. 46 SCCs |
| Cloudflare Inc | CDN, DDoS protection | Global edge | UK GDPR Art. 46 SCCs |
| Vercel Inc | Website hosting, deployment | US / EU edge | UK GDPR Art. 46 SCCs |
We do not sell, rent or trade your personal data to any third party. Data is shared with processors solely for the purpose of delivering our Services.
4. Your rights under UK GDPR
Under UK GDPR Articles 12–22, you have the right to:
- Access your personal data (Article 15)
- Have inaccurate data rectified (Article 16)
- Have your data erased (“right to be forgotten”) where applicable (Article 17)
- Restrict processing (Article 18)
- Receive your data in a structured, machine-readable format (data portability) (Article 20)
- Object to processing based on legitimate interest (Article 21)
- Withdraw consent at any time where processing is based on consent (Article 7(3)); withdrawal does not affect the lawfulness of prior processing
To exercise any right, email hello@pacavita.com with “Data rights request” in the subject line. We will verify your identity and respond within one calendar month, as required by UK GDPR Article 12(3). If the request is complex, we may extend this by a further two months with notice.
5. Automated decision-making
We do not use automated decision-making or profiling as defined by UK GDPR Article 22. No decisions with legal or significant effects are made about you without human involvement.
6. Children’s data
Our Services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided personal data without parental consent, we will delete it promptly. If you believe a child’s data has been collected, contact hello@pacavita.com.
7. Security measures
We implement the following technical and organisational measures to protect your data:
- Encryption in transit via HTTPS with HSTS preload
- Encryption at rest via AES-256 (Supabase)
- Content Security Policy, X-Frame-Options, Referrer-Policy and Permissions-Policy headers on all pages
- PCI DSS SAQ-A compliance for payment processing (card data never touches our server)
- Role-based access controls with audit logging
- Automated daily backups with 30-day retention and tested restore procedures
- External uptime monitoring with alerting
- No shared hosting — each site runs in an isolated deployment
8. Data breach notification
In the event of a personal data breach, we will: (a) notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware, as required by UK GDPR Article 33, unless the breach is unlikely to result in a risk to your rights and freedoms; and (b) notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by UK GDPR Article 34.
9. Complaints
If you believe your data has been mishandled, please contact us first at hello@pacavita.com. We take all complaints seriously and aim to resolve them within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk, telephone 0303 123 1113.
10. Changes to this policy
We may update this policy to reflect changes in law or our practices. Material changes will be communicated by email. The “last updated” date at the top of this page indicates when the policy was last revised.