Privacy Policy
Last updated: 9 June 2026
1. Data Controller and Contact
Identity: Byron-Butler Corporation Ltd
Registered address: 41 Baddow Close, Woodford Green, London, IG8 7JE, United Kingdom
Company number: 08918733 (England & Wales)
ICO registration number: ZA911972
Email (general): reine@reinoz.art
Email (data protection): legal@byronbutler.com
It is not mandatory to appoint a Data Protection Officer (DPO) under Art. 37 UK GDPR, given the nature, scope and volume of our processing activities. For any matters relating to your personal data, you may contact us at the addresses above.
The data controller is established in the United Kingdom. The applicable legislation is the UK General Data Protection Regulation (UK GDPR). The UK benefits from an adequacy decision by the European Commission (Art. 45 GDPR), so transfers of personal data from the European Economic Area to the UK are permitted without additional safeguards. For any complaints, users resident in Spain may contact the Agencia Española de Protección de Datos (AEPD).
2. Purposes, Data Collected and Legal Bases
Contact and support: responding to enquiries submitted through the contact form.
- Data: name, email address, message, IP address, date and time.
- Legal basis: consent (Art. 6(1)(a) UK GDPR) or contractual necessity if arising from an order (Art. 6(1)(b)).
- Retention: 1 year from the last communication.
Commercial and orders: order management, shipping and invoicing.
- Data: name, email address, shipping address, payment data (processed by Stripe — we do not store card numbers), order history.
- Legal basis: performance of a contract (Art. 6(1)(b) UK GDPR).
- Retention: order data 4 years (tax obligations); invoicing 5 years.
Analytics (Google Analytics 4): audience measurement and browsing behaviour analysis to improve the site.
- Data: anonymised IP address, pages visited, visit duration, browser type, operating system, language, anonymous browsing data.
- Legal basis: prior consent for analytics cookies (Art. 6(1)(a) UK GDPR together with PECR reg. 6). Anonymised data without cookies may be used under legitimate interest (Art. 6(1)(f)).
- Retention: 14 months at user level.
Audience profiling (Google Analytics): Google Analytics 4 may create anonymous audience profiles (interests, aggregated demographic data, behaviour) based on user browsing. These profiles have no legal effects on the data subject and are not used for individual automated decision-making (Art. 22 UK GDPR).
Legal compliance: tax and accounting obligations arising from the sale of products.
- Data: order data, tax and invoicing data.
- Legal basis: legal obligation (Art. 6(1)(c) UK GDPR).
- Retention: as required by applicable law (4-5 years depending on the matter).
We do not make automated decisions or create profiles with legal effects on data subjects (Art. 22 UK GDPR).
3. Cookies and Consent (PECR + UK GDPR / EU ePrivacy)
No non-essential cookies are activated before obtaining your consent. The cookie banner allows you to accept or reject analytics cookies with equal prominence. We use Google Analytics 4 (GA4) with IP anonymisation enabled by default and data retention set to 14 months.
Strictly necessary technical cookies (no consent required):
| Cookie | Purpose | Duration |
|---|---|---|
PHPSESSID |
Maintains user session during navigation | Session |
lang |
Remembers the selected language (es_ES / en_UK) | 1 year |
cookie_consent |
Records whether you accepted or rejected analytics cookies | 2 years |
Analytics cookies (require consent):
| Cookie | Purpose | Duration |
|---|---|---|
_ga |
Distinguishes users (anonymous identifier) | 2 years |
_ga_<ID> |
Maintains session state | 2 years |
_gid |
Distinguishes users (anonymous identifier) | 24 hours |
_gat |
Throttles request rate | 1 minute |
You may withdraw your consent at any time using the "Change cookie preferences" link in the site footer, from your browser settings (by deleting the cookies), or by contacting us. Blocking analytics cookies does not affect the functioning of the site.
4. International Transfers
For Google and Stripe services, data may be transferred to the United States. The legal basis is the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) and, for the UK, the International Data Transfer Agreement (IDTA) / UK Addendum (version B1.0 issued by the ICO).
You can consult the SCCs at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
Supplementary measures have been implemented: TLS 1.3 encryption in transit, data minimisation, and IP anonymisation before transmission to Google. A documented Transfer Impact Assessment (TIA) has been carried out, concluding that these measures guarantee a level of protection equivalent to that of the European Economic Area and the United Kingdom. The TIA is available for review by competent authorities.
5. Processors and Sub-processors
Your data may be processed by the following data processors, with whom we maintain contracts under Art. 28 UK GDPR / EU GDPR:
- Stripe, Inc. (US / Ireland): payment processor. Privacy policy
- Google LLC (US): Google Analytics. Privacy policy
- Hosting provider: servers where the website and data are hosted.
- Email provider: for sending communications arising from contact or orders.
All processors are prohibited from processing your data for their own purposes and must notify us of any change of sub-processor.
6. Retention
We retain your data for the following periods, after which they are securely deleted or anonymised:
- Analytics (Google Analytics): 14 months at user level.
- Contact enquiries: 1 year from the last communication.
- Order data: 4 years (tax obligations, UK Finance Act).
- Invoicing: 5 years (UK Companies Act / Code de Commerce).
- Consent cookie (
cookie_consent): 2 years.
7. Your Rights and Procedures
You have the right to:
- Access: know what data we process about you (Art. 15 UK GDPR)
- Rectification: correct inaccurate data (Art. 16)
- Erasure: request deletion of your data (Art. 17)
- Restriction: restrict processing (Art. 18)
- Portability: receive your data in a structured format (Art. 20)
- Objection: object to processing (Art. 21)
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3))
To exercise your rights, email us at reine@reinoz.art specifying the right you wish to exercise. We will respond within 1 month, extendable to 2 months for complex requests (Art. 12(3) UK GDPR). We may request a copy of an identification document to verify your identity.
If you are not satisfied with our response, you have the right to lodge a complaint with the competent supervisory authority:
- Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
8. Security and Data Breaches
We have implemented the necessary technical and organisational measures to ensure the security of your data (Art. 32 UK GDPR): TLS 1.3 encryption for all communications, role-based access control, backup procedures, and pseudonymisation where possible.
In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Art. 33 UK GDPR). If the breach poses a high risk to your rights and freedoms, we will inform you without undue delay (Art. 34).
9. Minors
This service is directed at individuals aged 18 or over. We do not knowingly collect personal data from minors without parental or guardian consent (Art. 8 UK GDPR). If you become aware that a minor has provided us with data without such consent, please contact us so we can delete the information.