EdenLily Legal
Privacy Policy
Last updated: March 2026
EdenLily (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The data controller for your personal information is EdenLily, contactable at hello@edenlily.co.uk.
1. What Data We Collect
a) Account & Order Data
- Name and email address
- Delivery address and telephone number
- Order history (items, personalisation text, QR add-ons)
- Account login credentials (password stored as a one-way bcrypt hash — never plain text)
b) QR Memory Page Data
- Photos, captions, event titles and dates you upload to your memory page
- Page type (Memory, Biography, Medical Details, Forwarding Link)
- Privacy settings (Public / PIN-Protected / Owner Only)
- Visitor-uploaded photos (if you enable that feature)
- Medical information you voluntarily enter (allergies, blood type, emergency contacts)
c) Payment Data
Payment is processed by Stripe or Revolut. We receive only a transaction reference and order total. We never store full card numbers, CVV codes or other sensitive payment details.
d) Technical & Usage Data
- IP address and browser/device type (used for server logs and security)
- Pages visited and actions taken on the Site (via aggregated analytics — see Cookie Policy)
- QR code scan events (time of scan; no personally identifiable scanner data is stored)
2. How We Use Your Data
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Processing and fulfilling your order | Contract performance (Art. 6(1)(b)) |
| Sending order confirmation and dispatch emails | Contract performance |
| Providing and hosting your QR memory page | Contract performance |
| Sending account credentials after purchase | Contract performance |
| Marketing emails (newsletter, promotions) | Consent (Art. 6(1)(a)) — you can unsubscribe at any time |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
3. Medical Information (Special Category Data)
If you choose to store medical details on your QR page, this constitutes special category data under UK GDPR (Art. 9). We process it solely for the purpose of displaying that data when your QR code is scanned. We will never share, sell or use medical data for any other purpose. Medical pages default to “Owner Only” privacy. The legal basis for processing is your explicit consent (Art. 9(2)(a)), which you can withdraw at any time by deleting the content from your dashboard.
4. Who We Share Your Data With
- Stripe / Revolut — payment processing (their own privacy policies apply)
- Email service provider (Resend / SMTP host) — to send transactional emails
- Hosting provider — our web server provider stores order and upload data
We do not sell or rent your personal data to third parties, and we do not use it for targeted advertising on other platforms.
5. Data Retention
- Order data — retained for 7 years for legal and tax compliance, then deleted.
- QR memory page content — retained for 24 months from the date your QR page is first claimed. See the QR & Memory Page Storage Policy for full details, including renewal and expansion options.
- Account data — retained while your account is active. Request deletion at any time.
- Marketing consent — retained until you unsubscribe or withdraw consent.
6. Your Rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure (“right to be forgotten”) — request deletion of your data, subject to legal retention obligations.
- Restriction — ask us to restrict processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, email hello@edenlily.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
7. Security
We use HTTPS encryption for all data in transit. Passwords are hashed with bcrypt. Uploaded images are stored on our servers with access controls. No method of transmission over the internet is 100% secure; we will notify you promptly in the event of a data breach that is likely to affect your rights and freedoms.
8. Cookies
We use cookies for session management, cart persistence and aggregate analytics. See our Cookie Policy for full details.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Site.
10. Contact
Data protection queries: hello@edenlily.co.uk