Privacy policy

Last updated: 23 February 2026

The Needle Store (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains how we collect, use, share, and protect your personal information when you visit www.theneedlestore.com (the “Site”) or make a purchase.

We are the data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our contact details are at the end.

1. What personal information do we collect?

We collect two main types:

Device Information (automatically collected when you visit the Site):

  • Web browser type, IP address, time zone, and some cookies on your device.
  • Pages/products viewed, referral sites/search terms, and how you interact with the Site.

We collect this using:

  • Cookies (small data files with a unique anonymous ID). See our cookie banner on the Site to manage consent. For more on cookies, visit www.allaboutcookies.org.
  • Log files (track actions like IP address, browser, ISP, referring/exit pages, date/time).
  • Web beacons, tags, and pixels (electronic files that record browsing behaviour).

Order Information (when you purchase or attempt to purchase):

  • Name, billing address, shipping address, payment details (credit/debit card numbers), email address, phone number.

Together, we call this “Personal Information”.

2. Why do we collect and use your Personal Information? (Lawful bases)

We process Personal Information on these UK GDPR lawful bases:

  • To perform a contract with you (e.g., process orders, payments, shipping, invoices, confirmations).
  • Legitimate interests (our or third parties'): fraud/risk screening (especially IP address), Site improvement/analytics, marketing communications about our products (where not requiring consent), targeted ads.
  • Consent (where we ask, e.g., for certain cookies or marketing emails). You can withdraw consent anytime.
  • Legal obligations (e.g., VAT/tax reporting).

We use Order Information to:

  • Fulfil and communicate about orders.
  • Screen for fraud/risk.
  • Send information or ads about our products/services (based on preferences/legitimate interests or consent).

We use Device Information to:

  • Help prevent fraud.
  • Improve/optimise the Site (e.g., analytics on browsing, marketing campaign success).

3. Marketing Communications (including SMS/Text Messaging)

  • We may collect your mobile phone number (as part of Order Information or directly via opt-in forms) to send you promotional or informational SMS/text messages, but only with your prior explicit consent.
  • This processing is based on your consent (as required under PECR and UK GDPR for electronic marketing). We will not send marketing SMS without your clear, affirmative opt-in (e.g., via an unchecked checkbox or keyword confirmation).
  • For details on the SMS program itself, including message types (promotions, offers, cart reminders), frequency, opt-out (reply STOP), help (reply HELP), data rates, and the fact that consent is not required for purchase, please see our Terms of Service - Section 10: SMS Marketing Communications.
  • Your mobile number will be used solely for the consented purposes and may be shared with trusted third-party service providers (e.g., SMS platforms) under strict data processing agreements to facilitate delivery.
  • You can withdraw consent at any time (as easily as it was given) without affecting your purchases or other services. Withdrawal can be done via SMS opt-out, by updating preferences, or by emailing contact.us@theneedlestore.com.
  • For more on your rights regarding this data (access, erasure, etc.), see Section 8: Your rights under UK GDPR.
  • We retain mobile numbers used for marketing only as long as your consent is active or as needed for legal/record-keeping purposes (see Section 9: Data retention).

4. Who do we share your Personal Information with?

We share Personal Information only as needed:

  • Shopify (our e-commerce platform) – processes orders/payments. See Shopify's privacy policy: https://www.shopify.com/legal/privacy.
  • Google Analytics – for Site usage analytics. See Google's policy: https://www.google.com/intl/en/policies/privacy/. Opt out: https://tools.google.com/dlpage/gaoptout.
  • EAS Project (EU VAT compliance service) – collects limited sales/transaction data (e.g., product/amount, billing/shipping address, VAT number if given) solely for calculating/reporting VAT to EU authorities. We have a data processing agreement with them. Data is not used for marketing or shared otherwise. See easproject.com or contact support@easproject.com.
  • Professional advisers (e.g., our accountant or bookkeeper) – to handle our business accounts, tax compliance, and financial reporting. They act as processors under a data processing agreement and only access data necessary for these purposes.
  • Shipping and delivery providers (such as Royal Mail or other carriers we use) – to fulfil and deliver your orders, provide tracking information, and handle any delivery-related communications (e.g., notifications or updates). This may include sharing your name, delivery address, telephone number (for contact if needed), order details, and any relevant tracking/reference information. These providers act as our data processors under strict agreements that require them to protect your data in line with UK GDPR.
  • Other third parties – only to comply with laws, respond to legal requests (e.g., subpoenas), or protect our rights.

We do not sell your Personal Information.

5. Behavioural / targeted advertising

We may use your information for targeted ads/marketing. For more on how this works, see the Network Advertising Initiative: http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.

Opt out via:

6. Cookies and tracking signals

We use cookies and similar technologies (as described above). We ask for your consent via our cookie banner for non-essential ones (e.g., analytics/ads). Essential cookies (for Site function) do not require consent.

We do not change our practices for “Do Not Track” (DNT) browser signals (they are not legally binding in the UK). However, if your browser sends a Global Privacy Control (GPC) signal (a valid opt-out preference), we will honour it as an objection to certain processing (e.g., targeted advertising) where applicable.

7. International transfers

Your Personal Information may be transferred outside the UK (e.g., to Canada and the US via Shopify, Google). These transfers are protected because:

  • Canada has UK adequacy regulations (equivalent protection).
  • The US uses the EU-US/UK-US Data Privacy Framework (adequacy for participating companies like Shopify) and/or appropriate safeguards (e.g., standard contractual clauses).

8. Your rights under UK GDPR

You have rights including:

  • Access your data.
  • Correct inaccurate data.
  • Delete data (in certain cases).
  • Restrict or object to processing.
  • Data portability.
  • Withdraw consent (where we rely on it).

To exercise these, email contact.us@theneedlestore.com. We respond within one month (extendable if complex).

If unhappy, complain to the Information Commissioner's Office (ICO): www.ico.org.uk.

9. Data retention

We keep Order Information as long as needed for our records (e.g., tax/legal purposes) unless you ask us to delete it. Device Information is kept for shorter periods (analytics needs).

10. Changes to this policy

We may update this policy for changes in practices, law, or operations. Check back here; we'll note the last update date.

11. Contact us

Email: contact.us@theneedlestore.com

The Needle Store
Privacy Compliance Officer
Camberwell Units
49-65 Southampton Way
London
SE5 7SW
United Kingdom