
Privacy Policy

Last updated: [DATE — update before go-live]

DRAFT — This policy must be reviewed by a UK-qualified solicitor and completed with accurate business details before this site processes live orders.

1. Who we are

NM Legends (“we”, “us”, “our”) is a UK-based independent trading card game retailer. [REGISTERED ADDRESS]. [COMPANIES HOUSE NUMBER if limited company / sole trader details].

We are registered with the Information Commissioner’s Office (ICO) as a data controller. ICO reference number: [ICO REFERENCE — obtain before go-live at ico.org.uk/registration].

Contact for data matters: privacy@[DOMAIN]

2. What data we collect and why

Customer name, email, and delivery & billing address

Collected by Stripe at checkout. When you complete an order, we retrieve this information from Stripe and store it in our order management system. Lawful basis: contract (Article 6(1)(b) UK GDPR) — necessary to fulfil your order. Retention: 6 years from transaction date (HMRC requirement).

Payment card details

We never see or store your card details. Payment is processed entirely by Stripe (our payment processor). Stripe is PCI DSS compliant. See Stripe’s privacy policy for how they handle this data.

Stripe payment fingerprint

A card identifier supplied by Stripe that is unique per card number. We store this to detect and prevent fraud. It does not allow us to reconstruct your card number. Lawful basis: legitimate interests (Article 6(1)(f) UK GDPR) — fraud prevention. Retention: 2 years from last order.

Delivery and billing address hash

We store a one-way cryptographic hash of your delivery and billing address for fraud prevention purposes. We cannot reverse this hash to recover your address. Lawful basis: legitimate interests — fraud prevention. Retention: 2 years from last order.

Email domain (not your full email)

We record the domain portion of your email address (e.g. “gmail.com”) as a secondary fraud signal. Your full email address is held by Stripe and our order management system for order communication only. Lawful basis: legitimate interests. Retention: 2 years.

IP address

We log your IP address at checkout as low-weight fraud context. We do not use IP addresses as a primary identification signal. Retention: 90 days, then automatically deleted.

Order details (SKUs, quantities, amounts)

Stored in our order management system. Lawful basis: contract. Retention: 6 years (HMRC requirement).

Queue session token

During high-demand periods, we operate a virtual waiting room. A session token stored in an httpOnly browser cookie manages your place in the queue. This token does not identify you personally. Lawful basis: strictly necessary for site operation. Retention: 90 days after expiry.

Cart cookie

A browser session cookie holds the contents of your cart. It is deleted when you close your browser or complete / abandon checkout. Lawful basis: strictly necessary.

3. How we use your data

  • To process and fulfil your order (dispatch, shipping confirmation, tracking updates).
  • To detect and prevent fraud, buy-limit circumvention, and abusive ordering patterns.
  • To comply with our legal obligations (HMRC financial record-keeping).

We do not use your data for marketing without your explicit consent. We do not sell your data.

4. Who we share your data with

We share data only with the following processors, all bound by data processing agreements:

  • Stripe — payment processing and customer PII at checkout. Stripe’s privacy policy: stripe.com/gb/privacy.
  • Zoho — transactional email delivery (order confirmation, tracking). Zoho’s privacy policy: zoho.com/privacy.html.
  • Royal Mail / courier — your name and delivery address are provided on the shipping label only. Not stored by us beyond the order record.

No other third parties receive your personal data. We do not share data for advertising or profiling.

5. How long we keep your data

Data | Retention
Order records (name, email, address, items) | 6 years from transaction (HMRC)
IP address | 90 days, then automatically deleted
Payment fingerprint & address hash | 2 years from last order
Queue tokens | 90 days after expiry
Storefront order rows | 90 days after shipment (full record retained in our order management system)

6. Your rights under UK GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data. Note: we are legally required to retain financial records for 6 years under HMRC rules. Where erasure is not possible for this reason, we will anonymise the record instead.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.

7. How to exercise your rights

Email privacy@[DOMAIN] with your request. We will respond within one calendar month (UK GDPR Article 12(3)).

8. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113

We would appreciate the opportunity to address your concern before you contact the ICO.

9. Cookies

We use only essential cookies. See our Cookie Policy for full details.

10. Changes to this policy

We may update this policy from time to time. Material changes will be noted on this page with an updated date. Continued use of the site after changes constitutes acceptance of the updated policy.

© 2026 NM Legends. All rights reserved.