Privacy Policy
Version 1 — current · Published 2 July 2026
1. Who we are
This Privacy Policy explains how Lloyd Digital UK ("we", "us"), operating the Wicked Exotics platform (the "Service"), handles personal data. It applies to:
- Customers (businesses subscribing to the Service);
- End users (staff of Customers who log in to use it);
- Website visitors to any tenant storefront hosted on the platform.
For personal data of a Customer's own customers, suppliers or staff that they enter into the Service (animal records, sales register, contact form submissions, etc.), the Customer is the data controller and we are the data processor. See our Data Processor Addendum in §9.
2. What we collect
About a Customer / their users:
- Business name, address, contact number, email
- Names, work email addresses, and hashed passwords of user accounts
- IP address and login timestamps for security auditing
- Card details are handled entirely by Stripe — we never see or store the full card number. We do store the last four digits, brand and expiry for display
About end-shoppers using a tenant storefront:
- Only what they submit via forms (name, email, phone, message)
- Their IP is available in server logs but not linked to their submission
3. How we use it
- To operate, maintain and support the Service
- To process subscription payments
- To send transactional emails (receipts, failed-payment notices, security alerts)
- To detect and prevent abuse
- To comply with our own legal obligations (accounting, tax)
We do not sell personal data. We do not use it for marketing to end shoppers.
4. Legal basis (UK GDPR)
- Contract — for anything necessary to deliver the Service you subscribed to
- Legitimate interest — for security logging, abuse detection and service improvements
- Legal obligation — for accounting, tax and law-enforcement disclosure duties
- Consent — for optional communications (currently none — we'll ask if that ever changes)
5. Sharing
We share personal data only with:
- Stripe Payments Europe, Ltd. — to process card payments (see Stripe's privacy notice)
- Our infrastructure provider — for hosting on their UK-based servers
- Our email provider — for transactional emails (SMTP over the domain configured in your Settings)
- Authorities where required by law
We do not transfer personal data outside the UK / EEA in a way that requires additional safeguards, other than to Stripe (which operates under standard contractual clauses).
6. How long we keep it
- Active accounts — for as long as your subscription is live
- Cancelled accounts — 30 days after cancellation, at which point we delete or anonymise (accounting-required records are kept for 6 years as required by HMRC)
- Server logs — 90 days
- Billing log — 3 years for audit trail
7. Your rights (UK GDPR)
You can ask us to:
- Access the personal data we hold about you (Right of Access)
- Correct inaccurate data (Right of Rectification)
- Delete data (Right of Erasure) — subject to accounting retention requirements
- Restrict or object to processing
- Port data to another provider (Right of Data Portability)
Contact admin@lloyddigitaluk.co.uk for any of the above. We will respond within 30 days. You have the right to complain to the ICO (ico.org.uk) if you're unhappy with how we handle your data.
8. Security
- All web traffic is over HTTPS/TLS
- Passwords are stored using bcrypt (12 rounds)
- Payment data is tokenised via Stripe (PCI-DSS Level 1)
- Access to the production database is limited to the platform operator
- We keep a full audit log of billing events per subscription
We test for common vulnerabilities but no system is 100% secure. If you discover a vulnerability please report it responsibly to the address above.
9. Data Processor Addendum (summary)
Where you (Customer) enter personal data about your own customers, staff or suppliers into the Service:
- You are the controller; we are the processor
- We only process that data on your documented instructions (which include your use of the Service)
- We ensure our staff with data access are bound by confidentiality
- We help you meet data-subject requests forwarded via us to the extent practical
- We notify you without undue delay of any security incident affecting your data
- On termination, we delete or return the data at your choice (see §6)
REVIEW: enterprise customers may require a signed DPA. If you plan to sell to organisations that ask for one, we should upgrade this section into a stand-alone signable document.
10. Cookies
The Service uses one cookie (we_admin, session-scoped, HttpOnly, SameSite=Lax) to keep you logged in. Tenant storefronts do not currently set marketing cookies. See §11 if that changes.
11. Changes to this Policy
We may update this Policy. Material changes are announced by email 30 days before they take effect. The full history of versions is visible on this page.
12. Contact
Lloyd Digital UK — data protection: admin@lloyddigitaluk.co.uk.
_Last updated: 2 July 2026 — Version 1_
© 2026 Lloyd Digital UK Ltd
Lloyd Digital UK Ltd · Registered in England & Wales · Company No. 17291164