Data Protection Policy

Policy owner: Lizzy Grayson (Co-Founder)
Approved by: Lizzy Grayson & Tina Grayson (Co-Founders)
Applies to: An’du directors, workers, contractors and processors handling personal data on An’du’s behalf (e.g., e-commerce, email marketing, fulfilment partners).
Effective date: 04/01/2026
Next review: 04/01/2027

1. Purpose

An’du is committed to protecting personal data and complying with UK data protection law (including the UK GDPR and Data Protection Act 2018).

2. What data we may handle

Depending on the activity, An’du may process personal data such as:

  • customer contact details (name, email, address, phone)
  • order and payment records (An’du does not store full card details where payments are processed by a payment provider)
  • customer service communications
  • marketing preferences/consent status
  • business contacts at retailers and suppliers

3. Core principles we follow

We process data in line with:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality
  • accountability

4. Roles and responsibilities

  • Lizzy Grayson is the main point of contact for data protection matters.
  • Anyone handling personal data for An’du must follow this policy and protect data from loss, misuse, or unauthorised access.

5. Security measures

An’du uses proportionate controls appropriate to a small business, including:

  • strong passwords and (where available) multi-factor authentication
  • limiting access to personal data to those who need it
  • using reputable service providers
  • keeping devices and software updated
  • secure storage of files and careful handling of exports/spreadsheets
  • deleting data when no longer needed

6. Using manufacturers and service providers (processors)

Where third parties process personal data for An’du (e.g., fulfilment, email marketing platforms), we will:

  • choose reputable suppliers
  • put appropriate contractual terms in place where required
  • share only the minimum data necessary
  • require appropriate security standards

7. Data retention

We retain personal data only as long as needed for business operations and legal requirements (e.g., accounting/tax). We securely delete or anonymise data when it is no longer needed.

8. Individual rights

Individuals may have rights including access, rectification, erasure, restriction, objection, and data portability (where applicable). Requests should be sent to:
Email: lizzy@an-du.co.uk

9. Data breaches

A data breach includes accidental or unlawful loss, disclosure or alteration of, or access to, personal data.
If a breach is suspected, it must be reported immediately to lizzy@an-du.co.uk. We will assess risk and, where required, report to the ICO and/or affected individuals.