PRIVACY POLICY

roosma.com

Last updated: 28 March 2026

1. Introduction

Welcome to roosma.com. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you visit or make a purchase from our website.

Please read this policy carefully. By using our website, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not use our website.

 

2. Who We Are (Data Controller)

Roosma.com is the data controller responsible for your personal data. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:

 

Company: Roosma Ltd

Company number: 16149621 (registered in England and Wales)

Address: 220 Legrams Lane, Bradford, BD7 2EH, United Kingdom

Website: roosma.com

Email: hello@roosma.com

 

If you have any questions about this Privacy Policy or our data practices, please contact us using the details above or those provided in Section 17 of this policy.

 

3. What Personal Data We Collect

We collect and process the following categories of personal data:

 

3.1 Information You Provide to Us

  • Full name
  • Email address
  • Billing address and delivery/shipping address
  • Phone number
  • Account login credentials (username and encrypted password)
  • Order history and preferences
  • Communications you send to us (e.g. enquiries, support requests)

 

3.2 Payment Information

All payment transactions on our website are processed securely by Stripe, Inc. We do not store your full card details on our servers. Stripe may collect and process payment card data, billing addresses, and fraud-prevention data directly. Please refer to Stripe’s Privacy Policy for details of their data practices.

 

3.3 Technical & Usage Data

When you visit our website, we may automatically collect certain technical data, including:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on each page
  • Referring website (where you came from)
  • Date and time of your visit

 

3.4 Cookie Data

We use cookies and similar tracking technologies to enhance your experience on our website. Please see Section 11 (Cookies) for full details.

 

4. How We Collect Your Data

We collect personal data through the following means:

  • Directly from you when you create an account, place an order, complete a checkout form, or contact us
  • Automatically through cookies and tracking technologies when you browse our website
  • Through third-party services such as Stripe (payment processing) and WordPress/WooCommerce analytics

 

5. How We Use Your Personal Data

We use your personal data for the following purposes:

 

  • Order Fulfilment: Processing and fulfilling your orders, including sending confirmation and dispatch notifications
  • Account Management: Managing your customer account and login credentials
  • Payment Processing: Processing payments and refunds securely via Stripe
  • Customer Support: Responding to your enquiries, complaints, or support requests
  • Transactional Communications: Sending transactional emails (e.g. order confirmations, shipping updates)
  • Marketing: Sending marketing emails and promotional offers where you have given consent or we have a legitimate interest (you can opt out at any time)
  • Website Improvement: Improving our website performance, product offerings, and user experience
  • Fraud Prevention & Security: Detecting and preventing fraud, abuse, and security incidents
  • Legal Compliance: Complying with our legal and regulatory obligations

 

6. Legal Basis for Processing (UK GDPR)

Under the UK GDPR, we rely on the following legal bases to process your personal data:

 

  • Contract (Article 6(1)(b)): Processing your orders and managing your customer account — we need your data to fulfil the contract with you
  • Legitimate Interests (Article 6(1)(f)): Improving our services, fraud prevention, and sending marketing to existing customers — we have a legitimate business interest in doing so, balanced against your rights
  • Consent (Article 6(1)(a)): Sending marketing communications to new contacts or using non-essential cookies — we will ask for your explicit consent, which you can withdraw at any time
  • Legal Obligation (Article 6(1)(c)): Retaining financial records and complying with applicable UK law

 

7. Who We Share Your Data With

We do not sell your personal data to third parties. We may share your data with trusted third parties only as necessary and in accordance with this policy:

 

  • Stripe (Payment Processing): Stripe, Inc. — to process your payments securely. Stripe operates as an independent data controller for payment data. Please review Stripe’s Privacy Policy at stripe.com/gb/privacy
  • WooCommerce / WordPress: WooCommerce / Automattic, Inc. — our ecommerce platform, which powers order management, product listings, and customer accounts
  • Hosting Providers: Hosting and infrastructure providers — who host and operate our website on our behalf
  • Email Providers: Email service providers — used to send you order confirmations and communications
  • Shipping Couriers: Delivery and logistics partners — who fulfil and ship your orders (your name and address will be shared as necessary)
  • Legal & Regulatory Bodies: Regulatory authorities, law enforcement, or courts — where we are legally required to disclose your data

 

All third-party service providers are required to process your data only on our instructions and in compliance with applicable data protection laws.

 

8. Stripe Payment Processing

All card payments on roosma.com are processed by Stripe, Inc., a PCI-DSS compliant payment processor. When you make a purchase, you will enter your payment details directly into Stripe’s secure payment form. We never receive or store your full card number, CVV, or expiry date on our systems.

Stripe may process your data in the United States and other countries. Stripe implements appropriate safeguards, including Standard Contractual Clauses, to protect transfers of personal data outside the UK. For more information, please visit:

https://stripe.com/gb/privacy

 

9. International Data Transfers

Some of our third-party service providers (including Stripe and Automattic/WooCommerce) are based outside the United Kingdom. When we transfer your personal data internationally, we ensure that appropriate safeguards are in place, such as:

  • UK adequacy decisions
  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO)
  • Other lawful transfer mechanisms under the UK GDPR

 

10. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes set out in this policy, or as required by law. Our general retention periods are:

 

  • Order and financial records: Retained for 6 years after the end of the tax year in which the transaction occurred, in accordance with HMRC requirements
  • Customer account data: Retained while your account remains active, and for up to 2 years after your last login or purchase
  • Marketing preferences and communications: Retained for up to 2 years from the date of your last communication
  • Technical and usage data: Retained for up to 12 months

 

When your data is no longer required, we will securely delete or anonymise it.

 

11. Cookies

Our website uses cookies — small text files stored on your device — to provide core functionality and improve your experience. We use the following types of cookies:

 

  • Strictly Necessary Cookies: Essential for the website to function (e.g. shopping cart, login session). These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors interact with our website (e.g. pages visited, time on site). We use this data in aggregate to improve our website.
  • Functional Cookies: Used by WooCommerce to remember items in your cart, your login status, and your preferences.
  • Payment & Security Cookies: Used by Stripe to detect fraudulent activity and ensure secure payment processing.

 

You can manage or disable non-essential cookies through your browser settings or our cookie consent banner. Please note that disabling certain cookies may affect the functionality of our website.

 

12. Your Rights Under UK GDPR

As a UK resident, you have the following rights regarding your personal data:

 

  • Right of Access: To obtain a copy of the personal data we hold about you
  • Right to Rectification: To correct any inaccurate or incomplete personal data
  • Right to Erasure (‘Right to be Forgotten’): To request that we delete your personal data in certain circumstances
  • Right to Restriction of Processing: To request that we restrict the processing of your data in certain circumstances
  • Right to Data Portability: To receive your personal data in a structured, machine-readable format and transmit it to another controller
  • Right to Object: To object to processing based on legitimate interests or for direct marketing purposes
  • Right to Withdraw Consent: To withdraw your consent at any time where processing is based on consent (this will not affect the lawfulness of processing before withdrawal)
  • Right to Lodge a Complaint: To lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk

 

To exercise any of these rights, please contact us at hello@roosma.com. We will respond within one calendar month of receiving your request. We may need to verify your identity before fulfilling your request.

 

13. Data Security

We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration, or disclosure. These measures include:

  • SSL/TLS encryption for all data transmitted through our website (HTTPS)
  • Secure, encrypted storage of passwords (your password is never stored in plain text)
  • Restricted access to personal data — only authorised personnel can access your data
  • Use of PCI-DSS compliant payment processing via Stripe
  • Regular software updates and security patches to our WordPress and WooCommerce installation

 

While we take all reasonable steps to protect your data, no transmission over the internet is entirely secure. You use our website at your own risk in this respect.

 

14. Children’s Privacy

Our website is not directed at children under the age of 13, and we do not knowingly collect personal data from children. If you believe that a child has provided us with personal data without parental consent, please contact us and we will take steps to delete such data promptly.

 

15. Third-Party Links

Our website may contain links to third-party websites. This Privacy Policy applies solely to roosma.com. We are not responsible for the privacy practices of any third-party sites. We encourage you to read the privacy policy of any website you visit.

 

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the ‘Last updated’ date at the top of this page. We encourage you to review this policy periodically.

Your continued use of our website after any changes constitutes your acceptance of the updated policy.

 

17. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

 

Company: Roosma Ltd

Company number: 16149621 (registered in England and Wales)

Address: 220 Legrams Lane, Bradford, BD7 2EH, United Kingdom

Website: roosma.com

Email: hello@roosma.com

 

You also have the right to make a complaint to the UK’s data protection supervisory authority:

 

Information Commissioner’s Office (ICO)

https://ico.org.uk

ICO Helpline: 0303 123 1113

 

 

This Privacy Policy was last reviewed and updated on 28 March 2026.

roosma.com is committed to protecting your privacy in accordance with UK GDPR and the Data Protection Act 2018.

3. Embedded Content

Pages on this site may include embedded content, like YouTube videos, for example. Embedded content from other websites behaves in the exact same way as if you visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website. Below you can find a list of the services we use:

Facebook

The Facebook page plugin is used to display our Facebook timeline on our site. Facebook has its own cookie and privacy policies over which we have no control. There is no installation of cookies from Facebook and your IP is not sent to a Facebook server until you consent to it. See their privacy policy here: Facebook Privacy Policy.

Twitter

We use the Twitter API to display our tweets timeline on our site. Twitter has its own cookie and privacy policies over which we have no control. Your IP is not sent to a Twitter server until you consent to it. See their privacy policy here: Twitter Privacy Policy.

YouTube

We use YouTube videos embedded on our site. YouTube has its own cookie and privacy policies over which we have no control. There is no installation of cookies from YouTube and your IP is not sent to a YouTube server until you consent to it. See their privacy policy here: YouTube Privacy Policy.

4. Cookies

This site uses cookies – small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics. Cookies generally exist to make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the help section of your browser.

Necessary Cookies (all site visitors)
  • __cfduid: Used by our CDN, CloudFlare, to identify individual clients behind a shared IP address and apply security settings on a per-client basis. See more information on privacy here: CloudFlare Privacy Policy.
  • PHPSESSID: To identify your unique session on the website.
Necessary Cookies (Additional for Logged in Customers)
  • wp-auth: Used by WordPress to authenticate logged-in visitors, password authentication and user verification.
  • wordpress_logged_in_{hash}: Used by WordPress to authenticate logged-in visitors, password authentication and user verification.
  • wordpress_test_cookie: Used by WordPress to ensure cookies are working correctly.
  • wp-settings-[UID]: WordPress sets a few wp-settings-[UID] cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of the admin interface, and possibly also the main site interface.
  • wp-settings-{time}-[UID]: WordPress also sets a few wp-settings-{time}-[UID] cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of the admin interface, and possibly also the main site interface.

5. Who Has Access To Your Data

If you are not a registered client for our site, there is no personal information we can retain or view regarding yourself.

If you are a client with a registered account, your personal information can be accessed by:

  • Our system administrators.
  • Our support staff, when they need information about client accounts and access in order to provide support.

6. Third Party Access to Your Data

We don’t share your data with third parties in a way that reveals any of your personal information, such as your email or name. The only exceptions to that rule are partners with whom we have to share limited data in order to provide the services you expect from us. Please see below:

Ticksy

Ticksy provides the support ticketing platform we use to handle support requests. The data they receive is limited to the data you explicitly provide and consent to being sent when you create a support ticket. Ticksy adheres to the EU/US “Privacy Shield” and you can see their privacy policy here: Ticksy Privacy Policy.

7. How Long We Retain Your Data For

When you submit a support ticket or a comment, its metadata is retained unless and until you tell us to remove it. We use this data so that we can recognize you and approve your comments automatically instead of holding them for moderation.

If you register on our website, we also store the personal information you provide in your user profile. You can see, edit, or delete your personal information at any time (except changing your username). Website administrators can also see and edit that information.

8. Security Measures

We use the SSL/HTTPS protocol throughout our site. This encrypts our user communications with the servers so that personally identifiable information is not captured/hijacked by third parties without authorization.

In case of a data breach, system administrators will immediately take all needed steps to ensure system integrity, will contact affected users and will attempt to reset passwords if needed.

9. Your Data Rights

General Rights

If you have a registered account on this website or have left comments, you can request an exported file of the personal data we retain, including any additional data you have provided to us.

You can also request that we erase any of the personal data we have stored. This does not include any data we are obliged to keep for administrative, legal, or security purposes. In short, we cannot erase data that is vital to you being an active customer (i.e. basic account information like an email address). If you ask us to erase all of your data, we will no longer be able to offer any support or other product-related services to you.

GDPR Rights

Your privacy is critically important to us. Going forward with the GDPR we aim to support the GDPR standard. ThemeREX permits residents of the European Union to use its Service. Therefore, it is the intent of ThemeREX to comply with the European General Data Protection Regulation. For more details please see here: EU GDPR Information Portal.

10. Third Party Websites

ThemeREX may post links to third party websites on this website. These third party websites are not screened for privacy or security compliance by ThemeREX, and you release us from any liability for the conduct of these third party websites.

Social media sharing links, whether displayed as text links or as social media icons, do not connect you to any of the associated third parties unless you explicitly click on them.

Please be aware that this Privacy Policy, and any other policies in place, in addition to any amendments, does not create rights enforceable by third parties or require disclosure of any personal information relating to members of the Service or Site. ThemeREX bears no responsibility for the information collected or used by any advertiser or third party website. Please review the privacy policy and terms of service for each site you visit through third party links.

11. Release of Your Data for Legal Purposes

At times it may become necessary or desirable to ThemeREX, for legal purposes, to release your information in response to a request from a government agency or a private litigant. You agree that we may disclose your information to a third party where we believe, in good faith, that it is desirable to do so for the purposes of a civil action, criminal investigation, or other legal matter. In the event that we receive a subpoena affecting your privacy, we may elect to notify you to give you an opportunity to file a motion to quash the subpoena, or we may attempt to quash it ourselves, but we are not obligated to do either. We may also proactively report you, and release your information to, third parties where we believe that it is prudent to do so for legal reasons, such as our belief that you have engaged in fraudulent activities. You release us from any damages that may arise from or relate to the release of your information to a request from law enforcement agencies or private litigants.

Any passing on of personal data for legal purposes will only be done in compliance with laws of the country you reside in.
