Last updated: April 15, 2026
1. Data Controller
The data controller responsible for your personal data is:
Digital Florists Ltd
7 Booker Avenue, Liverpool, England, L18 4QY
Company number: 15423324
Email:
ICO registration reference: ZB653672
We have not appointed a Data Protection Officer as we are a small business that does not carry out large-scale processing of special category data. For all data protection enquiries, please contact us at the email address above.
2. Introduction
Digital Florists Ltd ("we," "our," or "us") operates the Florist Toolbox service. We are committed to protecting your privacy. This Privacy Policy outlines how we collect, use, disclose, and safeguard your information in accordance with UK GDPR and applicable data protection laws.
3. Information We Collect
We may collect and process the following types of personal information:
- Identity and contact details (e.g. name, email address)
- Account credentials and profile data
- Billing and payment information (processed by Stripe)
- Business or professional information (e.g. florist type, company name, website)
- Technical data such as IP address, browser type, device information, and usage activity
- Session replay data including mouse movements, clicks, scrolls, and page interactions (collected via Microsoft Clarity)
- In-app feedback responses (e.g. exit survey answers about your experience)
- Referral and affiliate tracking data including referral codes and conversion information
- Association membership data including membership codes redeemed and the name of the partner association (e.g. British Florist Association, Institute of Flowers Ireland)
Providing your identity, contact, and billing data is necessary to enter into and perform your subscription contract. If you do not provide this data, we cannot provide the Service.
4. How We Use Your Information and Our Lawful Basis
We process your personal data for the following purposes, each with a stated lawful basis under UK GDPR Article 6(1):
| Purpose | Lawful Basis |
|---|---|
| To operate and maintain the Service, process transactions, and manage your account | Performance of a contract |
| To communicate with you about service updates | Performance of a contract |
| To send marketing communications | Consent (you can withdraw at any time) |
| To improve and optimise our Service through analytics, session replay, and user experience research | Legitimate interest (improving usability and service quality) |
| To collect in-app feedback (exit surveys) | Legitimate interest (understanding user needs) |
| To operate our affiliate and referral programs and calculate commissions | Legitimate interest (operating partner programs) |
| To verify and manage association membership access granted via partner organisations | Consent (given when you redeem a membership code) |
| To share your name, company name, and email with the partner association for membership verification | Consent (given when you redeem a membership code; you can withdraw by contacting us, however we will no longer be able to verify your eligibility and your access to member tools on Florist Toolbox will be removed) |
| To comply with legal obligations | Legal obligation |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights. Our legitimate interests include improving service usability, preventing fraud, operating analytics, and managing partner programs.
5. Third-Party Services and Data Sharing
We share your personal data with the following third-party processors:
| Processor | Purpose | Country | Transfer Safeguard |
|---|---|---|---|
| Stripe | Payment processing, billing, and subscription management | United States | UK-US Data Bridge |
| Microsoft Clarity | Session replay, heatmaps, and behavioural analytics linked to your account for UX improvement. See Microsoft's Privacy Statement. | United States | UK-US Data Bridge |
| Google Analytics | Website traffic analysis and usage statistics | United States | UK-US Data Bridge |
| Fathom Analytics | Privacy-focused website analytics and event tracking. All data processed on EU servers via EU isolation. | European Union | EU adequacy decision (no international transfer) |
| Refgrow | Affiliate tracking, referral attribution, and commission calculations. Email and user ID may be shared. | United States | UK-US Data Bridge |
| Meta (Facebook Pixel) | Advertising conversion tracking and attribution | United States | UK-US Data Bridge |
| LinkedIn (Insight Tag) | Advertising conversion tracking | United States | UK-US Data Bridge |
| Ahrefs | SEO and web analytics | Singapore | Standard contractual clauses |
| Loops.so | Transactional email, lifecycle email campaigns, and engagement tracking | United States | UK-US Data Bridge |
If you redeem an association membership code, we may share your name, company name, and email address with the partner association that issued the code. This may happen at the point of redemption and periodically thereafter as part of a member list provided to the association for verifying membership eligibility. We will not share any other personal data, tool usage data, or business data with partner associations.
We may also share data with hosting providers, content delivery networks, and caching services as necessary to operate the Service. You may request a copy of the relevant transfer safeguards by contacting us.
6. Cookies and Tracking Technologies
We use cookies and similar technologies to analyse traffic and enhance your experience. This includes:
- Essential cookies - Required for website functionality and security (e.g. session authentication, CSRF protection)
- Analytics cookies - To understand how visitors use our site, including cookies set by Microsoft Clarity (_clck, _clsk) for session replay and behavioural analytics, and Google Analytics (_ga, _gid) for usage statistics
- Advertising cookies - Set by Meta Pixel and LinkedIn Insight Tag for ad conversion tracking
- Referral tracking cookies - To track affiliate referrals and attribute conversions correctly (including cookies set by Refgrow)
For detailed information about the cookies we use, including names, purposes, and durations, please refer to our Cookie Policy.
7. Affiliate and Referral Program
If you participate in or are referred through our affiliate program:
- We store referral codes in cookies and your browser's local storage
- Your email address and user ID may be shared with Refgrow for tracking purposes
- We track your referral activity and conversion events
- This data is used to calculate and distribute commissions to referring partners
If you are a referred user, your referral data originates from the referring partner and Refgrow's tracking system.
8. Data Security
We use technical and organisational measures to protect your personal data, including encryption in transit (TLS), access controls, and regular security reviews. However, no system is completely secure, and we cannot guarantee the absolute security of your data.
9. Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account and profile data | Until you delete your account, then removed within 30 days |
| Arrangements, flowers, sundries, and business data | Until you delete your account, then removed within 30 days |
| Billing and payment records | 7 years after last transaction (legal obligation for tax records) |
| User activity logs and analytics | 12 months, then deleted or anonymised |
| Exit survey responses | 12 months, then deleted or anonymised |
| Session replay data (Microsoft Clarity) | 30 days (retained by Microsoft) |
| Referral tracking data | Up to 3 months after account creation |
10. Your Rights
Under UK data protection laws, you have the right to:
- Access the personal data we hold about you
- Rectification - request correction of inaccurate data
- Erasure - request deletion of your data ("right to be forgotten")
- Restriction - request we restrict certain processing
- Data portability - request a copy of your data in a structured, commonly used, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent where processing is based on consent. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
Exercising these rights is free of charge. We will respond to your request within one month. In complex cases, we may extend this by up to two further months, and we will inform you if this is the case.
To exercise any of these rights, contact us at:
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: ico.org.uk
11. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you.
12. Updates to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "last updated" date and, where appropriate, notify you of any significant changes.