PRIVACY POLICY

SUKE Clothing is the data controller responsible for your personal data. If you have any questions about this policy or how we handle your data, please contact us at: privacy@suke.com

We are in the process of registering with the Information Commissioner's Office (ICO) as a data controller under the UK Data Protection Act 2018.

We collect the following categories of personal data:

• Account data: your name, email address, and a securely hashed version of your password (we use bcrypt — your password is never stored in plain text and is unreadable to us).
• Order data: your full name, delivery address (street, city, region, postcode, country), contact email, items purchased, quantities, sizes, and order totals.
• Saved bag: product identifiers, names, prices, and sizes of items you choose to save to your account between sessions.

We do not collect or store payment card data. All payment information is handled exclusively by Stripe Payments UK Ltd on their PCI-DSS compliant infrastructure. Card details never reach our servers.

We process your personal data under the following legal bases (UK GDPR Article 6):

• Contract performance (Art. 6(1)(b)): processing your orders, managing your account, and providing the services you have requested.
• Legitimate interests (Art. 6(1)(f)): saving your shopping bag across sessions for your convenience, and maintaining the security of our systems.
• Legal obligation (Art. 6(1)(c)): retaining order and financial records for six years as required by HMRC and UK tax law.

We share your data with the following third-party processors, who are contractually bound to handle it only on our behalf and in accordance with UK GDPR:

• Stripe Payments UK Ltd — payment processing. Receives your email address and order line items to facilitate checkout. Stripe Privacy Policy →
• MongoDB Atlas — cloud database hosting for your account and order data.
• Vercel Inc. — hosting and deployment of this website.

MongoDB Atlas and Vercel are US-based companies. Any transfer of personal data outside the UK to these processors is governed by Standard Contractual Clauses (SCCs) included in their data processing agreements, satisfying UK GDPR Chapter V (international transfers). This arrangement simultaneously meets the requirements of EU GDPR, CCPA (California), PIPEDA (Canada), LGPD (Brazil), and the Australian Privacy Act.

• Orders: retained for six years from the order date, as required by HMRC and UK Companies Act financial record-keeping obligations. After account deletion, order records are anonymised (personal identifiers removed) but financial data is preserved for this period.
• Account data: retained until you delete your account. You can do this at any time from your Account Settings.
• Saved bag: cleared automatically when an order is placed or when your account is deleted.

Under UK GDPR you have the following rights:

• Art. 15 — Right of access: request a copy of all personal data we hold about you. Use the "Download My Data" button in your Account Settings for instant self-service export.
• Art. 16 — Right to rectification: request correction of inaccurate data. Contact us at privacy@suke.com.
• Art. 17 — Right to erasure: request deletion of your account and personal data. Use the "Delete My Account" button in Account Settings. Note: anonymised order records are retained for the legally required six-year period.
• Art. 18 — Right to restriction: request that we restrict processing of your data in certain circumstances.
• Art. 20 — Right to portability: receive your data in a structured, machine-readable format. Use the "Download My Data" button in Account Settings — exports a JSON file.
• Art. 21 — Right to object: object to processing based on legitimate interests. Contact us at privacy@suke.com.

We will respond to all rights requests within one calendar month as required by UK GDPR Article 12.

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the UK's data protection supervisory authority:

We use one strictly necessary cookie: the NextAuth.js session cookie, which keeps you signed in to your account during your visit.

This cookie is essential for the website to function correctly and does not require your consent under the UK Privacy and Electronic Communications Regulations (PECR). It does not track you across other websites and contains no advertising or analytics data.

We do not use analytics, advertising, tracking, or any third-party cookies.

We may update this Privacy Policy from time to time. The date at the top of this page reflects the most recent revision. For material changes, we will notify registered users by email before the changes take effect.