We are experiencing some small delays in dispatch due to order volume right now.
    Spend £75 save 5% · Spend £150 save 10%

    Free UK Shipping on Orders Over £50

    Privacy Policy

    Last updated: April 2026

    1. Who We Are

    Deep Time Fossils ("we", "us", "our") operates the website deeptimefossils.co.uk and sells fossils, replicas, and related items. We are the data controller responsible for your personal data under the UK GDPR and the Data Protection Act 2018. For any data protection enquiries, contact us at james@deeptimefossils.co.uk.

    2. What We Collect

    We collect the following categories of personal data:

    • Account data: name, email address, password (stored hashed), and optional phone number.
    • Order & delivery data: billing and shipping address, items purchased, order value, and order history.
    • Payment data: handled directly by Stripe, our payment processor. We do not see or store your full card number — we only receive a transaction reference, the last 4 digits, and the card brand.
    • Communications: messages you send via our contact form, review submissions, and email correspondence.
    • Marketing preferences: whether you have opted in to our newsletter and your subscription status.
    • Technical data: IP address, browser type, device information, and pages visited, used to keep the site secure and functional.

    3. How We Use Your Data & Lawful Basis

    • To fulfil your order — processing payment, dispatching items, sending order updates, and handling returns. Lawful basis: performance of a contract.
    • To manage your account — login, order history, saved addresses, wishlist. Lawful basis: performance of a contract.
    • To send marketing emails — newsletters, promotions, and product updates. Lawful basis: your consent, which you can withdraw at any time.
    • To request reviews — sending a one-off review request after delivery. Lawful basis: legitimate interests (improving our service).
    • To meet legal obligations — keeping accounting and tax records. Lawful basis: legal obligation.
    • To prevent fraud and secure the site — abuse detection and rate-limiting. Lawful basis: legitimate interests.

    4. Who We Share Your Data With

    We never sell your personal data. We share it only with trusted service providers who help us run the business:

    • Stripe — payment processing.
    • Royal Mail and other couriers — order delivery.
    • Resend — sending transactional and marketing emails.
    • Supabase — secure hosting of our database, authentication, and file storage (servers located in the EU).
    • Cloudflare — content delivery and DDoS protection.
    • Our accountant and HMRC — to meet tax and accounting obligations.

    All processors are bound by data processing agreements and may only use your data for the purposes we instruct.

    5. International Transfers

    Some of our processors (e.g. Stripe, Resend, Cloudflare) may transfer data outside the UK/EEA. Where this happens, transfers are protected by UK-approved safeguards such as the UK International Data Transfer Addendum or Standard Contractual Clauses.

    6. Cookies

    We use a small number of essential cookies to keep you logged in, remember your basket, and maintain site security. We do not currently use third-party advertising or tracking cookies. Our cookie banner records your acknowledgement so we don't show it again. You can clear cookies at any time via your browser settings.

    7. Data Retention

    • Order and invoice records: retained for 6 years after the order date, as required by HMRC.
    • Account data: retained while your account is active. You can request deletion at any time (see section 8).
    • Newsletter subscriptions: retained until you unsubscribe.
    • Contact form messages: retained for up to 2 years to handle follow-up queries.

    8. Your Rights Under UK GDPR

    You have the right to:

    • Access the personal data we hold about you.
    • Request correction of inaccurate data.
    • Request erasure ("right to be forgotten"), subject to our legal obligation to keep order records.
    • Restrict or object to processing.
    • Receive your data in a portable format.
    • Withdraw consent for marketing at any time — click "unsubscribe" in any email or email us.

    To exercise any of these rights, email james@deeptimefossils.co.uk. We aim to respond within 30 days.

    9. Complaints

    If you are unhappy with how we handle your data, please contact us first so we can put it right. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

    10. Changes to This Policy

    We may update this policy from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be notified to account holders by email.

    11. Contact

    Deep Time Fossils
    Email: james@deeptimefossils.co.uk

    We use essential cookies to run this site. With your consent we may add analytics later. See our Cookie Policy · Privacy · Terms.