Data Privacy Policy

1. Overview and Scope

This Privacy Policy applies to the internal IT dispatch services operated by Codsall & Wergs Garden Centre. We act as a Data Processor for the transactional data (e.g., POS receipts, table bookings) generated by our primary physical and digital operations.

2. Data We Process

To facilitate instantaneous transactional delivery, our APIs process:

• Routing Information: Email addresses provided explicitly at checkout or booking.
• Transactional Payloads: Content of digital receipts (items purchased) or reservation details.
• Telemetry Data: IP addresses of initiating servers, timestamps, and delivery success/bounce statuses.

3. Strict Data Retention Limits

We do not store transactional payloads indefinitely. Our infrastructure is configured to comply with the principle of data minimization:

• Message bodies (containing receipt data or booking PII) are purged from our MTA queues immediately upon successful delivery, or after 72 hours in case of retries.
• Anonymized delivery metadata (bounces, opens for SLA tracking) is retained for 90 days for technical audit purposes.

4. Third-Party Infrastructure Sub-Processors

We do not sell data. We only share necessary routing information with vetted Tier-1 Infrastructure Providers (e.g., Mailgun/Sinch, AWS) purely for the purpose of ensuring high-deliverability of our system alerts. These providers are strictly bound by Data Processing Agreements (DPA) under UK GDPR.

5. Contact Information

For data subject requests (DSAR) or privacy concerns related to our system operations, please contact the IT Operations Privacy Officer.