Privacy Policy
Last updated: January 2025
1. Who We Are
BRM Jewellery Ltd ("BRM", "we", "us", "our") is a company registered in England and Wales. Our registered address is Hatton Garden, London, EC1N 8HN. We operate the website brmjewellery.com.
For questions about this policy, contact us at: privacy@brmjewellery.co.uk
2. Data We Collect
We collect the following personal data when you use our website:
- Account data: name, email address, password (hashed), and optionally a phone number when you create an account.
- Order data: delivery address, payment method (not card numbers), and order history.
- Enquiry data: name, contact details, and messages submitted via contact or bespoke forms.
- Newsletter data: email address when you subscribe.
- Technical data: IP address, browser type, and pages visited, collected automatically via server logs.
3. How We Use Your Data
- To process and fulfil your orders, including sending invoices and tracking updates.
- To respond to enquiries and bespoke commission requests.
- To send transactional emails (order confirmations, shipping notifications).
- To send marketing emails if you have opted in (you may unsubscribe at any time).
- To improve our website and customer experience.
- To comply with our legal obligations under UK law.
4. Legal Basis for Processing
We process your data under the following legal bases as defined by the UK GDPR:
- Contract: processing necessary to fulfil orders you have placed.
- Legitimate interests: fraud prevention, security, and improving our services.
- Consent: marketing communications (you may withdraw consent at any time).
- Legal obligation: retaining financial records as required by HMRC.
5. Data Sharing
We do not sell your personal data. We share data only with trusted third parties where necessary:
- Payment processors: PayPal, Klarna, Afterpay/Clearpay — who process payments on our behalf.
- Courier services: DHL, FedEx, Royal Mail — to fulfil deliveries.
- Email provider: for transactional and marketing emails.
All third parties are contractually required to protect your data in accordance with UK GDPR.
6. Data Retention
We retain your data for as long as necessary:
- Account data: for the life of your account plus 2 years after deletion.
- Order records: 7 years (HMRC requirement).
- Marketing consent: until you unsubscribe.
- Enquiry data: 2 years from submission.
7. Your Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure ("right to be forgotten").
- Object to processing or request restriction.
- Receive your data in a structured format (data portability).
- Withdraw consent for marketing at any time.
To exercise any right, contact us at privacy@brmjewellery.co.uk. We will respond within 30 days.
8. Cookies
We use only essential cookies required for the website to function (session management, cart persistence). We do not use tracking or advertising cookies. No third-party analytics scripts are loaded without your consent.
9. Security
We use industry-standard security measures including SSL/TLS encryption, hashed passwords, and access controls. Payment card data is never stored on our servers — all card processing is handled by PCI-DSS compliant providers.
10. Changes to This Policy
We may update this policy periodically. Significant changes will be communicated by email to registered account holders. The "last updated" date at the top of this page reflects the most recent revision.
11. Complaints
If you are unhappy with how we handle your data, you have the right to complain to the UK's data protection authority, the Information Commissioner's Office (ICO) at ico.org.uk.