Privacy Policy
Last updated: 16 February 2026
Element & Oak is a trading name of James AG Smith Consulting Ltd, registered in England & Wales.
Registered address: 10 Turnbrook Close, Irthlingborough, Wellingborough, Northamptonshire, NN9 5GB.
Website: https://elementandoak.co.uk
Privacy contact: sales@elementandoak.co.uk
1. Who We Are
James AG Smith Consulting Ltd (“we”, “us”, “our”) is the Data Controller responsible for handling personal information collected through the Element & Oak website, checkout, email forms, events, and any interactions with our brand.
If you are unhappy with how we handle your data, you have the right to contact the UK regulator, the Information Commissioner’s Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
2. The Data We Collect and Why
We only collect data necessary for providing our services, operating our store, and complying with UK law. The table below explains what we collect, why, and the lawful basis we rely on.
| Purpose | Data Collected | Lawful Basis | Notes |
|---|---|---|---|
| Website operation & security | IP address, browser/device info, security logs | Legitimate interests | To run a secure and functional website. |
| Customer accounts | Name, email, hashed password | Contract | To create and maintain your account. |
| Order processing & fulfilment | Billing/delivery address, contact details, orders | Contract | Required to deliver your purchase. |
| Payments (PayPal & future Stripe use) | Tokenised payment IDs, billing info | Contract + Legitimate interests | We never store full card numbers or CVVs. |
| Customer service | Messages, order history, attachments | Legitimate interests | To respond to enquiries and support requests. |
| Legal & financial compliance | Invoices, order records, refund data | Legal obligation | Required for accounting and HMRC compliance. |
| Email communications | Name, email, order details | Contract | Sent via GoDaddy or HubSpot. |
| Marketing emails | Email, name, purchase history | Consent or soft opt‑in | Only for similar products; always includes opt-out. |
| Analytics & performance | Site usage data | Consent | Set only after cookie consent. |
| Future SMS marketing | Phone number (if provided) | Consent | SMS is optional and strictly opt-in only. |
3. Where We Get Data From
- Directly from you (checkout, forms, enquiries)
- Device/browser information
- Trusted processors such as PayPal, HubSpot, and security tools
4. Who We Share Data With
We share data only with trusted service providers who help us operate our business:
- PayPal (current payment processor)
- Stripe (may be used in future)
- GoDaddy (email sending)
- HubSpot (email + CRM)
- WooCommerce (store management)
- Delivery couriers (to fulfil your order)
- Hosting, security & anti‑fraud providers
We require all processors to follow UK GDPR rules and act only on our instructions.
5. International Transfers
Some service providers may process data outside the UK. Where this happens, we use legally approved mechanisms such as:
- The UK–US Data Bridge (for certified US organisations)
- The UK International Data Transfer Agreement (IDTA)
- The SCC Addendum + Transfer Risk Assessment (TRA)
6. Cookies
For full details about the cookies we use and your options, please see our https://elementandoak.co.uk/cookie-policy/Cookie Policy.
We use cookies to operate our store and understand how customers use our site. Non‑essential cookies (analytics, marketing) are only used with your consent.
Your options will appear in our cookie banner:
- Accept all
- Reject all
- Manage preferences
A full list of cookies is available in our Cookie Policy.
7. Marketing Communications
You will only receive marketing emails if you:
- have given us explicit consent, or
- purchased from us before and did not opt-out (soft opt‑in)
Every email includes a clear “unsubscribe” link. SMS marketing (if launched) will require separate opt‑in consent.
8. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Order & invoice records | 6 years (tax & accounting) |
| Customer service messages | Up to 24 months |
| Marketing subscriptions | Until you unsubscribe or after inactivity review |
| Security logs | Up to 12 months |
9. Your Rights
You have the right to request:
- Access to your data
- Correction of inaccurate data
- Deletion of your data
- Restriction of processing
- Objection to marketing
- Data portability
If you submit a request, we may need to confirm your identity before acting on it.
10. Children’s Information
Our products and website are not intended for children under 18. We do not knowingly collect or profile children’s data.
11. Complaints
You can contact us at: [insert privacy email].
If you are not satisfied, you can complain to the ICO (details above).
12. Changes to This Policy
We may update this Privacy Policy occasionally. The “Last Updated” date at the top of the page will always show the latest version.