Privacy Policy
Last updated: 3 July 2026
Page title: Privacy Policy · Shopify slug: privacy-policy
At NOVIRA ("we", "us", "our"), the responsible handling of your personal data is something we take very seriously. This Privacy Policy explains in clear and accessible terms what personal data we gather, the purposes it serves and how we look after it. The applicable legal frameworks are the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller within the meaning of the UK GDPR is the operator of the website novira.com. Any enquiries about this policy or about the way your personal data is handled may be sent to contact@novira.com. Full provider details are available in our Legal Notice.
2. Types of Data We Process
In connection with an order or a contact enquiry, we may process the following categories of data:
- First name, surname and email address
- Delivery and billing address
- Telephone number (optional — used exclusively for delivery status notifications)
- Payment details (managed securely by our payment partners — card information is never stored by us)
- Your order and purchase history
- Technical data relating to your device and browsing behaviour (IP address, browser type, pages visited)
3. Purposes of Processing and Legal Bases
- Handling your order — name, address, email and payment details are required to fulfil the sales agreement concluded with you (Art. 6(1)(b) UK GDPR).
- Buyer correspondence — including order confirmations, dispatch notifications and customer service replies (Art. 6(1)(b) UK GDPR).
- Enhancing our shop — usage data enables us to improve our website on a continuous basis (Art. 6(1)(f) UK GDPR — legitimate interest).
- Compliance with legal duties — business records are stored in line with applicable UK tax and commercial legislation (Art. 6(1)(c) UK GDPR).
4. Payment Processing
All payments are handled by our accredited partners — including Stripe, PayPal, Klarna and Viva Wallet — each of which holds PCI DSS Level 1 certification. Card credentials are entered directly in their protected environments; the full card number, security code and expiry date are never seen or stored by NOVIRA.
5. Data Retention Period
Order data is held for between 6 and 10 years in accordance with UK tax and accounting law — in particular HMRC requirements and the Companies Act 2006. Marketing preferences are retained until you choose to opt out. Any data no longer needed for its original purpose is deleted or anonymised promptly.
6. Recipients of the Data
Personal data is disclosed to third parties only to the extent required to fulfil your order:
- Shipping providers (e.g. Royal Mail, DHL, DPD, Evri, UPS) for the delivery of your goods
- Payment partners for the secure processing of transactions
- Email service providers for transactional communications
- Hosting companies for the technical running of the website
- Accountants and legal advisers, where required to fulfil statutory obligations
Appropriate data processing agreements have been concluded with all processors in accordance with Art. 28 UK GDPR.
7. Data Transfers to Third Countries
Personal data is transferred to countries outside the United Kingdom or the European Economic Area (EEA) only where an adequacy decision is in place, or where suitable safeguards — such as the Standard Contractual Clauses approved by the UK or EU Commission — are operative pursuant to Art. 45 ff. UK GDPR.
8. Cookies and Tracking
Our website makes use of cookies and comparable tracking technologies. Full details are provided in our Cookie Policy. Non-essential cookies may be declined or adjusted at any time through the cookie banner or your browser preferences.
9. Your Rights as a Data Subject
You are entitled to the following rights regarding your personal data:
- Right of access (Art. 15 UK GDPR) — you may ask what data we hold about you
- Right to rectification (Art. 16 UK GDPR) — inaccurate data may be corrected
- Right to erasure (Art. 17 UK GDPR) — where no statutory retention requirement applies
- Right to restriction of processing (Art. 18 UK GDPR)
- Right to data portability (Art. 20 UK GDPR)
- Right to object (Art. 21 UK GDPR) — to processing on the grounds of legitimate interest
- Right to withdraw consent at any time (Art. 7(3) UK GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 UK GDPR)
To exercise any of the above, simply send a short message to contact@novira.com.
10. Security of Your Data
We maintain appropriate technical and organisational safeguards to protect your personal data from unauthorised access, loss or misuse. These include SSL/TLS encryption, secured server environments, tightly controlled access rights and scheduled security reviews.
11. Automated Decision-Making
We do not carry out automated decision-making or profiling within the meaning of Art. 22 UK GDPR.
12. Right to Complain
If you believe that our processing of your personal data infringes the UK GDPR, you have the right to raise a complaint with a supervisory authority — in particular the Information Commissioner's Office (ICO) in the United Kingdom (www.ico.org.uk), or with any supervisory authority in the EU member state where you are habitually resident, where you work, or where the alleged infringement took place.
13. Updates to This Policy
We may revise this Privacy Policy from time to time to reflect legislative changes or developments in our business. The version currently in force is always available on this page.