Privacy Policy

Privacy Policy

Last updated: 25 March 2026

Who I am

I’m Andrew Seaford, a sole trader running Stitching By Andrew at https://stitching.andrew-seaford.co.uk. It’s a small shop selling cross-stitch patterns, just me running it. If anything in this policy isn’t clear, email me at sales@andrew-seaford.co.uk and I’ll sort it out.

What information I collect and why

When you place an order, I collect your name, email address, and billing address. I use that to process your order and deliver the pattern to you by email. That’s genuinely all I need it for.

You don’t need to create an account to buy. I won’t add you to a mailing list or send you promotional emails just because you made a purchase. The legal basis for processing this information is contract: I need it to fulfil the order.

Payments

Stripe and PayPal handle all payments. I never see your card details, and I don’t store any payment information on my own systems. When you check out, you’re dealing directly with those providers.

Because your payment goes through their platforms, their privacy policies apply alongside this one. Stripe’s is at https://stripe.com/gb/privacy and PayPal’s is at https://www.paypal.com/uk/legalhub/privacy-full.

Analytics

I use Google Analytics to understand how people use this site — which pages get visited, where traffic comes from, how purchases flow through the shop. It sets cookies on your device. My lawful basis for this is legitimate interests: I have a genuine need to understand how the shop is working, and using aggregated browsing data for that purpose doesn’t meaningfully intrude on your privacy.

WooCommerce, the platform the shop runs on, also shares anonymised usage data about this store with Automattic (WooCommerce’s parent company) to help them improve the software. Nothing in that data identifies individual customers. Again, the lawful basis is legitimate interests. Automattic’s privacy policy is at https://automattic.com/privacy/.

How long I keep your information

I keep order records for six years. HMRC requires that for financial records, so it’s not optional on my end. After six years, your data is deleted.

Your rights

Under UK GDPR, you have real control over your data. You can ask me for a copy of everything I hold on you, ask me to correct anything that’s wrong, or ask me to delete it. You can also ask me to put a hold on processing while something’s in dispute — for example, if you’re waiting for me to verify accuracy or deal with a deletion request — or ask me to hand your data to you in a portable format. If I’m relying on legitimate interests to process your data, you can object to that, and I’ll stop unless I have compelling grounds to continue.

One honest note on erasure: in some cases I’ll need to hold on to certain records (like order details) for the full six-year period to meet my legal obligations to HMRC. I’ll always be upfront about that if it applies.

To exercise any of these rights, email sales@andrew-seaford.co.uk. If you’re not satisfied with how I’ve handled things, you can complain to the Information Commissioner’s Office at https://ico.org.uk.

Get in touch

Questions about this policy? Email sales@andrew-seaford.co.uk.