Order tracking
Moyses Stevens

Privacy policy

How we look after your information

Last updated May 2026

This policy covers how Moyses Stevens Flowers Ltd collects, uses and protects the personal information you share when you visit our website, place an order, sign up for an account, or contact us. We have tried to write it the way we would want a privacy policy written for us: clearly, specifically, and without legal hedging.

If anything below is unclear, or you want to know something we have not covered, write to gdpr@moysesflowers.co.uk and we will get back to you.

What we collect, and why

We only collect information we genuinely need. The categories we hold are:

  • Order details. Your name, billing address, the recipient’s name and address, your email, your phone number, any card message and any delivery instructions. We need these to take and fulfil your order, and to contact you if something goes wrong.
  • Account details. If you choose to register an account: the email and password you set, and any addresses or preferences you save. You can delete your account at any time.
  • Payment information. When you pay, your card details go directly from your browser to our payment processor. We never see or store your full card number ourselves. We only retain the last four digits and the card type so you can identify the card on later orders.
  • Loyalty programme data. If you join Garden Society: your points balance, tier, badges earned, referral activity, and your spending history with us. This lives in our own database so we can reward you properly.
  • Browsing information. Pages visited, products viewed, what is in your basket, device and browser type, approximate location from your IP address. We use this to make the site work (you stay logged in, your basket persists between visits) and to understand which parts of the site are useful.
  • Marketing preferences. Whether you have asked to hear from us, and what you have unsubscribed from. We never assume consent.
  • Calls and emails. When you contact us, we keep a record of the conversation so we can help and so colleagues can pick up where the last one left off.

Who we share it with

We do not sell your data. We share it only with the companies we use to actually run the business, and only what each one needs. The current list is:

  • Shopify. Our e-commerce platform. It hosts the store, processes payments, handles checkout, and stores order and customer records. Shopify International is based in Ireland and Canada and is GDPR-compliant.
  • Resend. Sends our transactional emails — order confirmations, delivery notifications, subscription renewal reminders, password resets. Based in the United States, GDPR-compliant.
  • Neon. Our database provider for the loyalty programme, email preferences, and operational records. EU-hosted.
  • Awin. If you arrive at our site via an affiliate or partner link, Awin tracks the referral and we send them an anonymised confirmation when the order completes. Awin is UK-based.
  • Courier partners. Including DPD UK and other delivery providers we work with to get your order to the right address. They receive only what they need to deliver: name, address, phone number for delivery contact.
  • HMRC and law enforcement. Where we are legally required to share information, such as for tax records or in response to a valid legal request.

We do not share your information with anyone else for their own marketing purposes. We do not pass your email or phone number to other retailers.

Cookies and tracking

We use a small number of cookies, each for a specific reason:

  • Cart and session. Keep your basket and your login active as you move around the site. Without these the site does not work.
  • Awin affiliate cookie. Set when you arrive via a partner link, so the right affiliate is credited if you order. Expires after 90 days.
  • Referral cookie. Set if you arrive via a friend’s referral code, so both of you get the reward when you order. Expires after 90 days.
  • Analytics. Tells us anonymously which pages and products are most visited. We never link this to you personally.

You can clear cookies any time through your browser settings. If you do, you will need to sign in again and any affiliate or referral credit will be lost.

Your rights

Under UK and EU data protection law you have the following rights, all of which we will respect without delay:

  • Access. Ask us what information we hold about you and we will send you a copy.
  • Correction. Ask us to correct anything that is wrong.
  • Erasure. Ask us to delete your data. Some records (tax, fraud prevention) we may have to keep for legal reasons, but we will remove anything we are not required to retain.
  • Portability. Ask us to send your data to you, or to another company you have chosen, in a structured format.
  • Objection. Tell us to stop using your information for marketing, or for any specific purpose, and we will stop.
  • Withdrawal of consent. Where we relied on your consent (such as marketing emails), you can withdraw it at any time.

You can exercise any of these by emailing gdpr@moysesflowers.co.uk. We aim to respond within five working days and complete requests within thirty.

How long we keep it

Order records: seven years, because HMRC requires us to keep them for tax purposes.

Account records: as long as your account is active. If you delete your account we remove your personal details and keep only what is required for the order records above.

Marketing data: until you unsubscribe.

Loyalty programme data: as long as the programme is active and you are a member. Points themselves expire eighteen months after they are earned, but the underlying record stays with your account until you close it.

Cookies: each has its own expiry, listed above.

Security

We follow current best practice for protecting your data: TLS encryption on every page, password hashing on accounts, two-factor authentication on internal systems, and regular access reviews. Our payment processor is PCI-DSS certified so card details are handled to the strictest industry standard.

If a breach were ever to occur that affected your information, we would tell you and the Information Commissioner’s Office within seventy-two hours, as the law requires.

Children

Our products and services are not directed at children under sixteen, and we do not knowingly collect data from anyone in that age group. If you believe a child has provided us with personal information, please get in touch and we will remove it.

Complaints

If you are unhappy with how we have handled your data, please raise it with us first — we will always try to put it right. If you remain unhappy, you have the right to complain to the Information Commissioner’s Office at ico.org.uk.

Updates to this policy

If we make a meaningful change to how we handle your data, we will update this page and note the new date at the top. For significant changes we will also tell you by email if you have given us one.

Contact

Moyses Stevens Flowers Ltd
53 Elizabeth Street, London, SW1W 9PP
Company registered in England & Wales: 07906162
VAT: 128 444 511

Privacy: gdpr@moysesflowers.co.uk
General: info@moysesflowers.co.uk
Phone: 020 8772 0094

Privacy policy | Moyses Stevens · Moyses Stevens