Privacy policy
This Privacy Policy describes how the site collects, uses, and discloses your Personal Information when you visit or make a purchase from the site.
Contact
After reviewing this policy, if you have additional questions, want more information about our privacy practices, or would like to make a complaint, please contact us by e-mail at shop@best4trade.co.uk or by mail using the details provided below:
Costwise Limited, Costwise Group Merrivale Road, Exeter Road Industrial Estate, Okehampton EX20 1UD, United Kingdom
Collecting Personal Information
When you visit the Site, we collect certain information about your device, your interaction with the Site, and information necessary to process your purchases. We may also collect additional information if you contact us for customer support. In this Privacy Policy, we refer to any information about an identifiable individual (including the information below) as “Personal Information”. See the list below for more information about what Personal Information we collect and why.
- Device information
- Purpose of collection: to load the Site accurately for you, and to perform analytics on Site usage to optimize our Site.
- Source of collection: Collected automatically when you access our Site using cookies, log files, web beacons, tags, or pixels.
- Disclosure for a business purpose: shared with our processor Shopify.
- Personal Information collected: version of web browser, IP address, time zone, cookie information, what sites or products you view, search terms, and how you interact with the Site.
- Order information
- Purpose of collection: to provide products or services to you to fulfill our contract, to process your payment information, arrange for shipping, and provide you with invoices and/or order confirmations, communicate with you, screen our orders for potential risk or fraud, and when in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
- Source of collection: collected from you.
- Disclosure for a business purpose: shared with our processor Shopify, order management system Linnworks, internal service software for post order customer service and relevant postage courier.
- Personal Information collected: name, billing address, shipping address, payment information (including credit/debit card numbers, email address, and phone number.
Sharing Personal Information
We share your Personal Information with service providers to help us provide our services and fulfill our contracts with you, as described above. For example:
- We use Shopify to power our online store. You can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy.
- We may share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
- We share your name, address, and order details with our fulfilment partner(s) solely for the purpose of delivering your order.
Behavioural Advertising
As described above, we may use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For example:
- We may use Google Analytics to help us understand how our customers use the Site. You can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
- We may use Shopify Audiences to help us show ads on other websites with our advertising partners to buyers who made purchases with other Shopify merchants and who may also be interested in what we have to offer. We also share information about your use of the Site, your purchases, and the email address associated with your purchases with Shopify Audiences, through which other Shopify merchants may make offers you may be interested in.
For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at https://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by
- FACEBOOK - https://www.facebook.com/settings/?tab=ads
- GOOGLE - https://www.google.com/settings/ads/anonymous
- BING - https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads]
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: https://optout.aboutads.info/.
Using Personal Information
We use your personal Information to provide our services to you, which includes: offering products for sale, processing payments, shipping and fulfillment of your order, and keeping you up to date on new products, services, and offers.
Lawful basis
Pursuant to the General Data Protection Regulation (“GDPR”), if you are a resident of the European Economic Area (“EEA”), we process your personal information under the following lawful bases:
- Your consent;
- The performance of the contract between you and the Site;
- Compliance with our legal obligations;
- To protect your vital interests;
- To perform a task carried out in the public interest;
- For our legitimate interests, which do not override your fundamental rights and freedoms.
Retention
When you place an order through the Site, we will retain your Personal Information for our records unless and until you ask us to erase this information. For more information on your right of erasure, please see the ‘Your rights’ section below.
Automatic decision-making
If you are a resident of the EEA, you have the right to object to processing based solely on automated decision-making (which includes profiling), when that decision-making has a legal effect on you or otherwise significantly affects you.
Our processor Shopify uses limited automated decision-making to prevent fraud that does not have a legal or otherwise significant effect on you.
Services that include elements of automated decision-making include:
- Temporary blacklist of IP addresses associated with repeated failed transactions. This blacklist persists for a small number of hours.
- Temporary blacklist of credit cards associated with blacklisted IP addresses. This blacklist persists for a small number of days.
Your rights
GDPR
If you are a resident of the EEA, you have the right to access the Personal Information we hold about you, to port it to a new service, and to ask that your Personal Information be corrected, updated, or erased. If you would like to exercise these rights, please contact us through the contact information above.
Your Personal Information will be initially processed in Ireland and then will be transferred outside of Europe for storage and further processing, including to Canada and the United States. For more information on how data transfers comply with the GDPR, see Shopify’s GDPR Whitepaper: https://help.shopify.com/en/manual/your-account/privacy/GDPR.
Cookies
A cookie is a small amount of information that’s downloaded to your computer or device when you visit our Site. We use a number of different cookies, including functional, performance, advertising, and social media or content cookies. Cookies make your browsing experience better by allowing the website to remember your actions and preferences (such as login and region selection). This means you don’t have to re-enter this information each time you return to the site or browse from one page to another. Cookies also provide information on how people use the website, for instance whether it’s their first time visiting or if they are a frequent visitor.
We use the following cookies to optimize your experience on our Site and to provide our services.
[Be sure to check this list against Shopify’s current list of cookies on the merchant storefront: https://www.shopify.com/legal/cookies ]
Cookies Necessary for the Functioning of the Store
| Name | Function | Duration |
|---|---|---|
| _ab | Used in connection with access to admin. | 2y |
| _secure_session_id | Used in connection with navigation through a storefront. | 24h |
| _shopify_country | Used in connection with checkout. | session |
| _shopify_m | Used for managing customer privacy settings. | 1y |
| _shopify_tm | Used for managing customer privacy settings. | 30min |
| _shopify_tw | Used for managing customer privacy settings. | 2w |
| _storefront_u | Used to facilitate updating customer account information. | 1min |
| _tracking_consent | Tracking preferences. | 1y |
| c | Used in connection with checkout. | 1y |
| cart | Used in connection with shopping cart. | 2w |
| cart_currency | Used in connection with shopping cart. | 2w |
| cart_sig | Used in connection with checkout. | 2w |
| cart_ts | Used in connection with checkout. | 2w |
| cart_ver | Used in connection with shopping cart. | 2w |
| checkout | Used in connection with checkout. | 4w |
| checkout_token | Used in connection with checkout. | 1y |
| dynamic_checkout_shown_on_cart | Used in connection with checkout. | 30min |
| hide_shopify_pay_for_checkout | Used in connection with checkout. | session |
| keep_alive | Used in connection with buyer localization. | 2w |
| master_device_id | Used in connection with merchant login. | 2y |
| previous_step | Used in connection with checkout. | 1y |
| remember_me | Used in connection with checkout. | 1y |
| secure_customer_sig | Used in connection with customer login. | 20y |
| shopify_pay | Used in connection with checkout. | 1y |
| shopify_pay_redirect | Used in connection with checkout. | 30 minutes, 3w or 1y depending on value |
| storefront_digest | Used in connection with customer login. | 2y |
| tracked_start_checkout | Used in connection with checkout. | 1y |
| checkout_one_experiment | Used in connection with checkout. | session |
| checkout_session_lookup | Used in connection with checkout. | 3w |
| checkout_session_token_<<token>> | Used in connection with checkout. | 3w |
| identity-state | Used in connection with customer authentication. | 24h |
| identity-state-<<token>> | Used in connection with customer authentication. | 24h |
| identity_customer_account_number | Used in connection with customer authentication. | 12w |
Reporting and Analytics
| Name | Function | Duration |
|---|---|---|
| _landing_page | Track landing pages. | 2w |
| _orig_referrer | Track landing pages. | 2w |
| _s | Shopify analytics. | 30min |
| _shopify_d | Shopify analytics. | session |
| _shopify_s | Shopify analytics. | 30min |
| _shopify_sa_p | Shopify analytics relating to marketing & referrals. | 30min |
| _shopify_sa_t | Shopify analytics relating to marketing & referrals. | 30min |
| _shopify_y | Shopify analytics. | 1y |
| _y | Shopify analytics. | 1y |
| _shopify_evids | Shopify analytics. | session |
| _shopify_ga | Shopify and Google Analytics. | session |
| customer_auth_provider | Shopify analytics. | session |
| customer_auth_session_created_at | Shopify analytics. | session |
The length of time that a cookie remains on your computer or mobile device depends on whether it is a “persistent” or “session” cookie. Session cookies last until you stop browsing and persistent cookies last until they expire or are deleted. Most of the cookies we use are persistent and will expire between 30 minutes and two years from the date they are downloaded to your device.
You can control and manage cookies in various ways. Please keep in mind that removing or blocking cookies can negatively impact your user experience and parts of our website may no longer be fully accessible.
Most browsers automatically accept cookies, but you can choose whether or not to accept cookies through your browser controls, often found in your browser’s “Tools” or “Preferences” menu. For more information on how to modify your browser settings or how to block, manage or filter cookies can be found in your browser’s help file or through such sites as: www.allaboutcookies.org.
Additionally, please note that blocking cookies may not completely prevent how we share information with third parties such as our advertising partners. To exercise your rights or opt-out of certain uses of your information by these parties, please follow the instructions in the “Behavioural Advertising” section above.
Do Not Track
Please note that because there is no consistent industry understanding of how to respond to “Do Not Track” signals, we do not alter our data collection and usage practices when we detect such a signal from your browser.
Changes
We may update this Privacy Policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal, or regulatory reasons.
Complaints
As noted above, if you would like to make a complaint, please contact us by e-mail or by mail using the details provided under “Contact” above.
If you are not satisfied with our response to your complaint, you have the right to lodge your complaint with the relevant data protection authority. You can contact your local data protection authority, or our supervisory authority here: https://ico.org.uk/make-a-complaint/]
Privacy policy relating to B2B orders, specifically dropshipping orders:
UK GDPR and the Data Protection Act 2018
As a UK online business, we are legally required to follow data protection laws when collecting, storing and using personal data.
Dropshipping must comply with UK data protection laws, even though you don’t physically handle the product. You do handle personal data which makes your business legally responsible as a data controller. As a dropshipper, the data that you are typically collecting includes: Customer name, Email address, Shipping address, Phone number (sometimes), Payment info (via a third-party processor). Even though you're passing this on to a supplier (the dropshipper), it still counts as personal data collection, and you are responsible for how it's handled.
1. As a dropshipper, you are the “Data Controller”. You decide what customer data is collected and who you send it to (e.g. suppliers, delivery services, email platforms). That makes you the data controller under UK GDPR.
We are your supplier and tools like Shopify or email platforms are typically considered to be the data processors. Your duties as a controller: Be transparent (have a privacy policy), choose trustworthy processors, respond to user data requests, keep data secure
2. You Must Disclose Third-Party Sharing. Your privacy policy must explain that customer data is shared with third parties (like your supplier) for the purpose of fulfilling orders. For Example: “We share your name, address, and order details with our fulfilment partner(s) solely for the purpose of delivering your order.”
3. You Need a Privacy Policy. Your website must clearly state: what personal data you collect, why you collect it (e.g. order processing), who you share it with (suppliers, email tools), how users can access, correct, or delete their data and contact details for data protection queries
4. Cookie Consent Is Still Required. If your site uses: Analytics tools (Google Analytics, etc.), advertising pixels (Meta/Facebook, TikTok, etc.), session trackers or pop-ups. Then you need a cookie banner and a cookie policy, and users must be able to opt in or out.
5. Register with the ICO. If you're processing personal data as a business, you may need to register with the ICO (UK’s data authority) and pay the annual fee. You can check if you are eligible to pay the fee via the ICO website.
6. Choose Trusted Suppliers. You must ensure your dropshipping supplier handles data responsibly. If they mishandle customer information (e.g. share it or lose it), your business could still be held liable. Our terms as a dropshipping supplier are outlined below.
Data Processing Agreement (DPA) – Terms Between Supplier and Dropshipper:
Please read these terms and conditions carefully, these terms and conditions form part of our Data Processing Agreement (DPA) between us and the dropshipper.
This Data Processing Agreement forms a legally binding part of the terms between us (‘Processor’) and the Dropshipper (‘Controller’). By continuing to use our services, you accept and agree to be bound by the terms of this DPA. By using our website as a dropshipping platform, establishing a direct integration with our order management systems, and/or utilising the support panel software to manage order issues and returns, you hereby acknowledge and agree to be bound by the terms set forth in these Terms and Conditions and confirm acceptance of this Data Processing Agreement.
UK data protection laws from our perspective as a dropshipping supplier (fulfilment partner):
Our role as a dropshipping supplier is different from that of the dropshipper (who sells to the customer) — we the supplier physically fulfil orders and receive personal data (e.g. names, addresses) from the dropshipper.
As a dropshipping supplier, we are considered a “data processor” under UK GDPR. This means that we process personal data on behalf of the dropshipper (the “data controller”). In doing so, we must follow the data controller’s instructions and we still have legal duties of our own.
By using our website as a dropshipping platform or establishing a direct integration with our systems, you expressly acknowledge and authorise us to assume responsibility for the management and fulfilment of customer orders on your behalf.
We will only handle the personal data for the purposes agreed with the dropshipper — this means: Receiving orders, packing and shipping goods, tracking deliveries and handling returns. All personnel authorised to process personal data are under confidentiality obligations. We will not use customer data for our own marketing, sell or share data with others or store data longer than reasonably needed unless required by law. We process personal data under the lawful bases of (i) contract – to fulfil customer orders; (ii) legal obligation – for tax and accounting purposes; and (iii) consent – for optional marketing or analytics where applicable
We share relevant personal data with third-party service providers who assist in order processing, inventory management, customer service, and fulfilment. These providers only process your data on our behalf and in accordance with our instructions.
Where customer data is transferred or stored outside the UK, we ensure that appropriate safeguards are in place in accordance with UK data protection laws. This includes ensuring that any third-party service providers we use are contractually bound to comply with the UK General Data Protection Regulation (UK GDPR) and provide an adequate level of data protection. We remain responsible for protecting your personal data when it is processed on our behalf, including by third-party platforms used for order fulfilment and customer service.
To facilitate the management of returns and order-related issues, authorised dropshippers are granted access to our secure support portal. This platform is protected by appropriate technical and organisational measures, including password-protected access controls. Dropshippers are responsible for maintaining the confidentiality of their login credentials and must ensure that access is limited strictly to personnel who require it for the purposes of fulfilling customer service obligations.
As a dropshipping supplier we must keep data secure. We will only use data for agreed purposes (i.e. order fulfilment). We will never repurpose this data without written consent. We implement technical and organisational measures to protect customer data, this may include but is not limited to, securing order data (password-protected systems, secure backups), restricting access to data (only staff who need it), encrypting sensitive data and regularly auditing access and logs to ensure the data is kept secure. In the event of a personal data breach, we will notify the dropshipper without undue delay and provide sufficient information for them to assess whether the breach must be reported to the ICO within the 72-hour timeframe required by UK GDPR.
We are legally required to help the dropshipper meet their own obligations under GDPR, including: Helping them respond to data subject access requests (if a customer wants to see, change, or delete their data), cooperating with audits or compliance checks, and assisting with data deletion upon request (We will respond to data deletion requests within one month, in line with Article 12(3) of the UK GDPR).
Data retention policy: We reserve the right to retain full customer order data for 6 years, in line with following UK GDPR principles, specifically, UK GDPR Article 5 (1). Six years is the designated timeframe that we adhere to due to the limitation period (e.g. 6 years for breach of contract or faulty goods claims) which defines how long a customer can bring a legal claim.
To act in accordance with the UK GDPR principles,
All order data from 0-2 years of the order being placed, we will have full access to the order data. This is an operational need so that we can provide warranty and customer service.
All order data from 2-6 years of the order being placed, will be in an archived or restricted state. This limited access is due to a reduced need for accessing the data and risk minimisation, whilst remaining somewhat accessible during the limitation period.
In effect, we retain order-related personal data for up to six years to comply with legal obligations and for potential contract-related claims. After this period, the data is securely deleted.
Last updated: 28/08/2025