RATED 4.8 ★ WORN EVERY DAY - SHOP NOW FREE UK SHIPPING OVER £125 NEW IN: SS26 A SUMMER DRIFT - SHOP NOW RATED 4.8 ★ WORN EVERY DAY - SHOP NOW FREE UK SHIPPING OVER £125 NEW IN: SS26 A SUMMER DRIFT - SHOP NOW RATED 4.8 ★ WORN EVERY DAY - SHOP NOW FREE UK SHIPPING OVER £125 NEW IN: SS26 A SUMMER DRIFT - SHOP NOW RATED 4.8 ★ WORN EVERY DAY - SHOP NOW FREE UK SHIPPING OVER £125 NEW IN: SS26 A SUMMER DRIFT - SHOP NOW RATED 4.8 ★ WORN EVERY DAY - SHOP NOW FREE UK SHIPPING OVER £125 NEW IN: SS26 A SUMMER DRIFT - SHOP NOW RATED 4.8 ★ WORN EVERY DAY - SHOP NOW FREE UK SHIPPING OVER £125 NEW IN: SS26 A SUMMER DRIFT - SHOP NOW RATED 4.8 ★ WORN EVERY DAY - SHOP NOW FREE UK SHIPPING OVER £125 NEW IN: SS26 A SUMMER DRIFT - SHOP NOW RATED 4.8 ★ WORN EVERY DAY - SHOP NOW FREE UK SHIPPING OVER £125 NEW IN: SS26 A SUMMER DRIFT - SHOP NOW RATED 4.8 ★ WORN EVERY DAY - SHOP NOW FREE UK SHIPPING OVER £125 NEW IN: SS26 A SUMMER DRIFT - SHOP NOW RATED 4.8 ★ WORN EVERY DAY - SHOP NOW FREE UK SHIPPING OVER £125 NEW IN: SS26 A SUMMER DRIFT - SHOP NOW
Privacy Policy – Black Tulip Studio

Privacy Policy

(Last updated: 12 May 2026)

Data Controller: Black Tulip Retail Ltd (Company No. 14569140)

ICO Registration No: ZC144582

Registered address: 1st Floor Kirkland House, 11–15 Peterborough Road, Harrow, Middlesex, HA1 2AX

EU Representative (Art. 27 EU GDPR): Black Tulip Retail Ltd, 1st Floor Kirkland House, 11–15 Peterborough Road, Harrow, Middlesex, HA1 2AX

Registered trademark: 'Black Tulip' and 'Black Tulip Studio' are registered trade marks of Black Tulip Retail Ltd (UK IPO)

1. Who We Are and How to Contact Us

Black Tulip Retail Ltd ('Black Tulip', 'we', 'our', 'us') is the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the EU General Data Protection Regulation (EU GDPR 2016/679) where applicable.

UK data controller:

  • Black Tulip Retail Ltd
  • 1st Floor Kirkland House, 11–15 Peterborough Road, Harrow, Middlesex, HA1 2AX, United Kingdom
  • Email: customercare@blacktulipstudio.com
  • ICO registration number: ZC144582
  • Data protection contact: Sumit Joshan

EU Representative (Article 27 EU GDPR):

Because we offer goods to individuals in the European Union and monitor their behaviour (for example, through advertising cookies), we are subject to EU GDPR as well as UK GDPR. As we have no establishment in an EU member state, we have appointed an EU representative as required by Article 27 EU GDPR:

2. The Personal Data We Collect

We collect personal data from customers in the United Kingdom, the European Union and European Economic Area, the United States, and other countries. The categories of personal data we collect and the sources are as follows:

2.1 Data you provide directly

  • Identity data: first name, last name
  • Contact data: billing address, delivery address, email address, telephone number
  • Financial data: payment card type and last four digits only (full payment card details are processed by our payment processors and are not stored by us)
  • Transaction data: details of products you have ordered, order history, returns, and refund requests
  • Account data: username and hashed password if you create an account
  • Communications data: your messages to our customer care team and any feedback you provide
  • Marketing preferences: your choices about receiving marketing emails or WhatsApp marketing messages

2.2 Data collected automatically

  • Technical data: internet protocol (IP) address, browser type and version, operating system, device identifiers
  • Usage data: pages viewed, time spent on pages, links clicked, referring URL, and shopping cart activity
  • Location data: country-level location derived from your IP address
  • Cookie and tracking data: as set out in detail in Section 5 below

2.3 Data received from third parties

  • Payment processors (Shopify Payments, Klarna): transaction confirmation and payment status
  • Analytics and advertising platforms (Google Analytics 4, Meta, Pinterest, Microsoft Clarity, Google Ads): aggregated and pseudonymised analytics and advertising performance data
  • Delivery providers (Royal Mail, DPD, and other couriers): delivery confirmation and tracking information

We do not intentionally collect special category personal data as defined by Article 9 UK GDPR and Article 9 EU GDPR (such as health, biometric, racial or ethnic origin data). We do not knowingly collect data from anyone under 18 years of age.

3. How We Use Your Personal Data and Our Lawful Bases

We must have a lawful basis to process your personal data. Under Article 6 UK GDPR and Article 6 EU GDPR, the lawful bases we rely on are set out below. Where we serve EU/EEA customers, the same bases apply under EU GDPR.

Purpose of processing Type of data Lawful basis (Art. 6 UK GDPR / EU GDPR)
Process and fulfil your order (payment, delivery, returns) Identity, Contact, Financial, Transaction Performance of a contract (Art. 6(1)(b))
Send order confirmations, dispatch notifications, and return updates Identity, Contact, Transaction Performance of a contract (Art. 6(1)(b))
Manage your customer account Identity, Contact, Account Performance of a contract (Art. 6(1)(b))
Send email marketing (where you have opted in) Identity, Contact, Marketing Preferences Consent (Art. 6(1)(a)) – withdrawable at any time
Send WhatsApp marketing messages (where you have explicitly consented) Identity, Contact, Marketing Preferences Consent (Art. 6(1)(a)) – withdrawable at any time
Improve our Site and customer experience Usage, Technical, Cookie Legitimate interests (Art. 6(1)(f))
Show relevant advertising on Meta, Google, Pinterest Identity, Contact, Usage, Technical Consent (Art. 6(1)(a)) for marketing cookies; Legitimate interests (Art. 6(1)(f)) for pseudonymised audience matching
Detect and prevent fraud and misuse Identity, Contact, Financial, Technical Legitimate interests (Art. 6(1)(f))
Comply with legal obligations (tax, financial reporting) Identity, Contact, Financial, Transaction Legal obligation (Art. 6(1)(c))
Respond to customer support queries Identity, Contact, Communications Legitimate interests (Art. 6(1)(f))
Analyse site performance using analytics tools Usage, Technical, Cookie Consent (Art. 6(1)(a)) for analytics cookies; Legitimate interests (Art. 6(1)(f)) for aggregated non-identifiable analysis

Where we rely on legitimate interests, we have conducted and documented Legitimate Interests Assessments (LIAs) in accordance with ICO and EDPB guidance to confirm our interests are not overridden by your rights and freedoms. Copies of our LIAs are available on written request to customercare@blacktulipstudio.com.

4. WhatsApp Business Messaging

We operate a WhatsApp Business account via the WhatsApp Business API to send you transactional messages about your orders and, where you have given your explicit consent, marketing messages.

  • Platform provider: WATI (Nametag Inc.), acting as our data processor under a Data Processing Agreement
  • Messages are delivered via the WhatsApp Business API, operated by Meta Platforms Ireland Ltd (EU) and Meta Platforms Inc. (US)
  • Your mobile number and message content are shared with WATI and Meta solely to deliver messages to you
  • You may opt out of WhatsApp marketing at any time by replying STOP to any marketing message, or by contacting customercare@blacktulipstudio.com
  • Opting out of marketing messages will not affect transactional messages relating to an existing order
  • Consent to WhatsApp marketing is not a condition of purchase and is entirely voluntary

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our Site. Our use of cookies is governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (UK customers) and the EU ePrivacy Directive 2002/58/EC as implemented in relevant EU member states (EU/EEA customers). Our cookie consent tool is managed by Consentmo.

You can accept, reject, or customise your cookie preferences at any time by clicking 'Cookie Settings' at the bottom of any page on our Site. Rejecting non-essential cookies is as easy as accepting them. Strictly necessary cookies cannot be rejected as they are essential for the Site to function.

Category Cookie / Tool Purpose Provider Duration
Strictly Necessary _shopify_session, _shopify_y, cart Checkout, session management, cart functionality Shopify Ltd Session / 2 years
Strictly Necessary cookieyes-consent Records your cookie consent choices (PECR / ePrivacy compliant) Consentmo / CookieYes 1 year
Performance / Analytics _ga, _ga_[ID] Measures site traffic and behaviour (Google Analytics 4) Google LLC (USA) 2 years
Performance / Analytics CLID, _clck, _clsk Session recordings and heatmaps (Microsoft Clarity) Microsoft Corp. (USA) 1 year / Session
Marketing _fbp, _fbc Conversion tracking and retargeting – Meta (Facebook/Instagram) Meta Platforms Ireland Ltd (EU) / Inc. (USA) 90 days
Marketing _pin_unauth, _pinterest_sess Conversion tracking and retargeting – Pinterest Pinterest Europe Ltd (IE) 1 year
Marketing _gcl_au, _gcl_aw Conversion tracking from Google Ads campaigns Google LLC (USA) 90 days
Functional recently_viewed, customer_currency Remembers recently viewed products and currency preferences Shopify Ltd 30 days

Full details of Shopify's cookies are available at https://www.shopify.com/legal/cookies.

6. How We Share Your Personal Data

We do not sell your personal data to any third party. We share your data only in the following circumstances, and only to the extent necessary for the stated purpose:

  • Service providers acting as data processors: We share data with companies that provide services on our behalf, with whom we have Data Processing Agreements in place as required by Article 28 UK GDPR and Article 28 EU GDPR. These include: Shopify Ltd (website platform and payment processing), Klarna Bank AB (UK branch) (buy now/pay later), WATI / Nametag Inc. (WhatsApp Business messaging), instant.ai (email marketing), Royal Mail Group Ltd and DPD Group (delivery), and Google LLC, Meta Platforms Ireland Ltd, Pinterest Europe Ltd, and Microsoft Corporation (analytics and advertising).
  • Business transfers: If Black Tulip Retail Ltd is sold, merged, or reorganised, your personal data may transfer to the new entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.
  • Legal requirements: We may disclose your data to law enforcement, regulatory bodies, or courts where required by applicable law in the UK, EU, or other relevant jurisdictions, or where necessary to protect the rights, property, or safety of Black Tulip, our customers, or others.

7. International Transfers of Personal Data

We are based in the United Kingdom and primarily process personal data in the UK. Some of our third-party processors are located in the United States and other countries outside the UK and EU/EEA. Where we transfer personal data outside the UK, we rely on the mechanisms set out in Chapter V UK GDPR. Where we transfer EU/EEA personal data outside the EU/EEA, we rely on the equivalent mechanisms under Chapter V EU GDPR.

  • Shopify Inc. (Canada / USA): UK–Canada transfers benefit from the ICO's adequacy assessment of Canada. UK–USA transfers are covered by a UK International Data Transfer Agreement (IDTA). EU–USA transfers are covered by Standard Contractual Clauses (SCCs) under EU GDPR.
  • Google LLC (USA): Transfers covered by Standard Contractual Clauses with a UK Addendum (UK GDPR) and EU Standard Contractual Clauses (EU GDPR).
  • Meta Platforms Inc. (USA): Transfers covered by Standard Contractual Clauses with a UK Addendum (UK GDPR) and EU Standard Contractual Clauses (EU GDPR).
  • Microsoft Corporation (USA): Transfers covered by Standard Contractual Clauses with a UK Addendum (UK GDPR) and EU Standard Contractual Clauses (EU GDPR).
  • WATI / Nametag Inc.: Transfers covered by Standard Contractual Clauses with a UK Addendum (UK GDPR) and EU Standard Contractual Clauses (EU GDPR).

You may request a copy of the applicable transfer mechanism for any specific transfer by contacting customercare@blacktulipstudio.com.

8. How Long We Retain Your Data

Data category Retention period Legal basis
Order records, invoices, and financial transactions Six years from the end of the tax year of the transaction (UK HMRC requirement; GDPR Art. 17(3)(b)) Legal obligation – Companies Act 2006; HMRC VAT Notice 700/21
Customer account data Until you request account deletion, plus 6 months for dispute resolution. Financial records created during the account are retained for six years. Contract / Legitimate interests
Returns and exchange correspondence and records 28 days (our commercial returns window) plus six years for any financial records arising from the transaction Legal obligation / Legitimate interests
Email marketing consent records For the duration of the marketing relationship, plus 3 years after unsubscribe (to evidence consent if challenged by ICO or EU supervisory authority) Legitimate interests / Legal obligation
WhatsApp marketing consent records For the duration of the marketing relationship, plus 3 years after opt-out Legitimate interests / Legal obligation
Customer support communications 3 years from the date of the interaction Legitimate interests
Cookie and analytics data As per the individual cookie durations in Section 5. Google Analytics 4 data is auto-deleted after 14 months. Consent / Legitimate interests
Fraud and security logs Six years from the relevant event Legal obligation / Legitimate interests
Competition entry data 90 days after the closing date; six years for prize-winner financial records Legitimate interests / Legal obligation

9. Your Rights

Your rights depend on where you are based. Both UK GDPR and EU GDPR grant substantively similar rights, which we honour for all customers regardless of location. The rights are identical in substance; the applicable supervisory authority differs.

  • Right of access (Art. 15): Request a copy of the personal data we hold about you (Subject Access Request / SAR). We will respond within one calendar month.
  • Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data. We will act within one calendar month.
  • Right to erasure (Art. 17): Ask us to delete your data. This right is not absolute where legal retention obligations apply (for example, HMRC record-keeping).
  • Right to restriction of processing (Art. 18): Ask us to restrict processing in certain circumstances (for example, while a dispute is investigated).
  • Right to data portability (Art. 20): Receive data you have provided to us in a structured, machine-readable format, where we process it by automated means on the basis of consent or contract.
  • Right to object (Art. 21): Object to processing based on legitimate interests, including profiling for direct marketing. Where you object to direct marketing we will cease immediately with no exceptions.
  • Rights related to automated decision-making (Art. 22): We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
  • Right to withdraw consent: Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

To exercise any right, email customercare@blacktulipstudio.com (subject: 'Data Rights Request') or write to us at our address in Section 1. We will respond within one calendar month. In complex cases we may extend by two further months (three months total) and will notify you within the first month.

10. Security

We apply appropriate technical and organisational measures to protect your personal data, including HTTPS encryption site-wide, access controls, Data Processing Agreements with all processors, and PCI DSS-compliant payment processing via Shopify Payments and Klarna. No internet transmission is completely secure; transmission is at your own risk.

11. Children

Our Site and services are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware of such collection, we will delete that data immediately. Contact us at customercare@blacktulipstudio.com if you believe we hold data about a person under 18.

12. Your Right to Complain to a Supervisory Authority

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the relevant supervisory authority:

  • UK customers – Information Commissioner's Office (ICO): www.ico.org.uk | Tel: 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • EU/EEA customers: You may complain to the supervisory authority in the EU member state where you live, work, or where the alleged infringement occurred. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en

We ask that you contact us first so we have the opportunity to resolve your concern before you escalate it.

13. Changes to This Policy

  • The updated policy will be posted on this page with a revised 'Last updated' date
  • Where changes are material – meaning they significantly affect how we use your data or your rights – we will notify you by email before they take effect
  • Your continued use of our Site after the effective date constitutes acceptance of the updated policy

14. Contact Us

  • Email: customercare@blacktulipstudio.com
  • Post: Black Tulip Retail Ltd, 1st Floor Kirkland House, 11–15 Peterborough Road, Harrow, Middlesex, HA1 2AX, United Kingdom.
Shopping Basket 0

Need fitting help? View our Size Guide

Size Guide
Add to Bag

SIZE