Security Policy
1. Our Commitment to Security
At Tali.london, the security of your personal and payment data is a priority. We implement technical and organisational measures appropriate to the risk, in line with our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We regularly review and update our security practices to respond to evolving threats.
2. Data We Collect & Why
When you shop with us, we may collect:
- Contact and delivery details (name, address, email, phone number)
- Order and transaction history
- Payment information (processed securely — see Section 3)
- Technical data (IP address, browser type, cookies — see Cookie Policy)
We collect only the minimum personal data necessary to fulfil your order and comply with our legal obligations. We do not sell your personal data to third parties.
3. Payment Security
We do not store your card details. All payment transactions on Tali.london are processed by a PCI DSS-compliant payment provider. Card data is encrypted in transit and never stored on our servers. Look for the padlock icon and "https://" in your browser address bar when checking out.
Our website uses Transport Layer Security (TLS) encryption across all pages to protect data transmitted between your browser and our servers.
4. Technical Safeguards
We employ the following measures to protect our systems and your data:
- SSL/TLS encryption: All pages on Tali.london are served over HTTPS.
- Access controls: Internal access to customer data is restricted to authorised personnel on a need-to-know basis.
- Regular updates: Our platform and third-party dependencies are kept up to date to address security vulnerabilities.
- Secure hosting: Our website is hosted on infrastructure that maintains its own security certifications and conducts regular penetration testing.
- Password protection: Customer account passwords are stored using strong one-way hashing. We never store passwords in plain text.
5. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements. In general:
| Data type | Retention period | Legal basis |
|---|---|---|
| Order and transaction records | 7 years | Legal obligation (HMRC / tax law) |
| Customer account data | Duration of account + 3 years | Legitimate interest / contract |
| Marketing preferences | Until withdrawn | Consent |
| Website logs | Up to 12 months | Legitimate interest (security) |
6. Third-Party Processors
We may share your data with trusted third-party service providers who process data on our behalf, such as payment processors, delivery partners, and email platforms. All third-party processors are required to:
- Process data only on our documented instructions
- Maintain appropriate security measures
- Comply with UK GDPR obligations
We do not transfer your personal data outside the UK or European Economic Area (EEA) without ensuring adequate protections are in place as required by UK data protection law.
7. Your Rights Under UK GDPR
As a data subject under UK GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data, subject to legal retention obligations.
- Right to restrict processing: Ask us to pause processing your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests, including direct marketing.
- Rights related to automated decision-making: Not be subject to decisions made solely by automated means that significantly affect you.
To exercise any of these rights, please contact us using the details below. We will respond within one calendar month as required by UK GDPR.
8. Data Breach Procedures
In the event of a personal data breach, we will:
- Assess the risk to individuals affected
- Notify the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
9. Keeping Your Account Secure
If you create an account with us, you are responsible for keeping your login credentials confidential. We recommend using a strong, unique password and enabling two-factor authentication if available. Please notify us immediately if you suspect any unauthorised use of your account.
10. Reporting a Security Concern
If you discover a potential security vulnerability on Tali.london, please disclose it responsibly by contacting us at hello@tali.london. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and address it.
Data protection enquiries
Email: hello@tali.london
Tali London Ltd, United Kingdom
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
ico.org.uk · 0303 123 1113