PRIVACY POLICY
Company: NTHING Limited ("we," "us," or "our")
Trading As: Orbitcrafts
Registered Address: 71-75 Shelton Street, London, United Kingdom, WC2H 9JQ
Contact Email: carmellasteffi@gmail.com
Last Updated: June 2025
Effective Date: June 2025
This Privacy Policy explains how NTHING Limited collects, uses, stores, and protects your personal data when you visit or make a purchase from our online store. By using our website, you acknowledge that you have read and understood this policy.
We are committed to protecting your privacy and handling your personal data in a transparent, lawful, and responsible manner. This policy applies to all customers and visitors regardless of location, with specific provisions for customers in the United States (including California), Canada, Australia, and New Zealand.
1. WHO WE ARE AND HOW TO CONTACT US
NTHING Limited is a company registered in England and Wales. We operate the online store trading as Orbitcrafts. We are the data controller responsible for your personal information.
For any privacy-related questions, requests, or complaints, please contact us at:
Email: carmellasteffi@gmail.com
Postal Address: 71-75 Shelton Street, London, United Kingdom, WC2H 9JQ
We aim to respond to all legitimate privacy requests within 30 days. For complex requests, we may require up to 60 days and will notify you if an extension is needed.
2. WHAT PERSONAL DATA WE COLLECT
We collect personal data in two ways: information you provide directly to us, and information collected automatically when you use our website.
2.1 Information You Provide
Full name and email address when placing an order or signing up for marketing
Billing and shipping address
Phone number (if provided at checkout)
Payment information — note: we do not store your full card details; these are processed securely by Shopify Payments
Communications you send us, including customer service enquiries
2.2 Information Collected Automatically
IP address and approximate geographic location
Browser type, device type, and operating system
Pages viewed, time spent on site, and browsing behaviour
Referring website or source (e.g. how you found us)
Cookie identifiers and session data (see Section 7)
2.3 Information From Third Parties
Meta (Facebook/Instagram) may share aggregated audience and engagement data via the Meta Pixel installed on our website
Shopify provides us with order and transaction data through their platform
3. HOW WE USE YOUR PERSONAL DATA
We use your personal data only for the purposes described below, and only where we have a lawful legal basis to do so.
3.1 To Fulfil Your Order (Contract)
Process and confirm your purchase
Arrange shipping and delivery of your order
Send order confirmation and shipping notifications
Handle returns, refunds, or exchanges
Communicate with you about issues relating to your order
3.2 Marketing Communications (Consent / Legitimate Interest)
Send promotional emails, new product announcements, and special offers via Omnisend
You may opt out of marketing emails at any time by clicking the unsubscribe link in any email, or by contacting us at carmellasteffi@gmail.com
We do not send marketing communications without your consent where consent is required by applicable law
3.3 Website Analytics and Advertising (Legitimate Interest / Consent)
We use the Meta Pixel to track website visits and measure the effectiveness of our advertising campaigns on Facebook and Instagram
This may result in you seeing advertisements for our products on Meta platforms based on your visit to our website
You can opt out of this tracking via your browser cookie settings or through Meta's ad preferences
3.4 Legal Compliance
To comply with legal obligations including tax, accounting, and fraud prevention requirements
To respond to lawful requests from courts, regulators, or law enforcement
4. HOW WE SHARE YOUR DATA
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We share your data only in the following limited circumstances:
4.1 Service Providers
Shopify Inc. — our e-commerce platform provider, which processes payments and hosts our store (Shopify is certified PCI DSS Level 1 compliant)
Shopify Payments — for secure payment processing
Omnisend — our email marketing platform, which stores your email address and engagement data for marketing communications
Our product supplier — your shipping name and address are shared with our fulfilment supplier solely for the purpose of shipping your order
Meta Platforms Inc. — aggregated behavioural data is shared via the Meta Pixel for advertising purposes
4.2 Legal Requirements
We may disclose your data if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of NTHING Limited, our customers, or others.
4.3 Business Transfers
In the event that NTHING Limited is acquired, merged, or undergoes a significant business transfer, your data may be transferred as part of that transaction. You will be notified via email and/or a prominent notice on our website if this occurs.
5. INTERNATIONAL DATA TRANSFERS
As a UK-registered business selling internationally, your data may be transferred to and processed in countries outside the United Kingdom, including the United States (Shopify, Meta, Omnisend are US-based).
Where we transfer data outside the UK, we ensure appropriate safeguards are in place, including reliance on standard contractual clauses approved by the UK Information Commissioner's Office (ICO), or adequacy decisions where applicable.
6. HOW LONG WE RETAIN YOUR DATA
Order and transaction records: 7 years from the date of purchase (required for UK tax and accounting compliance)
Marketing opt-in records: retained for as long as you remain subscribed, plus 3 years after unsubscription for compliance purposes
Customer service communications: 3 years from the date of the interaction
Website analytics data: up to 26 months from collection
Once data is no longer required, it is securely deleted or anonymised.
7. COOKIES
Cookies are small text files stored on your device when you visit our website. We use the following categories of cookies:
Essential Cookies — required for the website to function (e.g. shopping cart, checkout session). These cannot be disabled.
Analytics Cookies — used to understand how visitors use our site (via Shopify analytics)
Marketing Cookies — used by the Meta Pixel to track visits and enable targeted advertising on Facebook and Instagram
You can control non-essential cookies through your browser settings or via a cookie consent tool. Please note that disabling certain cookies may affect your experience on our website.
8. YOUR RIGHTS
Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, please contact us at carmellasteffi@gmail.com.
8.1 Rights Under UK GDPR (All Customers)
Right of Access — request a copy of the personal data we hold about you
Right to Rectification — request correction of inaccurate or incomplete data
Right to Erasure ("Right to be Forgotten") — request deletion of your data where there is no lawful basis for continued processing
Right to Restriction — request that we limit the processing of your data in certain circumstances
Right to Data Portability — receive your data in a structured, machine-readable format
Right to Object — object to processing based on legitimate interests or for direct marketing
Rights Related to Automated Decision-Making — we do not make solely automated decisions with legal or significant effects
8.2 Additional Rights for California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you
Right to Delete — request deletion of personal information we have collected, subject to certain exceptions
Right to Opt-Out of Sale — we do not sell personal information. However, our use of the Meta Pixel may constitute "sharing" of data for cross-context behavioural advertising under California law. You may opt out by contacting us or adjusting your Meta ad preferences
Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights
Right to Correct — request correction of inaccurate personal information
To submit a verifiable consumer request under CCPA, contact us at carmellasteffi@gmail.com. We will respond within 45 days. We may need to verify your identity before processing your request.
8.3 Rights for Canadian Customers (PIPEDA)
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access your personal information and to challenge its accuracy. You also have the right to withdraw consent for non-essential processing. Contact us at carmellasteffi@gmail.com to exercise these rights.
8.4 Rights for Australian Customers (Privacy Act 1988)
Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to access and correct the personal information we hold about you. If you believe we have interfered with your privacy, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
8.5 Rights for New Zealand Customers (Privacy Act 2020)
Under New Zealand's Privacy Act 2020, you have the right to access and correct personal information we hold about you. Complaints may be directed to the Office of the Privacy Commissioner at www.privacy.org.nz.
9. DATA SECURITY
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, alteration, or disclosure. These measures include:
All data transmission on our website is encrypted using SSL/TLS technology
Payment processing is handled by Shopify Payments, which is PCI DSS Level 1 certified
Access to personal data is restricted to authorised personnel only, on a need-to-know basis
We regularly review and update our security practices
While we take all reasonable steps to protect your data, no method of transmission over the internet is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by applicable law.
10. CHILDREN'S PRIVACY
Our website and products are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at carmellasteffi@gmail.com.
11. LINKS TO THIRD-PARTY WEBSITES
Our website may contain links to third-party websites. This Privacy Policy does not apply to those websites. We encourage you to read the privacy policies of any external sites you visit. We are not responsible for the privacy practices or content of third-party websites.
12. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Last Updated" date at the top of this page will be revised accordingly. We encourage you to review this policy periodically. For material changes, we will notify you via email or a prominent notice on our website.
13. HOW TO LODGE A COMPLAINT
If you have a complaint about how we handle your personal data, please contact us first at carmellasteffi@gmail.com and we will do our best to resolve your concern.
If you remain dissatisfied, you have the right to lodge a complaint with the relevant supervisory authority:
UK: Information Commissioner's Office (ICO) — ico.org.uk
USA (California): California Privacy Protection Agency — cppa.ca.gov
Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca
Australia: Office of the Australian Information Commissioner — oaic.gov.au
New Zealand: Office of the Privacy Commissioner — privacy.org.nz