5%
Blastoys
Legal

Privacy Policy

Last updated: 27 May 2026

Blastoys Ltd ("Blastoys", "we", "us") is committed to protecting your personal data. This policy explains what we collect when you use blastoys.uk, why we collect it, and the rights you have under UK GDPR and the Data Protection Act 2018.

1. Who we are

Blastoys Ltd is a company registered in England and Wales. For any privacy questions contact our data team at privacy@blastoys.uk.

2. Information we collect

  • Account data: name, email address, password hash, and display name when you create a Blastoys account.
  • Order data: billing and delivery address, items purchased, order value and payment confirmation reference. We do not store card numbers — payments are handled by Shopify Payments and Stripe.
  • Usage data: pages visited, device type, approximate location (city level) and referrer, collected via privacy-friendly analytics.
  • Communications: messages you send us via email or the contact form, and your newsletter preferences.

3. How we use your data

  • To fulfil and ship your orders.
  • To provide customer support and respond to enquiries.
  • To send order updates and (with consent) marketing emails.
  • To improve the website and detect fraud or abuse.
  • To meet our legal and tax obligations.

4. Legal basis

We process data under the following lawful bases: contract (to deliver your orders), consent (for marketing emails and non-essential cookies), legal obligation (tax and accounting records), and legitimate interests (site security and fraud prevention).

5. Sharing your data

We only share data with trusted processors that help us run the shop:

  • Shopify — e-commerce platform and payments.
  • Royal Mail and DPD — order fulfilment.
  • Supabase — secure account storage (EU-hosted).
  • Resend — transactional email delivery.

We never sell your personal data.

6. Cookies

We use a small number of cookies: essential cookies for the cart and login session, and optional analytics cookies that only load with your consent. You can change your preferences at any time via the cookie banner.

7. Data retention

Order records are kept for 7 years to meet HMRC requirements. Marketing data is kept until you unsubscribe. Account data is deleted within 30 days of an account-deletion request.

8. Your rights

Under UK GDPR you can request to:

  • Access a copy of the data we hold about you.
  • Correct inaccurate data.
  • Delete your data ("right to be forgotten").
  • Restrict or object to processing.
  • Receive your data in a portable format.

Email privacy@blastoys.uk to exercise any of these. You can also complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

9. Children

Blastoys is intended for use by adults (16+) buying toys for children. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

10. Changes to this policy

We may update this policy occasionally. Material changes will be announced on this page and, where appropriate, by email.