Privacy Policy
Last updated: 29 April 2026
This Privacy Policy explains how A MACKAY (PUBLISHER) LTD (“we”, “us”, “our”) collects and uses personal data when you visit charlesmackaybooks.com or place an order with us. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data controller
The data controller is:
- A Mackay (Publisher) Ltd (trading as Charles Mackay Books)
- Companies House registration: SC858624 (registered in Scotland).
- Postal address available on request via info@charlesmackaybooks.com.
- Contact: info@charlesmackaybooks.com
We are a small private limited company. We are working through registration with the UK Information Commissioner's Office (ICO) as a data controller. If you would like our ICO registration number, please email the address above.
2. Personal data we collect
- Order data: name, billing and delivery address, email address, phone number (optional), order contents and order history.
- Account data (if you create one): email address, hashed password (or magic-link token), saved addresses and wishlist.
- Payment metadata: we do not see or store your full card number. Card payments are processed by Stripe Payments UK Limited; we receive only a transaction reference, the last four digits, the card brand and country, and the billing postcode.
- Communications: the content of any email or contact-form message you send us.
- Technical data: IP address, browser, device, referrer, and usage statistics, collected via cookies and similar technologies (see Cookie Policy) only with your consent where consent is required.
3. Legal bases for processing
- Contract (UK GDPR Article 6(1)(b)): to take and fulfil your order, deliver your books, and handle returns.
- Legal obligation (Article 6(1)(c)): to keep tax and accounting records as required by HMRC.
- Consent (Article 6(1)(a)): for non-essential cookies (analytics, marketing) and for any marketing emails. You can withdraw consent at any time.
- Legitimate interests (Article 6(1)(f)): for security, fraud prevention, and aggregated internal reporting. Our legitimate interests are balanced against your rights and freedoms.
4. How we use your data
- Process orders, take payment, ship goods and handle returns.
- Communicate with you about your order (dispatch confirmation, tracking, refunds).
- Maintain your account and wishlist (if you have created one).
- Comply with tax, accounting, and consumer-protection law.
- Improve the site and detect fraud or abuse.
- Send marketing emails, only if you have explicitly opted in.
5. Recipients and sub-processors
We share personal data only with the following service providers, each acting as a processor under contract:
- Stripe Payments UK Limited (United Kingdom; Stripe, Inc. in the United States): payment processing.
- Royal Mail Group Limited (United Kingdom): shipping and tracking.
- Supabase Inc. (data hosted in EU, eu-west region): database, authentication and file storage.
- Netlify, Inc. (United States): website hosting and CDN.
- Google LLC / Google Ireland Limited (Ireland and United States): Google Analytics 4 and Google Customer Reviews, only if you have consented to analytics cookies.
We do not sell your personal data and we do not share it for third-party advertising.
6. International transfers
Some of our processors are based outside the UK. Where personal data is transferred outside the UK or EEA we rely on the UK's International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an applicable adequacy decision. Copies of the safeguards are available on request.
7. Retention
- Order, invoice and tax records: 6 years from the end of the financial year, as required by HMRC.
- Account data: until you delete your account, then up to 30 days in backups.
- Marketing consent: until you withdraw it; suppression list kept indefinitely to honour opt-outs.
- Analytics data (Google Analytics 4): default retention of 14 months for event-level data; aggregate reports may be kept longer.
- Support email: up to 3 years from last contact.
8. Your rights
Under UK GDPR you have the right to:
- access a copy of the personal data we hold about you;
- have inaccurate data rectified;
- have your data erased (“right to be forgotten”), subject to legal retention obligations;
- restrict or object to processing, including direct marketing;
- data portability for data you provided to us under contract or consent;
- withdraw consent at any time, including for cookies and marketing emails.
To exercise any of these rights, email us at info@charlesmackaybooks.com. We will respond within one month.
9. Cookies
We use cookies and similar technologies as described in our Cookie Policy. No analytics or marketing cookies are set until you have given consent through the banner shown on first visit. You can change your choice at any time using the “Cookie preferences” link in the footer.
10. Security
We use HTTPS across the entire site, encrypt data in transit, hash account passwords, restrict database access to authenticated services, and enforce row-level security on customer data. Stripe is PCI-DSS certified and handles all card data in their environment.
11. Children
Our site is not directed at children under 13 and we do not knowingly collect their data. If you believe a child has provided personal data, contact us and we will delete it.
12. Complaints
If you are unhappy with how we have handled your personal data you may complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint, by phone on 0303 123 1113, or by post to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
13. Changes to this policy
We may update this policy from time to time. The latest version will always be at this URL with the “Last updated” date at the top.