Privacy Policy
On this page
1. Who we are and what this policy covers
Season 28 Ltd operates Season 28 Connect, a customer-engagement platform for garden and plant retailers. It comprises a Shopify-embedded app, a web console (console.season28.co.uk), a backend API (api.season28.co.uk), and a branded customer mobile app that retailers offer to their shoppers.
This policy explains what personal data the platform collects, why, how we protect it, who we share it with, and the rights available to individuals.
2. Our role: controller vs processor
- When we act as a processor. For personal data belonging to a retailer's customers — processed so the retailer can run loyalty, CRM, marketing, care reminders and click-and-collect — the retailer is the data controller and Season 28 Ltd is a data processor acting on the retailer's documented instructions. This processing is governed by our Data Processing Agreement (DPA), which forms part of the Terms of Service.
- When we act as a controller. For the personal data of retailer account holders (the merchant's staff who use the console), for platform security, billing, and service administration, Season 28 Ltd is the controller.
3. What data we collect, and from where
3.1 Retailer account holders (merchant staff)
- Name, email address, hashed password, role, and organisation details.
- Support and billing correspondence.
3.2 A retailer's customer data received from Shopify
When a retailer installs the app, we process the following from their Shopify store, only as needed to provide the service:
- Customer email, first name and last name — to create and match the customer's record in the retailer's CRM/loyalty account and to send transactional and consented marketing email. We do not read customer phone numbers or addresses from Shopify.
- Marketing-consent state (
email_marketing_consent/accepts_marketing) — so we honour the customer's consent and only send marketing to those who have opted in. - Order data — order identifiers, line items, totals and status — to award/adjust loyalty points and to produce aggregate demand analytics for the retailer.
- Customer tags — read and written back to keep CRM tags in sync (no additional personal data is read).
- Public store brand assets (logo, brand colours via the Storefront API) — public shop data only, used to match the app's branding to the retailer's store.
3.3 End-customer data provided directly in the branded app
When a retailer's customer registers in the branded mobile app, we process, on the retailer's behalf:
- Registration details: name, email, hashed password, and (optionally) garden postcode.
- Phone number — only if the customer opts in to SMS.
- Device push token — only if the customer enables push notifications.
- App activity: owned plants, journal entries, plant-identification photos, care reminders, reservations, loyalty balance and transactions, and support messages.
- Postcode is used to retrieve local weather for care alerts; it is not used to identify the individual.
3.4 Technical data
Standard log and device data (IP address, app/browser type, timestamps) for security, diagnostics and abuse prevention. Error diagnostics are sent to Sentry with personal data scrubbed.
4. Why we process it (purposes) and legal bases
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Provide the console, app, loyalty, CRM, care reminders, click-and-collect, demand analytics | Contract (with the retailer); for end-customers, the retailer's contract/legitimate interests |
| Send transactional messages (verification, password reset, order/reservation updates) | Contract / legitimate interests |
| Send marketing (email, push, SMS) | Consent — only where the customer has opted in; withdrawable at any time |
| Security, fraud/abuse prevention, service reliability | Legitimate interests |
| Billing and account administration | Contract / legal obligation |
| Comply with legal and regulatory obligations | Legal obligation |
We do not sell personal data, and we do not use it for any purpose incompatible with the above.
5. Consent and opt-out
- Marketing is sent only to individuals who have consented, per-channel.
- Email marketing includes one-click unsubscribe (RFC 8058); SMS marketing honours the STOP keyword; push can be disabled in-app. Opting out is immediate and applies to future marketing.
- No legally or similarly significant decisions are made about individuals by automated means; segmentation is marketing-only and reversible.
6. Sub-processors
We use the following sub-processors to run the service. They process personal data only as needed to provide their function and under contractual data-protection obligations:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| MongoDB Atlas | Primary database (encrypted at rest) | All stored personal data |
| Railway | Backend/API hosting | Data in transit/processing |
| Vercel | Web console hosting | Console session data |
| Cloudinary | Image hosting | Uploaded/plant/journal images |
| OpenAI | Plant identification, content enrichment, marketing generation | Plant photos, typed plant names, marketing inputs |
| Replicate (Google Imagen) | Marketing/seasonal image generation | Prompt text (no customer PII) |
| Perplexity | Answer-engine visibility checks (AEO) | Non-personal gardening queries |
| Resend | Transactional + marketing email | Email address, name |
| Twilio | SMS (opt-in only) | Phone number |
| Expo | Push notification delivery | Device push token |
| Stripe | Billing for direct (non-Shopify) sign-ups | Merchant billing details |
| Shopify | App platform + billing (Managed Pricing) + source of order/customer data | Order/customer data, billing |
| Sentry | Error monitoring (PII scrubbed) | Diagnostic data |
| postcodes.io / Open-Meteo | Postcode-to-weather lookup for care alerts | Postcode only |
A current sub-processor list is available on request; we give retailers notice of material changes.
7. International transfers
Some sub-processors are located outside the UK/EEA (for example, in the United States). Where personal data is transferred internationally, we rely on appropriate safeguards — UK adequacy regulations, the UK International Data Transfer Agreement / Addendum, or EU Standard Contractual Clauses — so the data receives an equivalent level of protection.
8. Data sharing
We share personal data only with: the sub-processors above; the relevant retailer (as controller of their customers' data); and authorities or advisers where required by law or to protect our rights. We do not sell personal data or share it for third-party advertising.
9. Retention
- Retailer account data is kept for the life of the account and deleted or anonymised after closure, subject to legal retention (e.g. billing records).
- End-customer data is retained while the customer's account is active. On account deletion, or on a customer redaction request (
customers/redact), we delete or anonymise the individual's personal data. - When a retailer uninstalls the app, their store data is erased following Shopify's
shop/redactflow (approximately 48 hours after uninstall). Aggregate, non-identifying analytics may be retained.
10. Security
We protect personal data with encryption in transit (TLS) and at rest (including encrypted backups), role-based access controls, least-privilege staff access with strong authentication and 2FA, audit logging of customer-data changes, and a documented security incident-response process. See our Security Policy for detail. No system is perfectly secure, but we take reasonable and appropriate measures to protect your data.
11. Your rights
Subject to UK GDPR, individuals have the right to access, rectify, erase, restrict, port, and object to processing of their personal data, and to withdraw consent at any time.
- End-customers: because the retailer is the controller of your data, please contact the retailer first; we will support them (or you) in fulfilling the request. Shopify's data-request and redaction flows are supported.
- Retailer account holders and general queries: contact privacy@season28connect.co.uk.
You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
12. Children
The service is intended for retailers and adult customers. It is not directed at children, and we do not knowingly collect personal data from children.
13. Cookies
The web console uses strictly necessary cookies/session tokens to keep you signed in and secure. It does not use advertising cookies. Any optional analytics are disclosed and, where required, consented.
14. Changes
We may update this policy; material changes will be notified to retailers and reflected by the "last updated" date above.
15. Contact
Season 28 Ltd — privacy@season28connect.co.uk. Postal address: [add registered company address].