Privacy Policy
This Privacy Policy explains how Poncho by Mammy ("we", "us", "our") collects and uses your personal data when you visit our website or place an order. We are the data controller for the personal information we hold about you.
For any privacy questions, contact us at foryout99@gmail.com.
1. What we collect
We collect the following categories of personal data:
- Order data — name, delivery address, email, phone number, items purchased, order total. Required to fulfil your order.
- Account data (if you register) — email, name, phone, default delivery address, order history.
- Payment data — handled directly by Stripe. We never see or store your full card number; we only receive a payment confirmation token.
- Availability requests — if you ask us to notify you when a product is back in stock, we store your email and/or phone, the product, and your message until we reply or you ask us to delete it.
- Analytics data — anonymised usage data via Google Analytics 4 (pages viewed, device, country). Only collected if you accept analytics cookies.
- Technical data — IP address, browser type, referring URL. Used for security and to deliver the site reliably.
2. Legal basis (UK GDPR)
- Contract — to take your order, deliver it and handle returns.
- Legal obligation — to keep tax and accounting records (HMRC requires us to keep order records for at least 6 years).
- Consent — for analytics cookies and any marketing emails. You can withdraw consent at any time.
- Legitimate interest — to keep the site secure and improve our products.
3. Who we share data with
We share data only with processors who help us run the shop:
- Stripe (payment processing) — Stripe Payments Europe Ltd, Ireland.
- Supabase (database and authentication) — order and account data is stored on Supabase EU infrastructure.
- Resend (transactional email) — used to send you order confirmations and stock-availability replies.
- Vercel (hosting) — serves the website to your browser.
- Google Analytics — only if you accept analytics cookies.
- Royal Mail (or another carrier we choose) — to deliver your parcel.
We never sell your personal data.
4. International transfers
Some of our processors (Stripe, Resend, Vercel, Google) may transfer data outside the UK/EU. Where this happens, transfers are protected by the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision.
5. How long we keep data
- Order records — 6 years (HMRC requirement).
- Account data — until you delete the account.
- Availability requests — up to 12 months after we reply or close them.
- Analytics data — 14 months (Google Analytics default).
6. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you;
- Have inaccurate data corrected;
- Have your data deleted (where we are not required to keep it by law);
- Restrict or object to processing;
- Receive your data in a portable format;
- Withdraw consent at any time.
To exercise any of these, email foryout99@gmail.com. We will reply within 30 days.
You also have the right to complain to the UK Information Commissioner's Office — ico.org.uk.
7. Cookies
We use the following types of cookies:
- Strictly necessary — keep your shopping cart, log you in, remember which cookies you accepted. These cannot be disabled.
- Analytics — Google Analytics 4 to understand how the site is used. Only loaded if you click Accept on the cookie banner.
You can change your choice at any time by clearing your browser's site data for this domain — the banner will reappear.
8. Children
Our products are for children, but the site is intended for adult purchasers (18+). We do not knowingly collect data from children.
9. Changes to this policy
We may update this policy occasionally. The "Last updated" date at the top tells you when. Material changes will be flagged on the homepage.