This Privacy Policy governs the manner in which Penguin Internet Ltd collects, uses, maintains and discloses information collected from users (each, a "User") of the https://www.penguin-uk.com website ("Site"). This privacy policy applies to the Site and all products and services offered by Penguin Internet Ltd.
1.0 Legal Framework
This policy is designed to comply with:
- The UK General Data Protection Regulation (UK GDPR), incorporated into UK law under the Data Protection Act 2018;
- The EU General Data Protection Regulation (EU GDPR) (Regulation (EU) 2016/679), where applicable;
- The Privacy and Electronic Communications Regulations (PECR);
- The Children’s Code (Age-Appropriate Design Code), where applicable.
2.0 Your Data Rights
You have the following rights under data protection law:
- Right of access – Request a copy of your personal data.
- Right to rectification – Ask us to correct any inaccurate or incomplete data.
- Right to erasure – Request deletion of your data, subject to legal retention.
- Right to restrict processing – Ask us to limit how we use your data.
- Right to data portability – Request your data in a machine-readable format.
- Right to object – Object to processing based on our legitimate interests or for direct marketing.
- Right to withdraw consent – Withdraw consent at any time (e.g. marketing, cookies).
- Rights related to automated decision-making and profiling – Request human intervention in fully automated decisions.
To exercise any of these rights, contact our Data Protection Lead at: support@penguin-uk.com
We respond within one month. This may extend by two months for complex requests.
3.0 Lawful Basis for Processing
We only process and share your data when we have a lawful basis. Examples include:
Purpose | Lawful Basis | Details |
---|---|---|
Account registration | Contract | Needed to provide services |
Payment processing (Stripe) | Contract | Required to process transactions |
Domain registration (Nominet, Enom, etc.) | Contract | Required for domain ownership |
Marketing emails | Consent | Only sent if you opt-in |
Website analytics (Google Analytics) | Consent | Used only with opt-in cookie consent |
Fraud prevention (MaxMind) | Legitimate Interests | To protect against abuse and fraudulent activity |
Legal compliance (e.g. HMRC) | Legal Obligation | For financial and tax records |
4.0 International Data Transfers
Where we transfer personal data outside the UK or EEA, we ensure one of the following safeguards is in place:
- UK International Data Transfer Agreement (IDTA)
- EU Standard Contractual Clauses (SCCs)
- Participation in the UK or EU–US Data Privacy Framework
5.0 Children’s Data
Our services are not intended for anyone under the age of 18. We therefore do not knowingly collect their data.
If we process data from users aged 13–17, we:
- Apply the Children’s Code;
- Limit data collection to what is strictly necessary;
- Use clear, age-appropriate language;
- Require parental consent where legally required.
6.0 Data Security and Breaches
We apply appropriate security measures including:
- Encryption of data in transit and at rest
- Multi-factor authentication for administrative systems
- Regular monitoring and system updates
We notify the ICO and affected individuals within 72 hours if a breach poses a risk to your rights and freedoms.
7.0 Retention Periods
We only keep data as long as necessary. Below are typical retention periods:
Data Type | Retention Period |
---|---|
Account and billing data | 6 years after account closure (to meet tax and accounting duties) |
Support tickets / contact-form enquiries | 2 years |
Marketing records (email lists, consent logs) | Until consent is withdrawn or 2 years of inactivity |
Analytics cookies and usage data (e.g. Google Analytics) | 14 months (standard retention period) |
Server and security logs | 3–12 months, depending on log type |
Encrypted backups | 60 days, then automatically overwritten |
8.0 Automated Decision-Making
We use automated tools (e.g. MaxMind) to assess order risk based on IP, location, and patterns.
High-risk orders may be flagged for manual review. You may request a human review and object to automated decisions.
9.0 Changes to This Policy
We post all updates to this page. For major changes, we’ll notify you directly via email or through your customer portal.
9.1 Policy Changelog
15/05/2025 Policy updated following routine review against legislation changes
04/04/2018 Policy rewritten to incorporate GDPR-required changes
20/10/2014 Initial policy published