Skip to main content
Sensible Man Antiques logo
Sensible Man Antiques

Privacy Policy

Last updated: 28 April 2026

1. Introduction

Sensible Man Antiques (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data transparently. This policy explains what data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data controller

The data controller responsible for your personal data is Sensible Man Antiques, operated by Steve Brooker in the United Kingdom. If you have any questions about this policy or your data, contact us at info@sensiblemanantiques.com.

3. Information we collect

a) Information you provide

  • Account registration: Full name, email address, and optionally a phone number.
  • Profile details: Postal address, if you choose to add it.
  • Orders: Collector name and contact details when you place an order. These fields are encrypted at rest using database-level encryption.
  • Enquiries: Name, email, and message when you submit a contact or enquiry form.
  • Newsletter: Email address if you subscribe to our mailing list.

b) Information collected automatically

  • Analytics (consent only): If you accept analytics on the cookie banner, we collect anonymised page view data including page path, device type, and approximate country. IP addresses are cryptographically hashed with a daily rotating salt and cannot be reversed to identify you. If you choose “Essential only” we do not collect any of this.
  • Chargeback evidence: When you place an order we store a peppered SHA-256 hash of your IP address (never the raw IP) alongside your terms acceptance, condition acknowledgement, and digital signature. The hash is automatically deleted 180 days after the order is placed.
  • Essential cookies: We use cookies required for authentication, session management, your basket, and remembering your cookie preferences. These do not require consent because the site cannot function without them.
Current choice:

4. Legal basis for processing

We process your personal data on the following lawful bases under Article 6 of the UK GDPR:

  • Contract: To process your orders, manage reservations, and fulfil purchases and deliveries.
  • Consent: To send marketing emails such as new item alerts and newsletters. You can withdraw consent at any time.
  • Legitimate interest: To improve our website, prevent fraud, and respond to enquiries.
  • Legal obligation: To retain order records for accounting and tax purposes.

5. How we use your data

  • To create and manage your account.
  • To process orders, generate invoices, and manage reservations.
  • To send transactional emails (order confirmations, status updates, payment receipts).
  • To respond to your enquiries and support requests.
  • To send marketing communications where you have opted in (new item alerts, newsletters).
  • To analyse anonymised usage patterns and improve our website.

6. Who we share your data with

We do not sell, rent, or trade your personal data. We share data only with the following service providers who process it on our behalf:

  • Supabase — database hosting and authentication (EU data centres).
  • Resend — transactional and marketing email delivery.
  • Vercel — website hosting and content delivery.
  • Stripe — payment processing. Processes card details, name, and email address for secure card payments. See Stripe’s privacy policy.
  • Google (Gemini AI) — we use Google’s Gemini API for several features, all under Google Cloud’s enterprise terms which prohibit the use of our data to train Google’s models:
    • Match My Room (customer): if you upload a room photo, it is sent to Gemini for analysis. The photo is processed in memory only and is never stored by us or by Google beyond the duration of the request.
    • Steve Bot chat (customer): messages you send to the chatbot are processed by Gemini to generate replies. Conversations are retained for up to 90 days (see Section 8) and may be reviewed by us to improve the assistant.
    • Item description review (admin only, internal): item titles, descriptions, and listing photos are sent to Gemini to validate listings. No customer data is involved.
    • Lifestyle photo generation (admin only, internal): item photos and descriptions are sent to Gemini to generate illustrative environment scenes. No customer data is involved.
  • Cloudflare — invisible bot detection (Turnstile) on auth and contact forms. Cloudflare receives your IP and minimal browser characteristics to score the request. See Cloudflare’s privacy policy.
  • Upstash — distributed rate limiting (only when configured). Receives a hashed identifier and request counts to prevent abuse. No personal data is shared.
  • Royal Mail — when you choose tracked postage, your name and delivery address are shared with Royal Mail for fulfilment.

We display our public Instagram feed on the homepage. No personal data is shared with Meta for this purpose.

All processors are bound by written Data Processing Agreements (DPAs) and, where data is transferred outside the UK, by Standard Contractual Clauses (SCCs) or an equivalent UK adequacy mechanism.

7. How we protect your data

  • All data is transmitted over HTTPS with TLS encryption.
  • Sensitive fields (collector contact details) are encrypted at rest using database-level column encryption.
  • Passwords are hashed using industry-standard algorithms and are never stored in plain text.
  • Access to your data is controlled by Row Level Security (RLS) policies — you can only view your own data.
  • Administrative access is restricted to authorised personnel using role-based access controls.

8. Data retention

We only keep data for as long as we need it. The specific retention periods are:

  • Account data: Retained for as long as your account is active. Deleted on request (normally within 30 days of a deletion request), subject to the order-records exception below.
  • Order records: Retained for 6 years after the transaction date to comply with HMRC record-keeping obligations (Section 386 of the Companies Act 2006 and VAT Notice 700/21). After this period they are permanently deleted or irreversibly anonymised.
  • Payment records: Card details are never stored on our servers. Transaction metadata retained by Stripe is governed by Stripe’s privacy policy.
  • Enquiry & contact messages: Retained for up to 12 months, then deleted automatically.
  • Newsletter subscriptions: Retained until you unsubscribe. After unsubscribing we keep a suppression record (your email address only) so we don’t accidentally re-enrol you.
  • Raw analytics events: Automatically deleted 90 days after collection. Only aggregated, non-identifiable counts are retained beyond that.
  • Aggregated analytics: Anonymised counts (page views, device type, referrer) are retained indefinitely. They cannot be linked back to any individual.
  • Server logs & security events: Retained for up to 90 days for fraud prevention and incident response.
  • Chargeback evidence: Digital signature, hashed IP, photos-acknowledged count, and terms/condition timestamps are retained alongside the order for 6 years. Hashed IPs are automatically redacted (set to NULL) 180 days after the order is placed, since the Stripe dispute window has closed by then.
  • Chat conversations & chatbot data: Retained for up to 90 days, after which messages and the associated session metadata are deleted automatically.
  • Recently viewed items: Retained for up to 90 days to support the “recently viewed” feature in your account, then automatically deleted.

Where we are required by law to retain information (e.g. tax records) we do so in a restricted, access-controlled form and delete it as soon as the legal retention period ends.

9. Your rights

Under the UK GDPR, you have the following rights:

  • Right of access — You can request a copy of all personal data we hold about you. Use the “Download My Data” feature in your account settings or email us.
  • Right to rectification — You can update your personal details at any time through your account profile.
  • Right to erasure — You can request deletion of your account and personal data. Order records may be retained in anonymised form for legal obligations.
  • Right to restrict processing — You can ask us to limit how we use your data.
  • Right to data portability — You can download your data in a structured, machine-readable format (JSON).
  • Right to object — You can object to processing based on legitimate interest.
  • Right to withdraw consent — You can unsubscribe from marketing emails at any time using the link in any email, or through your account notification settings.

To exercise any of these rights, email info@sensiblemanantiques.com or use the data controls in your account settings. We will respond to all requests within 30 days.

10. International data transfers

Our service providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or UK adequacy decisions, as required by the UK GDPR.

11. Children’s privacy

Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Complaints

If you are unhappy with how we handle your personal data, please contact us first at info@sensiblemanantiques.com. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.

13. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify registered users by email before the changes take effect. The “last updated” date at the top of this page indicates when the policy was last revised.