This privacy policy (“Policy”) describes how we collect, use and disclose personal data when you visit, register for an account or make a purchase from our website (“Sites”).

The Sites are operated by The Italian Secrets Limited (UK company number 12830687 – “us” or “we”) and we are committed to protecting and respecting your privacy. If you have any comments or questions regarding your personal data please contact us via:

For additional information on how we use cookies, please refer to our Cookie Policy. For all other information regarding our services, please refer to our Terms & Conditions.

We are responsible for ensuring that your personal data is held securely, that you are given accurate information about how your data is used, and that your rights regarding your data are respected. Neither our Sites nor the products we sell are aimed specifically at individuals under the age of 18; we do not promote our products to this market, and we cannot identify individuals of this age and under on our database. Please refer to our Terms & Conditions for more information.

Collecting Personal Information

We are the data controller and responsible for our Sites and for your personal data.

When you visit our Sites, we collect certain information about your device, your interaction with the Sites, and information necessary to process your purchases. We may also collect additional information if you contact us for customer support.

In this Policy, we refer to any information that can uniquely identify an individual (including the information below) as “personal data”.

Personal data is collected when you place an order, contact us, register for an account with us, opt in to our marketing communications, browse our Sites and use other services offered by our Sites. The personal data we collect is used to take your order, process payment and deliver your purchase to you.

We also use it to deliver marketing communications, give access to services for registered users, personalise your visit to our Site and provide assistance via our Customer Care team:

Device information

  • Examples of Personal Information collected: version of web browser, IP address, time zone, cookie information, language preferences, what sites or products you view, search terms, and how you interact with the Site.
  • Purpose of collection: to load the Site accurately for you, and to perform analytics on Site usage to optimize our Site.
  • Source of collection: Collected automatically when you access our Site using cookies, log files, web beacons, tags, or pixels.
  • Disclosure for a business purpose: shared with our sub-processor Shopify

Order information

  • Examples of Personal Information collected: name, date of birth, billing address, shipping address, payment information (including credit card numbers), email address, and phone number.
  • Purpose of collection: to create a user account and to provide products or services to you to fulfil our contract, to process your payment information, arrange for shipping, and provide you with invoices and/or order confirmations, communicate with you, screen our orders for potential risk or fraud, and when in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
  • Source of collection: collected from you and your interactions with our Sites, or via social media platforms when you engage with us (i.e. Facebook, Twitter, Instagram, Google Ads).
  • Disclosure for a business purpose: shared with our processor Shopify, Social Media (such as Facebook, Instagram, etc.), payments gateways, shipping company and suppliers.

Customer support information

  • Examples of Personal Information collected: name, billing and shipping address, email address, telephone number, payment information (including credit or debit card numbers), and any social media account details used to contact us.
  • Purpose of collection: to provide customer support.
  • Source of collection: collected from you and your interactions with our Sites, or via social media platforms when you engage with us (i.e. Facebook, Twitter, Instagram, Google Ads).
  • Disclosure for a business purpose: shared with our processor Shopify, Social Media (such as Facebook, Instagram, etc.), payments gateways (such as Shopify Payments, PayPal, Sage or WorldPay), shipping company (for example, UPS) and suppliers.

Marketing Information

  • Examples of Personal Information collected: name, date of birth, billing address, shipping address, payment information (including credit card numbers), email address, and phone number, social media accounts.
  • Purpose of collection: to provide you with information via email, text/SMS, mail or telephone about products or services you are interested in, or which are similar to ones you have previously purchased or engaged with.
  • Source of collection: collected from you and your interactions with our Sites, or via social media platforms when you engage with us (i.e. Facebook, Twitter, Instagram, Google Ads).
  • Disclosure for a business purpose: shared with any sub-processor we may use for marketing purposes (such as the social media platforms we use, or managed marketing communication platforms such as Mailchimp).


Our Sites are not intended for individuals under the age of 18. We do not intentionally collect Personal Information from children. If you are the parent or guardian and believe your child has provided us with Personal Information, please contact us at the address below to request deletion.

Sharing Personal Information

We share your personal data with service providers to help us provide our services and fulfil our contracts with you, as described above; these are our personal data sub-processors. For example:

  • We use Shopify to power our online store. You can read more about how Shopify uses your personal data here:
  • We use order information to process and fulfil your order; however, we do not have direct access to any payment information, which is managed securely via Shopify payment.
  • We may share your personal data to comply with applicable laws and regulations, to respond to a lawful request for information we receive, or to otherwise protect our rights.

Lawful Basis

As a UK-based business we are subject to the Data Protection Act 2018 (DPA 2018), and for so long as it applies to us, the General Data Protection Regulation (GDPR). 

Under the DPA 2018 (and GDPR) we rely on four lawful reasons to collect, use and disclose your personal data: Performance of a Contract (for example, to supply purchases made by you), our Legitimate Interests as a business (for example, to monitor and improve our performance of services to you), a Legal Obligation we are required to follow (for example, to protect your data security rights) and Consent which you provide to us (for example, for marketing and to tell you about new products and services).


If you have given your consent to our use of your personal data (for example, for email marketing purposes), you are entitled to withdraw this consent at any time. We will seek your express opt-in consent before we share your personal data with any company outside of The Italian Secrets for marketing purposes.

You can ask us or third parties to stop sending you marketing messages at any time, including by following the opt-out or unsubscribe links in any marketing message sent to you or by contacting us.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, registration, or other transaction, or where we need to keep your contact details or make contact with you for contractual performance or legitimate interest purposes, or compliance with a legal obligation.

Behavioural Advertising

As described above, we may use your personal data to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For example:

  • We use Google Analytics to help us understand how our customers use our Sites.

You can read more about how Google uses your Personal Information here:

You can also opt-out of Google Analytics here:

  • We may share information about your use of the Site, your purchases, and your interaction with our ads on other websites with our advertising partners. We collect and share some of this information directly with our advertising partners, and in some cases through the use of cookies or other similar technologies (which you may consent to, depending on your location), including through social media (i.e. Facebook, Twitter, Instagram).

For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at

Third Parties

Your personal data will also be transmitted to third parties that we use to provide our services; these parties have been rigorously assessed for the way in which they manage personal data and may only use your data for the exact purposes that we specify in the contract with them (as sub-processors they give us promises about how they will and will not use any personal data provided to them). 

The third parties in question belong to the following categories:

  • Companies such as payment service providers that help us to process your order (such as PayPal, Sage or WorldPay).
  • Companies that help us to deliver your purchases such as couriers and parcel delivery companies (such as UPS) who deliver your goods.
  • Professional service providers, such as email delivery suppliers, IT software providers, marketing and research agencies, analytics companies and website hosts who help us to run our business.
  • Credit reference agencies, law enforcement and fraud prevention agencies, so we can help tackle fraud.
  • Governmental bodies and regulators to comply with our legal obligations.
  • Our product suppliers.


Aggregated data that does not identify individuals is shared with internal teams, relevant service providers and brand partners for business planning purposes.

We may also transfer your Personal Information to a purchaser or potential purchaser of our business or if our assets are acquired by another organisation. The purchaser will be required by law to use your Personal Information only as described in this Privacy Policy.

Personal Information collected via our Sites will be initially processed in Ireland and then will be transferred outside of Europe for storage and further processing, including to Canada and the United States. We will send details of any orders made to our suppliers (predominantly in Italy) to enable them to fulfil your order.

For more information on how data transfers comply with the GDPR, see Shopify’s GDPR Whitepaper:

Data Retention

When you register with us, contact us or place an order through our Sites, we will only collect as much personal data as we require. In any event we will retain your personal data for our records for a maximum of six years in line with our legal and accounting obligations, unless and until you ask us to erase this information.

After this period, your data will be permanently erased or otherwise irreversibly rendered anonymous. We may anonymise personal data collected by us or for us for statistics and analytical purposes only.

For more information on your right of erasure, please see the ‘Your rights’ section below.

Automatic decision-making

Under the DPA 2018 (and GDPR) you have the right to object to processing based solely on automated decision-making (which includes profiling), when that decision-making has a legal effect on you or otherwise significantly affects you.

We do not engage in fully automated decision-making that has a legal or otherwise significant effect using customer data.

Our processor Shopify uses limited automated decision-making to prevent fraud that does not have a legal or otherwise significant effect on you.

Services that include elements of automated decision-making include:

  • Temporary denylist of IP addresses associated with repeated failed transactions. This denylist persists for a small number of hours.
  • Temporary denylist of credit cards associated with denylisted IP addresses. This denylist persists for a small number of days.

Your rights

Under the DPA 2018 (and GDPR) you have certain legal rights in relation to our collection, storage and disclosure of the personal data we hold about you:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you would like to exercise these rights, please contact us by email at: .

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

Data Security

We are committed to taking appropriate technical and organisational measures to protect personal information against unauthorised access, unlawful processing, accidental loss or damage, and unauthorised destruction of personal data.

In particular, where available we use security measures that employ pseudonymisation or encryption of your data to ensure the confidentiality, integrity, and availability of your personal data as well as the resilience of the systems and services that process them. We have the ability to restore the availability and access to personal data in the event of a physical or technical incident.

Changes to this notice

We keep this Policy under regular review in order to reflect changes in our services and in privacy regulation. This Privacy Policy was last updated in November 2020.

You should check this page to keep up-to-date on any changes we may make to this policy and our processes.

If you believe that we are processing your personal data illegally, you have the right to lodge a complaint with the relevant supervisory authority. In the UK, this is the ICO:

Cookie Policy

Our Sites use cookies to distinguish you from other users. This helps us to provide you with a good experience when you use our Sites and also allows us to improve our Sites. By continuing to use the Site, and accepting our cookie notifications, you are agreeing to our use of cookies.

Further information on the cookies we use can be found within our Cookie Policy.