Instagram Linkedin

Privacy Policy

  1. Overview & principles

We respect your privacy. This Policy explains how we collect, use, store, and share personal data and your rights under the EU General Data Protection Regulation (GDPR) and Irish law.

  1. Personal data we collect 
  • Identity & contact: name, postal address, email, telephone.
  • Order & payment: billing address, order history, payment transaction identifiers (payment card details are processed by our secure payment processor and are not stored by us).
  • Communications: messages you send to us, including customer service enquiries.
  • Cookies & analytics: see our Cookie Policy below.
  1. Purposes & lawful bases
  • To fulfil contracts: process orders, dispatch certificates, and provide the Service (lawful basis: performance of a contract).
  • Legal obligations: record-keeping for tax and accounting (legal obligation).
  • Marketing & updates: where you opt in, we may send newsletters and offers (consent). You can withdraw consent at any time.
  • Legitimate interests: preventing fraud, improving our website, and communicating important administrative messages (we ensure these do not override your rights).
  1. Sharing data
  • Third-party service providers (payment processors, delivery companies, IT and hosting providers) – only as needed and under contractual obligations to protect your data.
  • Where required by law (e.g., court orders, legitimate authority requests) we will share data.
  • We will not sell your personal data.
  1. International transfers

Some third-party processors may be located outside the EEA. We ensure appropriate safeguards (standard contractual clauses or adequacy decisions) before any data transfer.

  1. Retention

We retain order and transactional data for as long as required by law (usually 6–7 years for tax) and for legitimate business purposes. Marketing consents are retained until withdrawn.

  1. Your rights

You have rights under GDPR including the right to: access, rectify, erase (in certain circumstances), restrict processing, object to processing, data portability, and to withdraw consent. To exercise your rights contact hello@grownforest.ie You also have the right to lodge a complaint with the Irish Data Protection Commission: https://www.dataprotection.ie/.

  1. Security

We use appropriate technical and organisational measures to safeguard personal data. However, no internet transmission is 100% secure; we cannot guarantee absolute security.

  1. Contact & updates

Questions about this Policy: contact hello@grownforest.ie 

We may update this Policy; the effective date will be posted above.