Privacy policy


Last updated: 14 April 2026

Taro's Wish ("we," "our," or "us") is a vintage clothing store based in the United Kingdom. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, share and safeguard your information when you visit taros-wish.com (the "Site"), place an order with us, or interact with us on social media.

This Policy is written in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).

1. Who We Are (Data Controller)

Taro's Wish is the data controller responsible for your personal data.

If you have any questions about this Policy or wish to exercise your rights, please contact us at the email address above.

2. Information We Collect

We collect and process the following categories of personal data:

a) Identity & Contact Data. Name, billing and shipping addresses, email address, and phone number that you provide when creating an account, placing an order, or contacting customer service.

b) Transaction Data. Details about products you have viewed or purchased, order history, and payment confirmation details. Full payment card information is NOT stored by us — it is processed securely by our payment providers (Shopify Payments, PayPal, Apple Pay, Google Pay, etc.).

c) Account & Loyalty Data. Login credentials (stored in hashed form), Taro Points balance, optional date of birth (used for birthday rewards), referral information, and profile details if you choose to sign in via a social media account.

d) Communications Data. Messages, emails, reviews, product questions, and other correspondence you send to us, including via email, contact forms, or social media direct messages.

e) Technical & Usage Data. IP address, device type, browser type and version, time zone setting, operating system, pages visited, referring URLs, and browsing behaviour on our Site. This is collected automatically via cookies and similar technologies.

f) Marketing & Preferences Data. Your consent choices, marketing preferences, and feedback or survey responses.

As a vintage clothing retailer, we do NOT knowingly collect special category data (such as health, biometric, or political data). Please do not send such information to us.

3. How We Collect Your Information

We collect personal data:

  • Directly from you, when you register an account, place an order, subscribe to our newsletter, contact us, or enter a giveaway.
  • Automatically, when you browse the Site (via cookies, server logs, and analytics tools).
  • From third parties, such as payment processors, delivery partners, social media platforms (if you connect an account), and analytics/advertising providers.

4. Why We Process Your Information (Legal Bases)

Under UK GDPR, we only process your data when we have a lawful basis to do so:

  • Performance of a contract: to process orders, take payment, ship your vintage items, handle returns and exchanges, and provide customer support.
  • Legitimate interests: to prevent fraud, secure our Site, improve our products and services, operate the Taro Points loyalty programme, analyse shopping trends, and showcase our vintage inventory.
  • Consent: to send marketing emails, to set non-essential cookies, and to contact you about products you have shown interest in. You may withdraw consent at any time.
  • Legal obligation: to comply with UK tax, accounting, consumer protection, and other regulatory requirements.

5. Product Photography — A Note About Our Images

Because we sell one-of-a-kind vintage pieces, the photographs on our Site are taken by our team (including by the owner of the store). These images may occasionally feature the photographer modelling or holding the item. They are intended solely to display the product and are not linked to any customer's personal data.

We do NOT publish photographs of our customers unless you have expressly given us permission to do so (for example, by tagging us in a post on social media that you have consented to be re-shared).

6. Who We Share Your Data With

We share personal data only with trusted service providers who help us run the Site and fulfil your orders. These include:

  • Shopify Inc. — our e-commerce platform provider, which hosts the Site, stores order and account data, and provides built-in marketing and analytics tools. Shopify acts as a data processor on our behalf. See Shopify's privacy policy at https://www.shopify.com/legal/privacy.
  • Payment providers — Shopify Payments, PayPal, Apple Pay, Google Pay and similar gateways process your payment. They are independent data controllers for payment data.
  • Delivery & logistics partners — such as Royal Mail, Evri, DPD, FedEx and other carriers we use to ship your order. We share only the information needed to deliver your parcel (name, address, phone, email).
  • Smile.io — to operate our Taro Points loyalty rewards programme.
  • Email marketing providers — such as Shopify Email or Klaviyo, used to send newsletters and transactional emails (only with the relevant legal basis).
  • Analytics & advertising partners — such as Google Analytics and Meta (Facebook/Instagram), where you have consented to non-essential cookies.
  • Professional advisers — accountants, auditors, and legal advisers where necessary.
  • Government authorities or law enforcement — where we are legally required to do so.

We do NOT sell your personal data to third parties.

7. International Data Transfers

Some of our service providers (including Shopify, Google, and Meta) are based outside the United Kingdom. Where we transfer personal data outside the UK, we ensure an adequate level of protection by relying on:

  • UK adequacy regulations, where available; or
  • Standard Contractual Clauses with the UK International Data Transfer Addendum; or
  • Other safeguards permitted by UK GDPR.

8. Cookies & Tracking Technologies

We use cookies and similar technologies to remember your cart, keep you signed in, understand how the Site is used, and (with your consent) show relevant advertising.

We use the following cookie categories:

  • Strictly necessary cookies — required for the Site to function (e.g. checkout, login). These cannot be switched off.
  • Performance & analytics cookies — help us understand how visitors use the Site.
  • Functional cookies — remember preferences such as currency or language.
  • Marketing cookies — used by us and partners to measure and personalise advertising.

Depending on your location, a cookie consent banner will appear when you first visit the Site, allowing you to accept, reject, or customise non-essential cookies. You can change your choices at any time via the cookie preferences link in the footer.

Note: Disabling strictly necessary cookies may affect key Site functions such as checkout.

9. Data Security

We have implemented appropriate organisational and technical measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These include encryption of data in transit (TLS/HTTPS), restricted access to personal data, and use of trusted, security-audited service providers such as Shopify.

No method of transmission over the Internet is 100% secure, but we work hard to protect your information and will notify you and the ICO where required by law in the event of a data breach.

10. How Long We Keep Your Data

We only retain your data for as long as necessary for the purposes for which it was collected, including:

  • Order and transaction records: 6 years, to comply with UK tax and accounting law (HMRC).
  • Account data: for as long as your account is active; we may delete inactive accounts after a prolonged period of no activity.
  • Marketing data: until you withdraw consent or unsubscribe.
  • Customer service correspondence: typically up to 3 years after the matter is resolved.
  • Cookie data: retention varies by cookie — see our cookie banner for details.

After these retention periods, your data is securely deleted or anonymised.

11. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access — to request a copy of the personal data we hold about you.
  • Right to rectification — to have inaccurate or incomplete data corrected.
  • Right to erasure ("right to be forgotten") — to have your data deleted where there is no legitimate reason to keep it.
  • Right to restrict processing — to limit how we use your data in certain circumstances.
  • Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
  • Right to object — to object to processing based on legitimate interests, or to direct marketing.
  • Right to withdraw consent — where we rely on consent, you may withdraw it at any time.

To exercise any of these rights, email us at ops@taros-wish.com. We will respond within one month, as required by UK GDPR. We may ask you to verify your identity before fulfilling your request.

12. Marketing Communications

We will only send you marketing emails where you have opted in, or where you are an existing customer and we are marketing similar vintage products in line with PECR's "soft opt-in" rule. You can unsubscribe at any time using the link in any marketing email, or by emailing ops@taros-wish.com.

13. Children's Privacy

Our Site is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.

14. Third-Party Links

Our Site may contain links to third-party websites, plug-ins, or services (for example, social media platforms). We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy notices before interacting with them.

15. Complaints

If you are unhappy with how we have handled your personal data, please contact us first at ops@taros-wish.com so we can try to resolve the issue.

You also have the right to lodge a complaint with the UK supervisory authority:

  • Information Commissioner's Office (ICO)
  • Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Website: https://ico.org.uk
  • Helpline: 0303 123 1113

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The "Last updated" date at the top of this Policy shows when it was last revised. Significant changes will be highlighted on the Site or notified to you by email.

17. Contact Us

If you have any questions, requests, or concerns about this Privacy Policy or about how we handle your personal data, please contact us: