Privacy Policy

Privacy Policy

Last updated: 20 May 2026

1. Introduction

This Privacy Policy explains how ROSTTYA LTD (“ROSTTYA”, “we”, “us”, “our”) collects, uses and protects your personal data when you use the website at rosttya.com (the “Website”) and when you purchase our products.

ROSTTYA LTD is the data controller for the personal data described in this Policy. We are a company registered in England and Wales, Company Number 16632288, with our registered office at 5c Forster Road, London, N17 6QD, United Kingdom. The sole director of ROSTTYA LTD is Rostislav Dimitrov Rusinov.

This Policy is issued under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, together with the Privacy and Electronic Communications Regulations 2003 (“PECR”) in respect of cookies and electronic marketing.

You may contact us about your personal data at hello@rosttya.com.

2. What Personal Data We Collect

We collect the following categories of personal data:

  • Account and contact information: name, email address, phone number
  • Order information: billing address, delivery address, items purchased, order value, order history
  • Payment information: we do not store full card numbers; payment details are processed and stored by our payment processor Stripe, which provides us with a payment reference token and the last four digits of the card
  • Communication records: emails you send to us and our responses
  • Marketing preferences: whether you have subscribed to our newsletter and which categories of content you prefer to receive
  • Website usage data: limited technical data from strictly necessary cookies (see our Cookie Policy) such as session identifiers and consent records. We do not currently use Google Analytics, Meta Pixel or any third-party analytics or advertising trackers

We do not collect or process special category data (such as health, race, religion or biometric data). We do not knowingly collect personal data from anyone under the age of 16.

3. Lawful Basis for Processing

We rely on the following lawful bases under UK GDPR Article 6:

  • Performance of a contract: processing your order, taking payment, arranging delivery, processing returns and refunds. Without this data we cannot fulfil your order
  • Legitimate interests: fraud prevention, record-keeping for our internal business analytics (in aggregated form), and responding to customer service queries
  • Legal obligation: retaining records of sales for 6 years for HMRC tax compliance, and complying with our consumer-law obligations under CCR 2013 and CRA 2015
  • Consent: sending you marketing emails (opt-in newsletter), and setting non-essential cookies. You may withdraw consent at any time

4. How We Use Your Data

We use your personal data to:

  • Process and fulfil your orders, including dispatch to your delivery address
  • Take payment via Stripe and issue refunds where applicable
  • Respond to your customer service queries
  • Process returns, refunds and complaints in accordance with our Returns & Refunds Policy
  • Send you order updates and dispatch notifications (this is contract performance, not marketing)
  • Send you marketing emails about new collection drops and seasonal lookbooks — only if you have opted in
  • Meet our legal record-keeping obligations to HMRC and other UK authorities
  • Investigate suspected fraud or misuse of the Website

5. Who We Share Your Data With

We share your personal data only with the following third parties, and only to the extent necessary:

  • Stripe (payment processor): billing details and payment amount are shared with Stripe Payments Europe Ltd, which processes payments on our behalf. Stripe’s privacy policy is available at https://stripe.com/privacy
  • Courier (Royal Mail or DPD): your name, delivery address and phone number (for delivery notifications) are shared with the courier we use to deliver your order
  • HMRC and other UK regulators: aggregated sales data and order records as required by law
  • Our hosting and email service providers: data is stored on servers operated by our website hosting provider; transactional emails are sent via standard email infrastructure

We do not share your data with any marketing third party, data broker, or advertising platform. We do not sell your personal data to anyone, ever.

6. International Data Transfers

Stripe is headquartered in the United States and some payment processing may involve transfer of data to the US. These transfers are made under the UK Addendum to the EU Standard Contractual Clauses, which provide an adequate level of protection under UK GDPR. Stripe also self-certifies under the UK extension to the EU-US Data Privacy Framework.

Couriers and other operational service providers used by us are based within the United Kingdom; no transfer of delivery address data outside the UK takes place for these services.

7. How Long We Keep Your Data

We retain your personal data for the following periods:

  • Order records (invoices, receipts, customer details associated with sales): 6 years from the date of order, in accordance with HMRC requirements under the Value Added Tax Act 1994 and Companies Act 2006 (record-keeping obligations apply regardless of our VAT status)
  • Marketing data (newsletter subscription): until you unsubscribe, after which we delete your contact details from our marketing list within 30 days
  • Customer service emails: 2 years from the date of last correspondence, unless they relate to an ongoing dispute
  • Account inactivity: if you have a Website account and do not use it for 3 years, we may delete the account after sending you a notification email

8. Your Rights

Under UK GDPR you have the following rights in respect of your personal data:

  • Right of access: you can request a copy of the personal data we hold about you
  • Right to rectification: you can ask us to correct inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”): you can ask us to delete your data, subject to our legal obligation to retain order records for 6 years
  • Right to restriction of processing: you can ask us to limit how we use your data in certain circumstances
  • Right to data portability: you can request a copy of your data in a structured, machine-readable format
  • Right to object: you can object to processing based on legitimate interests, and to direct marketing at any time
  • Right to withdraw consent: where we rely on consent (e.g. marketing), you can withdraw consent at any time without affecting prior processing
  • Right not to be subject to automated decision-making: we do not currently make decisions about you using automated processing

To exercise any of these rights, email us at hello@rosttya.com. We will respond within one month of receiving a valid request, and may extend this by a further two months for complex requests (we will tell you if so).

9. Cookies

The Website uses only strictly necessary cookies at present (session identifiers, checkout cart state, and consent records). We do not use third-party analytics, advertising or tracking cookies. Full details, including a list of specific cookies, are set out in our Cookie Policy.

10. Security

We take appropriate technical and organisational measures to protect your personal data:

  • HTTPS encryption for all Website pages
  • Payment data encrypted at rest and in transit by Stripe; we do not store full card details on our own servers
  • Access controls on administrative accounts
  • Regular software updates
  • No third-party tracking scripts at this stage

No system is perfectly secure. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (“ICO”) within 72 hours of becoming aware of it, and we will notify affected customers without undue delay.

11. Children

The Website and our products are intended for adult customers. We do not knowingly market to or collect personal data from children under 16. If you believe we have inadvertently collected data from a minor, please contact hello@rosttya.com and we will delete it promptly.

12. Changes to This Policy

We may update this Policy from time to time. Any material change will be communicated to subscribed customers by email and posted on this page with a revised “Last updated” date. The version applicable to data we hold is the version in effect at the time the data was collected, unless we have obtained fresh consent under a newer version.

13. Contact for Privacy Queries

Email: hello@rosttya.com
Postal address:
ROSTTYA LTD
5c Forster Road
London, N17 6QD
United Kingdom

For the avoidance of doubt, all privacy queries should be addressed to ROSTTYA LTD using the email address above; we will route them internally to the relevant team.

14. Your Right to Complain to the ICO

If you are not satisfied with our handling of your personal data or our response to a request you have made, you have the right to complain to the Information Commissioner’s Office:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: https://ico.org.uk/

We would, however, appreciate the opportunity to address your concerns first, so please consider contacting us at hello@rosttya.com before approaching the ICO.

Scroll to Top
ROSTTYA · UK contemporary women's shirts
© 2026 ROSTTYA LTD · Company No. 16632288 · Director: Rostislav Dimitrov Rusinov
Registered office: 5c Forster Road, London, N17 6QD, United Kingdom
Prices include all applicable taxes.
Contact: hello@rosttya.com · +44 7972107661