Privacy Policy
Plain English summary: We collect only what we need to run ShopList. We never sell your data. We never share it with advertisers. You can delete your account and all your data at any time.
1. Who We Are
ShopList is operated by ShopList (shoplist.uk), a UK-based service. We are the data controller for personal information collected through shoplist.uk.
For any privacy queries, contact us at: contact@shoplist.uk
2. What Data We Collect
2.1 Account Information
- Your name and email address (provided when you register)
- A hashed version of your password (a one-way hash, not reversible encryption); we never store passwords in plain text
- Account creation date and last login time
- Whether you are a Pro subscriber
2.2 Shopping Data
- Shopping lists you create (item names, quantities, estimated prices)
- Which items you tick off as purchased
- Completed shop totals and spending history
- Your preferred supermarket and weekly budget setting
2.3 Payment Data (Pro subscribers only)
- We use Stripe to process payments. We do not store your card details.
- We store your Stripe Customer ID and Subscription ID to manage your subscription.
- Stripe's privacy policy applies to payment processing: stripe.com/gb/privacy
2.4 Technical Data
- Session identifiers (stored as cookies) to keep you logged in
- CSRF tokens to protect form submissions against cross-site request forgery
- Server logs (IP address, request type) retained for up to 30 days for security purposes
2.5 Data We Do NOT Collect
- We do not use advertising cookies or tracking pixels
- We do not use Google Analytics or similar third-party tracking
- We do not collect location data
- We do not collect device identifiers
3. Legal Basis for Processing (UK GDPR)
| Purpose | Legal Basis |
|---|---|
| Providing the ShopList service (account, lists, sync) | Contract — necessary to perform the service you signed up for (Article 6(1)(b)) |
| Processing Pro subscription payments | Contract — necessary to fulfil your paid subscription (Article 6(1)(b)) |
| Security (session management, CSRF protection, server logs) | Legitimate interests — protecting users and the service from attacks (Article 6(1)(f)) |
| Sending transactional emails (welcome, password reset, subscription confirmation) | Contract / Legitimate interests (Article 6(1)(b) and (f)) |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
We do not process any special category data (health, religion, biometrics, etc.).
4. How We Use Your Data
- To provide and maintain your ShopList account
- To sync your shopping lists across devices
- To send you transactional emails (account confirmation, password reset, subscription receipts)
- To process and manage your Pro subscription via Stripe
- To protect our service from fraud and abuse
- To improve ShopList based on aggregated, anonymous usage patterns
We will never: sell your data, share it with advertisers, use it for behavioural profiling, or send you unsolicited marketing without your explicit consent.
5. Sharing Your Data
We share data only in these limited circumstances:
5.1 Service Providers
- Stripe — payment processing for Pro subscriptions (UK/EU data processor)
- Namecheap / Web hosting provider — our server infrastructure (data stored in the USA, under Standard Contractual Clauses)
- Cloudflare — bot protection via Turnstile on registration forms
5.2 Shared Lists Feature
If you choose to share a list via a WhatsApp link, anyone with that link can view your list and add items. You control this — sharing is off by default and you can disable it at any time.
5.3 Legal Requirements
We may disclose your data if required to do so by law, court order, or to protect the rights, property, or safety of ShopList, our users, or the public.
5.4 We Do NOT Share With
- Advertisers or marketing companies
- Data brokers
- Social media companies
- Any third party for their own marketing purposes
6. Cookies
We use only essential cookies required to operate the service:
| Cookie | Purpose | Duration |
|---|---|---|
| PHPSESSID | Keeps you logged in during your session | 30 days |
| cf_clearance | Cloudflare security (bot protection) | 1 year |
We do not use analytics cookies, advertising cookies, or any non-essential cookies. You do not need to accept a cookie banner to use ShopList because we only use strictly necessary cookies.
7. Data Retention
- Account data: retained while your account is active. Deleted within 30 days of account deletion.
- Shopping lists and history: retained while your account is active. Deleted with your account.
- Server logs: automatically deleted after 30 days.
- Payment records: retained for 7 years as required by UK financial regulations (HMRC).
- Password reset tokens: expire after 1 hour and are then deleted.
8. Your Rights Under UK GDPR
As a UK resident, you have the following rights regarding your personal data:
- Right of access — request a copy of all data we hold about you
- Right to rectification — correct inaccurate data (you can do this in Settings)
- Right to erasure — request deletion of your account and all associated data
- Right to restriction — ask us to stop processing your data in certain circumstances
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent
To exercise any of these rights, email us at contact@shoplist.uk. We will respond within 30 days as required by UK GDPR.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk · Phone: 0303 123 1113
9. Data Security
- All data is transmitted over HTTPS (TLS encryption)
- Passwords are hashed using bcrypt with a work factor of 12 — industry standard
- Database access is restricted to our server only — not publicly accessible
- CSRF tokens protect all form submissions against cross-site request forgery
- Session cookies are HttpOnly and SameSite=Lax to prevent theft
- Admin access is restricted to authorised personnel only
Despite these measures, no internet transmission is 100% secure. We will notify you and the ICO within 72 hours in the event of a data breach that poses a risk to your rights and freedoms, as required by UK GDPR Article 33.
10. International Data Transfers
Our web hosting provider may store data outside the UK. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO, in accordance with UK GDPR Chapter V.
11. Children's Privacy
ShopList is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at contact@shoplist.uk and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify registered users by email and update the "Last updated" date at the top of this page. Continued use of ShopList after changes constitutes acceptance of the revised policy.
13. Contact Us
🔒 Data Controller Contact
ShopList
Email: contact@shoplist.uk
Website: shoplist.uk
For data protection queries, subject access requests, or to exercise your rights under UK GDPR, please email us with "Privacy Request" in the subject line. We aim to respond within 30 days.