Privacy notice
UK GDPR & Data Protection Act 2018 · effective 26 May 2026
1. The data controller
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:
Eleanor Whitmore, trading as Milly Willy
14 Henrietta Mews, Bath BA2 6LR
E-mail: [email protected]
2. What we collect and why
- Order details — your name, postal address, e-mail, telephone (if supplied) and the order ledger reference. We need these to perform the contract of sale (Article 6(1)(b) UK GDPR).
- Correspondence — the content of any e-mails or letters you send us. Held on the basis of our legitimate interest in answering you (Article 6(1)(f)).
- Functional cookies — the contents of your satchel and bookmark, and your cookie-consent choice. These are strictly necessary within the meaning of regulation 6(4) of the Privacy and Electronic Communications Regulations 2003 (PECR), so no consent is required.
- Server logs — IP address, user agent and the URL requested, kept for 30 days, used for the legitimate interest of detecting fraud and abuse.
We do not use advertising trackers, analytics scripts or third-party social pixels on this site.
3. Who else sees the data
Our hosting provider sees the server logs (data processor). Royal Mail sees the delivery address (recipient/controller in its own right, for the purpose of delivery). Our bank sees the payment reference. HMRC sees what tax law requires. That is the entire list — no other recipients.
4. International transfers
The website is hosted in the United Kingdom; no personal data is transferred outside the UK by us. Where you choose to pay by a card-processing service (offered in our order-confirmation e-mail), that processor's privacy notice will apply to the card data you submit to them.
5. How long we keep it
- Order records: 6 years after the tax year of the transaction, as required by HMRC.
- Correspondence: 3 years after the last exchange, unless it relates to a warranty or complaint, in which case 6 years.
- Server logs: 30 days.
- Functional cookies: until you clear them (typically 1 year).
6. Your rights
Under the UK GDPR you have the right to: access the personal data we hold about you; ask us to correct inaccurate data; ask us to erase data we no longer need to hold; restrict or object to certain processing; receive your data in a portable format; and (where consent is the lawful basis) withdraw that consent at any time. To exercise any of these, write to [email protected]. We will respond within one calendar month.
7. The supervisory authority
If you believe we have not handled your data properly, you have the right to complain to the Information Commissioner's Office (ICO). The ICO can be reached at ico.org.uk/make-a-complaint (web form) or on 0303 123 1113 (helpline, weekdays 09.00–17.00). Their postal address is the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
8. Cookies in detail
The site uses four functional cookies and one local-storage entry:
- PHPSESSID — session identifier, expires on browser close. Holds the satchel and CSRF token.
- mw_consent — your cookie-banner choice (local storage), 1 year.
- mw_satchel/mw_bookmark — your basket and saved-entry lists, held in the PHP session.
9. Children
The cabinet is intended for adult consumers. We do not knowingly process the data of anyone under 16 without the consent of a parent or guardian.
10. Changes to this notice
Material changes are flagged on the front page of the cabinet for 30 days following the revision. The effective date at the top of this page is updated each time.