Privacy Policy


How we collect, use, protect, and share your personal data — and your rights under UK GDPR

Effective Date: 1 June 2026  |  Version 1.0

 

 

This Privacy Policy explains how Anamorphic & Co. (trading as CasaVera) collects, uses, stores, and protects your personal data. We are committed to handling your information lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read this policy carefully. By using our Website or engaging with our services, you confirm that you have read and understood this policy.

 

1.   Who We Are — The Data Controller

The data controller for all personal data collected through the CasaVera website (www.casavera.co.uk) and via our services is:

 

     Legal Entity: Anamorphic & Co.

     Trading Brand: CasaVera

     Company Number: 12784775 (Registered in England & Wales)

     Registered Office: 17 Rambler Lane, Slough, SL3 7RR

     Trading / Experience Centre: Unit 129, Clock Tower Road Industrial Estate, Isleworth, TW7 6GF

     Website: www.casavera.co.uk

     Data Protection Contact: enquiries@casavera.co.uk

 

We are registered with the Information Commissioner's Office (ICO) as a data controller. If you have any queries about how we process your personal data, please contact us at enquiries@casavera.co.uk.

 

2.   Personal Data We Collect

We collect and process the following categories of personal data, depending on how you interact with us:

 

2.1   Data You Provide to Us Directly

     Identity data: full name, title, company name (for Trade Customers)

     Contact data: email address, telephone number, postal address, delivery address

     Order and design data: project requirements, design preferences, product specifications, room measurements, and any personal or aesthetic preferences you share with us

     Financial data: payment card details (processed securely via our payment provider — we do not store full card numbers), billing address

     Communications data: enquiries, consultation notes, complaints, warranty claims, and any correspondence you send us

     Account data: username and password if you create an account on the Website

     Event and appointment data: consultation booking details, visit preferences, and scheduling information

 

2.2   Data We Collect Automatically When You Use Our Website

     Technical data: IP address, browser type and version, device type, operating system, time zone, and location data

     Usage data: pages visited, links clicked, time spent on pages, referring URLs, and browsing behaviour on the Website

     Cookie data: information collected via cookies and similar tracking technologies (see Section 9 — Cookie Policy)

 

2.3   Data We Receive From Third Parties

     Analytics providers (such as Google Analytics): aggregated and anonymised data about Website usage

     Payment processors: transaction confirmation data (we do not receive or store full payment card details)

     Social media platforms: publicly available information where you engage with our social media accounts (Instagram, Facebook, Pinterest, LinkedIn, X)

     Referral data: if you are referred to us by a Trade Customer, architect, or interior designer

 

2.4   Special Category Data

We do not intentionally collect any special category personal data (such as health, race, religion, or political views). Please do not submit such data to us. If you inadvertently share such data (for example, in design notes or correspondence), we will treat it with additional care and delete it where it is not necessary for us to retain.

 

3.   How We Use Your Personal Data — Lawful Bases

Under the UK GDPR, we are required to identify a lawful basis for every purpose for which we process your personal data. The table below sets out the purposes for which we use your data and the lawful basis for each:

 

Purpose | Type of Data Used | Lawful Basis | Retention
To respond to your enquiry or consultation request | Identity, Contact, Communications | Legitimate interests / Pre-contractual steps | 3 years from last contact
To prepare design work and specifications for your project | Identity, Contact, Order & Design | Performance of contract / Pre-contractual steps | 7 years from project completion
To process your Order and manage the contract | Identity, Contact, Order & Design, Financial | Performance of contract | 7 years from Order completion
To process payments and prevent fraud | Identity, Financial, Technical | Performance of contract / Legal obligation | 7 years (statutory)
To arrange delivery and installation | Identity, Contact, Order & Design | Performance of contract | 3 years from delivery
To manage warranty claims and complaints | Identity, Contact, Communications | Performance of contract / Legal obligation | 7 years from claim
To send you transactional communications (order updates, delivery notifications) | Identity, Contact | Performance of contract | Duration of contract
To send you marketing communications (where you have consented or we have a legitimate interest) | Identity, Contact | Consent / Legitimate interests | Until withdrawal of consent or opt-out
To improve our Website, products, and services | Technical, Usage, Cookie | Legitimate interests | 26 months (analytics)
To comply with legal and regulatory obligations | All categories as necessary | Legal obligation | As required by law (minimum 6 years)
To enforce our Terms of Business and protect our legal rights | All categories as necessary | Legitimate interests / Legal obligation | Duration of any dispute + 6 years

 

4.   Marketing Communications

4.1   We will only send you marketing emails, newsletters, product updates, event invitations, or promotional communications where you have:

     Actively opted in to receive marketing from us (e.g. by subscribing on the Website or completing a consultation booking form); or

     Purchased from us or made an enquiry, and we are marketing similar products or services to you, and you have not opted out (soft opt-in under UK PECR rules)

 

4.2   You can withdraw your consent to marketing, or opt out of marketing communications, at any time by:

     Clicking the 'unsubscribe' link in any marketing email we send you

     Emailing us at customerservices@casavera.co.uk with the subject 'Marketing Opt-Out'

     Updating your preferences in your online account (if applicable)

 

4.3   Opting out of marketing communications will not affect the delivery of transactional communications relating to your active Orders, consultations, or warranty matters.

 

5.   Who We Share Your Personal Data With

We do not sell, rent, or trade your personal data. We share your data only in the following circumstances and only to the extent necessary:

 

5.1   Service Providers and Data Processors

We engage third-party service providers who process personal data on our behalf and under our instruction. These include:

     Payment processors: to securely process card payments (e.g. Stripe, PayPal, or equivalent)

     Delivery and logistics partners: to arrange despatch and delivery of Goods to your address

     Installation subcontractors: to carry out installation services at your property

     IT and hosting providers: to host and maintain the Website and our systems

     Email and CRM platforms: to manage customer communications and bookings (e.g. HubSpot)

     Analytics providers: to analyse Website usage and improve our services (e.g. Google Analytics)

     Accounting and legal advisers: where necessary for legal or financial compliance

 

Where we engage data processors, we take reasonable steps to select reputable providers and, where practicable, we enter into data processing agreements that require processors to maintain appropriate technical and organisational security measures. However, many of our third-party service providers — including payment processors, analytics platforms, CRM systems, email marketing platforms, and social media operators — are global businesses that operate under their own independent terms of service, privacy policies, and data governance frameworks. These providers operate outside the United Kingdom and are subject to the laws and regulatory regimes of their own jurisdictions, which may differ from UK law.

 

Anamorphic & Co. cannot be held liable for the data protection practices, UK GDPR compliance, or any data processing activities of third-party operators, platform providers, or suppliers who operate independently outside the United Kingdom. Our liability is limited to the reasonable steps we take in selecting and instructing our processors. Where a third-party platform or supplier independently determines the purposes and means of processing personal data, they act as an independent data controller and are solely responsible for their own compliance. We encourage you to review the privacy policies of all third-party services you interact with.

 

5.2   Legal and Regulatory Disclosure

We may disclose personal data to law enforcement agencies, regulatory authorities, courts, or other third parties where we are legally required to do so, or where we reasonably believe disclosure is necessary to:

     Comply with a legal obligation, court order, or regulatory requirement

     Protect and defend the Company's legal rights

     Prevent or detect fraud, crime, or a threat to safety

 

5.3   Business Transfers

In the event of a merger, acquisition, sale of assets, or restructuring of the Company, personal data held by us may be transferred to the relevant acquirer or successor entity as part of that transaction. We will notify affected individuals of any such transfer where required by law.


6.   International Data Transfers and Third-Party Platform Operators

6.1   Some of our service providers, platform operators, and suppliers are based or operate outside the United Kingdom. When your personal data is transferred to or processed by organisations outside the UK — including in the European Economic Area, the United States, and other international territories — different data protection laws apply. The UK GDPR requires that we only transfer personal data outside the UK where appropriate safeguards are in place.

 

6.2   Where we are able to do so, we rely on the following safeguards for international data transfers:

     Transfers to countries that have received an adequacy decision from the UK Secretary of State, confirming that the country provides an equivalent level of data protection to the UK

     International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses, which contractually require the overseas recipient to protect personal data to UK GDPR standards

     Binding Corporate Rules, where applicable

 

6.3   However, many third-party platform operators and technology providers we use — including social media platforms (Meta/Instagram/Facebook, Pinterest, LinkedIn, X/Twitter), analytics providers (Google Analytics), payment processors, and CRM or email marketing platforms — are global businesses that operate under their own independent terms and privacy frameworks. These operators function as independent data controllers in respect of the data they collect and process through their own platforms. They are not acting on our instructions when processing data through their own systems and interfaces.

 

IMPORTANT LIMITATION OF LIABILITY: Anamorphic & Co. cannot be held responsible or liable for the data protection compliance, UK GDPR compliance, security practices, or data handling of any third-party operator, platform provider, website operator, or supplier that operates independently outside the United Kingdom — including but not limited to social media platforms, payment gateways, analytics providers, and logistics partners. Once data passes to an independent third-party controller operating under its own terms, that controller is solely responsible for its own compliance. Our responsibility is limited to the reasonable steps we take in selecting reputable providers and putting in place appropriate contractual protections where we act as data controller instructing a processor.


6.4   We encourage you to review the privacy policies of any third-party platform or service you use in connection with CasaVera, including the social media platforms through which you may contact or follow us. Each platform's privacy policy will explain how that platform collects and uses your data independently of us.


 

6.5   You may contact us at customerservices@casavera.co.uk if you have a specific query about international data transfers relating to data we directly control.

 

7.   Data Security

7.1   We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it from unauthorised access, loss, destruction, or disclosure. These measures include:

     Encryption of data in transit using SSL/TLS technology

     Access controls limiting data access to authorised personnel only, on a need-to-know basis

     Regular security assessments and reviews of our systems and procedures

     Secure payment processing via PCI-DSS compliant payment providers — we do not store full payment card details

     Staff training on data protection and information security


 

7.2   Whilst we take all reasonable steps to protect your personal data, no method of internet transmission or electronic storage is entirely secure. We cannot guarantee absolute security and encourage you to take precautions with any personal data you share online.

 

7.3   In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and, where required, notify affected individuals without undue delay.

 

8.   Your Rights Under UK GDPR

As a data subject under UK GDPR, you have the following rights in relation to your personal data. We will respond to all valid requests within one calendar month (or up to three months for complex requests, with notice given).

 

Right of Access (Subject Access Request)

You have the right to request a copy of the personal data we hold about you, together with information about how we use it. Requests are free of charge and can be submitted to customerservices@casavera.co.uk.


Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

 

Right to Erasure ('Right to be Forgotten')

You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (where consent was the lawful basis), or where you object to processing and we have no overriding legitimate grounds. This right is subject to legal retention obligations — we cannot erase data we are legally required to retain.

 

Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where processing is unlawful but you prefer restriction to erasure.

 

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

 

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing for that purpose immediately.

 

Rights Related to Automated Decision-Making

You have the right not to be subject to solely automated decisions that produce legal or similarly significant effects. We do not currently carry out automated decision-making of this kind.

 

Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time if you believe we have processed your personal data unlawfully. The ICO can be contacted at:

     Website: www.ico.org.uk

     Telephone: 0303 123 1113

     Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

We encourage you to contact us in the first instance at customerservices@casavera.co.uk, as we will endeavour to resolve your concern directly and promptly.

 

9.   Cookie Policy

9.1   Our Website uses cookies and similar tracking technologies to improve your browsing experience, analyse Website traffic, and support our marketing activities. This section explains what cookies are, which cookies we use, and how you can control them.


What Are Cookies?

Cookies are small text files that are stored on your device when you visit a website. They enable the website to recognise your device and remember information about your visit.

 

Cookies We Use

 

Cookie Type | Purpose | Examples | Duration
Strictly Necessary | Essential for the Website to function — cannot be disabled | Session cookies, shopping cart, login authentication | Session / Short-term
Functional | Remember your preferences and settings (e.g. language, region) | Preference cookies | Up to 12 months
Analytics & Performance | Help us understand how visitors use the Website so we can improve it (data is anonymised/aggregated) | Google Analytics (_ga, _gid) | Up to 26 months
Marketing & Targeting | Track your browsing to deliver relevant advertising on other platforms (only with your consent) | Meta Pixel, LinkedIn Insight, Pinterest Tag | Up to 13 months

 

Managing Your Cookie Preferences

9.2   When you first visit our Website, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You can change your cookie preferences at any time by:

     Clicking the 'Cookie Settings' link in the footer of the Website

     Adjusting your browser settings to block or delete cookies (please note this may affect the functionality of the Website)

     Using browser extensions or privacy tools to manage tracking

 

9.3   Strictly necessary cookies cannot be disabled as they are essential for the Website to operate. All other cookie categories require your consent, which you can withdraw at any time without affecting the lawfulness of processing before withdrawal.

 

9.4   For more information about managing cookies, please visit www.allaboutcookies.org or www.youronlinechoices.com.

 

10.   Data Retention

10.1   We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Our general retention periods are:

 

     Customer and Order data (including design files): 7 years from the date of project completion, in accordance with HMRC requirements and the Limitation Act 1980

     Financial and payment records: 7 years from the end of the financial year in which the transaction occurred

     Warranty and complaint records: 7 years from the date of the claim or complaint

     Website analytics data: 26 months from the date of collection (standard Google Analytics retention period)

     Marketing and email subscriber data: until you opt out or withdraw consent, or until we determine the data is no longer accurate or relevant

     Enquiry and consultation data (where no Order placed): 3 years from the date of last contact

     CCTV footage at the Experience Centre (if applicable): 31 days, unless retained for a specific security or legal purpose

 

10.2   When personal data is no longer required, it will be securely deleted or anonymised.

 

11.   Children's Privacy

Our Website and services are not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe that a child under 18 has provided personal data to us, please contact us at customerservices@casavera.co.uk and we will take prompt steps to delete the information.

 

12.   Third-Party Websites and Links

Our Website may contain links to third-party websites, social media platforms, and partner sites. This Privacy Policy applies solely to our Website. We are not responsible for the privacy practices of any third-party websites. We encourage you to review the privacy policies of any website you visit via links on our Website.

 

13.   Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or regulatory guidance. The date of the most recent revision is stated at the top of this document. Where material changes are made, we will notify you by email (if we hold your email address) or by displaying a prominent notice on the Website. We encourage you to review this policy periodically.

 

14.   Contact Us — Data Protection Queries

If you have any questions about this Privacy Policy, wish to exercise any of your data subject rights, or have a concern about how we handle your personal data, please contact us:

 

     By email: customerservices@casavera.co.uk

     By post: Data Protection, Anamorphic & Co., Unit 129, Clock Tower Road Industrial Estate, Isleworth, TW7 6GF

     By telephone: +44 (0)20 8068 2000

 

We will respond to all data protection queries and Subject Access Requests within one calendar month of receipt. Where a request is particularly complex or numerous, we may extend this period by a further two months, and will notify you accordingly.

 

 

 

This Privacy Policy is effective from 1 June 2026 (Version 1.0) and supersedes all previous versions.

CasaVera is a brand of Anamorphic & Co. | Registered in England & Wales No. 12784775