Legal
Privacy Policy
Last updated: 10/06/2026
FORBAY LTD ("FORBAY", "we", "us", "our") is the data controller for personal data collected through forbayai.com and related services. This Privacy Policy explains what information we collect, how we use it, who we share it with, how long we keep it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
FORBAY LTD is a company registered in England & Wales under company number 16976893, with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom. You can contact us about any privacy matter using the contact details on our Contact page.
2. Information we collect
We collect the following categories of personal data: • Identity data: first name, last name, title, date of birth where required. • Contact data: billing address, delivery address, email address and telephone numbers. • Account data: username, password (stored hashed), preferences and saved addresses. • Transaction data: details of products you have purchased, order history, payment confirmations and refund records. We do not store full payment card details. • Technical data: IP address, browser type and version, time zone setting, operating system, device identifiers and pages viewed on our site. • Marketing and communications data: your preferences in receiving marketing from us, and your communication history with our support team. • Usage data: how you interact with our website, products and emails.
3. How we collect your data
We collect data when you create an account, place an order, contact customer support, subscribe to marketing emails, complete a survey, leave a review, or interact with our website through cookies and similar technologies. We may also receive data from third parties such as payment processors, shipping carriers, analytics providers and fraud-prevention services.
4. How we use your data
We process your personal data on the following legal bases: • Performance of a contract – to register your account, process orders, accept payments, deliver goods, manage returns and provide customer support. • Legitimate interests – to operate, improve and secure our website, prevent fraud, analyse aggregated usage, and send service announcements. • Consent – to send marketing emails about new products, offers and content, and to set non-essential cookies. You can withdraw consent at any time. • Legal obligation – to comply with tax, accounting, consumer protection and other applicable laws.
5. Sharing your data
We share personal data only with trusted third parties who provide services on our behalf, including: payment processors (e.g. Stripe), shipping and fulfilment partners, email delivery providers (e.g. Resend), cloud hosting providers, analytics providers, and professional advisers such as auditors and lawyers. We require all processors to maintain appropriate technical and organisational security measures and to process data only on our documented instructions. We may also disclose data where required by law, court order, or to protect our rights or those of our customers.
6. International transfers
Some of our service providers are located outside the United Kingdom. Where personal data is transferred outside the UK, we rely on UK adequacy regulations or appropriate safeguards such as the International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum.
7. Data retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting or reporting requirements. Order and transaction records are typically retained for 7 years to meet HMRC requirements. Marketing data is retained until you unsubscribe. Inactive accounts may be deleted after 3 years of inactivity.
8. Your rights
Under UK GDPR you have the right to: access your personal data; request correction of inaccurate data; request erasure; object to or restrict processing; request data portability; and withdraw consent at any time. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. To exercise your rights, please contact us via our Contact page.
9. Security
We use industry-standard technical and organisational measures including TLS encryption in transit, encryption at rest for sensitive fields, role-based access control, regular security reviews and audited third-party processors.
10. Children
Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "last updated" date at the top of the page indicates when it was last revised. Material changes will be notified to registered customers by email.