Privacy Policy

Last updated: 16 April 2026

Background

Jade Roselli Cosmetologist Ltd, trading as Roselli & Co., understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who visits this website, https://roselliand.co (“Our Site”), and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.

Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of this Privacy Policy is requested when you submit an enquiry through our contact form, submit an application through our join-the-team form, or otherwise provide personal data to us through Our Site.

1. Definitions and Interpretation

In this Policy the following terms shall have the following meanings:

  • “Cookie” means a small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site. Details of the Cookies used by Our Site are set out in Part 14, below.
  • “Cookie Law” means the relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • “UK GDPR” means the UK General Data Protection Regulation, which together with the Data Protection Act 2018 forms “the Data Protection Legislation”.

2. Information About Us

Our Site is owned and operated by Jade Roselli Cosmetologist Ltd, a limited company registered in England and Wales under company number 14289885, trading as Roselli & Co.

  • Registered office: 32 Hanbury Road, Innsworth, Gloucester, GL3 1PU.
  • Contact email for data protection enquiries: chris@roselliand.co.

We have not appointed a formal Data Protection Officer. The company falls well below the thresholds in Article 37 of the UK GDPR that would require one. Please direct any data protection questions or data-subject rights requests to the email address above, which is monitored by Chris Ball.

3. What Does This Policy Cover?

This Privacy Policy applies only to your use of Our Site. Our Site may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites, and we advise you to check the privacy policies of any such websites before providing any data to them.

4. What Is Personal Data?

Personal data is defined by the UK GDPR and the Data Protection Act 2018 (collectively, “the Data Protection Legislation”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

5. What Are My Rights?

Under the Data Protection Legislation, you have the following rights, which we will always work to uphold:

  • The right to be informed about our collection and use of your personal data. This Privacy Policy should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 15.
  • The right to access the personal data we hold about you. Part 13 will tell you how to do this.
  • The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 15 to find out more.
  • The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we hold. Please contact us using the details in Part 15 to find out more.
  • The right to restrict (i.e. prevent) the processing of your personal data.
  • The right to object to us using your personal data for a particular purpose or purposes.
  • The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time.
  • The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
  • Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 15.

It is important that your personal data is kept accurate and up to date. If any of the personal data we hold about you changes, please keep us informed as long as we have that data.

Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first, using the details in Part 15.

6. What Data Do You Collect and How?

Depending upon your use of Our Site, we may collect and hold some or all of the personal and non-personal data set out below, using the methods also set out below. Please also see Part 14 for more information about our use of Cookies and similar technologies. We do not collect any special category or sensitive personal data, personal data relating to children, or data relating to criminal convictions and offences.

  • Identity information including your name. Collected directly from you when you submit our contact form on the Contact page or our join-the-team form on the Join page.
  • Contact information including your email address. Collected directly from you when you submit either of the forms described above.
  • Wedding enquiry information including your wedding date, venue, party size, and the free-text content of your message. Collected directly from you when you submit the contact form.
  • Recruitment information including details of your relevant experience and the free-text content of your message. Collected directly from you when you submit the join-the-team form.
  • Technical information including your IP address (anonymised by our analytics provider), browser type and version, device type, operating system, referrer, and pages viewed. Collected automatically by our analytics provider when you browse Our Site, subject to your cookie consent. See Part 14 for details.

7. How Do You Use My Personal Data?

Under the Data Protection Legislation, we must always have a lawful basis for using personal data. The following describes how we will or may use your personal data, and our lawful bases for doing so:

  • Responding to wedding and bridal enquiries. We use your name, email address and enquiry details (wedding date, venue, party size, message) to reply to you, discuss availability, and prepare a quote or proposal. Lawful basis: taking steps at your request prior to entering into a contract (UK GDPR Article 6(1)(b)).
  • Managing bookings and providing our services. If your enquiry progresses to a booking, we use the same information to administer your booking and deliver the bridal hair and makeup services you have booked. Lawful basis: performance of a contract with you (UK GDPR Article 6(1)(b)).
  • Reviewing join-the-team applications. We use the information submitted via the join form (name, email, experience and message) to assess whether to invite you to the next stage of our recruitment process and to respond to you. Lawful basis: our legitimate interests in recruiting and evaluating prospective team members (UK GDPR Article 6(1)(f)). Our legitimate interest is building and maintaining the Roselli & Co. team.
  • Communicating with you. We use your name and email address to reply to messages you send us and to follow up on active enquiries or applications. Lawful basis: Article 6(1)(b) for pre-contract and contract-related communications, and Article 6(1)(f) (our legitimate interest in responding to people who contact us) in all other cases.
  • Administering and improving Our Site. We use technical information and aggregate analytics data to understand how Our Site is used, diagnose problems, protect against abuse, and improve the content and user experience. Lawful basis: your consent for analytics cookies (UK GDPR Article 6(1)(a)), which you may withdraw at any time. See Part 14.
  • Protecting Our Site from spam and abuse. We use submitted form data and technical information (such as your IP address and user agent) to detect and block spam and fraudulent submissions. Lawful basis: our legitimate interests in the security and integrity of Our Site and our business (UK GDPR Article 6(1)(f)).
  • Complying with legal obligations. Where we are required by law to retain or disclose certain records, we will do so. Lawful basis: compliance with a legal obligation (UK GDPR Article 6(1)(c)).

We do not carry out automated decision-making or profiling. We do not sell your personal data to anyone, and we do not share it with third parties for their own marketing purposes. We do not send marketing emails or newsletters from Our Site.

We will only use your personal data for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose. If we do use your personal data in this way and you wish us to explain how the new purpose is compatible with the original, please contact us using the details in Part 15.

If we need to use your personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for which it was originally collected, we will inform you and explain the legal basis which allows us to do so.

In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the bounds of the Data Protection Legislation and your legal rights.

8. How Long Will You Keep My Personal Data?

We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods:

  • Wedding and bridal enquiry data (name, email, wedding date, venue, party size, message): retained for 2 years from your wedding date. If your enquiry does not progress to a booking, we retain the enquiry for 2 years from the date you submitted it. After this period the records are deleted or anonymised.
  • Join-the-team application data (name, email, experience, message): retained for 12 months from the date of your application, after which it is deleted. If we progress your application into an ongoing working relationship, that information becomes subject to separate employment or contractor privacy terms.
  • Email correspondence relating to enquiries or applications: retained in line with the periods above, and then deleted or anonymised.
  • Technical and analytics information: retained by our analytics provider for a maximum of 14 months from collection, in line with Google Analytics 4’s data retention setting. Aggregated, non-identifiable analytics reports may be retained for longer.
  • Records we are legally required to keep (for example for tax or accounting purposes): retained for the period required by the relevant law, typically 6 years.

9. How and Where Do You Store or Transfer My Personal Data?

Some of your personal data is stored outside the UK. Specifically, data submitted through the contact and join-the-team forms is processed by our website host, Cloudflare, Inc., which is based in the United States. Form submissions are also transmitted to Resend, Inc. (United States) solely for the purpose of delivering an email notification to us; Resend does not store your form data after delivery. Our content management system, Sanity.io (see Part 10 for details), stores data within the European Economic Area, but importantly Sanity does not receive any personal data submitted through our forms, only content authored by Jade Ball for publication on Our Site.

The United States is classed as a “third country” under the UK GDPR. We rely on the following safeguard for transfers of personal data to the United States: Cloudflare, Inc. and Resend, Inc. are each certified under the EU-US Data Privacy Framework and the UK Extension to the EU-US Data Privacy Framework (commonly known as the “UK-US Data Bridge”). This is an adequacy-based transfer mechanism recognised by the UK Government as providing an adequate level of protection for personal data transferred to participating US organisations. For further information about adequacy decisions and adequacy regulations, please refer to the Information Commissioner’s Office.

Please contact us using the details in Part 15 for further information about the particular data protection safeguards used by us when transferring your personal data to a third country.

The security of your personal data is essential to us, and to protect your data, we take a number of important measures, including the following:

  • limiting access to your personal data to those employees, agents, contractors, and other third parties with a legitimate need to know, and ensuring that they are subject to duties of confidentiality;
  • procedures for dealing with data breaches (the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data) including notifying you and/or the Information Commissioner’s Office where we are legally required to do so;
  • serving Our Site exclusively over HTTPS, so that data submitted through forms is encrypted in transit;
  • using reputable, security-accredited suppliers for hosting, form storage and analytics (detailed in Part 10);
  • protecting the accounts used to manage Our Site with strong, unique passwords and, where available, two-factor authentication;
  • verifying form submissions using Cloudflare Turnstile, a challenge-based system that confirms the visitor is genuine before the submission is processed, reducing the risk of malicious or fraudulent processing.

10. Do You Share My Personal Data?

We do not sell your personal data, and we do not share it with third parties for their own marketing purposes. We do, however, use a small number of trusted third-party service providers (“data processors”) who process personal data on our behalf, strictly under our instructions, in order to deliver Our Site and our services.

The current recipients of personal data are:

  • Cloudflare, Inc. (data processor). Activity: hosting Our Site via Cloudflare Pages; processing submissions from our contact and join-the-team forms via Cloudflare Workers; verifying that form submissions are made by genuine visitors via Cloudflare Turnstile. Sector: web infrastructure and security. Location: United States. Safeguard: EU-US Data Privacy Framework and UK Extension (UK-US Data Bridge), as described in Part 9.
  • Resend, Inc. (data processor). Activity: delivering transactional email notifications of form submissions to us. Resend receives only the data contained in the submission for the purpose of email delivery and does not retain it after delivery. Sector: transactional email infrastructure. Location: United States. Safeguard: EU-US Data Privacy Framework and UK Extension (UK-US Data Bridge), as described in Part 9.
  • Sanity.io (operated by Sanity AS, data processor). Activity: content management system used to author and store the content displayed on Our Site (for example blog posts, gallery images, testimonials and site settings). Sanity does not process any personal data submitted through our forms. Sector: content infrastructure. Location: European Economic Area.
  • Google Ireland Limited (data processor, acting for Google LLC). Activity: providing Google Analytics 4, which collects pseudonymous usage data about visitors to Our Site (see Part 14). Sector: analytics and advertising technology. Location: Ireland, with onward transfer to Google LLC in the United States. Safeguard: Google LLC is certified under the EU-US Data Privacy Framework and UK Extension.

If any of your personal data is shared with a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law, as described above in Part 9.

If any personal data is transferred outside of the UK, we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the Data Protection Legislation, as explained above in Part 9.

If we sell, transfer, or merge parts of our business or assets, your personal data may be transferred to a third party. Any new owner of our business may continue to use your personal data in the same way(s) that we have used it, as specified in this Privacy Policy.

In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

11. How Can I Control My Personal Data?

In addition to your rights under the Data Protection Legislation, set out in Part 5, when you submit personal data via Our Site you may be given options to restrict our use of your personal data. In particular, we aim to give you strong controls on our use of your data, including the ability to refuse or withdraw consent to analytics cookies at any time through the cookie banner on Our Site (see Part 14).

We do not operate a marketing mailing list and do not send marketing emails from Our Site, so there is no marketing opt-out to manage. If you have sent us an enquiry or application and would prefer we stop corresponding with you, simply reply to the relevant email thread or contact us using the details in Part 15 and we will delete your personal data in line with Part 8.

You may also wish to sign up to one or more of the preference services operating in the UK: The Telephone Preference Service (“the TPS”), the Corporate Telephone Preference Service (“the CTPS”), and the Mailing Preference Service (“the MPS”). These may help to prevent you receiving unsolicited marketing from third parties. Please note, however, that these services will not prevent you from receiving marketing communications that you have consented to receiving.

12. Can I Withhold Information?

You may access Our Site without providing any personal data at all. Our Site is primarily a brochure website: you can browse the home, about, services, bridal, gallery, blog and join pages, and view content, without submitting any personal data. However, if you wish to send an enquiry through the contact form or submit a join-the-team application, you will need to provide the information requested on those forms so that we can respond to you.

You may restrict our use of Cookies. For more information, see Part 14.

13. How Can I Access My Personal Data?

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 15. Please include enough detail for us to identify you and the data you are asking about.

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data, within that time. In some cases, however, particularly if your request is more complex, more time may be required, up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

14. How Do You Use Cookies?

Our Site may place and access certain first-party Cookies on your computer or device. First-party Cookies are those placed directly by us and are used only by us. We use Cookies to facilitate and improve your experience of Our Site and to provide and improve our services. We have carefully chosen these Cookies and have taken steps to ensure that your privacy and personal data is protected and respected at all times.

By using Our Site, you may also receive certain third-party Cookies on your computer or device. Third-party Cookies are those placed by websites, services, and/or parties other than us. At the time of writing, Our Site does not use any third-party Cookies other than the analytics Cookies described below. We do not embed social media widgets, video players, advertising networks, chat tools, or payment processors that would set their own Cookies.

All Cookies used by and on Our Site are used in accordance with current Cookie Law.

Before non-essential Cookies (including analytics Cookies) are placed on your computer or device, you will be shown a cookie banner requesting your consent to set those Cookies. By giving your consent you are enabling us to better understand how Our Site is used and to improve it over time. You may, if you wish, deny consent to the placing of Cookies. Your use and experience of Our Site will not be impaired by refusing consent to analytics Cookies.

Certain features of Our Site may depend on strictly necessary Cookies to function (for example to remember your cookie preference itself). Cookie Law deems these Cookies to be “strictly necessary”. Your consent will not be sought to place these Cookies, but it is still important that you are aware of them. You may still block these Cookies by changing your internet browser’s settings as detailed below, but please be aware that Our Site may not work properly if you do so.

First-party Cookies

The following first-party Cookies may be placed on your computer or device:

  • cookie-consent: records your cookie consent choice so that the banner is not shown again on every page load. Strictly necessary: yes.
  • _ga: set by Google Analytics 4 (operating as a first-party Cookie on Our Site) to distinguish unique users. Used for analytics. Strictly necessary: no.
  • _ga_<container-id>: set by Google Analytics 4 (operating as a first-party Cookie on Our Site) to persist session state. Used for analytics. Strictly necessary: no.

Third-party Cookies

At the time of writing, no third-party Cookies are placed on your computer or device by Our Site. The Google Analytics 4 Cookies described above run as first-party Cookies on the roselliand.co domain. Our spam protection, Cloudflare Turnstile, verifies visitors via a lightweight client-side widget and does not set any Cookies on your device in its default configuration.

Analytics

Our Site uses analytics services provided by Google (Google Analytics 4). Website analytics refers to a set of tools used to collect and analyse anonymous usage information, enabling us to better understand how Our Site is used. This, in turn, enables us to improve Our Site and the services offered through it.

Google Analytics 4 uses Cookies to gather the required information. IP addresses are anonymised before being stored. You do not have to allow us to use these Cookies, and they will only be set if you give consent through our cookie banner. Our use of them does not pose any risk to your privacy or your safe use of Our Site; it simply helps us continually improve Our Site.

The analytics service used by Our Site uses the following Cookies:

  • _ga: first-party, provider Google LLC, purpose: distinguishes unique users over a 2-year rolling window for analytics reporting.
  • _ga_<container-id>: first-party, provider Google LLC, purpose: persists session state for Google Analytics 4 (the container ID is unique to our analytics property).

In addition to the controls that we provide, you can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all Cookies or only third-party Cookies. By default, most internet browsers accept Cookies, but this can be changed. For further details, please consult the help menu in your internet browser or the documentation that came with your device.

You can choose to delete Cookies on your computer or device at any time. However, you may lose any information that enables you to access Our Site more quickly and efficiently, including your saved cookie preference.

It is recommended that you keep your internet browser and operating system up to date, and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.

15. How Do I Contact You?

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details (for the attention of Jade Roselli):

  • Email address: chris@roselliand.co.
  • Postal address: Jade Roselli Cosmetologist Ltd, 32 Hanbury Road, Innsworth, Gloucester, GL3 1PU, England.

This Privacy Policy is governed by the laws of England and Wales, and any disputes relating to it will be subject to the exclusive jurisdiction of the courts of England and Wales.

16. Changes to this Privacy Policy

We may review and update this Privacy Policy from time to time to ensure continued compliance with the law and best practice. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.

Any changes will be immediately posted on Our Site, and you will be deemed to have accepted the terms of the Privacy Policy on your first use of Our Site following the alterations. We recommend that you check this page regularly to keep up to date. This Privacy Policy was last updated on 16 April 2026.