Customer Privacy Notice
Registered name: JDWorks LTD
We are the controller of your personal data. This privacy notice tells you what to expect us to do with your personal information.
Contact details
Email: hello@getmestra.com
What information we collect, use, and why
To provide services and goods, including delivery
- Names and contact details
- Addresses
- Purchase or account history
- Account information
- Website user information (including user journeys and cookie tracking)
- Photographs or video recordings (e.g. images of your space shared for design purposes)
- Call recordings
- Records of meetings and decisions
- Information relating to compliments or complaints
For the operation of customer accounts and guarantees
- Names and contact details
- Addresses
- Purchase history
- Account information, including registration details
- Information used for security purposes
- Marketing preferences
- Information relating to loyalty programmes
To prevent, detect, investigate or prosecute crimes
- Names and contact information
- Customer or client accounts and records
For service updates or marketing purposes
- Names and contact details
- Addresses
- Marketing preferences
- Purchase or viewing history
- Website and app user journey information
- Records of consent, where appropriate
To comply with legal requirements
- Name
- Contact information
For dealing with queries, complaints or claims
- Names and contact details
- Address
- Account information
- Purchase or service history
- Call recordings
- Relevant information from previous investigations
- Customer or client accounts and records
- Correspondence
Lawful bases and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. You can find out more about lawful bases on the ICO's website.
Your data protection rights:
- Right of access — you can ask for copies of your personal information
- Right to rectification — you can ask us to correct inaccurate or incomplete information
- Right to erasure — you can ask us to delete your personal information
- Right to restriction of processing — you can ask us to limit how we use your information
- Right to object to processing — you can object to the processing of your personal data
- Right to data portability — you can ask us to transfer your information to another organisation
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time
If you make a request, we must respond within one month. To make a data protection rights request, please contact us using the details above.
Our lawful bases for providing services and goods
Contract — we have to collect or use the information to carry out a contract with you. All data protection rights may apply except the right to object.
Legitimate interests — our legitimate interests are: retaining customer order information, contact details and purchase history to maintain accurate business records, prevent fraud, resolve disputes, and provide after-sales support (including handling returns, replacements or warranty issues). This processing benefits customers by enabling us to deliver a higher quality of service. The information is held only as long as necessary and is not shared with third parties for marketing purposes.
Our lawful bases for operating customer accounts and guarantees
Contract — we have to collect or use the information to carry out a contract with you.
Legal obligation — we have to collect or use your information to comply with the law.
Our lawful bases for preventing, detecting, investigating or prosecuting crimes
Legitimate interests — our legitimate interests are:
- Flagging suspicious orders
- Chargeback protection
- Blocking known fraudulent addresses/emails
Our lawful bases for service updates or marketing purposes
Consent — we have permission from you after giving you all the relevant information. You have the right to withdraw your consent at any time.
Legitimate interests — our legitimate interests are:
- Emailing existing customers about similar products (the “soft opt-in” rule under PECR)
- Service updates such as order confirmations and dispatch notifications
Our lawful bases for legal requirements
Legal obligation — we have to collect or use your information to comply with the law.
Our lawful bases for dealing with queries, complaints or claims
Contract — we have to collect or use the information to carry out a contract with you.
Legal obligation — we have to collect or use your information to comply with the law.
Where we get personal information from
- Directly from you
- Publicly available sources
How long we keep information
Data must not be kept longer than necessary for its original purpose. When the retention period expires, data is securely deleted or anonymised.
| Data category | Examples | Retention period | Legal basis |
|---|---|---|---|
| Transaction & financial records | Orders, invoices, payment confirmations | 6 years from transaction date | HMRC legal requirement |
| Customer order data | Name, delivery address, items ordered | 6 years from order date | Matches financial records |
| Warranty / guarantee records | Product faults, replacements, claims | Duration of warranty + 2 years | Consumer Rights Act 2015 |
| Customer account data | Login details, saved addresses, order history | Duration of account + 2 years after closure | Contract |
| Marketing consent records | Email opt-ins, preferences | While active + 2 years after unsubscribe | Proof of consent (PECR) |
| Complaint & dispute records | Emails, chat logs relating to disputes | 6 years from resolution | Limitation Act 1980 |
| Website enquiries / contact forms | General enquiries not leading to a sale | 2 years | Legitimate interest |
| Supplier / B2B contact data | Supplier names, emails, contracts | 6 years from end of relationship | Legal obligation / contract |
For more information on how long we store your personal information, please contact us using the details above.
Who we share information with
Data processors
Stripe, Inc.
Stripe processes customer payment data on our behalf to facilitate secure online transactions. All payment card details are entered directly into Stripe's systems — MESTRA does not store or have access to customers' card or banking information. Stripe is a financial technology company based in the United States, operating under PCI DSS compliance.
Convex, Inc.
Convex stores and processes customer order data, account information and application data on our behalf as our backend database and application infrastructure provider. Convex is a cloud technology / backend-as-a-service company based in the United States, with data hosted in the EU (Europe West).
Resend, Inc.
Resend processes customer email addresses on our behalf to deliver transactional emails, including order confirmations, dispatch notifications and account-related communications. Resend is an email delivery service provider based in the United States.
Google LLC
Google Analytics 4 processes consented analytics events, page views and conversion data on our behalf to help us understand website performance. Analytics processing is controlled by your cookie consent preferences.
Meta Platforms, Inc.
Meta Pixel and Conversions API process consented advertising and conversion measurement data on our behalf. Marketing processing is controlled by your cookie consent preferences.
Vercel, Inc.
Vercel hosts and serves our website and web application on our behalf. As our frontend infrastructure provider, Vercel may process personal data such as IP addresses and usage data as part of delivering the website to users. Vercel is a cloud hosting / platform-as-a-service company based in the United States.
Others we share personal information with
- Professional or legal advisors
- Relevant regulatory authorities (including HMRC and the ICO)
- Organisations we are legally obliged to share personal information with
Sharing information outside the UK
Where necessary, we transfer personal information outside of the UK. When doing so, we comply with the UK GDPR and ensure appropriate safeguards are in place.
| Organisation | Category | Country | Transfer mechanism |
|---|---|---|---|
| Stripe, Inc. | Payment processing | United States | International Data Transfer Agreement (IDTA) |
| Convex, Inc. | Database / backend hosting | United States | Addendum to EU Standard Contractual Clauses (SCCs) |
| Resend, Inc. | Email delivery | United States | International Data Transfer Agreement (IDTA) |
| Vercel, Inc. | Website / frontend hosting | United States | International Data Transfer Agreement (IDTA) |
Our data processors may also transfer personal information outside of the UK under the same mechanisms listed above.
For further information or to obtain a copy of the appropriate safeguard, please contact us using the details above.
How to complain
If you have any concerns about our use of your personal data, please contact us at hello@getmestra.com.
If you remain unhappy after raising a complaint with us, you can complain to the ICO:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: make a complaint to the Information Commissioner
Last updated: 16 March 2026