Privacy Policy

    Last updated: April 2026

    1. Who We Are

    Hestoria is a luxury dining furniture brand operated by The Marble Group Ltd, a company based in the United Kingdom, specialising in premium stone dining tables, chairs, and coordinated dining sets. References to "we", "us", and "our" in this policy refer to The Marble Group Ltd trading as Hestoria.

    The Marble Group Ltd (trading as Hestoria) is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As data controller, we are responsible for deciding how and why your personal data is processed. We are committed to protecting your personal data and respecting your privacy.

    For any data protection queries, please contact us at: privacy@hestoria.co.uk

    2. What Data We Collect

    We may collect the following categories of personal data:

    • Identity data: first name, last name
    • Contact data: email address, telephone number, postal address
    • Transaction data: details about the products you have enquired about or ordered
    • Technical data: browser type, IP address, pages visited, and referring website (collected automatically via our website)
    • Usage data: information about how you use our website
    • Communications data: the content of any messages you send us through our enquiry form

    We do not collect or process any special categories of sensitive personal data (such as health, racial origin, or political opinions).

    3. How We Collect Your Data

    We collect data in the following ways:

    • Directly from you when you complete the enquiry form or checkout on our website
    • Automatically through cookies and similar technologies when you browse our website

    4. How We Use Your Data

    We use your personal data for the following purposes, relying on the lawful bases indicated:

    Purpose                                                 | Lawful Basis
    To respond to your enquiry or question                  | Consent / Legitimate interests
    To process and fulfil your order                        | Contract performance
    To manage our business and website                      | Legitimate interests
    To comply with legal obligations                        | Legal obligation
    To protect our website and forms from automated abuse   | Legitimate interests

    We do not use your personal data for marketing purposes. We will never send you unsolicited marketing emails, share your data with third parties for marketing, or use your contact details for any purpose other than responding to your specific enquiry or order.

    5. Cookies

    Our website uses cookies to improve your browsing experience and to help us understand how visitors use the site. We use:

    • Strictly necessary cookies: Required for the website to function (e.g. your shopping basket and session). These cannot be disabled.
    • Functional cookies: Remember your preferences (e.g. saved items). These are only set with your consent.
    • Security cookies: When you submit a form on our website, Cloudflare Turnstile (our bot-detection service) may set a cookie or use local storage to verify you are a human. This is a strictly necessary security measure and cannot be disabled.

    You can withdraw your optional cookie consent at any time by clearing your browser cookies or contacting us. Please note that disabling certain cookies may affect website functionality.

    6. Data Sharing

    We do not sell, rent, or trade your personal data to third parties. We may share your data with:

    • Service providers who assist us in operating our website and delivering orders (bound by confidentiality agreements)
    • Regulatory authorities or law enforcement where required by law

    All third parties are required to respect the security of your data and to treat it in accordance with UK GDPR.

    7. Third-Party Service Providers

    We use the following third-party services to operate our website and communicate with you:

    Replit: Our website is hosted on Replit, a US-based cloud platform. As our hosting provider, Replit's infrastructure processes all data that passes through our website — including any information submitted via our forms — before it is handled by our other services. Replit acts as a data processor on our behalf and is subject to appropriate data processing agreements. For more information, see Replit's Privacy Policy.

    Resend: We use Resend as our email service provider to deliver form submission notifications and confirmation emails. All data you enter into our forms — including your name, email address, phone number, physical address, and any uploaded documents — is processed and stored on Resend's secure servers in the United States. Resend is certified under the EU–US Data Privacy Framework to ensure compliant international data transfers. Email logs are accessible in our account for up to 30 days. Resend may retain data beyond this period in accordance with their own privacy policy.

    Cloudflare Turnstile: We use Cloudflare Turnstile as a bot-detection and human-verification service on our enquiry, quote, and checkout forms. When you submit a form, your IP address and certain browser signals are sent to Cloudflare's servers to verify that you are a human and not an automated script. Cloudflare is a US-based company and processes this data on servers that may be located outside the United Kingdom. Cloudflare participates in the EU–US Data Privacy Framework and has appropriate safeguards in place. This processing is a strictly necessary security measure carried out on the basis of our legitimate interests in protecting our services from abuse. For more information, see Cloudflare's Privacy Policy.

    8. Data Retention

    We retain your personal data for as long as necessary to fulfil the purposes set out in this policy, including to maintain a record of your enquiries and orders should you return to us in the future. In practice, this means we may retain your data indefinitely unless you request its deletion.

    You have the right to request deletion of your personal data at any time (see Section 9). Where we are required by law to retain certain records — for example, financial or contractual information — we will retain only what is legally necessary and for the minimum period required.

    9. Your Rights

    Under UK GDPR, you have the following rights:

    • Right of access: Request a copy of the personal data we hold about you
    • Right to rectification: Request correction of inaccurate or incomplete data
    • Right to erasure ("right to be forgotten"): Request deletion of your data in certain circumstances
    • Right to restriction: Request that we limit how we use your data
    • Right to data portability: Receive your data in a structured, commonly used format
    • Right to object: Object to processing based on legitimate interests
    • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time

    To exercise any of these rights, please contact us at privacy@hestoria.co.uk. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

    10. Data Security

    We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. Our website uses HTTPS encryption for all data in transit. Access to personal data is restricted to authorised personnel only.

    11. International Transfers

    We primarily process your data in the United Kingdom. However, as described in Section 7, three of our third-party service providers may process your data outside the UK: Replit (our hosting provider), Resend (our email provider), and Cloudflare (our security provider) all operate servers in the United States. Each is subject to appropriate safeguards for international data transfers in accordance with UK GDPR, including certification under the EU–US Data Privacy Framework where applicable.

    12. Automated Decision-Making

    We use Cloudflare Turnstile on our forms, which makes automated decisions about whether a form submission is likely to come from a human or an automated bot. If Turnstile determines a submission is likely automated, it will be blocked and your form will not be processed.

    This automated check is based on signals such as your IP address and browser behaviour. It does not involve profiling for marketing purposes and has no other legal or similarly significant effect on you beyond determining whether your form submission is accepted. It is carried out on the basis of our legitimate interests in protecting our services from abuse.

    If you believe your form submission has been incorrectly blocked, you can contact us directly at sales@hestoria.co.uk.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated date. We encourage you to review this page periodically. Continued use of our website after changes constitutes acceptance of the updated policy.

    14. Contact Us

    If you have any questions about this Privacy Policy or how we handle your data, please contact us:

    Hestoria

    Email: privacy@hestoria.co.uk