Privacy Policy
Last modified on 08-10-2025
Introduction
This Privacy Statement is issued by the Company (« we », « us », « our ») and applies to information collected and processed about individuals (« you », « your ») who interact with our services. We are committed to protecting and respecting your privacy in compliance with the (UK) General Data Protection Regulation and other relevant EU privacy laws (hereinafter collectively referred to as “GDPR”).
Our Privacy Statement explains how we collect, use, share, and protect your personal information when you use our services, visit our website, or interact with us. It also describes your rights regarding your personal information and how you can exercise them.
Identity and Contact Details of the Data Controller
In accordance with the GDPR, the Data Controller responsible for the processing of personal data under this Privacy Statement is the Company (« Data Controller »). The Data Controller can be contacted via the following means:
Email: [Insert Email Address]
Physical Address: [Insert Physical Address]
Phone Number: [Insert Phone Number]
Data Subjects, as defined under GDPR, have the right to contact the Data Controller for any inquiries or concerns regarding the processing of their personal data.
Privacy Policy
The Website’s Privacy Policy outlines the way the Company collects, uses, and protects the personal data of Consumers. The Company is committed to ensuring that the privacy of Consumers is protected in accordance with applicable data protection laws, including but not limited to the (UK) GDPR.
Personal data collected by the Company includes IP address, email address, physical address details, and payment information. The Company also processes special category data including medical history, weight, and height, only with explicit consent and where strictly necessary. This data is collected and processed solely for the specific purposes of processing transactions, delivering Products, and improving the Consumer experience on the Platform, in accordance with Article 6 and Article 9 of the UK GDPR.
Consumers have all rights granted under the UK GDPR, including: the right to be informed about the collection and use of their personal data; the right to access their data; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object to processing; and rights relating to automated decision making and profiling. The Company will obtain explicit consent from Consumers before processing any special category data such as health data, and maintain records of such consent in compliance with Article 7 of the UK GDPR. Consumers may exercise their rights at any time by contacting our Data Protection Officer at [DPO contact details].
The Company implements appropriate technical and organizational measures as required by Article 32 of the UK GDPR to ensure the security of personal data, including: encryption of personal data; ensuring ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner in the event of an incident; and regular testing and evaluation of security measures. The Company maintains detailed records of these security measures and regularly reviews their effectiveness.
By using the Platform, Consumers consent to the collection and use of their personal data as described in this Privacy Policy. Consumers have the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
For any questions or concerns regarding this Privacy Policy or the handling of personal data, Consumers may contact the Company directly through the contact information provided on the Platform.
Purposes of Processing
The Data Controller processes personal data of the Data Subject for the following purposes:
To fulfil contractual obligations between the Data Controller and the Data Subject, including but not limited to the provision of products or services requested by the Data Subject.
To comply with legal requirements applicable to the Data Controller under the laws of England and Wales, including but not limited to tax and reporting obligations.
To communicate with the Data Subject regarding transactions, security, privacy, and administrative issues related to their use of the Data Controller’s services.
To improve and personalize the experience of the Data Subject on the Data Controller’s platforms, including the use of data analytics to better understand the preferences and behaviour of the Data Subject.
To protect the rights, property, or safety of the Data Controller, the Data Subject, or others, including the prevention and investigation of fraud and other illegal activities.
To market and advertise the Data Controller’s products or services to the Data Subject, subject to obtaining explicit consent from the Data Subject where required by applicable law.
This processing is carried out on the legal bases of contract performance, legal obligation, legitimate interests pursued by the Data Controller, and consent of the Data Subject, as applicable and in accordance with the GDPR.
Legal Basis for Processing
The Data Controller processes the personal data of the Data Subject based on the following legal bases, in accordance with the GDPR:
Consent: The Data Subject has given clear consent for the Data Controller to process their personal data for a specific purpose.
Contract: The processing is necessary for the performance of a contract to which the Data Subject is party, or to take steps at the request of the Data Subject prior to entering into a contract.
Legal Obligation: The processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
Vital Interests: The processing is necessary to protect the vital interests of the Data Subject or of another natural person.
Public Task: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
Legitimate Interests: The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, particularly where the Data Subject is a child.
Categories of Personal Data
The Data Controller may collect and process the following categories of personal data about the Data Subject:
Identification data, such as names, addresses, and date of birth;
Contact information, including email addresses and telephone numbers;
Financial information, like bank account numbers and transaction history;
Technical data, which may include IP addresses, browser types, and log information;
Usage data, detailing how the Data Subject interacts with services provided by the Data Controller;
Medical history, weight, and height, if relevant and with explicit consent from the Data Subject;
Any other personal data that the Data Subject chooses to share with the Data Controller.
This personal data is collected for the purposes outlined in the Privacy Statement and is processed in accordance with applicable laws and regulations of England and Wales.
Recipients of Personal Data
In accordance with this Privacy Statement, the Data Controller may share the Data Subject’s personal data with the following categories of recipients:
Service providers and subcontractors who perform services on behalf of the Data Controller, including but not limited to payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance.
Partners and affiliates of the Data Controller for the purposes of providing products, services, or offers that may be of interest to the Data Subject, subject to the Data Subject’s consent where required by applicable law.
Regulatory authorities, law enforcement agencies, and other governmental bodies when required by law or in response to a valid request related to a criminal investigation or alleged illegal activity.
Third parties in connection with a merger, sale of company assets, financing, or acquisition of all or a portion of the Data Controller’s business by another company, where the Data Subject’s personal data may be among the assets transferred.
The Data Controller ensures that all recipients of personal data are bound by confidentiality obligations and applicable data protection laws to protect the Data Subject’s personal data.
Transfer of Data Outside the European Union
In compliance with the UK GDPR and UK Data Protection Act 2018, the Data Controller may transfer personal data collected from the Data Subject to countries outside the United Kingdom only if adequate protection measures are in place. These measures include, but are not limited to, the use of standard contractual clauses approved by the European Commission, adherence to an approved code of conduct or certification mechanism, or ensuring the recipient is under an adequacy decision by the European Commission.
Before any transfer takes place, the Data Controller will assess the level of protection provided by the receiving country, territory, or specified sector, including the security measures applied by the data recipient. The Data Controller will provide the Data Subject with information regarding the transfer, including the legal basis for the transfer and the protective measures in place, upon request.
The Data Subject has the right to obtain a copy of the documents evidencing the protection measures by contacting the Data Controller directly. The Data Controller will take all necessary steps to ensure that the personal data of the Data Subject is treated securely and in accordance with this Privacy Statement and the GDPR, irrespective of the geographical location of the data processing.
Data Retention Period
In compliance with the GDPR, the Data Controller will retain the personal data of the Data Subject only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable law. The retention period may vary depending on the nature of the data and the purposes for which it is processed. Specific retention periods are determined based on the following criteria:
The necessity to retain the personal data for the fulfilment of the contractual and pre-contractual obligations between the Data Controller and the Data Subject.
The need to comply with legal obligations and regulatory requirements, including but not limited to tax and commercial laws.
The importance of retaining the data for the establishment, exercise, or defence of legal claims.
Any consent provided by the Data Subject for a longer retention period.
Upon the expiration of the retention period, the personal data will be securely deleted or anonymized, so it can no longer be associated with the Data Subject. The Data Controller will also take appropriate measures to ensure that any third parties acting on its behalf adhere to similar data retention practices.
Data Subject’s Rights
In compliance with the GDPR, the Data Subject is granted the following rights concerning their personal data processed by the Data Controller:
Right to Access: The Data Subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
Right to Rectification: The Data Subject has the right to obtain the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the Data Subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to Erasure (‘Right to be Forgotten’): The Data Subject has the right to obtain the erasure of personal data concerning them without undue delay under certain conditions, such as when the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; if the Data Subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing; if the Data Subject objects to the processing pursuant to Article 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21(2) GDPR.
Right to Restriction of Processing: The Data Subject has the right to obtain restriction of processing under certain conditions, such as when the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data; if the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead; if the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise, or defence of legal claims; if the Data Subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.
Right to Data Portability: The Data Subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the Data Controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) or point (b) of Article 6(1) or point (a) of Article 9(2) GDPR, or on a contract pursuant to point (b) of Article 6(1), and the processing is carried out by automated means.
Right to Object: The Data Subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Right to Not be Subject to a Decision Based Solely on Automated Processing, Including Profiling: The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless such decision is necessary for entering into, or performance of, a contract between the Data Subject and a data controller, or is authorised by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, or is based on the Data Subject’s explicit consent.
Right to Withdraw Consent: Where the processing of personal data is based on consent, the Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint with a Supervisory Authority: The Data Subject has the right to lodge a complaint with a supervisory authority, particularly in the country of their habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the processing of personal data relating to them infringes the GDPR.
Right to Withdraw Consent
In accordance with the GDPR, the Data Subject has the right to withdraw their consent at any time where the Data Controller relies on their consent to process personal data. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
To withdraw consent, the Data Subject may contact the Data Controller using the contact information provided in this Privacy Statement. Upon receipt of a withdrawal request, the Data Controller will cease processing the personal data for the purposes for which consent was given, unless another legal basis for processing exists.
The Data Subject is informed that the withdrawal of consent may affect the ability of the Data Controller to provide certain services for which the processing of personal data is necessary.
Automated Decision Making and Profiling
In accordance with the GDPR, the Data Controller informs the Data Subject that it does not engage in automated decision-making processes, including profiling, that would have a legal or similarly significant effect on the Data Subject. The Data Controller is committed to ensuring transparency and fairness in all its data processing activities.
Should the Data Controller decide to introduce such automated decision-making processes in the future, it will provide the Data Subject with information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject. Prior to implementing such processes, the Data Controller will also seek explicit consent from the Data Subject, in compliance with the GDPR requirements.
Data Security Measures
In compliance with the GDPR, the Data Controller commits to implementing and maintaining comprehensive data security measures to protect the personal data of the Data Subject against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Such measures include, but are not limited to:
Ensuring that personal data is encrypted during transmission and storage.
Implementing access control measures to ensure that only authorized personnel have access to personal data.
Maintaining up-to-date cybersecurity protocols to protect against hacking, viruses, and other malicious software attacks.
Conducting regular security assessments and audits to ensure the effectiveness of the data security measures.
Providing training to employees and contractors on data protection and privacy to ensure compliance with GDPR.
The Data Controller shall promptly notify the Data Subject in the event of a data breach that is likely to result in a risk to the rights and freedoms of the Data Subject. Such notification will be made in accordance with GDPR requirements.
Changes to the Privacy Statement
In the event of any amendments to this Privacy Statement, the Data Controller will provide the Data Subject with a revised version. The revised Privacy Statement will be made available on the Data Controller’s website and, where applicable, communicated to the Data Subject via email or other direct communication methods. The date of the latest update will be clearly indicated within the document.
The Data Subject is advised to regularly review the Privacy Statement for any changes. Continued use of the Data Controller’s services after any changes to the Privacy Statement have been made will constitute acceptance of those changes by the Data Subject.
Complaints Procedure
In the event that the Data Subject has any complaints regarding the processing of their personal data by the Data Controller, they are encouraged to contact the Data Controller directly to seek resolution. If the Data Subject feels that their complaint has not been adequately resolved, they have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection authority, or the relevant supervisory authority in their country of residence. The Data Subject can contact the Domestic Data Protection Authority directly through their official website or by other means provided by the Authority.
Limitation of Liability
Neither the Company nor its directors, employees, agents, or other representatives shall be liable for any direct, indirect, special, incidental, consequential, or punitive damages, including but not limited to, loss of data, income, profit, or goodwill, loss of or damage to property and claims of third parties, arising out of or in connection with the use of the Platform or the purchase of Products through the Platform, whether or not such damages were foreseeable and even if the Company has been advised of the possibility of such damages. The foregoing limitation of liability shall apply to the fullest extent permitted by law in the applicable jurisdiction.
Notwithstanding the foregoing, nothing in these Terms & Conditions shall exclude or limit the Company’s liability for death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other liability which cannot be excluded or limited under applicable law. The Consumer’s statutory rights under the current consumer protection law are not affected.
Intellectual Property Rights
The Company and the Consumer acknowledge that all intellectual property rights in the Products, including but not limited to copyrights, trademarks, patents, trade secrets, and any other proprietary rights, are and shall remain the exclusive property of the Company or its licensors. The Consumer agrees not to copy, modify, distribute, sell, or create derivative works from the Products without the explicit written consent of the Company.
The Consumer further acknowledges that the Platform and all related graphics, logos, and service marks are trademarks of the Company or its licensors and are protected under EU law and international treaties. The use of these trademarks by the Consumer is strictly limited to what is expressly permitted under the Terms & Conditions or with the prior written consent of the Company.
Any unauthorized use of the intellectual property of the Company may result in legal action and the enforcement of rights under EU law and applicable international treaties. The Consumer is advised to respect the intellectual property rights of the Company to avoid any potential legal disputes.
Governing Law and Jurisdiction
This Terms & Conditions, including any disputes arising out of or in connection with the agreement between the Company and the Consumer, shall be governed by and construed in accordance with the laws of England and Wales. Any disputes, controversies, or claims arising out of or relating to this agreement, including the interpretation, violation, invalidity, non-performance, or termination, shall be exclusively settled by the competent courts of London.
The Consumer acknowledges that by agreeing to these Terms & Conditions, they are submitting to the jurisdiction of the London courts for the resolution of any disputes that may arise under this agreement.
Amendment and Termination
The Company reserves the right to amend these Terms & Conditions at any time without prior notice to the Consumer. Any amendments will be effective immediately upon posting of the revised Terms & Conditions on the Platform. The Consumer’s continued use of the Platform following any amendments indicates their acceptance of the new Terms & Conditions.
The Company may terminate these Terms & Conditions and deny the Consumer access to the Platform at any time, without prior notice, for any reason, including but not limited to, breach of these Terms & Conditions by the Consumer. Upon termination, the Consumer must cease all use of the Platform and destroy any copies of materials obtained from the Platform.
The Consumer may terminate their agreement to these Terms & Conditions at any time by ceasing to use the Platform and notifying the Company of their decision to terminate. Termination by the Consumer does not affect any liabilities or obligations incurred prior to the termination date, including the obligation to pay for Products ordered.
Miscellaneous
This Terms & Conditions document, including all its provisions and the rights and obligations herein, shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising out of or in connection with this agreement, including disputes on its conclusion, binding effect, amendment, and termination, shall be resolved by the competent courts of London.
The failure of the Company to enforce any right or provision of these Terms & Conditions will not be considered a waiver of those rights. If any provision of these Terms & Conditions is held to be invalid or unenforceable by a court, the remaining provisions of these Terms & Conditions will remain in effect.
These Terms & Conditions constitute the entire agreement between the Company and the Consumer regarding the Platform, and supersede and replace any prior agreements we might have between us regarding the Platform.
The Company reserves the right to amend these Terms & Conditions at any time. We will notify you of any material changes to these Terms & Conditions at least 30 days before they take effect. Such notification will be made via email or prominent notice on our Platform. Your continued use of or access to the Platform following the effective date of any changes constitutes acceptance of those changes. If you do not agree with the amended Terms & Conditions, you must stop using our services.
These Terms & Conditions do not create any agency, partnership, joint venture, employment, or franchisee relationship between the Company and the Consumer.