Privacy Statement

1. Introduction and Contact Details

1.1 Who We Are

This Privacy Statement describes how Smell.Fit Fragrance, a Solo Trader trading as Smell.Fit Fragrance (“we,” “us,” or “our”), processes the personal data of our customers and website visitors. We are committed to protecting your privacy and complying with our obligations under the UK General Data Protection Regulation (UK GDPR).

Website: www.smellfit.co.uk / www.smell.fit

1.2 Data Controller

We are the Data Controller responsible for determining the purposes and means of processing your personal data.

1.3 Contact Details

If you have any questions about this Privacy Statement or wish to exercise your legal rights, please contact us using the dedicated privacy channel:
Email: gdpr@smell.fit

1.4 Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We encourage you to contact us first so we can try to resolve your concerns directly.


2. The Data We Collect About You

We may collect, use, store, and transfer the following categories of personal data:

Category of Data | What It Includes | Purpose/Source
Identity Data | Name, title, account username, *DOB | Collected when you place an order or register an account. *Used to provide automatic bonus loyalty points on user’s birthday.
Contact Data | Billing address, delivery address, email address, and telephone number. | Necessary for order fulfilment and communication.
Transaction Data | Details about payments, purchases, order history, and refund requests. | Generated by your purchases via WooCommerce.
Financial Data | Payment card details are tokenised and processed by our Payment Processors (Stripe/WooPayments). We do not store full card details. | Processed securely by third-party payment gateways.
Technical Data | Internet protocol (IP) address, browser type, device information, and time zone setting. | Collected automatically via server logs, Jetpack, and analytics tools.
Profile & Rewards Data | Your username, password (encrypted), purchases, marketing preferences, and loyalty/rewards points. | Collected via WooCommerce and the Points and Rewards for WooCommerce plugin.
Usage & Tracking Data | Information about how you navigate and interact with our website (e.g., page views, link clicks). | Collected via Google Analytics and TikTok Pixel (subject to your consent).
Marketing Data | Your preferences in receiving marketing from us and interaction with our emails. | Collected via the checkout checkbox and footer sign-up (managed by MailPoet).

Children’s Data Policy

Our website is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete that information immediately.


3. Lawful Basis and Purpose for Processing

We rely on the following lawful bases under UK GDPR to process your personal data:

Purpose of Processing | Type of Data Used | Lawful Basis
Order Fulfilment & Delivery | Identity, Contact, Transaction, Financial | Performance of a Contract (to complete your purchase and ship products).
Account Management | Identity, Contact, Profile | Performance of a Contract and Legitimate Interests (to manage your account efficiently).
Direct Marketing | Identity, Contact, Marketing | Consent (for emails, provided via the checkout checkbox or newsletter signup).
Website Security & Maintenance | Technical, Usage | Legitimate Interests (to ensure network security, detect fraud, and troubleshoot issues).
Personalised Advertising | Usage, Technical, Profile | Consent (collected via the cookie banner for services like Google and TikTok).
Financial & Legal Compliance | Transaction, Identity | Legal Obligation (to comply with tax, financial, and consumer protection laws).

4. Disclosures of Your Personal Data (Third-Party Processors)

We share your personal data with the following specific categories of third-party service providers who act as data processors on our behalf:

A. Payment & Finance Providers

These parties receive and process your Financial and Transaction Data to complete the payment:

Stripe, Inc. (via WooCommerce Stripe Gateway and WooPayments): Processes credit/debit card payments, including Apple Pay and Google Pay.

Klarna and Clearpay: Provide financing options (where chosen by you).

Meshut Digital (MZR Buy X Pay Y): Enhances transactional data for discount and promotion processing.

B. Shipping & Logistics Providers

These parties receive your Identity and Contact Data to deliver your order:

Royal Mail

Evri

Devnet (Free Shipping Label plugin): Connects our WooCommerce store to the carrier APIs to generate shipping labels.

C. Analytics, Advertising & Performance Tools

These parties process your Technical and Usage Data to track site performance and deliver targeted ads (all based on your prior consent):

Google (via Google Analytics and Google Ads): For website traffic analysis and advertising.

TikTok (via TikTok Pixel): For advertising and campaign measurement.

RankMath (SEO Tool): Processes some usage data for search engine optimisation.

D. Core Platform & Support Tools

These parties assist in the day-to-day operation of the website:

Automattic Inc. (WooCommerce, Jetpack, WooPayments): Core e-commerce and site functionality.

MailPoet: Manages and delivers your opted-in marketing emails.

Complianz: Records and manages your cookie consent preferences.

WP-Swings (Points and Rewards for WooCommerce): Manages customer loyalty and rewards data.

FluentSMTP: Handles secure email delivery for transactional and account updates.

E. International Transfers

Some of our processors, including Stripe, Google, and TikTok, are based outside the UK/EEA. Where data is transferred to a country that does not have “adequacy” status from the ICO, we ensure your data is protected by implementing approved mechanisms, such as the use of UK International Data Transfer Agreements (IDTAs) or Addendums to Standard Contractual Clauses (SCCs).

F. Additional Personal Data Collection

Loyalty Rewards Program Data Collection

We operate a Loyalty Rewards Program using the Points and Rewards for WooCommerce plugin developed by WP Swings. This program requires the collection of specific data points to function and award bonuses.

Date of Birth (DOB) Collection: If you choose to provide your Date of Birth during account registration, this information is collected and stored solely for the purpose of automating the Birthday Gift loyalty bonus.

We do not use your Date of Birth for marketing purposes, user profiling, or any other internal or external analytics.

The data is used exclusively to trigger the points reward on the user’s registered birth date.

Third-Party Data Handling: Data related to the Loyalty Rewards Program, including your points balance and, if provided, your Date of Birth, is processed and stored within the infrastructure provided by the third-party plugin. For details on how the plugin developer handles and secures data, please refer to the WP Swings Privacy Policy.


5. Data Security and Retention

5.1 Data Security

We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, accessed, altered, or disclosed in an unauthorised way. We also limit access to your personal data to employees and third parties who have a business need to know and who are subject to a duty of confidentiality.

5.2 Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for.

We retain all transactional and financial records for a minimum of six (6) years following the end of the tax year they relate to, to comply with UK legal and tax obligations.

We keep marketing data (email addresses) until you unsubscribe, after which it is deleted from the active mailing list promptly.


6. Your UK GDPR Rights

As a data subject, you have the right to:

Request access to your personal data.

Request correction of your personal data.

Request erasure of your personal data (the ‘right to be forgotten’).

Object to processing of your personal data (e.g., stopping direct marketing).

Request restriction of processing of your personal data.

Request the transfer of your personal data to you or a third party (data portability).

Withdraw consent at any time where we are relying on consent to process your personal data (e.g., opting out of marketing emails or adjusting cookie settings).

To exercise any of these rights, please submit your request directly to gdpr@smell.fit. We aim to respond to all legitimate requests within one month.