Privacy Policy
PRIVACY POLICY
Brands In Ltd
UK & European GDPR Compliant | DTC Webstore & Third-Party Marketplaces
|
Effective Date |
30th April 2026 |
|
Last Reviewed |
30th April 2026 |
|
Data Controller |
Brands In Ltd — Company No. 07957270 |
|
Registered Address |
℅ Kingswood Allotts Limited, SIdings COurt, Lakeside, Doncaster DN4 5NU |
|
Contact / DPO |
sales@brandsin.co.uk |
LEGAL NOTICE: This document constitutes a legally binding privacy policy. All bracketed placeholders [ ] must be completed before publication. This policy has been drafted to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the EU General Data Protection Regulation (Regulation 2016/679) where applicable. Always seek qualified legal advice before publishing.
1. Introduction and Who We Are
Welcome to the privacy policy of Brands In Ltd (referred to in this document as "we", "us", "our", or "the Company"). We are committed to protecting your personal data and to being transparent about how we collect, use, store, and share it.
We are a brand and licensing apparel business that sells products directly to consumers through our own webstore(s) and through third-party marketplace platforms, including but not limited to Amazon, eBay, Etsy, TikTok Shop, and any other platforms on which we operate from time to time (collectively, "Marketplace Platforms").
Brands In Ltd is registered in England and Wales under Company Number 07957270. Our registered office is at [Registered Address].
We act as a Data Controller in respect of your personal data. This means we are responsible for deciding how and why we hold and use your personal data.
This Privacy Policy applies to:
-
All visitors to our website(s) at [www.yourdomain.com] and any related subdomains
-
All customers who purchase products from us via our own webstores
-
All customers who purchase from us through third-party Marketplace Platforms
-
All individuals who contact us, subscribe to our mailing lists, enter our competitions, or engage with us on social media
-
Licensed brand partners, wholesale enquirers, and business contacts
2. The Personal Data We Collect
We may collect, use, store, and transfer different types of personal data about you, which we have categorised as follows:
2.1 Identity Data
-
Full name, title, username or similar identifier
-
Date of birth (where required for age-restricted products or promotions)
-
Gender (where voluntarily provided)
-
Profile photographs (where you create an account with us)
2.2 Contact Data
-
Billing address and delivery address(es)
-
Email address
-
Telephone number(s)
-
Social media handles (where provided)
2.3 Financial and Transaction Data
-
Payment card details (last four digits only — full card data is processed by PCI DSS-compliant third-party payment processors and is never stored by us)
-
Bank account details for refund purposes (where applicable)
-
Details of purchases made and items returned
-
Transaction history and order values
2.4 Technical Data
-
Internet Protocol (IP) address
-
Browser type and version, device type and operating system
-
Cookie identifiers and similar tracking technologies
-
Time zone setting and geolocation data
-
Pages visited, traffic data, weblogs, and other communication data
-
Referral source and search terms used to find us
2.5 Profile Data
-
Your account username and password (stored in encrypted form)
-
Purchases made, returns, and wish lists
-
Your interests, preferences, and survey responses
-
Feedback and review content you submit
2.6 Usage Data
-
How you interact with our website, products, and marketing communications
-
Email open rates and click-through data
-
Cart abandonment data
2.7 Marketing and Communications Data
-
Your preferences regarding receiving marketing from us and our partners
-
Your communication preferences and channel preferences
2.8 Special Categories of Data
We do not intentionally collect any Special Category Data (previously known as sensitive personal data) such as information about your race, ethnicity, religious beliefs, health, or sexual orientation. Please do not submit such information to us. Where Special Category Data is inadvertently provided — for example, in a customer service communication — we will delete it as soon as practicable.
2.9 Data Relating to Children
Our products are not intentionally directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided personal data to us without appropriate parental or guardian consent, please contact us immediately at [privacy@yourbrand.com] so we can delete it.
3. How We Collect Your Personal Data
3.1 Direct Interactions
You may provide us with your personal data when you:
-
Create an account on our webstore
-
Place an order for products from our webstore
-
Subscribe to our email newsletter or marketing communications
-
Contact us by email, telephone, live chat, or social media
-
Request a return, exchange, or refund
-
Enter a competition, promotion, or survey
-
Submit a review or testimonial
-
Apply for a wholesale or licensing agreement
-
Attend an event or trade show where we are present
3.2 Automated Technologies
When you visit our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this data using cookies, server logs, and similar tracking technologies. Please see Section 11 (Cookies) for more detail.
3.3 Third-Party Marketplace Platforms
When you purchase from us via third-party Marketplace Platforms, those platforms share with us the data necessary to fulfil your order and manage our trading relationship. The data shared typically includes your name, delivery address, order details, and marketplace-assigned identifiers. Each Marketplace Platform is an independent Data Controller in respect of data collected on its own platform. We encourage you to review their privacy policies:
-
Amazon: https://www.amazon.co.uk/gp/help/customer/display.html?nodeId=468496
-
eBay: https://www.ebay.co.uk/help/policies/member-behaviour-policies/user-privacy-notice-privacy-policy
-
Etsy: https://www.etsy.com/uk/legal/privacy/
-
TikTok Shop: https://www.tiktok.com/legal/page/row/privacy-policy/en
-
Debenhams: https://www.debenhams.com/
-
https://www.matalan.co.uk/
We operate as an independent Data Controller in relation to the order and fulfilment data shared with us by these platforms.
3.4 Third Parties
We may receive data about you from third parties, including:
-
Analytics providers such as Google Analytics
-
Advertising networks and social media platforms (e.g., Meta, Google Ads, Pinterest)
-
Search information providers
-
Credit reference agencies (for fraud prevention purposes)
-
Delivery and logistics partners
-
Licensing partners and brand collaborators (where you have provided consent to them to share your data with us)
4. How We Use Your Data and Our Legal Basis
We will only use your personal data when the law allows us to. Under the UK GDPR and EU GDPR, we rely on one or more of the following legal bases:
-
Contract: Processing is necessary to perform a contract with you (e.g., processing your order)
-
Legal Obligation: Processing is necessary to comply with a legal obligation (e.g., VAT and accounting records)
-
Legitimate Interests: Processing is necessary for our legitimate business interests, provided these are not overridden by your rights
-
Consent: You have given your freely given, specific, informed, and unambiguous consent
The table below sets out the primary purposes for which we use your data and the legal basis for each:
|
Purpose |
Legal Basis |
Details |
|
Process and fulfil orders |
Contract |
Includes dispatch, delivery notifications, and managing returns |
|
Manage customer accounts |
Contract |
Maintain account records and preferences |
|
Send order confirmations and service communications |
Contract / Legal Obligation |
Essential transactional communications |
|
Process payments and prevent fraud |
Contract / Legal Obligation |
Passed to PCI DSS-compliant payment processors |
|
Comply with tax and accounting obligations |
Legal Obligation |
Retain financial records for minimum 6 years |
|
Respond to customer enquiries and complaints |
Contract / Legitimate Interests |
Customer service and relationship management |
|
Send marketing emails and newsletters |
Consent |
Opt-in only; unsubscribe available at all times |
|
Display targeted and retargeted advertisements |
Consent / Legitimate Interests |
Based on browsing and purchase data |
|
Analyse website performance and user behaviour |
Legitimate Interests |
Improve our products and services |
|
Manage licensing and brand partner relationships |
Contract / Legitimate Interests |
Business-to-business relationships |
|
Detect and prevent fraud and abuse |
Legal Obligation / Legitimate Interests |
Security and platform integrity |
|
Comply with legal claims or regulatory requests |
Legal Obligation |
Respond to court orders and regulatory requests |
We will always tell you when we rely on Legitimate Interests as our legal basis, and you have the right to object to such processing. Please see Section 8 for your rights.
5. Marketing Communications
We may use your Identity, Contact, Technical, Profile, Usage, and Marketing Data to form a view of what products and offers might be relevant and interesting to you, and to tailor our marketing communications accordingly.
5.1 Consent-Based Marketing
We will only send you direct marketing communications by email, SMS, or push notification if you have given us your explicit opt-in consent to do so. You may withdraw your consent at any time by:
-
Clicking the "unsubscribe" link in any marketing email we send
-
Contacting us at sales@brandsin.co.uk
-
Updating your preferences in your online account
5.2 Soft Opt-In (Existing Customers)
Where permitted by applicable law (including Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR)), we may send you marketing communications about similar products and services to those you have previously purchased, unless you have opted out. You can opt out at any time using the methods described above.
5.3 Third-Party Marketing
We will never sell your personal data to third parties for their own marketing purposes. We may share aggregated, anonymised data with brand licensing partners, but this will not identify you individually.
5.4 Targeted Advertising
We may use services provided by social media platforms and advertising networks to display targeted advertisements to you based on your browsing behaviour and purchase history. Where this involves the use of cookies and similar tracking technologies, we will obtain your consent via our cookie management tool before activating such tracking. Please see Section 11 for further detail.
6. Sharing Your Personal Data
We may share your personal data with the following categories of third parties for the purposes set out in this Privacy Policy. All third parties with whom we share your data are required to respect the security of your personal data and to process it only in accordance with our instructions, and are subject to appropriate data processing agreements where required.
6.1 Service Providers and Data Processors
-
Payment processors (e.g., Stripe, PayPal, Klarna, WorldPay) — for payment processing and fraud prevention
-
Delivery and logistics providers (e.g., Royal Mail, DPD, Evri, UPS, FedEx) — for order fulfilment and delivery notifications
-
IT infrastructure and hosting providers (e.g., cloud service providers) — for website hosting and data storage
-
Email service providers (e.g., Klaviyo, Mailchimp) — for marketing and transactional email delivery
-
Customer service platform providers (e.g., Zendesk, Gorgias) — for managing customer support enquiries
-
Analytics providers (e.g., Google Analytics) — for website performance analysis
-
Returns management platforms (e.g., ZigZag, Returnly) — for processing returns
-
Print and fulfilment partners — for the manufacture and dispatch of licensed branded products
6.2 Marketplace Platforms
Where orders are placed through third-party Marketplace Platforms, we may be required to share delivery status, return, and refund information with those platforms in accordance with our seller agreements. We may also receive seller feedback and dispute data from these platforms.
6.3 Brand Licensing Partners
Where our products are developed under licence from brand or IP holders, we may be required under our licensing agreements to share aggregate sales data and, in limited circumstances, order fulfilment data with those licensors. We will not share your personally identifiable information with licensors without your consent, except where required by law or our contractual obligations.
6.4 Professional Advisers
We may share your data with lawyers, accountants, auditors, and insurers in the course of professional services they provide to us, under obligations of confidentiality.
6.5 Regulatory and Law Enforcement Authorities
We may disclose your personal data to regulators, courts, law enforcement agencies, or other public authorities where we are legally obliged to do so, or where we reasonably believe such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend the rights or property of the Company; (c) prevent or investigate potential wrongdoing in connection with our business; or (d) protect the personal safety of users or the public.
6.6 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of all or part of our business, your personal data may be transferred to the relevant third party. We will use reasonable endeavours to notify you of any such transfer and to ensure that any acquiring entity applies privacy protections at least as rigorous as those set out in this policy.
7. International Transfers of Personal Data
We primarily store and process your personal data within the United Kingdom and European Economic Area (EEA). However, some of our third-party service providers may be based in, or process data in, countries outside the UK and EEA. Where this is the case, we ensure appropriate safeguards are in place to protect your data, including:
-
Transfers to countries that have received an adequacy decision from the UK Secretary of State (for UK GDPR purposes) or the European Commission (for EU GDPR purposes)
-
Use of the UK's International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses (SCCs)
-
Use of the European Commission's approved Standard Contractual Clauses (SCCs) (Regulation 2021/914)
-
Binding Corporate Rules (BCRs) where the recipient organisation has obtained regulatory approval
A current list of the countries to which we transfer data and the safeguards applicable is available on request from sales@brandsin.co.uk.
8. Your Data Subject Rights
Under UK GDPR and EU GDPR, you have a number of important rights in relation to your personal data. These are summarised below. To exercise any of these rights, please contact us at sales@brandsin.co.uk. We will respond within one calendar month of receiving your request (with a possible extension of a further two months for complex requests, of which we will notify you).
We do not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to comply.
8.1 Right of Access (Subject Access Request — SAR)
You have the right to request a copy of the personal data we hold about you, along with information about how we use it and with whom we share it. We will provide this free of charge, unless the request is repetitive or excessive.
8.2 Right to Rectification
You have the right to request that we correct any inaccurate personal data we hold about you, or complete any incomplete data.
8.3 Right to Erasure ('Right to be Forgotten')
You may ask us to delete or remove your personal data where there is no compelling reason for its continued processing. This right is not absolute and does not apply where we need to retain your data for legal or contractual compliance purposes (for example, financial records).
8.4 Right to Restrict Processing
You have the right to ask us to suspend processing of your data in certain circumstances — for example, where you contest the accuracy of the data, or where you have objected to processing and we are verifying the grounds for doing so.
8.5 Right to Data Portability
Where we process your data on the basis of your consent or to perform a contract, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and, where technically feasible, to have it transferred directly to another organisation.
8.6 Right to Object
You have the right to object at any time to the processing of your personal data where we rely on Legitimate Interests as our legal basis. You also have the right to object to processing for direct marketing purposes at any time, and we will comply with your objection without requiring you to give a reason.
8.7 Rights Relating to Automated Decision-Making and Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently use such automated decision-making in a manner that significantly affects your rights. If this changes, we will update this policy and implement appropriate safeguards.
8.8 Right to Withdraw Consent
Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that took place before withdrawal.
8.9 Right to Lodge a Complaint
If you are located in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
|
ICO Website |
https://ico.org.uk |
|
ICO Helpline |
0303 123 1113 |
|
ICO Address |
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
If you are located in the EU and your complaint concerns EU GDPR compliance, you may also lodge a complaint with the supervisory authority in the EU member state where you live, work, or where the alleged infringement occurred.
9. Data Retention
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting obligations. The following retention periods represent our standard approach:
|
Purpose |
Legal Basis |
Details |
|
Order and transaction records |
6 years from date of transaction |
Required by HMRC and Companies Act 2006 |
|
Customer account data (active) |
Duration of account relationship |
Necessary to maintain the customer account |
|
Customer account data (inactive) |
3 years from last login/interaction |
Then deleted or anonymised |
|
Marketing preferences and opt-in records |
5 years from consent, or until withdrawal |
Required to demonstrate consent under PECR |
|
Customer service communications |
3 years from resolution of enquiry |
For managing complaints and disputes |
|
Returns and refund records |
6 years from date of return |
Required by consumer law and financial obligations |
|
Technical / analytics data (anonymised) |
26 months maximum |
Google Analytics standard retention |
|
CCTV footage (where applicable in warehouse) |
31 days unless required for investigation |
ICO guidance on CCTV retention |
At the end of the applicable retention period, we will securely delete or anonymise your personal data so that it can no longer be associated with you.
10. Data Security
We have implemented appropriate technical and organisational security measures to protect your personal data from accidental loss, unauthorised access, alteration, or disclosure. These measures include:
-
Encryption of data in transit using Transport Layer Security (TLS 1.2 or higher) across all our web properties
-
Encryption of sensitive data at rest (including payment data)
-
Access controls and role-based permissions to limit who can access personal data within our organisation
-
Regular security assessments and penetration testing of our IT infrastructure
-
Staff training on data protection and security awareness
-
Secure password policies and multi-factor authentication (MFA) on key internal systems
-
Contractual requirements for all third-party processors to implement equivalent security measures
-
An incident response procedure for identifying, containing, and reporting personal data breaches
Where we have given you (or where you have chosen) a password to access certain parts of our website, you are responsible for keeping that password confidential. We ask you not to share a password with anyone.
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and will report the breach to the ICO (and relevant EU supervisory authorities where applicable) within 72 hours of becoming aware of it, as required by UK GDPR and EU GDPR.
11. Cookies and Similar Tracking Technologies
11.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They allow us to recognise your device, remember your preferences, and analyse how you use our site. Similar technologies such as web beacons, pixel tags, and local storage objects may also be used.
11.2 Types of Cookies We Use
-
Strictly Necessary Cookies: Essential for the website to function — e.g., maintaining your shopping basket, processing your payment, and managing your login session. These do not require your consent.
-
Performance and Analytics Cookies: Help us understand how visitors interact with our website (e.g., Google Analytics). These require your consent.
-
Functional Cookies: Allow us to remember your preferences and personalise your experience (e.g., saved delivery address, currency preference). These require your consent.
-
Targeting and Advertising Cookies: Used to serve targeted advertisements and track the effectiveness of our marketing campaigns (e.g., Meta Pixel, Google Ads, TikTok Pixel, Pinterest Tag). These require your explicit consent.
11.3 Managing Your Cookie Preferences
When you first visit our website, you will be presented with a cookie consent banner. You can accept all cookies, reject non-essential cookies, or manage your preferences by category. You can change your preferences at any time by clicking the [Cookie Settings] link in the footer of our website.
You may also control cookies via your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking strictly necessary cookies may affect the functionality of our website.
For more information about cookies and your choices, please visit: https://www.allaboutcookies.org or https://ico.org.uk/for-the-public/online/cookies/
12. Third-Party Websites and Links
Our website and Marketplace Platform listings may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
13. Brand Licensing and Intellectual Property Partners
As a brand and licensing apparel business, we operate under licences granted by various brand and intellectual property owners ("Licensors"). Our obligations under those licensing agreements may require us to:
-
Maintain and share certain business records (including aggregate sales data) with Licensors for royalty calculation and audit purposes
-
Display Licensor branding and copyright notices on our products, packaging, and digital channels
-
Share limited fulfilment data with Licensors where products include licensee-specific fulfilment obligations
Where we share data with Licensors, we will do so only to the extent required by our licensing agreements, and we will ensure appropriate data processing agreements are in place. We will not share your personal data with Licensors for their own independent marketing purposes without your consent.
14. Changes to This Privacy Policy
We keep our Privacy Policy under regular review. This version was last reviewed on 30th April 2026. We may update this policy from time to time to reflect:
-
Changes in applicable law or regulatory guidance
-
New features or services we introduce
-
Changes in the third parties we work with
-
New Marketplace Platforms on which we operate
We will notify you of material changes to this Privacy Policy by posting a prominent notice on our website, updating the Effective Date at the top of this document, and, where we hold your email address and the changes are significant, by sending you an email notification. We encourage you to review this policy periodically.
15. How to Contact Us
We welcome questions, comments, and requests regarding this Privacy Policy and our data protection practices. If you wish to exercise any of your rights, raise a concern, or simply learn more about how we handle your data, please contact us:
|
Data Controller |
Brands In Ltd |
|
|
sales@brandsin.co.uk |
|
Postal Address |
Data Protection Team, Brands In Ltd, 5 Horseshoe Close, London NW2 7JJ |
|
Telephone |
[+44 (0) 2084524795 |
|
Website |
www.brandsin.co.uk |
We aim to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than a month if your request is particularly complex or if you have made a number of requests. In that event, we will notify you within one month and keep you updated.
Schedule A — Data Processing Schedule (Third-Party Processors)
The following table summarises the key third-party processors we currently engage, the data they process on our behalf, and the safeguards in place. This schedule is updated periodically and was last reviewed on 30th April 2026.
|
Purpose |
Legal Basis |
Details |
|
[Payment Processor — e.g., Stripe] |
Financial / transaction data |
DPA + SCCs / UK IDTA |
|
[Logistics Partner — e.g., Royal Mail] |
Name, delivery address |
DPA / UK-based processor |
|
[Email Platform — e.g., Klaviyo] |
Contact, marketing, profile data |
DPA + SCCs / UK IDTA |
|
[Analytics — Google Analytics] |
Technical, usage data |
DPA + SCCs / Adequacy |
|
[Cloud Hosting — e.g., AWS / GCP] |
All categories |
DPA + SCCs / UK IDTA |
|
[Returns Platform] |
Identity, contact, transaction |
DPA + SCCs |
|
[Customer Service — e.g., Gorgias] |
Identity, contact, communications |
DPA + SCCs |
|
[Social / Ad Platforms — Meta, TikTok] |
Technical, targeting data (with consent) |
DPA + SCCs / Consent |
Schedule B — Glossary
|
UK GDPR |
The UK General Data Protection Regulation — retained EU law as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 |
|
EU GDPR |
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data |
|
DPA 2018 |
The Data Protection Act 2018 — the UK's national implementation legislation supplementing the UK GDPR |
|
ICO |
Information Commissioner's Office — the UK's independent supervisory authority for data protection |
|
Data Controller |
The entity that determines the purposes and means of processing personal data |
|
Data Processor |
A party that processes personal data on behalf of and under the instruction of a Data Controller |
|
Personal Data |
Any information relating to an identified or identifiable natural person |
|
Special Category Data |
Sensitive personal data including data on race, ethnicity, religion, health, biometrics, sexual orientation, etc. |
|
IDTA |
International Data Transfer Agreement — the UK mechanism for lawful personal data transfers to third countries |
|
SCCs |
Standard Contractual Clauses — the European Commission's approved contractual mechanism for transferring personal data to third countries |
|
PECR |
Privacy and Electronic Communications Regulations 2003 — UK rules governing electronic marketing, cookies, and similar tracking |
|
DTC |
Direct to Consumer — a retail model where brands sell directly to end consumers without intermediaries |
END OF PRIVACY POLICY
Version 1.0 | Rags&Rascals Ltd | 30.04.2026