Privacy Policy

COLĒRE LIMITED

PRIVACY POLICY

Last updated: 12 May 2026

This Privacy Policy explains how Colēre Limited ("Colēre", "we", "us", or "our") collects, uses, stores, and protects your personal data when you interact with us. It applies whenever you:

• visit or browse our website at www.clubcolere.com;

• create a customer account on our website;

• place an order with us;

• subscribe to our newsletter or marketing communications;

• contact us by email, social media, or other channels;

• leave a review of your purchase.

This policy is issued in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have any questions about this policy or how we handle your personal data, please contact us using the details in Section 14.

1. Who We Are

Colēre Limited is the "data controller" responsible for your personal data. This means we determine how and why your personal data is processed.

• Company name: Colēre Limited

• Company number: 16769128 (registered in England and Wales)

• Registered office: 5a Whytecliffe Road South, Purley, Surrey, CR8 2AY

• ICO registration number: [to be inserted once ICO registration is completed]

• Email: [email protected]

• Website: www.clubcolere.com

2. The Personal Data We Collect

2.1 Information you provide directly

We collect personal data that you provide to us when you create an account, place an order, contact us, or otherwise interact with our Website. This includes:

Account details: your name, email address, password (stored in encrypted form), and any other information you choose to add to your customer profile;

Order details: billing address, delivery address, telephone number, items purchased, order history, and any delivery instructions;

Payment information: we do not store your full card details on our servers. Payments are processed securely by our payment provider, Stripe, which collects and processes your card details on its own secure infrastructure;

Communications: the content of any emails, messages, or other communications you send to us;

Marketing preferences: your consent status for marketing communications and any preferences you have set;

Review content: any reviews you leave for our products, which are collected through our reviews partner, Trustpilot.

2.2 Information collected automatically

When you visit our Website, certain information is collected automatically by our website platform and security provider. This may include:

IP address;

browser type, version, and device information;

operating system and screen size;

pages visited, time spent on pages, items viewed, and items added to basket;

approximate geographic location derived from your IP address.

Further details about cookies and similar technologies are set out in our Cookie Policy, available on our Website.

2.3 Special category and sensitive data

We do not intentionally collect special category personal data (such as health information, racial or ethnic origin, religious beliefs, or biometric data). If you provide such information to us voluntarily (for example, in correspondence about a specific need), we will only process it where we have a lawful basis to do so under Article 9 of the UK GDPR.

3. How and Why We Use Your Personal Data

We process your personal data only where we have a lawful basis to do so under Article 6 of the UK GDPR. The table below sets out our purposes and the corresponding legal basis:

To create and manage your customer account — legal basis: performance of a contract.

To process your orders, take payment, and deliver products to you — legal basis: performance of a contract.

To respond to your enquiries and provide customer service — legal basis: performance of a contract and legitimate interests.

To send you order confirmations, shipping updates, and other transactional communications — legal basis: performance of a contract.

To send you marketing communications about our products and offers — legal basis: consent (which you may withdraw at any time).

To request and publish reviews of products you have purchased — legal basis: legitimate interests in obtaining feedback and demonstrating product quality.

To maintain accounting, tax, and financial records — legal basis: legal obligation.

To detect, prevent, and investigate fraud and unauthorised use of our Website — legal basis: legitimate interests and legal obligation.

To improve our Website, products, and customer experience — legal basis: legitimate interests.

To comply with legal, regulatory, and tax obligations — legal basis: legal obligation.

Where we rely on legitimate interests, we have carried out a balancing exercise to ensure that our interests do not override your rights and freedoms. You may request further information about this assessment using the contact details in Section 14.

4. Who We Share Your Personal Data With

We do not sell your personal data. We share it only with trusted third parties who provide services on our behalf or who are necessary to deliver your order, and only to the extent required. Our key third parties are:

Stripe — our payment processor. Stripe collects and processes your payment card details on its own secure infrastructure under its own privacy policy. We receive transaction confirmation but do not store full card details.

Captivation Hub (LeadConnector / GoHighLevel) — our website platform, customer account system, and email marketing provider. Customer details, order data, and marketing preferences are processed through this platform.

Cloudflare — our website security and content delivery provider, which processes IP addresses and device information for security purposes.

Royal Mail — our UK delivery carrier. We share your name, delivery address, and contact details so they can deliver your order.

FedEx and DHL — our international delivery carriers. We share your name, delivery address, contact details, and customs-related information as required.

Trustpilot — our reviews partner. After you complete a purchase, we may share your email address and order reference with Trustpilot so they can invite you to leave a review. Trustpilot is an independent data controller and processes your data under its own privacy policy.

We may also share your personal data with:

our accountants and financial advisers, for invoicing, accounting, and tax purposes;

professional advisers (such as solicitors or insurers), where necessary to obtain advice or defend our legal rights;

regulatory authorities, law enforcement, or government bodies, where required by law or to protect our legal rights;

any successor business, in the event of a sale, merger, or restructuring of Colēre Limited.

All third parties acting as our processors are required by contract to handle your personal data securely and in compliance with the UK GDPR.

5. International Data Transfers

Some of our service providers operate internationally, which means your personal data may be transferred to, stored, or processed in countries outside the United Kingdom — in particular:

United States — Stripe, Captivation Hub (GoHighLevel), and Cloudflare are all headquartered in the United States and may process data on US-based infrastructure.

European Union — Trustpilot is headquartered in Denmark and processes data within the EU. The UK currently recognises EU/EEA countries as providing an adequate level of data protection.

International delivery destinations — when you place an order to be delivered outside the UK, your name, delivery address, and contact details will be processed in the destination country by the relevant courier and, where required, by customs authorities.

Where personal data is transferred outside the UK to a country that does not have an adequacy decision, we ensure that one or more of the following safeguards is in place, as required by the UK GDPR:

the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;

the UK Extension to the EU–US Data Privacy Framework, where the recipient is certified under it;

another lawful safeguard recognised under Article 46 of the UK GDPR; or

a derogation under Article 49, such as where the transfer is necessary for the performance of a contract with you (for example, delivering your order overseas).

If you would like further information about the safeguards we use, please contact us using the details in Section 14.

6. How Long We Keep Your Personal Data

We retain personal data only for as long as is necessary for the purposes for which it was collected, including to satisfy any legal, accounting, regulatory, or reporting obligations. Our general retention periods are:

Customer accounts: for as long as your account remains active. If your account is inactive for more than 3 years, we may close it and delete or anonymise the associated data.

Order records, invoices, and accounting data: 6 years from the end of the financial year in which the transaction took place, in line with HM Revenue & Customs requirements.

Marketing preferences and unsubscribe records: for as long as is reasonably necessary to honour your preferences and to evidence your consent or withdrawal of consent.

Customer service communications: for up to 3 years after the matter is resolved, unless retained for longer to defend legal claims.

Website analytics and security logs: for the periods set by our platform and security providers, typically no longer than 24 months.

We may retain personal data for a longer period where the law requires us to do so or where it is necessary to defend or establish legal claims. Once data is no longer required, it is securely deleted or anonymised.

7. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, loss, or destruction. These measures include:

encrypted website connections (HTTPS) through Cloudflare;

secure storage of customer account passwords using industry-standard hashing;

use of PCI-DSS-compliant payment processing through Stripe (we do not store your full card details);

access controls limiting who within our business can access personal data;

the use of reputable cloud-based service providers with their own security certifications.

No system can be guaranteed to be completely secure. While we take reasonable steps to safeguard your data, we cannot guarantee absolute security of information transmitted to us electronically. Any transmission is at your own risk.

8. Personal Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

9. Your Data Protection Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

Right of access — to request a copy of the personal data we hold about you;

Right to rectification — to ask us to correct inaccurate or incomplete data;

Right to erasure ("the right to be forgotten") — to request that we delete your data in certain circumstances;

Right to restrict processing — to ask us to limit how we use your data;

Right to object — to object to processing carried out on the basis of legitimate interests, or to direct marketing;

Right to data portability — to receive your data in a structured, commonly used, machine-readable format;

Right to withdraw consent — where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing;

Rights in relation to automated decision-making — see Section 10.

To exercise any of these rights, please email us at [email protected]. We will respond within one month, as required by the UK GDPR. There is normally no charge, although we may charge a reasonable fee or refuse the request where it is manifestly unfounded or excessive.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: https://ico.org.uk

10. Automated Decision-Making and Profiling

We do not use your personal data for any automated decision-making (decisions made solely by automated means without human involvement) or profiling that produces legal or similarly significant effects on you.

Our payment provider, Stripe, may carry out automated fraud-prevention checks on transactions. These checks form part of the standard, industry-wide processes used to protect both customers and merchants from fraudulent transactions, and are governed by Stripe's own privacy policy.

11. Marketing Communications

We will only send you marketing communications where you have given us your consent to do so, or where we are otherwise permitted by law. Where you are an existing customer, we may send you information about similar products in accordance with the "soft opt-in" rule under the Privacy and Electronic Communications Regulations (PECR), provided you were given a clear opportunity to opt out at the time of purchase and in every subsequent message.

You may unsubscribe from marketing communications at any time by clicking the "unsubscribe" link in any marketing email, by updating your account preferences, or by emailing us at [email protected]. Withdrawing your consent will not affect the lawfulness of any processing carried out before you withdrew it, and will not stop us from sending you transactional communications (such as order confirmations and shipping updates).

12. Cookies and Website Tracking

Our Website uses cookies and similar technologies to operate securely, to remember your preferences, and to understand how the Website is used. Full details, including the specific cookies used and how to manage your cookie preferences, are set out in our Cookie Policy, which is available on our Website.

We do not currently use Google Analytics, Meta (Facebook) Pixel, TikTok Pixel, or any third-party advertising trackers. If we introduce any such tracking in future, we will update our Cookie Policy and obtain your consent before such cookies are set.

13. Children's Privacy

Our Website and products are directed at adults aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If you believe that we may have collected personal data from a child, please contact us so that we can take appropriate steps to delete it.

14. How to Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have any concerns about how we handle your personal data, please contact us:

Colēre Limited

5a Whytecliffe Road South, Purley, Surrey, CR8 2AY

Email: [email protected]

Website: www.clubcolere.com

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or for other operational reasons. Where the changes are significant, we will take reasonable steps to notify you, for example by email or by a notice on our Website. The "Last updated" date at the top of this policy indicates when it was most recently revised. We encourage you to review this policy periodically.

Copyright 2025. COLĒRE.

All Rights Reserved.

COLĒRE LIMITED. Company #: 16769128 | Office: 5a Whytecliffe Road South, Purley, Surrey, England, CR8 2AY | [email protected] | +44 7473 303536 | @clubcolere