PRIVACY POLICY (UK VERSION)

This Privacy Policy applies to One Tribe Ltd., and was prepared in accordance with the UK GDPR and Data Protection Act 2018. It explains how we collect, use, store and protect your personal data when you use our website and services in the UK.

WHO WE ARE AND HOW TO CONTACT US – DATA CONTROLLER

• The data controller is: One Tribe Ltd.

• Company number: 12082414

• Registered office address: 37 King Henry Avenue, Wallingford, England, OX10 0FN

• VAT ID: 500 1076 61

• For any queries about your personal data, please contact: info@onetribecosmetics.com

WHAT DATA WE PROCESS

Personal data means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Types of Data
Identity Data	Includes first name, last name, any previous names, username or similar identifier, marital status, title, date of birth and gender
Contact Data	Includes billing address, delivery address, email address and telephone numbers.
Financial Data	Includes bank account and payment card details
Transaction Data	includes details about payments to and from you and other details of products and services you have purchased from us.
Technical Data	includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
Profile Data	includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Usage Data	includes information about how you interact with and use our website, products and services.
Marketing and Communications Data	includes your preferences in receiving marketing from us and our third parties and your communication preferences.

 

We may also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity.

PURPOSES AND LEGAL BASES OF PROCESSING

Purpose	Lawful Basis
Fulfil and administer orders	Performance of a contract
Provide customer support	Legitimate interests / contract
Payment processing	Performance of a contract
Fraud prevention & security	Legitimate interests / legal obligation
Marketing communications	Consent (can be withdrawn anytime)
Analytics & website improvement	Consent or legitimate interests

DIRECT MARKETING

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving the marketing.

We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view on which products, services and offers may be of interest to you so that we can send you relevant marketing communications.

THIRD-PARTY LINKS

We will get your express consent before we share your personal data with any third party for their own direct marketing purposes.

OPTING OUT OF MARKETING

You can stop marketing communications at any time by using the opt-out links in our messages or by contacting us. You will still receive essential service-related communications.

HOW LONG WE KEEP YOUR DATA

• Accounting documents: kept for legally required periods (generally six years from the end of the tax year).

• Complaints and non-conformity data: kept until resolved and limitation periods expire.

• Client account data: stored until the account is deleted (with legally required documents retained).

• Marketing data: processed until consent is withdrawn or an objection is raised.

• Records of consent: retained up to six years for accountability.

• Security logs and technical data: typically retained for up to twelve months, longer if required for incident analysis or legal defence.

WHO WE DISCLOSE DATA TO

We only share data where necessary, with:

• Payment operators (e.g., Adyen/Stripe/PayU, PayPal, Google Pay)

• Carriers and logistics partners

• IT and hosting providers

• Security and fraud-prevention tools

• Professional advisers (legal/accounting)

• Public authorities where required by law

If data is transferred outside the UK, we use approved safeguards such as the UK Addendum to the EU Standard Contractual Clauses or the International Data Transfer Agreement (IDTA).

COOKIES

To ensure the Service operates smoothly and securely, we use cookies and similar technologies.

Necessary cookies (session, basket, checkout, language preferences) operate on legitimate interests and do not require consent.
Analytics and marketing cookies operate only with your explicit consent. They help us understand website use, limit ad repetition, measure campaign effectiveness and tailor content (e.g., abandoned-basket reminders).

On your first visit we display a banner with “Accept”, “Reject” and “Manage preferences”. You can adjust preferences at any time via the cookie settings panel.

Cookie categories:

A) Necessary (technical) – essential for core functionality and security.
B) Analytics/statistical – help us understand user navigation (consent required).
C) Marketing/advertising – personalise and measure marketing (consent required).

Both first-party and third-party cookies may operate within the Service.

Retention

Session cookies delete when you close your browser. Persistent cookies remain until expiry or manual deletion. Exact retention periods are listed in the cookie panel.

The scope and list of vendors may change. The latest list, including retention periods and information on transfers outside the EEA, is always available in the Service.

Opt-out and alternatives

You may delete or block cookies in your browser. Restricting necessary cookies may affect logging in, purchasing or saving baskets. We honour “Do Not Track” where technologically possible.

Profiling and cookies

Content tailoring may involve marketing profiling, but it does not produce legal or similarly significant effects. You may object via the contact email or the Service. If personalised pricing is used under the Omnibus Directive, you will be informed at the point of display.

EXERCISING YOUR RIGHTS

Under the UK GDPR (and where applicable, the EU GDPR) you have the following rights:

• Right of access

• Right to rectification

• Right to erasure

• Right to restriction of processing

• Right to data portability

• Right to object (including profiling/direct marketing)

• Right not to be subject to automated decision-making with legal or significant effects

Where processing is based on consent, you may withdraw consent at any time.

To exercise your rights, contact us via email or post at the addresses provided. We may ask for identity verification. We respond within one month (extendable by two months for complex requests).

UK SUPERVISORY AUTHORITY – ICO

Individuals in the UK may lodge complaints with the Information Commissioner’s Office: www.ico.org.uk

EU SUPERVISORY AUTHORITY (IF APPLICABLE)

EU/EEA individuals may complain to their local data protection authority. A list is available on the European Data Protection Board website.

If automated decisions producing legal or significant effects were taken (we do not normally take such decisions), you would have the right to obtain human intervention, express your views and contest decisions. If personalised pricing is applied, we will inform you clearly.

INFORMATION SECURITY

We use TLS encryption, access controls, data minimisation, and work with secure providers (including SCA/3-D Secure-compliant payment operators). We maintain backups and follow incident-response procedures.

UPDATING THIS PRIVACY POLICY

We will update this Policy to reflect changes in technologies, laws or services. The most current version is always available on the Service and as a downloadable PDF.

CONTACT DETAILS

For any questions, contact us at: info@onetribecosmetics.com
If you are not satisfied with our response, you may complain to the ICO.

This Privacy Policy is effective as of 5 December 2025.