Eso World

Privacy Policy

What we collect, how we use it, and your rights

Last updated: May 2026

Our commitment

We do not sell your data

Transparent processing. Accessible rights. UK GDPR, PECR and equivalent frameworks.

1. Introduction and scope

This Privacy Policy (the “Policy”) describes how Eso World Ltd (together with its affiliates, subsidiaries, successors and assigns, “we”, “us” or “our”) collects, uses, discloses, retains and otherwise processes Personal Data in connection with the website located at https://esoworld.co.uk and any related online services, applications, subdomains, mobile interfaces, landing pages, marketing channels, checkout flows, customer-account interfaces, email communications and any other digital property that links to or references this Policy (collectively, the “Services”). This Policy applies to all visitors, users, customers, subscribers, registered accounts, prospective customers and other individuals whose Personal Data we process in connection with the Services, whether directly or indirectly, and regardless of the jurisdiction from which the individual accesses the Services. By accessing, browsing, registering on, purchasing from, subscribing to, communicating with or otherwise interacting with the Services, you acknowledge that you have read, understood and, where legally required, consented to the processing described in this Policy. If you do not agree with any part of this Policy, you must discontinue use of the Services immediately. This Policy should be read together with our Terms of Service, Shipping Policy, Returns Policy and any supplementary notices we may provide from time to time. Where any inconsistency arises between this Policy and a supplementary notice, the supplementary notice shall prevail in respect of the matter it specifically addresses.

2. Who we are and how to contact us

The data controller responsible for your Personal Data under the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), the EU General Data Protection Regulation (“EU GDPR”) where applicable, and equivalent data-protection frameworks, is Eso World Ltd, a private limited company incorporated in England and Wales under company number 14947193, whose registered office is at Unit A, 82 James Carter Road, Mildenhall, Bury St Edmunds, Suffolk, IP28 7DE. You may contact us regarding this Policy, your Personal Data, or the exercise of your rights by writing to hello@esoworld.co.uk. For data-subject requests, please include the phrase “Data Request” in the subject line to ensure timely routing to the appropriate personnel. We endeavour to acknowledge data-subject correspondence within seven (7) calendar days of receipt and to substantively respond within thirty (30) calendar days, which period may be extended by a further sixty (60) calendar days where necessary having regard to the complexity and volume of requests, in which case we shall inform you of the extension and the reasons for it.

3. Definitions

In this Policy, capitalised terms have the meanings set out below unless the context requires otherwise. “Personal Data” means any information relating to an identified or identifiable natural person, consistent with the definition in the UK GDPR. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure or destruction. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates. “Controller” means the natural or legal person who determines the purposes and means of Processing. “Processor” means a natural or legal person who Processes Personal Data on behalf of the Controller. “Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons authorised to Process Personal Data under the direct authority of the Controller or Processor. “Cookie” means a small text file placed on a Data Subject’s device by a web server. “Services” has the meaning given in Section 1. Other defined terms have the meanings given where they appear.

4. Categories of Personal Data we collect

We collect, receive, generate and Process the following broad categories of Personal Data, in each case only to the extent reasonably necessary for the purposes set out in this Policy and as permitted by applicable law: (a) identity data, including first name, last name, title, username, account identifiers and any other identifiers you provide; (b) contact data, including postal address, billing address, shipping address, email address, telephone number (where provided) and any other contact identifier; (c) account and profile data, including account preferences, interests, wishlist items, saved addresses, marketing preferences and communications preferences; (d) transactional data, including order history, purchase history, subscription history, returns, refunds, cancellations, delivery records, tracking identifiers and interactions with customer support; (e) payment and financial data, which is processed by our payment service providers and which we receive only in tokenised or otherwise restricted form; (f) technical data, including IP address (which may be partially or fully anonymised at collection), browser type and version, operating system, device identifiers, screen resolution, locale, time zone, language preference, referring URLs, click paths, pages visited, duration of visits, interaction events, error logs, diagnostic data and other information about your device and connection; (g) behavioural and inferred data, including aggregated or anonymised inferences about your preferences, interests, habits and engagement patterns; (h) communications data, including the content of messages you send us, customer-support tickets, chat transcripts, call recordings (where applicable and with notice), and any metadata associated with those communications; (i) user-generated content, including product reviews, ratings, testimonials, feedback, survey responses, comments and any content you submit to the Services; (j) marketing data, including whether and how you interact with marketing communications, advertising and promotional materials; (k) location data, which may be inferred from IP address or, where explicitly provided, from shipping or billing addresses; (l) social and third-party data, including information you permit us to receive from integrated third-party services such as social-media authentication providers, review aggregators, marketplaces, or marketing platforms; and (m) any other category of information that you voluntarily provide or that we generate in the course of operating the Services.

5. Information you provide directly

You provide Personal Data directly when you: create an account; place an order; subscribe to a newsletter or mailing list; submit a contact form; send us an email; request customer support; respond to a survey; participate in a promotion, competition or loyalty programme; write a product review; register for a waitlist or back-in-stock notification; submit feedback; apply for a role with us; or otherwise interact with the Services. We collect the information you voluntarily submit in each such interaction. You are under no statutory or contractual obligation to provide Personal Data to us, except where Processing is necessary to conclude or perform a contract with us (for example, we cannot ship an order without a delivery address). Where provision is optional, we will indicate this; where provision is required, we will indicate that as well. The consequences of not providing required Personal Data may include our inability to provide the Services, fulfil your order, respond to your inquiry, or otherwise accommodate your request.

6. Information we collect automatically

When you access or interact with the Services, we and our service providers may automatically collect certain Personal Data through Cookies, web beacons, pixels, tags, software development kits (“SDKs”), server logs, application programming interfaces (“APIs”), and similar tracking technologies (collectively, “Tracking Technologies”). The Personal Data collected in this way may include technical data, behavioural data and inferred data as described in Section 4. This collection may occur on a continuous basis while you interact with the Services and may persist across sessions, devices and browsers where consent and applicable law permit. We may combine information collected automatically with information you provide directly or with information we receive from third parties, in order to improve the accuracy, relevance and utility of the combined dataset and for the purposes described in Section 8.

7. Information we receive from third parties

We may receive Personal Data about you from third-party sources, including without limitation: (a) identity and authentication providers, where you choose to sign in via a third-party service; (b) payment service providers and fraud-detection partners, who may share transaction metadata, risk scores and outcomes; (c) logistics, shipping and fulfilment partners, who may share tracking events and delivery confirmations; (d) marketplaces on which our products are listed, such as Etsy, Amazon and eBay, which may share order details and buyer information necessary to fulfil marketplace orders; (e) advertising and analytics partners, who may share attribution data, audience insights and conversion events; (f) customer-review platforms and aggregators; (g) data enrichment providers, where we use such providers in compliance with applicable law; (h) publicly available sources, such as company registers, regulators, professional directories and public social-media profiles; (i) referral sources, where another Data Subject refers you to the Services; and (j) other business partners who have a lawful basis for sharing information with us. We take reasonable steps to satisfy ourselves that third parties from whom we receive Personal Data have collected it lawfully and are permitted to disclose it to us.

8. Purposes of Processing

We Process Personal Data for the following purposes, which are illustrative rather than exhaustive: (a) to provide, operate, maintain, administer and improve the Services; (b) to create, maintain and manage customer accounts; (c) to accept, process, fulfil, deliver and manage orders, subscriptions, returns, refunds, exchanges and cancellations; (d) to communicate with you about your orders, account, subscriptions, inquiries and other interactions; (e) to respond to customer-service requests, warranty claims, feedback and complaints; (f) to send transactional communications necessary to perform our contract with you; (g) to send marketing communications where you have opted in, or where permitted under the soft-opt-in regime of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) or equivalent laws; (h) to personalise and improve your experience of the Services, including by tailoring content, recommendations and advertising where appropriate; (i) to measure and analyse traffic, engagement, conversion and other usage patterns, in aggregate or individual form as appropriate; (j) to detect, prevent, investigate and remediate fraud, abuse, security incidents and violations of our terms; (k) to verify identity and eligibility where necessary; (l) to comply with legal, regulatory, tax, accounting and reporting obligations; (m) to establish, exercise or defend legal claims, including arbitration and dispute-resolution proceedings; (n) to conduct research and development, including product research, editorial research and user research; (o) to assess, negotiate, execute and perform corporate transactions, including mergers, acquisitions, reorganisations, financings, divestitures and similar transactions; (p) to enforce our agreements and policies; (q) to protect the rights, property and safety of Eso World, our customers, our personnel and the public; and (r) for any other purpose disclosed to you at the time of collection or with your consent.

9. Legal bases under UK and EU GDPR

Where the UK GDPR or EU GDPR applies, we rely on one or more of the following legal bases for Processing your Personal Data, which basis or bases we determine according to the nature of the Processing activity and the purposes it serves: (a) Performance of a contract — where Processing is necessary for the performance of a contract to which you are party, including the purchase, delivery and after-sales servicing of goods and any related contractual arrangements; (b) Legitimate interests — where Processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms; our legitimate interests include but are not limited to operating, securing, improving, marketing, administering and growing our business, understanding our customers and prospects, developing new products and services, preventing fraud, maintaining the security of the Services, conducting commercial transactions, defending our legal rights, complying with contractual and professional obligations not rising to the level of legal obligation, and engaging in reasonable business communications; (c) Consent — where you have given clear affirmative consent for Processing for one or more specific purposes, which you may withdraw at any time by the means described in this Policy; (d) Legal obligation — where Processing is necessary for compliance with a legal obligation to which we are subject, including obligations under tax legislation, consumer-protection legislation, electronic-commerce legislation, anti-money-laundering rules and similar requirements; (e) Vital interests — where Processing is necessary to protect the vital interests of you or another natural person, though we do not ordinarily rely on this basis; and (f) Public interest — where Processing is carried out in the public interest or in the exercise of official authority vested in us, though we do not ordinarily rely on this basis. Where we rely on legitimate interests, we have conducted a legitimate-interests assessment balancing our interests against your rights and freedoms; details are available on request.

10. Service providers and processors

We engage Third Parties to Process Personal Data on our behalf for the purposes described in Section 8. Each such Processor is bound by a written agreement requiring, at minimum, that they Process Personal Data only on our documented instructions, implement appropriate technical and organisational measures, ensure confidentiality, assist us with Data Subject rights requests, notify us of any personal-data breach without undue delay, and delete or return Personal Data at the end of the engagement. We use Processors across the following categories: (a) hosting, infrastructure, content-delivery and edge-compute providers; (b) e-commerce platform and checkout providers; (c) payment service providers, payment gateways, card networks, fraud-detection providers and PCI-compliant tokenisation services; (d) order-fulfilment, warehousing, packing, shipping, carrier and last-mile delivery providers; (e) customer-relationship-management and customer-support platforms, including help-desk, ticketing, live-chat and email-management tools; (f) email-marketing, transactional-email and marketing-automation platforms; (g) analytics, product-analytics, session-replay and user-behaviour platforms; (h) advertising, attribution, audience-management, measurement and conversion-tracking providers, including but not limited to search, social, display, affiliate, retargeting and marketplace advertising networks; (i) review-collection, review-moderation and user-generated-content platforms; (j) SMS, messaging, push-notification, voice and communications providers; (k) identity-verification, authentication, single-sign-on and fraud-prevention providers; (l) domain-registration, DNS, SSL and security providers; (m) search-engine indexing and submission services; (n) translation, localisation, accessibility, A/B-testing and experimentation platforms; (o) recruitment and HR-tech providers (for prospective or current personnel); (p) accounting, bookkeeping, audit, tax, insurance and legal-services providers; and (q) any other category of Processor engaged from time to time. The identity of our specific Processors may change, and we reserve the right to engage new Processors at our discretion, subject to the conditions set out above.

11. Sharing with advertising and analytics partners

We share limited Personal Data with advertising and analytics partners to measure, attribute and optimise the performance of our marketing, advertising, search and social activities and to understand aggregate usage of the Services. Such partners may include, without limitation, Google (including Google Analytics, Google Ads, Google Tag Manager, Google Merchant Center, Google Search Console and related services), Meta (Facebook and Instagram advertising and insights), X (formerly Twitter), TikTok, Pinterest, Microsoft (Bing Ads, Clarity and related services), Amazon Advertising, affiliate networks, influencer platforms and similar partners. Where we transmit Personal Data to such partners, we do so on the basis of consent where required by law, or on the basis of our legitimate interests in measuring and optimising our marketing where consent is not required. We take reasonable steps to limit the Personal Data shared to what is necessary for the relevant purpose, including through IP anonymisation, data minimisation, contractual restrictions, the use of hashed identifiers where feasible, and the implementation of consent-mode mechanisms. We do not knowingly permit third parties to use Personal Data transferred to them for their own independent commercial purposes except where you have separately consented to such use.

12. Sharing with marketplaces and retailers

Our products may be listed on third-party marketplaces and retailer platforms, including without limitation Etsy, Amazon, eBay and similar marketplaces. Where you purchase our products through such a marketplace, the marketplace is an independent Controller with respect to the Personal Data you provide to it, and its own privacy practices apply to that data. We receive from the marketplace only the Personal Data necessary to fulfil your order, which may include your name, shipping address, order contents, order identifier and limited contact information. We do not receive your payment card details from marketplaces. If you contact us directly using contact information associated with a marketplace order, we will Process that data under this Policy in addition to any marketplace terms. We may in our discretion consolidate marketplace customer records with customer records from our direct sales where doing so is necessary for a legitimate purpose and is lawful.

13. Sharing in corporate transactions

In connection with any actual or contemplated corporate transaction, including a merger, acquisition, reorganisation, sale of all or substantially all of our assets, financing, bankruptcy, liquidation, dissolution or similar event, we may share Personal Data with prospective or actual acquirers, investors, advisers, financing sources and other involved parties, subject to customary confidentiality protections. In the event of a completed transaction, the acquiring entity may continue to Process the Personal Data on substantially similar terms to those set out in this Policy, and we will provide notice of any material change in Controller or Processing practices by updating this Policy or providing such other notice as may be appropriate in the circumstances.

14. Sharing for legal and safety purposes

We may disclose Personal Data where we believe, acting reasonably, that disclosure is necessary or appropriate: (a) to comply with applicable law, regulation, legal process, court order, subpoena, governmental request or lawful demand of a public authority; (b) to enforce our Terms of Service, this Policy, or any other agreement; (c) to establish, exercise or defend legal claims; (d) to investigate, prevent or take action against illegal activity, suspected fraud, threats to the safety of any person, violations of our policies, or any other activity that exposes us, our customers or others to liability; (e) to cooperate with law-enforcement, regulators, courts and similar authorities; (f) to protect our rights, property, reputation, personnel, customers and the public; and (g) as otherwise permitted or required by law. Where legally permitted, we will endeavour to notify you before disclosure unless doing so would be prohibited or impractical.

15. International transfers

We are based in the United Kingdom. Our Processors and other recipients may be located in jurisdictions outside the United Kingdom or the European Economic Area, including in the United States, Canada, the Republic of Ireland and other countries. Where we transfer Personal Data outside the United Kingdom or the EEA, we implement one or more of the following safeguards as required by applicable law: (a) transfer to a jurisdiction that benefits from a UK adequacy regulation, EU adequacy decision or equivalent determination; (b) execution of the International Data Transfer Agreement issued by the UK Information Commissioner’s Office, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses published by the European Commission, or equivalent contractual mechanisms; (c) binding corporate rules; (d) supplementary measures such as encryption, pseudonymisation and access controls where a transfer-impact assessment indicates they are needed; and (e) any other mechanism approved under applicable law. Copies of relevant transfer mechanisms are available on request to the extent permitted by confidentiality obligations.

16. Cookies and similar technologies

We use Cookies and similar Tracking Technologies to provide, secure and improve the Services. Cookies may be “first-party” (set by us) or “third-party” (set by Processors or other parties). Cookies may be “session” (deleted when the browser is closed) or “persistent” (remaining until deletion or expiry). We use Cookies for the following broad purposes: (a) strictly necessary Cookies, which are essential to the operation of the Services, including for basket and checkout functionality, session management, security and load balancing, and which cannot be disabled without disabling the Services; (b) preference Cookies, which remember settings such as language and locale to improve your experience; (c) analytics Cookies, which help us understand how the Services are used in aggregate; (d) marketing and advertising Cookies, which help us measure the effectiveness of our campaigns, deliver relevant advertising and limit repetitive exposure; and (e) functional Cookies, which enable non-essential but useful features. Where the storage of, or access to, information on your device is not strictly necessary for the provision of a service you explicitly requested, we rely on consent under PECR and equivalent regimes. You may manage consent through any consent-management interface we provide, through your browser settings, or through opt-out mechanisms provided by the relevant Third Party. Note that disabling certain Cookies may affect the functionality of the Services. We also use similar technologies such as local storage, session storage, IndexedDB, pixel tags, web beacons, SDKs and server-side event mechanisms, which we treat as subject to the same consent, transparency and information-security standards as Cookies where applicable law requires. The table below lists the specific Cookies and similar technologies in use on the Services as at the date of this Policy; the list may change as we add or remove integrations.

| Name | Provider | Purpose | Category | Duration |
|---|---|---|---|---|
| cart | esoworld.co.uk (first-party) | Stores your Shopify cart token so basket contents persist between page loads and across sessions. | Strictly necessary | 14 days (rolling) |
| session | esoworld.co.uk (first-party) | Server-side session identifier for the Hydrogen storefront. Required for the site to function. | Strictly necessary | Session |
| _shopify_y | Shopify (shopify.com) | Shopify visitor identifier used for fraud prevention, security and checkout state. | Strictly necessary | 1 year |
| _shopify_s | Shopify (shopify.com) | Shopify session identifier. Required for checkout to function. | Strictly necessary | Session |
| _shopify_d | Shopify (shopify.com) | Detects whether the visitor is on a mobile device; affects checkout layout. | Strictly necessary | Session |
| _secure_session_id | Shopify (shopify.com) | Hardened session identifier used during checkout to bind to the secure session. | Strictly necessary | Session |
| _cart_sig | Shopify (shopify.com) | HMAC signature protecting the cart token from tampering. | Strictly necessary | Session |
| _orig_referrer | Shopify (shopify.com) | Records the referrer at first visit so checkout displays correct context. | Strictly necessary | Session |
| _landing_page | Shopify (shopify.com) | Records the first page the visitor landed on so checkout can return them after authentication. | Strictly necessary | Session |
| country | esoworld.co.uk (first-party) | Stores the visitor’s selected country for currency and shipping. | Preferences | 1 year |
| eso_anonymous_id | esoworld.co.uk (first-party) | HttpOnly anonymous identifier used to stitch browse and purchase activity for the same visitor without exposing identity. Mirrors Klaviyo’s anonymous_id. | Functional | 2 years |
| eso_kx | esoworld.co.uk (first-party) | Stores the Klaviyo email-click identifier (_kx) when a subscriber arrives from an email link, so we can stitch the on-site activity onto their email profile. | Functional | 90 days |
| eso_sub_variant | esoworld.co.uk (first-party) | Records which Subscribe & Save layout variant was shown so the same visitor sees a consistent layout across pages. | Preferences | 180 days |
| eso_exchange_id | esoworld.co.uk (first-party) | Klaviyo exchange identifier (_kx) used to merge anonymous and email-known profiles when the visitor later identifies. | Functional | 1 year |
| _ga | Google Analytics (google.com) | Distinguishes unique users for Google Analytics 4 (GA4) reporting. | Analytics | 2 years |
| _ga_ZVNT72X93S | Google Analytics (google.com) | GA4 session-specific identifier for our property (G-ZVNT72X93S). | Analytics | 2 years |
| _gid | Google Analytics (google.com) | Distinguishes users for 24-hour Google Analytics reports. | Analytics | 24 hours |
| _clck | Microsoft Clarity (clarity.ms) | Persistent Clarity user identifier used for behavioural analytics (heatmaps, session replay). | Analytics | 1 year |
| _clsk | Microsoft Clarity (clarity.ms) | Clarity session identifier connecting page views in a single session. | Analytics | 1 day |
| _fbp | Meta (facebook.com) | Meta browser pixel identifier used to attribute conversions to Facebook / Instagram ads and build Custom Audiences. | Advertising | 90 days |
| _fbc | Meta (facebook.com) | Stores the Facebook click ID (fbclid) from ad clicks; used for conversion attribution. | Advertising | 90 days |
| _pin_unauth | Pinterest (pinterest.com) | Pinterest tag identifier for non-logged-in visitors; used for ad attribution and audience building. | Advertising | 1 year |
| _pinterest_ct_ua | Pinterest (pinterest.com) | Pinterest conversion-tracking identifier used for cross-device attribution. | Advertising | 1 year |
| _pinterest_sess | Pinterest (pinterest.com) | Pinterest session identifier for logged-in users; ad attribution. | Advertising | 1 year |
| _rdt_uuid | Reddit (reddit.com) | Reddit pixel identifier used to attribute conversions and build Reddit ad audiences. | Advertising | 90 days |
| _uetsid | Microsoft (bing.com) | Microsoft UET session identifier used for Bing Ads / Microsoft Advertising conversion tracking. | Advertising | 1 day |
| _uetvid | Microsoft (bing.com) | Microsoft UET persistent visitor identifier used for ad attribution. | Advertising | 13 months |
| _ttp | TikTok (tiktok.com) | TikTok pixel identifier used to attribute conversions to TikTok ad campaigns. | Advertising | 13 months |
| __ttp | TikTok (tiktok.com) | TikTok cross-site session identifier used for ad attribution. | Advertising | 13 months |
| __kla_id | Klaviyo (klaviyo.com) | Klaviyo profile cookie used for email-marketing attribution, abandoned-cart targeting and audience segmentation. | Advertising | 2 years |
| Local storage: eso_click_ids_v1 | esoworld.co.uk (first-party) | Stores ad-platform click identifiers (gclid, fbclid, msclkid, ttclid, epik, rdt_cid, wbraid) so conversions can be attributed back to the originating ad click. Mirrored into the Shopify cart so the order webhook can fire server-side CAPI events. | Advertising | 90 days |
| Local storage: eso_cart_attrs_fingerprint_v1 | esoworld.co.uk (first-party) | Caches the last set of click-attribution values attached to the cart so we do not re-attach on every page load. | Functional | Until cleared |
| Server-side webhook idempotency (Workers KV) | esoworld.co.uk (first-party) | Stores hashes of received Shopify webhook IDs for 7 days to prevent duplicate ad-platform conversion fires on webhook retries. Does not touch the browser. | Strictly necessary | 7 days |

17. Marketing communications

We may send you marketing communications by email, SMS, push notification, in-app message, postal mail or any other channel you have provided, where you have opted in or where we rely on the soft-opt-in regime of PECR (or its equivalent in another jurisdiction) for similar products and services following a prior purchase. Every marketing communication will contain a mechanism for you to unsubscribe or otherwise opt out, typically a link labelled “Unsubscribe” or equivalent. You may also contact hello@esoworld.co.uk at any time to withdraw consent to marketing communications. Opting out of marketing does not opt you out of transactional communications necessary to fulfil a contract, respond to a request or comply with law. If you contact us with a general inquiry, we will treat your contact information as provided for that purpose only and will not add you to marketing lists without your separate consent. Where we use third-party advertising and audience-management platforms, you may also manage your preferences through those platforms’ own opt-out interfaces.

18. Data retention

We retain Personal Data for only as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting, audit or reporting requirements, pursuing or defending legal claims, or for other legitimate purposes. Our retention periods are determined by reference to (a) the nature of the Personal Data, (b) the purposes for which it was collected, (c) applicable legal obligations and limitation periods, (d) the sensitivity of the information, (e) the potential risk of harm from unauthorised use or disclosure, and (f) whether the purposes can reasonably be achieved through other means. Illustrative retention periods include: transactional records and related communications for at least six years from the end of the relevant financial year, consistent with UK tax legislation; customer-support records for up to six years from the last interaction; marketing-list data until consent is withdrawn, together with a suppression record indefinitely to honour the opt-out; analytics data in aggregated or anonymised form indefinitely; security and fraud-prevention data for as long as necessary to fulfil the relevant security purpose; user-generated content such as reviews for as long as the review remains published plus a reasonable archival period; and backup copies retained under our disaster-recovery processes until overwritten in the ordinary course. We will delete, anonymise or aggregate Personal Data when it is no longer necessary to retain it in identifiable form, except where retention is required or permitted by law.

19. Security

We implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account the nature of the Personal Data, the risks to Data Subjects, the state of the art and the costs of implementation. These measures include, as appropriate: encryption of Personal Data in transit and at rest; access controls and principle-of-least-privilege authorisation; regular review of user access and role-based permissions; secure development and change-management practices; logging and monitoring of systems; periodic vulnerability assessment and remediation; testing of business-continuity and disaster-recovery arrangements; incident-response planning and staff training; contractual requirements on Processors; and due diligence on third-party suppliers. Notwithstanding our measures, no method of internet transmission or electronic storage is completely secure; we cannot and do not guarantee the absolute security of Personal Data. Where required by law, we will notify the Information Commissioner’s Office and affected Data Subjects of any personal-data breach within the applicable statutory timescales.

20. Your rights under the UK GDPR

Subject to applicable conditions and exemptions, you have the following rights in respect of your Personal Data: (a) the right of access — to obtain confirmation as to whether we Process your Personal Data and, where we do, to obtain a copy and prescribed additional information; (b) the right to rectification — to have inaccurate or incomplete Personal Data corrected; (c) the right to erasure — to have Personal Data erased in prescribed circumstances, sometimes referred to as the “right to be forgotten”; (d) the right to restriction of Processing — to require us to limit the ways in which we Process your Personal Data in prescribed circumstances; (e) the right to data portability — to receive Personal Data you provided to us in a structured, commonly used and machine-readable format, and to transmit it to another Controller where technically feasible; (f) the right to object — to object to Processing that we carry out on the basis of legitimate interests or in the public interest, including objecting to direct marketing at any time; (g) the right to withdraw consent — to withdraw, at any time, consent on which we rely as a legal basis, without affecting the lawfulness of Processing conducted before withdrawal; (h) the right not to be subject to solely automated decisions — including profiling — that produce legal or similarly significant effects, subject to prescribed exceptions; and (i) the right to lodge a complaint with a supervisory authority. To exercise any of these rights, please contact hello@esoworld.co.uk with “Data Request” in the subject line. We may request information to verify your identity before acting on a request, in order to protect your Personal Data against unauthorised access.

21. Complaints and supervisory authority

If you are not satisfied with our response to a data-subject request or have other concerns about our Processing, you have the right to lodge a complaint with the UK Information Commissioner’s Office. Contact details are available at https://ico.org.uk. Data Subjects in the European Economic Area or other jurisdictions may also have the right to complain to their local supervisory authority. We would, however, appreciate the opportunity to address your concerns before you contact the supervisory authority, and we encourage you to contact us first at hello@esoworld.co.uk.

22. Automated decision-making and profiling

We may use automated processes in the operation of the Services, including for fraud detection, payment verification, inventory management, personalisation, recommendations, analytics, and marketing optimisation. Where we conduct solely automated decision-making that produces legal effects or similarly significantly affects you, we will do so only where necessary for entering into or performing a contract with you, where authorised by law, or where you have provided explicit consent, and we will implement suitable measures to safeguard your rights, including the right to obtain human intervention, express your point of view and contest the decision. Routine personalisation and recommendations do not ordinarily meet this threshold, but to the extent they do, you may contact us to exercise the rights described in this section.

23. Children’s privacy

The Services are not directed to, and we do not knowingly collect Personal Data from, children under the age of sixteen (16). The age of digital consent in the United Kingdom under the Data Protection Act 2018 is thirteen (13); in other jurisdictions it may be higher or lower, and we apply the higher of sixteen (16) or the applicable local age of digital consent. If you are under the applicable age and you believe you have provided Personal Data to us, or if you are a parent or guardian and believe that your child has provided Personal Data to us, please contact hello@esoworld.co.uk and we will take reasonable steps to delete the information. If we become aware that we have Processed Personal Data of a person below the applicable age without verifiable parental consent, we will delete such information as soon as reasonably practicable.

24. California residents (CCPA/CPRA)

If you are a resident of California and the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), applies to our Processing of your Personal Data, you have additional rights. These include the right to know what Personal Information we have collected, used, disclosed and sold or shared; the right to delete Personal Information; the right to correct inaccurate Personal Information; the right to opt out of the sale or sharing of Personal Information; the right to limit the use and disclosure of Sensitive Personal Information; and the right not to receive discriminatory treatment for exercising a privacy right. We do not sell Personal Information within the meaning of the CCPA. We may share Personal Information with advertising partners in ways that could be deemed “sharing” under the CPRA’s definition; where applicable, we honour opt-out preference signals such as Global Privacy Control and provide mechanisms for you to opt out. To exercise California rights, please contact hello@esoworld.co.uk. We may require verification of identity proportionate to the sensitivity of the information and the type of request.

25. European Economic Area and other jurisdictions

Where the EU GDPR applies, rights and obligations substantially equivalent to those set out in this Policy in respect of the UK GDPR apply, and you may contact your local supervisory authority to lodge a complaint. Residents of Virginia, Colorado, Connecticut, Utah and other US states with comprehensive privacy legislation may have rights analogous to those described for California residents; we honour those rights on request to the extent applicable law requires. Residents of other jurisdictions may have rights granted by local law, which we will honour where applicable. In all cases, to exercise a right granted by local law, please contact hello@esoworld.co.uk with a description of the right and the jurisdiction of residence.

26. Third-party links, integrations and social features

The Services may contain links to third-party websites, services, applications and features. The inclusion of such links does not imply any endorsement. Third-party websites and services have their own privacy policies and terms, for which they are solely responsible, and we are not responsible for their content, security, availability or privacy practices. If you disclose Personal Data to a third-party website or service, you do so outside the scope of this Policy. When you use social-media features or integrations embedded in the Services, the relevant social-media provider may collect information about your use of such features, subject to its own privacy policy. We encourage you to review the privacy practices of any third party before disclosing Personal Data to it.

27. User-generated content and reviews

If you post reviews, ratings, comments, testimonials or other user-generated content on the Services, or through a review platform integrated with the Services, that content may be publicly visible together with any identifying information you choose to include (such as a first name, location, or profile image). You should not include Personal Data you wish to remain private. By submitting content, you grant us a non-exclusive, worldwide, royalty-free, perpetual, transferable, sublicensable licence to use, reproduce, display, adapt and distribute that content in connection with the Services and our marketing. You represent that any content you submit is accurate, does not infringe any third party’s rights, and complies with applicable law. We may moderate, edit, pseudonymise, decline to publish or remove user-generated content at our discretion.

28. Do Not Track and Global Privacy Control

Some browsers transmit “Do Not Track” (“DNT”) signals. There is currently no consensus industry standard for how to interpret and respond to DNT signals, and therefore we do not ordinarily take DNT signals into account when Processing Personal Data, except to the extent required by applicable law. Where applicable law requires us to honour Global Privacy Control (“GPC”) or similar opt-out preference signals, we will do so in respect of the rights to which such signals apply.

29. Changes to this Policy

We may update this Policy from time to time to reflect changes to our Processing activities, legal requirements, or for other operational or regulatory reasons. Where we make material changes, we will take reasonable steps to bring the changes to your attention, which may include updating the “Last updated” date at the top of this Policy, posting a prominent notice on the Services, sending you an email, or requesting renewed consent where legally required. The version of the Policy in effect at the time of your interaction with the Services will govern that interaction. Your continued use of the Services following notice of changes constitutes acceptance of the revised Policy to the extent permitted by applicable law. Prior versions of the Policy are available on request.

30. Severability and interpretation

If any provision of this Policy is found to be invalid or unenforceable under applicable law, that provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable; if it cannot be so modified, it shall be severed from this Policy, and the remaining provisions shall continue in full force and effect. The headings used in this Policy are for convenience only and do not affect its interpretation. References to statutes, regulations and codes include any amendment, re-enactment or replacement of them. Words importing the singular include the plural and vice versa. References to a person include any individual, company, partnership, trust, governmental authority or other entity. This Policy does not create any contractual rights in favour of any person and shall not be construed as a binding commitment except to the extent required by applicable data-protection law.

31. Contact

For any questions, concerns, requests or feedback in relation to this Policy or our Processing of Personal Data, please contact us at hello@esoworld.co.uk or by post at Eso World Ltd, Unit A, 82 James Carter Road, Mildenhall, Bury St Edmunds, Suffolk, IP28 7DE. We will endeavour to respond within the timescales set out in this Policy and otherwise within a reasonable period having regard to the complexity and volume of the matter.
