Privacy policy

Last updated: 20.01.2026

This Privacy Policy explains how 28club (“we”, “us”, “our”), which operates 28club.co.uk (the “Site”), collects, uses, discloses, and protects your personal data when you visit our Site, create an account, place an order, contact us, or otherwise interact with us.

We act as the data controller for the personal data described in this policy under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1) CONTACT DETAILS

28club
Email: support@28club.co.uk
Address: Unit 113, The Light Bulb, 1 Filament Walk, London SW18 4GW

If you have questions about this policy or want to exercise your rights, contact us using the details above.

2) WHAT PERSONAL DATA WE COLLECT

We collect different types of personal data depending on how you interact with the Site.

A) Device and usage data (when you browse)

What we collect:
IP address, browser type, device type, time zone, pages viewed, links clicked, referring URLs, search terms, cookie identifiers, and how you interact with the Site.

Why we collect it:
To run the Site securely, detect fraud, understand performance, and improve user experience.

B) Order and checkout data (when you buy)

What we collect:
Name, billing address, delivery address, email, phone number, order contents, order history, and delivery details.

Payment data note:
Card details are processed securely by our payment providers. We do not store full card numbers.

Why we collect it:
To process your order, take payment, arrange shipping, handle returns, keep accounting records, and prevent fraud.

C) Account data (if you create an account)

What we collect:
Name, email, encrypted password, saved addresses, order history, and preferences.

Why we collect it:
To provide account functionality and faster checkout.

D) Customer support data

What we collect:
Messages you send us, images (e.g., for faults), and any information you choose to provide.

Why we collect it:
To resolve enquiries, manage returns, handle complaints, and improve service.

E) Marketing data (if you opt in)

What we collect:
Email address, consent status, and engagement with our emails (opens, clicks).

Why we collect it:
To send marketing communications where permitted and measure performance.

3) OUR LAWFUL BASES FOR PROCESSING (UK GDPR)

We process your personal data on one or more of the following lawful bases:

  • Contract: to fulfil your orders and provide customer service.

  • Legal obligation: for tax, accounting, and regulatory requirements.

  • Legitimate interests: for site security, fraud prevention, analytics, and service improvement (balanced against your rights).

  • Consent: for certain marketing and non-essential cookies.

Marketing (PECR compliance)

We will only send email marketing where:

  • you have given explicit consent, or

  • the soft opt-in applies (you purchased from us, we market similar products, and you can opt out each time).

You can unsubscribe at any time via the link in our emails or by contacting us.

4) WHO WE SHARE YOUR DATA WITH

We share personal data only with trusted service providers that help us operate the store. These act as data processors on our behalf.

We share data with:

  • Shopify – website hosting, checkout, orders, and customer records.

  • Klaviyo – email marketing, order notifications, and customer communications.

  • Meta (Facebook & Instagram) – advertising, conversion tracking, and retargeting (where you consent to marketing cookies).

  • Google Analytics – website analytics and performance tracking.

  • PostCo – returns, exchanges, and aftercare management.

  • Gorgias – customer support and enquiry management.

We may also share data with:

  • payment providers,

  • couriers and logistics partners,

  • fraud prevention services,

  • accountants or legal advisers (where necessary).

We will only share personal data where lawful and necessary.

5) INTERNATIONAL DATA TRANSFERS

Because we serve customers globally, some personal data may be transferred outside the UK (including to the USA, Canada, and the EU).

This happens mainly because we use global platforms such as Shopify, Klaviyo, Meta, Google, PostCo, and Gorgias.

Where data is transferred outside the UK, we ensure appropriate safeguards, including:

  • UK adequacy decisions, and/or

  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to Standard Contractual Clauses.

By purchasing from us or using the Site, you acknowledge that your data may be processed internationally under these protections.

6) COOKIES AND SIMILAR TECHNOLOGIES

We use cookies and pixels to:

  • make the store work properly (cart, checkout, security),

  • remember your preferences,

  • measure site performance, and

  • support advertising (where you consent).

YOUR CHOICES

Where required, we ask for your consent for non-essential cookies (e.g., marketing/advertising). You can change your preferences at any time via our cookie settings or your browser controls.

In addition to Shopify cookies, we may deploy cookies or pixels from Google, Meta, Klaviyo, PostCo, and Gorgias where necessary for analytics, advertising, and customer service.

Blocking cookies may reduce site functionality.

7) MARKETING AND TARGETED ADVERTISING

If you consent to marketing cookies, we may use your browsing and purchase data to show relevant ads via:

  • Meta (Facebook & Instagram)

  • Google advertising services

You can manage ad preferences at:

  • Meta: facebook.com/settings/?tab=ads

  • Google: google.com/settings/ads

You can also adjust or withdraw consent via our cookie settings at any time.

8) AUTOMATED DECISION-MAKING AND FRAUD PREVENTION

We use limited automated tools (via Shopify and payment providers) to detect fraud and protect the Site (e.g., risk flags on suspicious transactions).

We do not use fully automated decision-making that has legal or similarly significant effects on you without human review.

9) DATA RETENTION (HOW LONG WE KEEP DATA)

We retain personal data only as long as necessary:

  • Orders & invoices: up to 6 years (UK tax and legal requirements).

  • Customer support records: typically up to 24 months after resolution.

  • Marketing data: retained while you remain subscribed; after that we suppress your details to respect your preferences.

  • Cookie/analytics data: retained in line with our cookie settings and provider defaults.

10) YOUR RIGHTS (UK GDPR)

You have the right to:

  • Access your data

  • Correct inaccurate data

  • Request deletion (where applicable)

  • Restrict processing

  • Object to processing (including direct marketing)

  • Request data portability

  • Withdraw consent where processing relies on consent

To exercise any right, email support@28club.co.uk. We may need to verify your identity before responding.

11) RIGHTS OF INTERNATIONAL CUSTOMERS

If you are outside the UK, you may have additional rights under local privacy laws (e.g., EU GDPR or similar regimes).

You can still contact us at support@28club.co.uk to make a request, and we will handle it in line with applicable law.

12) MINORS

Our Site is not intended for individuals under 18. We do not knowingly collect personal data from children.

If you believe a child has provided us with personal data, contact us and we will take appropriate steps to delete it.

13) SECURITY

We use appropriate technical and organisational measures to protect personal data. No system is 100% secure, but we work with reputable platforms and safeguards to minimise risk.

14) CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in law, services, or our practices. We will update the “Last updated” date at the top of this page.

15) COMPLAINTS

If you are unhappy with how we handle your data, contact us first at support@28club.co.uk.