Privacy policy

Effective date: 1 June 2026

Who we are

Bodycare Retail Ltd ("we", "us", "our") is a company registered in the United Kingdom with registered address at Flat 81 Teal Court, Star Place, London, England, E1W 1AB. We are the controller of your personal data collected through our websites, apps, stores, and related services (together, the "Services"). Contact: privacy@bodycare.com.

Scope

This policy explains how we collect, use, share, and protect personal data about:

  • Website visitors, account holders, shoppers (online and in-store), loyalty members, app users, and customer service contacts.
  • Job applicants only where indicated; for employees and contractors, see our internal privacy notice.

The data we collect

We collect and process the following categories of personal data:

  • Identification and contact: name, title, postal addresses, email, phone, date of birth, account IDs, loyalty IDs, social media IDs
  • Transactional: orders, baskets, payment method type and last 4 digits, billing and delivery details, refunds, warranties. We do not store your full payment card details. Payment card information is processed securely by our payment service providers.
  • Verification and fraud prevention: device fingerprints, identity checks, sanctions/PEP screening results where required.
  • Technical and usage: IP address, device and browser data, app telemetry, log files, cookie identifiers, advertising IDs, clickstream, session recordings, heatmaps, and diagnostics.
  • Preferences and profile: marketing preferences, interests, wishlists, size/fit data, demographics (where provided or inferred), survey responses, product reviews, social media handles you share.
  • Location: general location from IP, precise location if you enable it in an app.
  • In-store systems: CCTV images in our premises, Wi-Fi analytics, smart fitting room interactions (where available).
  • Customer support content: emails, chats, call recordings.
  • User-generated content: photos, posts, or feedback you submit or tag us in.
  • Special category data: We only collect special category personal data where necessary to provide a requested service, comply with legal obligations, or where you choose to provide it. This may include limited health information relevant to piercing services or accessibility requirements.

How we obtain data

  • Directly from you when you use our Services, create an account, make a purchase, contact support, enter promotions, or interact with us on social media.
  • Automatically via cookies, pixels, SDKs, and similar technologies.
  • From third parties, such as payment providers, delivery partners, analytics and advertising partners, identity verification and fraud-prevention services, and social networks consistent with your settings.
  • Public sources and aggregated datasets for enrichment and accuracy.

Why we use your data (purposes) and lawful bases

We process personal data only where we have a lawful basis under UK GDPR. Depending on context, that may be:

  • Contract: to register your account; take and fulfill orders; process payments; provide customer service; manage returns and warranties.
  • Legitimate interests: to operate, secure, and improve our Services; prevent fraud and abuse; understand customers and market trends; personalise content; conduct direct marketing (including profiling) to our customers; measure performance; carry out business analytics and reporting; protect our legal rights. We balance these interests against your rights, freedoms and reasonable expectations.
  • Marketing: Where permitted by the Privacy and Electronic Communications Regulations (PECR), we may send marketing communications to existing customers based on our legitimate interests. Where PECR requires your consent, we will only send electronic marketing communications if you have opted in. You can opt out of marketing at any time.
  • Consent: where required for non-essential cookies and similar technologies, precise location services, processing special category personal data, and any other processing where your consent is required by law. You may withdraw your consent at any time. This will not affect the lawfulness of any processing carried out before you withdrew your consent.
  • Legal obligation and public task: to comply with tax, accounting, product safety, and consumer protection laws; respond to lawful requests from authorities.

How we use your data

Subject to applicable law and your choices, we use personal data to:

  • Provide, maintain, and improve our products and Services, websites, and apps.
  • Personalise your experience, content, and offers, including recommendations and dynamic pricing where permitted.
  • Communicate with you about your account, orders, service messages, and operational notices.
  • Market to you across channels (email, SMS, in-app, push, post, social/online ads), including audience creation, lookalikes, cross-device targeting, and measurement.
  • Conduct analytics, research, segmentation, and profiling to understand preferences, predict interests, and develop new products and features.
  • Prevent, detect and investigate fraud, suspicious transactions, security incidents and other prohibited activities. We may use automated systems to identify unusual activity or transactions that could indicate fraud or misuse of our Services.
  • Operate loyalty schemes, contests, surveys, reviews, and user-generated content programs.
  • Enable payment processing, deliveries, returns, and customer support.
  • Comply with legal obligations and enforce our terms.

Cookies and similar technologies

We use essential cookies to run our site and optional cookies/SDKs for analytics, personalisation, and advertising. For details, see our Cookie Notice. Where required, we obtain your consent via our cookie banner and honour your choices. You can change preferences at any time in "Cookie Settings" and via your browser or device controls.

Sharing your data

We share personal data with:

  • Service providers and processors: hosting, cloud, IT support, analytics, A/B testing, customer support platforms, communications, payments, fulfilment and logistics, identity verification, fraud prevention, and marketing tech partners. They act under our instructions and appropriate contracts.
  • Advertising and social media partners: to deliver and measure ads, create audiences, and find similar users, consistent with your consent and preferences and platform rules.
  • Group companies and affiliates: for consolidated reporting, operations, shared services, and cross-brand marketing where permitted.
  • Professional advisors and prospective buyers: auditors, banks, insurers, and in relation to corporate transactions (merger, acquisition, restructuring), subject to confidentiality.
  • Authorities and others: where required by law, to protect rights, safety, or prevent fraud.
  • With your direction or consent: e.g., when you link a third-party account or participate in co-branded promotions.

We do not sell personal data for money.

International transfers

Your data may be transferred to and processed in countries outside the UK. Where we transfer data internationally, we use appropriate safeguards such as UK International Data Transfer Agreements (IDTA), Addenda to the EU SCCs, or another lawful mechanism.

Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting, regulatory and reporting requirements. Where appropriate, we retain different categories of personal data for different periods, taking into account the nature of the data, the purposes for which it is processed and any legal or regulatory obligations.

We typically retain personal data for the following periods:

  • Account data: while your account is active and for up to 7 years after last activity.
  • Transaction records: for up to 7 years to meet tax, accounting, and legal requirements.
  • Marketing data: until you opt out or for 5 years after your last interaction, whichever occurs first.
  • Website analytics: retained only for as long as necessary to analyse website performance and improve our Services, in accordance with our cookie settings and applicable legal requirements.
  • CCTV: normally retained for up to 90 days unless required for the investigation of an incident, legal proceedings or crime prevention.
  • Piercing consultation and consent records (including any health information collected): Retained only for as long as necessary to provide the service, manage any follow-up queries or claims, and comply with our legal and regulatory obligations.
  • Children's personal data: Retained only for as long as necessary for the purpose for which it was collected and in accordance with our legal and regulatory obligations.

Your rights

Under UK data protection law, you have rights to:

  • Access your data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data in certain circumstances.
  • Restrict or object to processing, including objecting to direct marketing and profiling for marketing.
  • Data portability for information you provided to us.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at www.ico.org.uk.

To exercise your rights, contact us at privacy@bodycare.com or via bodycare.com.

Direct marketing and choices

  • You can opt out of email or SMS marketing at any time via the unsubscribe link or STOP instructions, or by contacting us.
  • For online advertising choices, use our "Cookie Settings", your browser's controls, platform ad preferences, and tools like YourOnlineChoices.
  • We will continue to send essential service and transactional messages.

Profiling and automated decisions

We use profiling and automated systems to personalise content, offers and advertising, and to help detect and prevent fraud. These systems may identify unusual transactions or activity that require further review. We do not make decisions that produce legal or similarly significant effects based solely on automated processing without appropriate safeguards. Where this applies, we will provide meaningful information about the logic involved and your rights.

Children

Our Services are intended for a general audience, including families. We may provide certain services, such as ear piercing, to children and young people where this is permitted by law and in accordance with our company policies.

Where we collect personal data relating to a child under the age of 16, we do so only where it is necessary to provide the requested service, comply with our legal obligations, or where the consent of a parent or legal guardian has been obtained where required.

If you are a parent or guardian and believe that your child has provided us with personal data in circumstances that are not authorised or appropriate, please contact us using the details below. We will investigate your request and, where appropriate, delete or update the information in accordance with applicable data protection law.

Security

We implement technical and organisational measures appropriate to the risk, including encryption in transit, access controls, regular penetration testing where appropriate, vulnerability management, employee training, and vendor due diligence. No system is perfectly secure; we have incident response procedures and will notify you and regulators where required.

Third-party links and services

Our Services may link to third-party sites, apps, or services. Their privacy practices are governed by their own policies.

Changes to this policy

We may update this policy from time to time. We will post the updated version with a new effective date and take additional steps if required by law.

Contact us

If you have any questions about this Privacy Policy or how we process your personal data, please contact us using the details above.

This Privacy Policy is available in alternative formats upon request. Please contact us if you require a copy in a different format and we will do our best to accommodate your needs.