Privacy Policy

1. About This Policy

Your privacy matters. This policy explains what personal data we collect, why, and what we do with it.

This Privacy Policy applies to Koh Europe Ltd, company number 11333689 ("Koh", "us", "we", "our"), the data controller responsible for your personal data.

We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (DPA 2018).

Privacy Contact: careuk@koh.com or Koh Europe Ltd, C/O Womble Bond Dickinson (UK) LLP, The Spark, Drayman’s Way, Newcastle Helix, Newcastle Upon Tyne NE4 5DE

2. What We Collect

2.1 Information You Provide
  • Name, email, postal address, phone number (account creation, orders)
  • Payment details (processed securely; we do not store full card details)
  • Date of birth (if provided)
  • Order history and product preferences
  • Communications with us (email, phone, chat, social media)
  • Survey responses and feedback
2.2 Information We Collect Automatically
  • IP address, browser type, operating system, device information
  • Pages visited, time on site, navigation patterns
  • Referring source
  • Cookie and tracking technology data (see Section 9)
  • Location data (derived from IP address)
2.3 Information from Third Parties
  • Analytics providers (Google Analytics)
  • Advertising platforms (Meta)
  • Payment processors
  • Fraud prevention services

3. How and Why We Use Your Data

Under the UK GDPR, we must have a lawful basis for each processing activity. The table below sets out the purposes for which we process your data, and our lawful basis for each.

| Purpose | Data Used | Lawful Basis | Details |
|---|---|---|---|
| Order fulfilment | Name, address, email, phone, payment details, order details | Performance of contract (Art 6(1)(b)) | Processing, shipping, and delivering your orders; payment and refunds |
| Account management | Name, email, password, preferences | Performance of contract (Art 6(1)(b)) | Registration, authentication, account maintenance |
| Customer service | Name, contact details, communications | Legitimate interests (Art 6(1)(f)) | Responding to enquiries and complaints. Legitimate interest: providing good customer service |
| Marketing emails | Name, email, purchase history | Consent (Art 6(1)(a)) | Product news, offers, and recommendations. You can withdraw consent at any time |
| Site improvement | Browsing data, analytics | Legitimate interests (Art 6(1)(f)) | Analysing how you use our site. Legitimate interest: improving our products and services |
| Fraud prevention | IP, payment data, order patterns | Legitimate interests (Art 6(1)(f)) | Detecting and preventing fraud. Legitimate interest: protecting our business and customers |
| Legal compliance | Various as required | Legal obligation (Art 6(1)(c)) | Tax, consumer law, regulatory requirements |


Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your rights and freedoms. You can request details of these assessments by contacting us.

4. Who We Share Your Data With

4.1 Service Providers (Data Processors)

We use third-party service providers who process data on our behalf under our instructions. We have data processing agreements with all processors in accordance with Article 28 UK GDPR.

| Provider | Location | Purpose | Privacy Policy |
|---|---|---|---|
| Shopify | Canada | E-commerce platform and order management | shopify.com/legal/privacy |
| Klaviyo | United States | Email marketing and customer communications | klaviyo.com/privacy/policy |
| Gorgias | United States | Customer service platform | gorgias.com/privacy-policy |
| Google | United States | Analytics (Google Analytics) and workspace tools | google.com/intl/en/policies/privacy |
| Meta | United States | Advertising and analytics (Meta Pixel) | meta.com/legal/privacy-policy |
| Cin7 | New Zealand | Inventory and order management | cin7.com/privacy-policy |
| Recharge | United States | Subscription billing and management | rechargepayments.com/privacy-policy |
| S | United States | Personalisation engine and product recommendations | rebuyengine.com/privacy |
| Fairing | United States | Post-purchase surveys | fairing.co/privacy |
| Reviews.io | United Kingdom | Product reviews and ratings | reviews.io/privacy-policy |
| Linktech | Australia | Affiliate and referral programme management | linktech.com.au/privacy |
| Rewind | Canada | Shopify data backup | rewind.com/privacy |
| Intelligems | United States | A/B testing and conversion optimisation | intelligems.io/privacy |
| Typeform | Spain | Customer forms and surveys | typeform.com/help/a/typeform-privacy-policy |
| Xero | New Zealand | Accounting and financial records | xero.com/legal/privacy |
| Docusign | United States | Electronic document execution | docusign.com/company/privacy-policy |
| Cookie Script | Lithuania | Cookie consent management | cookie-script.com/privacy-policy |
| Payment processors | Various | Payment processing (Visa, Mastercard, Amex, PayPal) | See individual provider policies |


4.2 Other Recipients
  • Koh group companies (including Koh Australia Pty Ltd ABN 12 139 768 219) for the purposes in this policy
  • Professional advisers (lawyers, accountants, insurers) under professional obligation
  • Law enforcement and regulators (where required by law)
  • Potential buyers of our business (under strict confidentiality)
4.3 No Sale of Data

We do not sell your personal data to third parties.

5. International Transfers

Some of our service providers are located outside the United Kingdom. Your personal data may be transferred to countries including Australia, the United States, Canada, and the European Union.

Before transferring data outside the UK, we ensure appropriate safeguards are in place as required by Chapter V of the UK GDPR, including:

  • transfers to countries with UK adequacy regulations (e.g., EEA countries);
  • the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses; or
  • other approved transfer mechanisms.

You can request details of the safeguards we use by contacting us.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption, access controls, regular security testing, and contractual data protection obligations on processors.

No system is completely secure. While we take reasonable steps, we cannot guarantee absolute security.

7. Data Retention

We retain personal data only as long as needed for the purposes in this policy, or as required by law:

  • Order and transaction records: 7 years (tax and accounting)
  • Account data: life of account plus a reasonable period after closure
  • Marketing preferences: until you withdraw consent
  • Website analytics data: retained for the default period set by our analytics platform (Google Analytics). This data is anonymised and aggregated and does not identify individual users.

When data is no longer needed, we securely delete or anonymise it.

8. Your Rights

The UK GDPR gives you specific rights over your personal data.

8.1 Right of Access (Article 15)

You can request a copy of the personal data we hold about you. We will respond within one month.

8.2 Right to Rectification (Article 16)

You can ask us to correct inaccurate or incomplete data.

8.3 Right to Erasure (Article 17)

You can ask us to delete your data where it is no longer needed, you withdraw consent, or there is no overriding legitimate reason for us to keep it. Some data may need to be retained for legal or regulatory reasons.

8.4 Right to Restrict Processing (Article 18)

You can ask us to restrict processing in certain circumstances (e.g., while we verify the accuracy of your data).

8.5 Right to Data Portability (Article 20)

Where processing is based on consent or contract performance, you can request your data in a structured, machine-readable format.

8.6 Right to Object (Article 21)

You can object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds. You can object to direct marketing at any time, and we will stop.

8.7 Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

8.8 Right to Complain

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: ico.org.uk

Telephone: 0303 123 1113

8.9 How to Exercise Your Rights

Contact us at careuk@koh.com or write to us at the address above. We may need to verify your identity. We will respond within one month (extendable by two months for complex requests, with notice to you). There is no fee unless requests are manifestly unfounded or excessive.

9. Cookies and Similar Technologies

We use cookies and similar technologies on our Site. Under the Privacy and Electronic Communications Regulations 2003 (PECR), we must obtain your consent before setting non-essential cookies.

9.1 Types of Cookies
  • Essential cookies: Required for the Site to function. Cannot be disabled.
  • Analytics cookies: Help us understand site usage (e.g., Google Analytics).
  • Marketing cookies: Used for targeted advertising (e.g., Meta Pixel).
  • Functionality cookies: Remember your preferences.
9.2 Your Choices

When you first visit our Site, we will present a cookie consent banner. You can accept or reject non-essential cookies. You can change your preferences at any time via the cookie settings on our Site or through your browser.

To opt out of Google Analytics: tools.google.com/dlpage/gaoptout.

9.3 For More Information

Visit allaboutcookies.org for general information about cookies.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • notify the ICO within 72 hours of becoming aware of the breach (Article 33 UK GDPR); and
  • notify affected individuals without undue delay where the breach is likely to result in a high risk (Article 34 UK GDPR).

11. Children’s Privacy

Our Site is not directed at children under 18. We do not knowingly collect data from children. If you believe we have, please contact us and we will delete it.

12. Third-Party Links

Our Site may link to third-party websites. This policy applies only to our Site. Please read third-party privacy policies before providing data to them.

13. Changes to This Policy

We review this policy regularly. Material changes will be notified by email (if you have an account) or by prominent notice on our Site.

This Privacy Policy was last updated on 1 April 2026.

14. Contact Us

Email: careuk@koh.com

Post: Privacy Contact, Koh Europe Ltd, C/O Womble Bond Dickinson (UK) LLP, The Spark, Drayman’s Way, Newcastle Helix, Newcastle Upon Tyne NE4 5DE