Privacy policy
Effective date: 5 May 2026
1. Who we are
This Privacy Policy explains how Creative Ideas UN Ltd, trading as Vaultskin ("Vaultskin", "we", "us", "our"), collects, uses, and discloses personal information when you visit, use, or make a purchase from vaultskin.com or otherwise interact with us (the "Services").
We are the data controller of your personal information for the purposes of the UK GDPR and the EU GDPR.
Creative Ideas UN Ltd, trading as Vaultskin
Suite 93, 235 Earls Court Road, London SW5 9FE, United Kingdom
Registered in England and Wales, company no. 07991840
Email: info@vaultskin.com
2. The personal information we collect
Information you give us
- Contact details — name, email, phone, postal address.
- Order information — items purchased, billing/shipping address, order number, payment confirmation.
- Account information — username, password (securely hashed), security questions, account preferences.
- Shopping activity — items viewed, items in cart, wishlist, loyalty points, gift card balances, reviews submitted, referrals.
- Customer service correspondence — the content of emails, contact-form submissions, and any photographs or attachments you send us.
- Withdrawal/cancellation requests — name, email, order number, scope of withdrawal, declaration, submission timestamp (see our Refund & Cancellation Policy).
Information we collect automatically
- Usage data — IP address, browser type and version, device type, operating system, language, time zone, referrer URL, pages viewed, products clicked, search terms used on the site, and similar interaction data.
- Cookies and similar technologies — see Section 6 below.
- Session-replay data (Microsoft Clarity) — where you have given consent via our cookie banner, we record anonymised session interactions (mouse movements, clicks, scrolls) using Microsoft Clarity to understand how customers use the site. Sessions are processed by Microsoft on a privacy-preserving basis and you can opt out at any time via our cookie preferences.
Information we receive from third parties
- Payment information — processed by our payment provider (Shopify Payments / Stripe). We receive confirmation of payment but never see or store full card details.
- Marketing and advertising platforms — measurement and audience data from Meta, Google, Microsoft, Pinterest, TikTok and similar partners, where you have interacted with our ads or content on those platforms.
3. Why we use your information and our lawful basis
| Purpose | Lawful basis (UK / EU GDPR Art. 6) |
|---|---|
| Processing your orders, payments, deliveries, and returns; managing your account; providing customer service. | Contract performance (Art. 6(1)(b)). |
| Sending order confirmations, shipping notifications, withdrawal-receipt confirmations, and other transactional messages. | Contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c) — UK Consumer Contracts Regulations 2013 / EU Directive 2011/83/EU). |
| Sending marketing emails about our products and offers. | Your consent (Art. 6(1)(a)), captured via the unticked opt-in checkbox at signup or checkout in EU/UK regions, with double-opt-in confirmation. You can withdraw consent at any time via the unsubscribe link in every marketing email or by emailing us. |
| Storing analytics, advertising, and personalisation cookies; ad measurement; remarketing. | Your consent (Art. 6(1)(a)) given via our cookie banner. Strictly necessary cookies are set on the basis of legitimate interests (Art. 6(1)(f)) and our legal obligation to provide a functioning service. |
| Detecting, investigating, and preventing fraud, abuse, and security incidents. | Legitimate interests (Art. 6(1)(f)) — protecting our customers, our business, and the integrity of the Services. |
| Retaining records of orders, invoices, and tax documentation. | Legal obligation (Art. 6(1)(c)) — UK and EU tax/accounting law, anti-money-laundering rules where applicable. |
| Improving our products and services; understanding aggregate customer behaviour. | Legitimate interests (Art. 6(1)(f)). |
| Defending or pursuing legal claims; complying with court orders or regulator requests. | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)). |
4. Who we share your information with
We share personal information with the following categories of recipients, all under written data-processing agreements (Art. 28 UK/EU GDPR) where applicable:
| Recipient | Purpose | Location |
|---|---|---|
| Shopify Inc. | E-commerce platform, hosting, account and order management, transactional email, native cookie banner | Canada (UK + EU adequacy) |
| Shopify Payments / Stripe | Payment processing | Ireland (EU) / United States (with EU-US Data Privacy Framework, UK Data Bridge) |
| Resend | Sending transactional emails (e.g., withdrawal-request confirmations) | United States (UK + EU SCCs) |
| Google LLC (Tag Manager, Ads Remarketing, where applicable Analytics, Sheets) | Marketing measurement, retargeting, internal audit logs | United States (UK Data Bridge, EU-US Data Privacy Framework) |
| Meta Platforms (Facebook, Instagram) | Advertising, retargeting, conversion measurement | Ireland (EU) / United States (with adequacy mechanisms) |
| Microsoft Corporation (Bing Ads / Microsoft Channel, Microsoft Clarity) | Advertising measurement; session-replay analytics (with consent) | United States (with adequacy mechanisms) |
| | Advertising and conversion measurement | Ireland (EU) / United States |
| TikTok / ByteDance | Advertising and conversion measurement | Ireland (EU) / United States / Singapore (with SCCs) |
| Collabs (Shopify) | Creator and influencer marketplace integrations | Canada / United States |
| GOAFFPRO | Affiliate marketing programme management | India (with SCCs) |
| Rivyo (StoreSeo) | Customer reviews and loyalty | Bangladesh / United States (with SCCs) |
| Carriers (Royal Mail, USPS/UPS, Deutsche Post, DHL, etc.) | Delivery of your orders | Various, depending on destination |
| Professional advisers, auditors, regulators | Legal, accounting, tax, and regulatory compliance | UK / EU as required |
| Successor entities | In the event of a merger, acquisition, or sale of business assets | Various |
5. International transfers
Some of the recipients above are located outside the UK and the European Economic Area (EEA). When we transfer personal data outside the UK or EEA, we rely on appropriate safeguards under Article 46 UK/EU GDPR, including:
- Adequacy decisions (e.g., for transfers to Canada — Shopify);
- The EU-US Data Privacy Framework and UK-US Data Bridge (for participating US recipients);
- Standard Contractual Clauses issued by the European Commission, supplemented by the UK International Data Transfer Addendum where the transfer concerns UK personal data.
You can request a copy of the safeguards we rely on for any specific transfer by emailing info@vaultskin.com.
6. Cookies and similar technologies
We use cookies, pixels, and similar technologies on the Services. The first time you visit our website from a region where cookie consent is required (UK, EU/EEA, and others), our cookie banner asks you to choose between accepting all, declining non-essential, or managing preferences in detail. Strictly necessary cookies are always set; analytics, advertising, and personalisation cookies are only set after your consent.
You can change or withdraw your consent at any time by clicking the cookie preferences link in our footer.
For specific information about cookies set by our hosting platform, see Shopify's cookie policy.
7. How long we keep your information
| Category | Retention |
|---|---|
| Order, invoice, and tax records | 7 years from the end of the relevant tax year (UK HMRC / EU equivalent). |
| Customer accounts | For as long as the account is active, or 3 years after last activity, whichever is longer. Deleted on request, subject to overriding retention obligations. |
| Marketing email subscribers | Until consent is withdrawn, or 3 years of inactivity, whichever is sooner. |
| Withdrawal-request audit records | 6 years (UK Limitation Act 1980 — consumer claims period). |
| Customer service correspondence | 3 years from last contact, unless retained longer for a specific case (e.g., warranty claim, dispute). |
| Cookies and analytics | Per the retention policy of the relevant tool (typically 2 to 26 months). |
| Records subject to legal hold | Until the matter is concluded. |
8. Security
We use technical and organisational measures appropriate to the risk, including encryption in transit (TLS), access controls on our systems, regular review of vendor security postures, and reliance on PCI-DSS-certified payment processors. No system is perfectly secure, however, and we cannot guarantee absolute security. If you become aware of any incident affecting your personal data, please contact us immediately.
9. Your rights
Subject to applicable law, you have the following rights in relation to your personal information:
- Access — to obtain a copy of the personal data we hold about you and information about how we process it.
- Rectification — to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — to ask us to delete your data, subject to retention obligations.
- Restriction — to ask us to restrict processing in certain circumstances.
- Portability — to receive your data in a structured, machine-readable format and have it transferred to another controller.
- Objection — to object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — where we rely on consent (marketing email, non-essential cookies), you can withdraw at any time without affecting the lawfulness of processing before withdrawal.
- Automated decision-making — we do not make decisions about you based solely on automated processing that produces legal or similarly significant effects.
- Lodge a complaint — see Section 10.
To exercise any of these rights, email info@vaultskin.com. We will respond within one month of receiving your request (extendable by two further months for complex requests, with notice). We may need to verify your identity before responding.
10. Right to lodge a complaint
If you believe we have not handled your personal data properly, you have the right to complain to a data protection supervisory authority. We would, however, appreciate the chance to address your concerns first — please contact us at info@vaultskin.com.
- United Kingdom: Information Commissioner's Office (ICO), ico.org.uk, helpline 0303 123 1113.
- European Union / EEA: your local supervisory authority. A list is available from the European Data Protection Board.
11. Children
The Services are not directed to children. We do not knowingly collect personal information from anyone under 16. If we become aware that we have inadvertently collected personal information from a child, we will delete it without undue delay. If you believe a child has provided us with their personal information, contact us at info@vaultskin.com.
12. Third-party websites and links
The Services may contain links to third-party websites or services (e.g., social media platforms, partner sites). We are not responsible for the privacy practices of those sites. Please review their privacy notices before sharing personal information with them.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised policy on this page and update the "Effective date" at the top. For material changes, we will give you reasonable advance notice — for example, by email if you have an account with us, or by a prominent notice on the Services.
14. California Privacy Notice
This section applies in addition to the rest of this Privacy Policy if you are a California resident. It supplements the information above with California-specific disclosures required under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").
Categories of personal information collected and disclosed
In the past 12 months, we have collected and disclosed the following categories of personal information for business or commercial purposes (as defined in the CCPA/CPRA):
- Identifiers (name, email, postal address, IP address) — disclosed to service providers (hosting, payment, fulfillment, marketing) and to advertising partners.
- California Customer Records statute categories (contact and payment information).
- Commercial information (purchase history, products viewed) — disclosed to service providers and advertising partners.
- Internet/network activity (cookies, usage data) — disclosed to service providers and advertising partners.
- Geolocation data derived from IP address — disclosed to service providers and advertising partners.
We do not knowingly collect or disclose sensitive personal information as defined by CPRA, and we do not infer characteristics from sensitive personal information.
"Sale" and "sharing" of personal information
Under CCPA/CPRA's broad definitions, our use of advertising cookies and similar technologies (e.g., for retargeting and ad measurement) may be considered a "sale" or "sharing" of personal information. We have "shared" identifiers, commercial information, and usage data with advertising partners (e.g., Meta, Google, Microsoft, Pinterest, TikTok) for cross-context behavioural advertising in the past 12 months. We do not sell or share the personal information of consumers known to be under 16.
Your California rights
- Right to know what personal information we have collected, used, disclosed, and "sold"/"shared".
- Right to delete personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of the "sale"/"sharing" of personal information. Submit a request via the "Do Not Sell or Share My Personal Information" link in our footer, or by enabling the Global Privacy Control (GPC) signal in your browser — we honour GPC as a valid opt-out signal.
- Right to limit the use of sensitive personal information (we do not use sensitive personal information for purposes that would trigger this right).
- Right to non-discrimination for exercising any of these rights.
Submit requests to info@vaultskin.com or via the methods above. We will acknowledge requests within 10 business days and respond within 45 calendar days (extendable by 45 days with notice).
Authorised agents
You may use an authorised agent to make a request on your behalf. We will require the agent to provide proof of authorisation, and we may need to verify your identity directly with you.
15. Contact us
For any privacy-related question, request, or complaint:
Creative Ideas UN Ltd, trading as Vaultskin
Suite 93, 235 Earls Court Road
London SW5 9FE, United Kingdom
Email: info@vaultskin.com