Legal & Transparency

Privacy Policy

Version 1.0  |  Effective: 16/03/2026  |  Last reviewed: March 2026

Regulatory basis: UK GDPR (Data Protection Act 2018) as amended by the Data (Use and Access) Act 2025. Enforced by the Information Commissioner's Office (ICO). PECR applies to all direct electronic marketing and cookies.
01

Who We Are

Serenity Supplements Ltd is registered in England and Wales as a private limited company. We are the data controller for personal information collected through our website, email communications, and social media channels.

  • Company: Serenity Supplements Ltd
  • Company Registration Number: 16214868
  • Registered Address: 28 Woodrush Crescent, Locks Heath, Southampton, SO31 6UP
  • ICO Registration Number: CSN7672223
  • Data enquiries email: customercare@serenity-supplements.com
02

What Personal Data We Collect

Data you provide directly

  • Name — when you subscribe to our email list or contact us.
  • Email address — when you opt in to our mailing list via our funnel page.
  • Voluntary information — anything you include in messages sent to us via social media or email.

Data collected automatically

  • Website usage data — pages visited, time on page, referral source, approximate location, device type and browser. Collected via cookies on our Systeme.io funnel page.
  • Email engagement data — email opens, link clicks, and email client type. Collected by Kit.com (formerly ConvertKit).
  • Affiliate click data — if you click an affiliate link to Amazon, Amazon may record your IP address on their platform. We receive aggregated commission reports only.

Data we do not collect

  • We do not collect payment card data at any stage.
  • We do not collect special category data (health, biometric, or financial).
  • Our services are not directed at children under 13. We do not knowingly collect data from children.
03

How and Why We Use Your Personal Data

Purpose | Data used | Lawful basis
Sending our email newsletter and promotional content | Name, email address, engagement data | Consent (Art. 6(1)(a)) + PECR consent. Withdrawable any time.
Improving our email campaigns | Email engagement data (opens, clicks) | Legitimate interests (Art. 6(1)(f)) — sending relevant content.
Amazon Associates affiliate activity | Aggregate reporting only — no personal data stored by us | Legitimate interests (Art. 6(1)(f)) — operating our business.
Website and funnel analytics | Cookie and usage data | Consent (PECR) for non-essential cookies; legitimate interests for essential cookies.
Responding to enquiries and complaints | Name, email, message content | Legitimate interests (Art. 6(1)(f)).
Complying with legal obligations | Any data required by law | Legal obligation (Art. 6(1)(c)).

04

Who We Share Your Data With

We do not sell your personal data. We share it only with the following service providers who act as our data processors:

Kit.com (ConvertKit, Inc.)

  • Purpose: Email marketing platform — stores your name and email, sends campaigns, reports on engagement.
  • Location: United States
  • Safeguard: Standard Contractual Clauses and Data Processing Agreement. See kit.com/privacy.

Amazon Associates (Amazon.com, Inc.)

  • Purpose: Affiliate programme. Amazon processes data per their own policy if you click our links. We receive aggregated commission reports only.
  • Location: United States
  • Safeguard: Amazon's own privacy policy: amazon.co.uk/privacy.

Systeme.io

  • Purpose: Sales funnel and landing page platform — hosts our email capture forms and funnel analytics.
  • Location: France (EU)
  • Safeguard: UK-EU adequacy decision applies. Systeme.io DPA in place.

TikTok (TikTok Technology Ltd)

  • Purpose: Social media. TikTok processes follower and viewer data per their own policy. We have no control over TikTok's processing.
  • Location: UK / US / Singapore
  • Safeguard: TikTok's own policy: tiktok.com/legal/privacy-policy.

Meta Platforms Ireland Ltd (Instagram)

  • Purpose: Social media. Meta processes follower and viewer data per their own policy. We have no control over Meta's processing.
  • Location: Ireland (EU) / United States
  • Safeguard: Meta's own policy: privacycenter.instagram.com.

We may also disclose your data where required by law, a court order, or a regulatory authority including the ICO.

05

International Data Transfers

Some service providers (Kit.com, Amazon) are based in the United States. Under the Data (Use and Access) Act 2025, transfers to third countries are permitted where protection is not materially lower than UK standards.

Where we transfer data to the US, we rely on the UK International Data Transfer Agreement (IDTA) or equivalent Standard Contractual Clauses agreed with each processor. Systeme.io is based in France and is covered by the UK-EU adequacy decision.

You can request a copy of the safeguards in place by contacting us using the details in Section 1.

06

How Long We Keep Your Data

Data | Retention period | Reason
Email subscriber records (name, email) | While subscribed, plus 12 months after unsubscribe | Suppression list — prevent re-addition without fresh consent.
Email engagement data (opens, clicks) | 24 months from last engagement | List hygiene and inactive subscriber management.
Enquiry and contact data | 12 months from last contact | In case of follow-up or dispute.
Website and funnel analytics cookie data | 12 to 24 months (set by third-party tools) | Traffic and conversion analysis.
Affiliate reporting data (aggregated only) | 6 years | UK tax and accounting obligations.

07

Your Data Protection Rights

Under UK GDPR and the Data (Use and Access) Act 2025, you have the following rights:

Right of Access

Request a copy of the personal data we hold about you. We respond within one calendar month.

Right to Rectification

Ask us to correct inaccurate or incomplete personal data we hold about you.

Right to Erasure

Ask us to delete your personal data where there is no overriding reason to retain it.

Right to Restrict Processing

Ask us to pause processing your data while a complaint or correction is resolved.

Right to Data Portability

Request your data in a structured, machine-readable format where processing is based on consent or contract.

Right to Object

Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.

Right to Withdraw Consent

Withdraw email marketing consent at any time via the unsubscribe link in any email or by contacting us directly.

Right to Complain

Lodge a complaint with the ICO if you are unhappy with how we handle your data. See Section 8.

To exercise any right, contact us using the details in Section 1. We respond within one calendar month. There is no charge.

08

Data Protection Complaints Procedure

DUAA 2025 requirement: From 19 June 2026, organisations must operate a formal data protection complaints process, acknowledge complaints within 30 days, and respond without undue delay.

  • Step 1 — Contact us directly. Email us at the address in Section 1. We will acknowledge your complaint within 30 days.
  • Step 2 — Use our online complaints form. [INSERT link — required before 19 June 2026.]
  • Step 3 — Escalate to the ICO. ico.org.uk/make-a-complaint  |  0303 123 1113  |  Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
09

Cookies

Our funnel pages hosted on Systeme.io use cookies — small text files placed on your device.

Essential cookies

Required for the page to function correctly. Do not require consent under updated PECR and DUAA rules, but can be disabled in your browser settings.

Analytics cookies

Used to understand how visitors use our pages. Under the DUAA, analytics cookies may be used without explicit consent provided you can opt out. Contact us to opt out.

Third-party social media cookies

TikTok and Meta may set cookies if you have previously visited those platforms. These are subject to their own cookie policies.

10

How We Protect Your Data

  • Access to Kit.com is protected by strong passwords and two-factor authentication.
  • We use reputable service providers with their own security certifications and data processing agreements in place.
  • We do not store financial or payment data.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay where required.

11

Marketing Communications

We will only send you marketing emails if you have explicitly opted in to receive them, as required by PECR. Unsubscribe at any time via the link at the bottom of any email or by emailing us directly. We retain your email on a suppression list for 12 months to prevent accidental re-addition.

12

Third-Party Links

Our emails and social media content contain affiliate links to Amazon and other third-party websites. Once you leave our communications and visit those sites, this privacy policy no longer applies. Serenity Supplements Ltd is a participant in the Amazon Associates Programme. When you click an affiliate link and make a qualifying purchase, we may earn a commission at no extra cost to you.

13

Changes to This Policy

We may update this policy from time to time. We will update the effective date at the top of this page and, where changes are material, notify active email subscribers. The current version will always be available at this URL.

14

Contact Us

Serenity Supplements Ltd
28 Woodrush Crescent, Locks Heath, Southampton, SO31 6UP
Company Registration: 16214868
ICO Registration: CSN7672223
Email: customercare@serenity-supplements.com