This site has limited support for your browser. We recommend switching to Edge, Chrome, Safari, or Firefox.

Privacy Policy

Bare Biology respects your privacy and is committed to protecting your personal data. This Privacy Policy aims to give you information on how we collect and process your personal data through your use of this website and will inform you as to how we look after your personal data and tell you about your privacy rights.

We will process and protect your personal data as set out in this Privacy Policy, so please read it carefully.

This Privacy Policy was last updated on 30th July 2024. Copies of earlier versions are available on request, please email us at info@barebiology.com.

WHO WE ARE

Controller: 
 
Bare Biology (collectively referred to as “we”, “us” or “our”) is a specialist online retailer of high quality health foods and supplements.

Bare Biology are the controller and are responsible for your personal data, which means that we determine the purposes and ways of the processing of your personal data.

Contact Details:

Our full details are:

Company name: Bare Biology Ltd

Postal address: Platform 9, Tower Point, 44 North Road, Brighton, BN1 1YR

Contact Name: Privacy Compliance Officer


If you have any general enquiries related to this Privacy Policy please email
info@barebiology.com. This email address is monitored on a regular basis and we aim to respond to your query as soon as possible.

THE DATA WE COLLECT ABOUT YOU

Personal data means any information about you from which you can be identified. It includes where you can be identified from combining different data together, but it does not include data where the identity has been removed (i.e. anonymous data).

We use different methods to collect data from and about you, including through:

  • Direct interactions. This refers to personal data you provide directly to us (for example by purchasing one of our products or by corresponding with us via email).
  • Automated interactions. As you interact with our website, we may automatically collect data about your equipment, browsing actions and patterns. For example, we collect information which may include your IP address, the browser type and your location.
    Cookies. We may receive data about you if you visit other websites employing our cookies. Please see our cookie policy for more details about this.
  • Third Parties: We may also receive data about you from third parties, as set out below.


Data Collected by Us

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Contact Data includes data such as your first name, last name, gender, age range, password, email address, phone number and delivery address;
  • Financial Data includes data such as the last 4 digits of your payment card and billing address;
  • Marketing and Communications Data includes data such as your preferences in receiving marketing from us and your email address;
  • Technical Data includes data such as your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the website;
  • Usage Data includes data such as information about how you use our website, products and services viewed, purchases and order history; and
  • Health Data includes data such as results from a test kit you’ve bought from us, if you volunteer that information, for example if you ask us for guidance.


Data Collected From Third Parties

We may receive certain data from Shopify such as cookies, log files (which collect data such as your IP address, browser type, internet service provider, referring/exit pages and date/time stamps) and web beacons (which use tags and pixels which are electronic files used to collect data about how you browse the site). For more information about how Shopify processes and protects personal data please see the separate section below and you can read Shopify’s Privacy Policy here.

We may receive data from third party analytics providers. For example, our store may use Google Analytics to help us learn about who visits our site and what pages are being looked at. How Google Analytics collects and processes your personal data is explained here: How Google uses information from sites or apps that use our services

We may also receive data you’ve shared with our third party review provider, or from partners conducting surveys or research on our behalf. For example, when providing a product review you may choose to include a photograph or reference the health reason for purchasing one of our products or services.

DATA WE DO NOT COLLECT

Other than the health data you may volunteer, (as described above), we do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

This website is not intended for children and we do not knowingly collect data relating to children.

IF YOU FAIL TO PROVIDE PERSONAL DATA

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our products). For example, we may have to cancel the order you have with us but we will notify you if this is the case at the time.

PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA  
 
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so.
 
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Purpose/
Activity

Type of data Lawful basis for 
processing
Receiving your order for
product(s)
(a) Contact Data Necessary for the performance
of a contract
Processing payments

(a) Contact Data
(b) Financial Data

Necessary for the performance of a contract

Shipping the product(s) to you (a) Contact Data Necessary for the performance
of a contract
Return of product(s) (a) Contact Data
(b) Financial Data

Necessary for the performance of a contract

Sending you confirmation
email(s) and receipts
(a) Contact Data Necessary for the performance of a contract
To send service
communications
(a) Contact Data

Necessary for the performance of a contract
Legitimate interests

To administer our loyalty
programme and apply
discounts
(a) Contact Data
(b) Marketing and communications data
(c) Usage Data
Necessary for the performance
of a contract
Sending you marketing
communications
(a) Contact Data
(b) Marketing and communications data
(c) Usage Data
Legitimate interests
Consent
Screen for potential risk
and fraud
(a) Technical Data
(b) Usage Data
Legitimate interests
Improving our products and website and conducting analytics (a) Marketing and
Communications
Data
(b) Technical Data
(c) Usage Data
Legitimate interests
Consent
Publishing reviews and
verified buyer confirmation
(a) Contact Data
(b) Health Data
(c) Usage Data
Legitimate Interests
Consent
Research and surveys (a) Marketing and
Communications
Data
(b) Contact Data
Legitimate interests
Consent
Online advertising of our
products and services
(a) Contact Data
(b) Technical Data
(c) Usage Data
Legitimate interests
Consent
To maintain and retain
records in connection with complaints, legal claims or proceedings and regulatory 
investigations; and for governance & compliance purposes.
(a) Contact Data
(b) Financial Data
(c) Marketing and
Communications
Data
(d) Technical Data
(e) Usage Data
Necessary for the compliance
with a legal obligation to which
we are subject.

Where we rely on legitimate interests to send marketing communications, we have a legitimate interest in processing your personal data for that purpose so that we can keep you up to date on our latest products and any offers or special promotions we may be running with regard to our products. We will only use the personal data that we consider to be necessary for these purposes. You can unsubscribe from our emails at any time by clicking on the unsubscribe button (which is on the bottom of every marketing email we send you).

We have a legitimate interest in processing your personal data for the purposes of improving our products and website, and also conducting research and surveys because we value your feedback as one of our customers and will use this to inform how we make such improvements. We will only use the personal data that we consider to be necessary for these purposes. If you do not want us to process your data for these purposes then please email us at info@barebiology.com.

We have a legitimate interest in processing your personal data for the purposes of screening for potential risk and fraud as the protection of personal data is very important to us. We will only use the personal data that we consider to be necessary for these purposes such as Technical Data and Usage Data.

We have a legitimate interest in processing your personal data for the purposes of publishing your review of our products and services because we and our other customers value these views. Our other customers take these views into account when choosing to buy products and services from us.

We have a legitimate interest in processing your personal data in advertising our products online because we need to promote our products and services to make sales, this includes personalised advertising to tailor products and services to your interests and avoid irritation from promoting products and services you may already have purchased from us. See the section below on online advertising for further information.

HOW THIRD PARTIES PROCESS YOUR PERSONAL DATA

In order to provide you with the product(s) you have purchased from us, we may need to give your personal data to third parties who will process your data on our behalf. For example, in order to process your payment we need to give your Financial Data to Stripe via Shopify. 

We require all third parties to respect the security of your personal data and to process it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. However, see the section below on online advertising which explains when some advertising service providers become joint or independent
controllers of your personal data.

The categories of third parties who may receive your personal data when providing services to us are:

  • E-commerce providers;
  • Payment processors;
  • Warehousing and fulfilment companies;
  • Marketing platforms;
  • Website analytics providers;
  • Customer review providers;
  • Market research providers; and
  • Online advertisers.


ONLINE ADVERTISING


We use your personal data to enable online advertising of our products and services, including personalised advertising and retargeting.


To help us promote our products and services, where you have agreed to it in our Cookie settings, we will use your personal data to optimise the adverts we display on social media and on Google services, such as YouTube, Gmail and Google shopping.


We use the tools that are made available by social media platforms and Google to optimise our advertising on their platforms and products. This means that you may see advertising based on the personal data we have shared, such as the products or services you have purchased from us or viewed on our site. You may also see our advertising where your attributes fall into a group we have selected on the platform or look like a group we have shared with the platform for advertising purposes.


We take steps to ensure that we don’t give your personal data to a social media platform or Google that doesn’t already have it from you, while being able to understand if you’ve been on our website and, for example, also used Google search.

We also take steps to ensure that social media platforms and Google process the data in accordance with our instructions when they are providing services to us and that they take adequate measures to treat your personal data securely. However, in some instances they may become joint or independent controllers of your data. Where this applies, it means they also determine the purposes and ways of processing your personal data. The details for each platform
are as follows:

Google

We have a contract with Google that requires us to obtain your consent to the use of Google tags on our website to monitor activity on our website, such as a form being submitted or a page clicked on and, also, for the use of Google cookies to collect information and to the sharing of your personal data for personalised and non-personalised advertising. Google explains how it uses personal data it receives from us here: https://business.safety.google/privacy/. When Google receives your personal data from us Google becomes independent controller of your personal data.

You can see and control how Google uses your personal data to show you advertising here:
https://adssettings.google.com/anonymous?ref=ps-tech&hl=en


In this sub-section Google is Google LLC 1600 Amphitheatre Parkway Mountain View, California 94043 USA.

Meta

When we share your personal data with Meta, in some instances Meta is our data processor. However, for personal data about your activity on our website Meta becomes joint controller of this data.

The Meta products that we use are Instagram and Facebook. The information Meta is required to give you about how Meta processes your data when it becomes joint controller can be found in Meta’s Privacy Policy here: https://www.facebook.com/about/privacy.

This notice also explains the legal basis Meta relies on and the way to exercise your data subject rights against Meta. We have entered into a joint controller agreement with Meta which describes the obligations we and Meta have about the processing of your personal data. We have agreed the following:
          (i) We will provide you with the information and hyperlink link in the paragraph above; and
         (ii) Meta is responsible for ensuring you can exercise your data subject rights in respect of data held by Meta which is subject to joint processing.

TikTok

We have a contract in place with TikTok which receives data from us as data processor. 

You can opt-out from the use of your personal data in targeted online advertising in the cookie settings on our website. This website provides information about how interest based advertising works and enables you to control your preferences for the companies listed on the site https://www.youronlinechoices.com/uk/

Affiliate Networks

We may work with advertising partners to help us generate visitors to our website by advertising on our behalf. When this happens, we will track which visitors to our site come through each affiliate partner, so we can compensate the partner and, where relevant, enable them to provide you with any bonus they may provide to you for marking a purchase on our site. The information we will typically share with the parter is an identifier for you or the device you are using.

COOKIES

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.

LINKS TO OTHER WEBSITES

The website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

THIRD-PARTY MARKETING

We never share our customer list with data brokers for use by third parties for their marketing or profiling purposes.

DATA SECURITY

To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.


If you provide us with your credit card information, the information is protected as we follow all PCI-DSS requirements and implement additional generally accepted industry standards, although you should be aware that no method of transmission over the internet or electronic storage can be guaranteed to be completely secure. 

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

INTERNATIONAL TRANSFERS

We will use third party service providers that are based outside the European Economic Area (EEA) and the UK, and this will involve the transfer of your personal data outside the EEA.
 
Whenever we transfer your personal data out of the EEA and the UK, we will endeavour to ensure a similar degree of protection is afforded to it by aiming to have at least one of the following safeguards implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission or the Secretary of State for UK adequacy;
  • Where we use certain service providers, we may use specific contracts which give personal data the same protection it has in Europe and the UK;
  • Where we use providers based in the US, we may transfer data to them under the EU-US
    Data Privacy Framework or the UK extension of that framework, which requires service providers to certify compliance with data protection principles and requirements;
  • That appropriate safeguards are in place (including contractual clauses between the controller and processor).

Please be aware that Shopify International Limited may transfer personal data to its head office in Canada (Shopify 150 Elgin Street, 8th Floor, Ottawa, ON, Canada K2P 1L4) under EU and UK adequacy decisions.

DATA RETENTION

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
 
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
 
By law we have to keep basic information about our customers (including Contact Data and Financial Data) for six years after you cease being a customer (including for tax purposes).
 
In some circumstances you can ask us to delete your data: see below for further information.

YOUR LEGAL RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data, as follows, however we may need to verify your identity to do so:

To request access to your personal data (commonly known as a “Subject Access Request”). This enables you to ask us to confirm what personal data we process about you and to receive a copy of that personal data.

To request the correction of your personal data that you consider to be inaccurate. This enables you to have any incomplete or inaccurate data we hold about you corrected. However, we may need to verify your identity and the accuracy of the new data you provide to us.

To request erasure of your personal data. This enables you to ask us to delete or remove personal data, including where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons. These reasons will be notified to you at the time of your request.

To object to processing of your personal data. This enables you to object to the processing of your personal data if you feel it impacts on your fundamental rights and freedoms. In some cases, we may have compelling legitimate grounds to process your information which can override your right to object.

To request restriction of processing your personal data. This gives you the option to ask us to suspend the processing of your personal data e.g. if you want us to establish the data’s accuracy or you do not want us to erase it.

To request transfer of your personal data. If you request us to do so, we will provide to you, or a third party of your choice, your personal data in a commonly used, machine-readable format. Note that this right only applies to the information which you provided consent for us to use or is processed where we rely on performance of a contract as the legal basis.

To withdraw consent to the processing of your data. If you request us to do so, we will no longer process your data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we will not be able to provide the services for you.

To not have a decision made about you based solely on automated processing.

If you wish to exercise any of the rights set out above, in the first instance, please email us at info@barebiology.com or, if you wish to withdraw consent you have previously provided for the use of cookies, please refer to our Cookie Policy

We will respond to you within 30 days of receipt of your request. Occasionally it may take us longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
 
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please email us at info@barebiology.com in the first instance.

NO FEE USUALLY REQUIRED

You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

WHAT WE MAY NEED FROM YOU

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
We may also contact you to ask you for further information in relation to your request to speed up our response.

CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this privacy policy at any time, so please review it frequently.

Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, where we have your email address, we will notify you by email that it has been updated.

YOUR RESPONSIBILITY TO INFORM US OF CHANGES

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by sending an email to info@barebiology.com, or, where relevant, update your details in your account.

CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.


For example, if our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.

Please note we may disclose your personal information if we are required by law to do so.

HOW SHOPIFY PROCESS PERSONAL DATA

Our store is hosted on Shopify. They provide us with the online e-commerce platform that allows us to sell our products and services to you.

Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.

Where a data subject is located in the European Economic Area or the UK, that data subject’s Personal Data will be processed by Shopify’s Irish affiliate, Shopify International Ltd. As part of providing the Services, this personal data may be transferred to other regions, including to Canada and the United States. Such transfers will be completed in compliance with relevant data protection legislation.

If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is completed, your purchase transaction information is deleted.

All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.

For more insight, you may also want to read Shopify’s Terms of Service, the Data Processing Addendum or Privacy Statement.

We use Shopify to collect and process transaction information and you can read their security policy and Payment Terms of Service to learn more.