Privacy Policy

Our CommitmentYour privacy matters to us. We collect only what we need to process your orders and improve your experience. We never sell your personal data to third parties, and we never will.

1. Who We Are

Active Bites Ltd. ("Active Bites", "we", "our", "us") is a company registered in England and Wales. We operate the website activebites.co.uk and are the data controller responsible for your personal data.

Company Name: Active Bites Ltd.
Registered Address: 42 Protein Way, London, EC2A 4NE, United Kingdom
Company Number: 15234567
ICO Registration Number: ZB123456
Data Protection Officer: [email protected]

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Information You Provide Directly

Data Type	Examples	When Collected
Identity Data	Full name, title	Account creation, checkout
Contact Data	Email address, phone number, delivery address, billing address	Checkout, account creation, contact form
Financial Data	Payment card details (processed via Stripe/PayPal — we do not store full card numbers)	Checkout
Account Data	Username, password (hashed), account preferences, subscription settings	Account creation, account management
Communication Data	Emails, live chat transcripts, customer service enquiries, product reviews	When you contact us or leave a review
Preference Data	Flavour preferences, dietary requirements, marketing opt-in/out choices	Account settings, surveys, order history

2.2 Information Collected Automatically

Data Type	Examples	Purpose
Technical Data	IP address, browser type and version, device type, operating system, screen resolution	Security, website optimisation
Usage Data	Pages visited, time spent on pages, click patterns, referral source, search queries on our site	Analytics, improving user experience
Transaction Data	Order history, products purchased, order value, discount codes used, delivery method chosen	Order fulfilment, personalisation
Location Data	Approximate location derived from IP address (city-level only)	Shipping calculations, regional compliance

2.3 Information from Third Parties

Payment Processors: Stripe and PayPal may share transaction confirmation data, fraud risk assessments, and payment status updates
Social Login: If you sign in via Google or Apple, we receive your name and email address (we never receive your social media password)
Delivery Partners: Royal Mail, DPD, and other carriers may share delivery status updates and address validation data
Analytics Partners: Aggregated, anonymised website usage data from Google Analytics

3. How We Use Your Data

We use your personal data for the following purposes:

3.1 Order Fulfilment & Customer Service

Processing and fulfilling your orders, including payment processing, packaging, and dispatch
Communicating order confirmations, shipping updates, and delivery notifications
Managing returns, refunds, and exchanges in accordance with our Refund Policy
Responding to your enquiries and providing customer support via email, phone, or live chat
Detecting and preventing fraudulent transactions

3.2 Account Management

Creating and maintaining your Active Bites account
Managing your subscription preferences (Subscribe & Save)
Processing rewards points and loyalty programme benefits
Storing your delivery addresses and payment preferences for faster checkout

3.3 Marketing & Communications (with your consent)

Sending promotional emails about new flavours, offers, and product launches
Personalising product recommendations based on your purchase history
Displaying relevant advertisements on social media platforms (e.g., Meta, Google Ads)
Sending abandoned basket reminders (you can opt out at any time)

3.4 Website Improvement & Analytics

Analysing website traffic and usage patterns to improve site performance
A/B testing new features and page layouts
Monitoring website security and preventing abuse
Generating aggregated, anonymised reports on sales trends and customer demographics

4. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following legal bases:

Legal Basis	Applies To
Contract	Processing necessary to fulfil your order, manage your account, and provide customer service
Consent	Marketing emails, non-essential cookies, personalised advertising. You may withdraw consent at any time.
Legitimate Interest	Fraud prevention, website security, internal analytics, improving our products and services
Legal Obligation	Tax record-keeping, responding to lawful requests from regulatory authorities

6. Cookies & Tracking Technologies

Our website uses cookies and similar technologies. Here's a summary of how we use them:

6.1 Essential Cookies

Required for the website to function. These enable core features such as your shopping basket, checkout process, and account login. You cannot opt out of essential cookies, as the site cannot operate without them.

6.2 Analytics Cookies

Help us understand how visitors interact with our website. We use Google Analytics with IP anonymisation enabled. These cookies collect aggregated, non-personally-identifiable data about page views, session duration, and navigation paths.

6.3 Marketing Cookies

Used to deliver relevant advertisements and measure campaign effectiveness. These include pixels from Meta (Facebook/Instagram), Google Ads, and TikTok. Marketing cookies are only set with your explicit consent.

6.4 Preference Cookies

Remember your settings and preferences, such as your preferred flavour, selected size, and whether you've dismissed notification banners.

You can manage your cookie preferences at any time by clicking the "Cookie Settings" link in our website footer. You can also control cookies through your browser settings.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

Account Data: Retained for as long as your account is active, plus 12 months after deletion request (to handle any outstanding orders or disputes)
Order Data: Retained for 7 years from the date of purchase, as required by UK tax and accounting regulations (HMRC requirements)
Marketing Data: Retained until you unsubscribe. If you haven't engaged with our emails for 24 months, we'll automatically remove you from our marketing list.
Analytics Data: Aggregated analytics data is retained indefinitely. Individual-level analytics data is automatically deleted after 26 months.
Customer Support Data: Support tickets and conversation history are retained for 3 years from the date of resolution
Cookie Data: Cookie lifespans vary — essential cookies expire at the end of your session; analytics and marketing cookies typically expire after 12 months

8. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

Right of Access: You can request a copy of all personal data we hold about you. We will respond within 30 days.
Right to Rectification: You can ask us to correct any inaccurate or incomplete data. You can also update most information directly in your account settings.
Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data, subject to our legal obligations (e.g., tax records). We will delete or anonymise your data within 30 days of your request.
Right to Restrict Processing: You can ask us to temporarily stop processing your data while we resolve a complaint or verify the accuracy of your data.
Right to Data Portability: You can request your data in a structured, commonly used, machine-readable format (e.g., CSV or JSON).
Right to Object: You can object to processing based on legitimate interests. You can also object to direct marketing at any time — we will stop immediately.
Right to Withdraw Consent: Where we rely on consent (e.g., marketing), you can withdraw it at any time. This doesn't affect processing carried out before withdrawal.
Right to Lodge a Complaint: If you're unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email [email protected] with the subject line "Data Rights Request". We may need to verify your identity before processing your request.

9. Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (256-bit encryption)
Payment Security: We are PCI-DSS compliant. Full payment card details are processed directly by Stripe/PayPal and are never stored on our servers
Access Controls: Employee access to personal data is restricted on a need-to-know basis, with multi-factor authentication required for all administrative accounts
Password Storage: Passwords are hashed using bcrypt and are never stored in plain text
Regular Audits: We conduct regular security audits and penetration testing of our systems
Incident Response: We have a documented incident response plan. In the event of a data breach, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR

10. Children's Privacy

Our website and products are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

11. International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom and the European Economic Area (EEA). Where we transfer data outside of the UK/EEA (for example, to service providers based in the United States), we ensure appropriate safeguards are in place, including:

UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs)
Adequacy decisions by the UK Secretary of State or the European Commission
Binding Corporate Rules where applicable

You can request details of the specific safeguards applied to international transfers by contacting [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Notify registered account holders by email at least 14 days before the changes take effect
Display a prominent notice on our website for at least 30 days following the change

We encourage you to review this policy periodically. Your continued use of our website and services after changes are posted constitutes your acceptance of the updated policy.

Questions About Your Privacy?

Our Data Protection Officer is happy to help with any questions or concerns.