EKN Marketplace Privacy Policy
Effective Date: 28 April 2026

Your privacy at a glance
Data controller: EKN Marketplace | Stamford, Lincolnshire, England
Regulator: Information Commissioner's Office (ICO) | ico.org.uk
Your rights: access, rectification, erasure, portability, objection, restriction
Email us: privacy@eknmarketplace.com | Response time: within 30 days
ICO registration number: [INSERT ICO REGISTRATION NUMBER]

1. Who We Are

EKN Marketplace is an online retail store and affiliate platform operated from Stamford, Lincolnshire, England. We sell products directly to consumers through our dropshipping suppliers and also feature links to partner retailers through our affiliate programme.

For the purposes of UK data protection law, EKN Marketplace is the data controller responsible for your personal data. This means we determine how and why your personal data is processed.

Registered address | Stamford, Lincolnshire, England
Trading name | EKN Marketplace
Website | www.eknmarketplace.com
Privacy contact | privacy@eknmarketplace.com
ICO registration | [INSERT ICO REGISTRATION NUMBER]
Governing law | UK GDPR and the Data Protection Act 2018

2. What Personal Data We Collect

We collect personal data only where we have a clear, lawful reason to do so. Below is a full account of the categories of data we may process.

2.1 Data You Provide Directly

Account and registration data
• Full name and email address
• Password (stored as a one-way cryptographic hash — we cannot see it)
• Phone number (optional, for order delivery notifications)

Order and transaction data
• Delivery and billing addresses
• Order contents, quantities, and values
• Special delivery instructions
• Gift messages

Payment data
Payment card details are processed directly by Stripe, Inc., our payment processor. We never store your full card number, CVV, or expiry date on our servers. We retain only the last four digits of your card, card type, and Stripe's tokenised payment reference for order reconciliation.
Communications data
• Messages you send us via our contact form or email
• Customer service enquiries and correspondence
• Product reviews and ratings you submit
• Newsletter subscription and preferences

2.2 Data We Collect Automatically

When you visit our website, we automatically collect certain technical data:
• IP address (held in a non-identifiable hashed form for security purposes)
• Browser type and version, operating system
• Pages visited, time spent, and referring website
• Device type and screen resolution
• Cookie identifiers (see Section 9)
• Clickstream data (which links you clicked)

2.3 Data From Third Parties

We may receive information about you from:
• Affiliate partner platforms (e.g. click-through data when you arrive from a partner link)
• Our dropshipping suppliers (order fulfilment status and tracking information)
• Social login providers (if you choose to sign in with Google or similar)
• Fraud prevention services

3. How and Why We Use Your Data

UK GDPR requires us to identify a "lawful basis" for every type of processing. The table below sets out our purposes, the data used, our lawful basis, and how long we keep it.

Purpose | Data categories | Lawful basis | Retention period
Processing your order and arranging delivery | Name, address, email, order details, payment token | Contract (Art. 6(1)(b)) | 7 years (tax / legal)
Creating and managing your account | Name, email, password hash | Contract (Art. 6(1)(b)) | Duration of account + 2 years
Sending order confirmations and shipping updates | Name, email, order details | Contract (Art. 6(1)(b)) | 7 years
Processing payments securely via Stripe | Payment token, last 4 digits, billing address | Contract (Art. 6(1)(b)) | 7 years (financial records)
Sending marketing emails and newsletters | Name, email, purchase history | Consent (Art. 6(1)(a)) | Until you unsubscribe or withdraw consent
Fraud prevention and security | IP hash, device data, order patterns | Legitimate interests (Art. 6(1)(f)) | 2 years
Website analytics and performance | IP hash, browser data, clickstream | Consent (cookies) / Legitimate interests | 26 months
Affiliate click and conversion tracking | Session ID, IP hash, referrer URL | Legitimate interests (Art. 6(1)(f)) | 13 months
Customer service and dispute resolution | Name, email, order details, correspondence | Contract / Legal obligation | 7 years
Complying with tax and accounting obligations | Name, address, transaction amounts | Legal obligation (Art. 6(1)(c)) | 7 years (HMRC requirement)
Improving our products and services | Anonymised order and browsing data | Legitimate interests (Art. 6(1)(f)) | Anonymised — indefinite

Legitimate interests: Where we rely on legitimate interests, we have carried out a balancing test and are satisfied that our interests do not override your rights. You may object to this processing at any time — see Section 7.

4. Who We Share Your Personal Data With

We do not sell your personal data. We share it only where necessary to operate our service or comply with legal obligations, and only with organisations that meet our data protection standards.

Recipient / Category | Purpose and safeguards
Stripe, Inc. (USA) | Payment processing. Covered by Stripe's UK-US Data Transfer Agreement and Standard Contractual Clauses. stripe.com/en-gb/privacy
Dropshipping suppliers (Spocket, CJdropshipping, DSers / AliExpress) | Order fulfilment: your name and delivery address are passed to the supplier who ships your order. Suppliers are bound by our data processing agreements.
Printful, Inc. (USA) | Print-on-demand order fulfilment. Data transfer covered by Standard Contractual Clauses.
Affiliate partner platforms (e.g. Amazon Associates) | Click and conversion data is shared to track commissions. Governed by their respective privacy policies. We share only anonymised or pseudonymised identifiers.
SendGrid / Twilio (email provider) | Transactional and marketing emails. UK/EU data residency options selected.
Sentry, Inc. | Error tracking and application monitoring. We configure Sentry not to capture personal data (PII disabled).
Cloudflare / R2 | Content delivery, media storage, and DDoS protection. UK/EU data routing.
ICO and law enforcement | We will disclose data where required by law, court order, or to protect the vital interests of individuals.

5. International Data Transfers

Some of our third-party service providers are based outside the United Kingdom. Whenever we transfer your personal data outside the UK, we ensure an equivalent level of protection is in place by using one or more of the following safeguards:
• Standard Contractual Clauses (SCCs) approved by the ICO
• The UK International Data Transfer Agreement (IDTA)
• Adequacy regulations (where the destination country has been deemed adequate by the UK Secretary of State)
• The recipient's binding corporate rules (BCRs), where applicable

You may request a copy of the transfer mechanism used for any specific provider by contacting us at privacy@eknmarketplace.com.

6. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to any longer retention required by law. Our key retention periods are:

Data category | Retention period
Order and transaction records | 7 years (HMRC / Companies Act requirement)
Customer account data | Duration of account + 2 years after closure
Payment logs (tokenised) | 7 years
Marketing consent records | Until withdrawn, then 3 years as proof of consent
Customer service correspondence | 7 years from resolution
Affiliate click logs | 13 months
Website analytics data | 26 months
Fraud and security logs | 2 years
Anonymised / aggregated data | Indefinitely (no longer personal data)

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised.

7. Your Rights Under UK GDPR

You have the following rights in relation to your personal data.
These rights are not absolute and may be subject to exemptions in certain circumstances.

Right of access (Subject Access Request)
You may request a copy of all personal data we hold about you. We will respond within one calendar month, free of charge, for reasonable requests.

Right to rectification
If any data we hold about you is inaccurate or incomplete, you may ask us to correct it. We will respond within one month.

Right to erasure ("right to be forgotten")
You may ask us to delete your personal data where: (a) it is no longer necessary for the purpose it was collected, (b) you withdraw consent and there is no other lawful basis, (c) you object and we have no overriding legitimate grounds, or (d) the data has been unlawfully processed.

Right to restriction of processing
You may ask us to pause processing of your data while we consider a rectification or objection request, or where processing is unlawful but you do not want erasure.

Right to data portability
Where processing is based on consent or contract and is carried out by automated means, you may receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and transmit it to another controller.

Right to object
You may object at any time to processing based on legitimate interests, including profiling. We will stop unless we can demonstrate compelling legitimate grounds that override your rights, or processing is for legal claims.

Rights related to automated decision-making
We do not make solely automated decisions that produce significant legal or similar effects about you. If this changes, we will update this policy and provide you with the right to human review.

Right to withdraw consent
Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to exercise your rights
Email: privacy@eknmarketplace.com
We will verify your identity before processing your request.
Response time: within 30 days (extendable by a further two months for complex requests).
All rights are exercised free of charge unless requests are manifestly unfounded or excessive.

8. Marketing and Communications

8.1 Email marketing

We will only send you marketing emails if you have given us clear, specific consent to do so (for example by ticking an opt-in box at checkout or when creating an account). We never add you to marketing lists as a default.

You may unsubscribe at any time by clicking the "Unsubscribe" link at the bottom of any marketing email, or by emailing privacy@eknmarketplace.com. We will process your request within 10 working days.

8.2 Soft opt-in (existing customers)

In accordance with the Privacy and Electronic Communications Regulations (PECR), we may send you email marketing about similar products or services to those you have previously purchased, without requiring fresh consent. You can opt out of this at any time.

8.3 Affiliate communications

When you click an affiliate link on our site, you may be directed to a third-party website. That website's own privacy policy will govern any data collected from that point. We encourage you to review the privacy policy of any third-party site you visit.

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. In accordance with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR, we obtain your consent before placing any non-essential cookies.

Cookie type | Purpose | Consent required? | Retention
Strictly necessary | Session management, shopping cart, security (CSRF) | No | Session / 2 weeks
Functional | Remembering your preferences (language, currency) | Yes | Up to 1 year
Analytics | Understanding how visitors use our site (Google Analytics / Plausible) | Yes | Up to 26 months
Affiliate tracking | Tracking clicks from partner sites | Yes (via consent banner) | 30–90 days
Marketing / retargeting | Personalised advertising (not currently active) | Yes | Up to 90 days

You can manage your cookie preferences at any time via our Cookie Settings link in the footer of every page. You can also control cookies through your browser settings, though disabling certain cookies may affect site functionality.

10. How We Keep Your Data Secure

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. Our security measures include:
• TLS encryption (HTTPS) for all data in transit
• AES-256 encryption for sensitive data at rest
• Password hashing using bcrypt with salting
• IP address anonymisation (SHA-256 hashing before storage)
• Role-based access controls — staff see only the data necessary for their role
• Regular security testing and dependency auditing
• Payment card data handled exclusively by Stripe (PCI DSS Level 1 certified)
• Automated monitoring and alerting via Sentry

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay where required.

11. Children's Privacy

Our website and services are not directed at children under the age of 13, and we do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child under 13, please contact us immediately at privacy@eknmarketplace.com and we will delete it promptly.
For users aged 13–17, we recommend that a parent or guardian reviews this policy. We take additional care with the data of young people in accordance with the Data (Use and Access) Act 2025 and the ICO's Children's Code.

12. Automated Decision-Making and Profiling

We do not make solely automated decisions about you that produce significant legal effects (such as refusing a transaction or denying an application) without human review.

We do use automated tools for fraud detection (flagging unusual order patterns for manual review) and for personalising product recommendations. These involve profiling but do not produce decisions that legally or significantly affect you. You may object to profiling at any time — see Section 7.

13. How to Raise a Concern or Complaint

13.1 Contact us first

If you have any concern about how we handle your personal data, please contact us in the first instance at privacy@eknmarketplace.com. We aim to resolve all privacy concerns within 30 days.

13.2 Complain to the ICO

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
• Website: ico.org.uk
• Helpline: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

You also have the right to seek a judicial remedy against us or the ICO if you believe your rights have been infringed.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will:
• Update the "Effective Date" at the top of this page
• Display a prominent notice on our website for at least 30 days
• Send an email notification to registered customers for significant changes

We encourage you to review this policy periodically.
Continued use of our website after changes are posted constitutes your acceptance of the updated policy, to the extent permitted by law.

15. Contact Us

If you have any questions about this Privacy Policy, or wish to exercise any of your data rights, please contact us:

Email (preferred) | privacy@eknmarketplace.com
Website | www.eknmarketplace.com/privacy
Post | Data Controller, EKN Marketplace, Stamford, Lincolnshire, England
Response time | Within 30 calendar days