Privacy Policy

Last updated: May 2026

This Privacy Policy explains how John & Co ("we", "us", "our") collects, uses, and protects your personal data when you visit our website (johnandco.com) or interact with us. We take your privacy seriously and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

John & Co is a fine fragrance brand based in London, UK. We are the data controller for any personal data collected through this website.

If you have any questions about this policy or how we handle your data, contact us at: hello@johnandcouk.store

2. What Data We Collect

We collect the following categories of personal data:

• Email address — when you sign up via our email popup or contact form.
• Name — when you fill in our contact form.
• Message content — the contents of any message you send via our contact form.
• Order information — if you make a purchase, your name, email, delivery address, and payment details are processed by Shopify (our e-commerce platform). We do not store payment card details ourselves.
• Technical data — basic information about how you use our site, collected via cookies and similar technologies (see Section 6).

We do not collect sensitive personal data (such as health information, race, religion, or biometric data).

3. Why We Collect Your Data and Our Legal Basis

We only process your data where we have a lawful reason to do so under UK GDPR:

• Email marketing (consent). If you sign up to our mailing list, we use your email address to send you news, offers, and updates about John & Co products. We rely on your consent to do this. You can withdraw your consent at any time by clicking "Unsubscribe" in any email we send.
• Responding to enquiries (legitimate interest / contract). When you contact us via our contact form, we use your name, email, and message to respond to your enquiry. This is necessary to provide you with the service you've requested.
• Processing orders (contract). If you place an order, we process your details as necessary to fulfil that contract — packing and dispatching your order, processing your payment, and handling any returns.
• Legal compliance. We may retain certain records where we are legally required to do so (for example, for tax and accounting purposes).

4. How We Use Your Data

Your data is used only for the purposes described above. We will never sell your personal data to third parties, and we will not use it for automated decision-making or profiling that produces legal or similarly significant effects.

5. Who We Share Your Data With

We use a small number of trusted third-party services to operate our business. Each of these acts as a data processor on our behalf:

• Klaviyo — our email marketing platform. Your email address is stored securely in Klaviyo when you subscribe. Klaviyo is GDPR-compliant and stores data on servers in the EU/US under standard contractual clauses. See Klaviyo's Privacy Policy.
• Shopify — our e-commerce and order fulfilment platform. If you place an order, your order data is processed by Shopify. See Shopify's Privacy Policy.
• Netlify / Cloudflare Pages — our website hosting provider, which may log basic technical data (IP address, page requests) as part of standard server operations.

We do not share your data with any other third parties without your explicit consent, except where required by law.

6. Cookies and Tracking

Our website uses cookies and similar browser storage technologies. Here is what we use and why:

• jcBag (localStorage) — stores the contents of your shopping bag so it persists between page visits. This is strictly necessary for the site to function.
• jcPopupDismissed (localStorage) — remembers whether you have closed or submitted our email signup popup, so we don't show it repeatedly. This is a functional cookie.
• jcCookieConsent (localStorage) — stores your cookie consent preference.
• Klaviyo tracking cookies — if you have accepted marketing cookies, Klaviyo may set a cookie to help us understand how visitors interact with our emails and site, so we can improve our communications. You can opt out via the cookie banner on this site or by unsubscribing from our emails.

You can manage or delete cookies at any time through your browser settings. Note that disabling cookies may affect some site functionality (such as the shopping bag).

7. How Long We Keep Your Data

• Marketing emails: We keep your email address on our mailing list until you unsubscribe or ask us to remove it.
• Contact form messages: We retain these for up to 12 months for the purpose of resolving your enquiry, then delete them.
• Order data: Retained for 7 years to comply with HMRC accounting requirements.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right of access — you can request a copy of the personal data we hold about you.
• Right to rectification — you can ask us to correct inaccurate data.
• Right to erasure — you can ask us to delete your data (sometimes called the "right to be forgotten"), subject to any legal obligations we have to retain it.
• Right to restrict processing — you can ask us to stop processing your data in certain circumstances.
• Right to data portability — you can ask us to provide your data in a structured, machine-readable format.
• Right to object — you can object to us processing your data for direct marketing at any time.
• Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, email us at hello@johnandcouk.store. We will respond within one calendar month.

9. Right to Complain

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO):

ico.org.uk/make-a-complaint
Telephone: 0303 123 1113

We would, however, appreciate the chance to address any concerns directly before you contact the ICO — please email us first.

10. International Transfers

Some of our third-party service providers (including Klaviyo and Shopify) may process data outside the UK. Where this happens, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the UK ICO.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. The date at the top of this page shows when it was last revised. We encourage you to check back periodically.