Privacy Policy
Last updated: 18 April 2026
1. Introduction
This Privacy Policy explains how Helloklean Ltd, trading as Hello Klean ("we", "us", "our"), collects, uses, shares and protects your personal data when you visit https://helloklean.com (the "Website"), purchase our products, subscribe to the Hello Klean Smart Refill Plan, contact our customer support, or otherwise interact with us.
We are the "controller" of your personal data for the purposes of the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and — where you are located in the European Economic Area ("EEA") — Regulation (EU) 2016/679 ("EU GDPR") (together, "Data Protection Law").
2. Who we are
Controller: Helloklean Ltd
Registered office: 2nd Floor, College House, 17 King Edwards Road, Ruislip, London HA4 7AE, United Kingdom
Company registration: 12384534 (Companies House, England and Wales)
VAT number: [GB363122722]
Email: support@helloklean.com
2.1 UK data protection contact
For questions about this policy or to exercise your rights, contact our privacy team at support@helloklean.com. We have not formally appointed a Data Protection Officer as we are not required to under UK GDPR, but the privacy team is responsible for data protection matters.
2.2 EU representative (Article 27 EU GDPR)
As we are established outside the EEA but offer goods to individuals in the EEA, we have appointed an EU representative under Article 27 EU GDPR. Individuals in the EEA may contact our EU representative in relation to their personal data:
Personal Care Regulatory Ltd., Digital office Centre, Road Swords, Dublin, K67 E5AO, Ireland. info@personalcareregulatory.com
3. Personal data we collect
We collect and process the following categories of personal data:
Identity and contact data: name, billing and delivery address, email address, telephone number, country of residence, date of birth (where provided).
Account data: username, password (stored in hashed form), order history, saved preferences, wish lists, and subscription details for the Hello Klean Smart Refill Plan.
Transaction and payment data: products purchased, order value, delivery details, and limited payment information (card type and last four digits). We do not store full payment card numbers. Full card data is collected and processed by our payment service providers (Shopify Payments, PayPal, Shop Pay, and any buy-now-pay-later provider you select) in accordance with PCI-DSS.
Technical data: IP address, browser type and version, time zone and location, operating system, device identifiers, and referring URLs.
Usage data: pages viewed, items added to cart, time spent on pages, click paths, products viewed, and other interactions with the Website.
Marketing and communications data: your preferences in receiving marketing from us, email open and click data, and your communication preferences.
Customer support data: the content of emails, messages, reviews, survey responses, and other communications you send to us, including any information you choose to share about allergic reactions or product issues.
Sensitive data: we do not deliberately collect special category data. If you voluntarily disclose health information (e.g. when reporting an allergic reaction) we will process it on the basis of your explicit consent or where necessary for the establishment, exercise or defence of legal claims.
4. How we collect your data
We collect personal data:
- Directly from you when you create an account, place an order, subscribe to the Smart Refill Plan, sign up for our newsletter, complete a survey, leave a review, or contact customer support.
- Automatically when you use the Website, via cookies and similar technologies (see Section 11).
- From third parties and public sources, including: payment providers, fraud-prevention services, delivery carriers, analytics and advertising partners (e.g. Meta, Google), review platforms, and affiliate networks.
5. How we use your data and our legal bases
Under Data Protection Law, we must have a lawful basis to process your personal data. The table below sets out the purposes for which we process data and the corresponding legal basis.
| Purpose | Legal basis |
|---|---|
| Processing and fulfilling your order, including delivery, returns and customer support | Performance of a contract |
| Managing your account and Smart Refill Plan subscription, processing recurring payments | Performance of a contract |
| Verifying payment, preventing and detecting fraud | Legitimate interests (protecting our business and customers) and legal obligation |
| Complying with tax, accounting, consumer-protection and product-safety obligations | Legal obligation |
| Responding to enquiries, complaints and allergy reports | Performance of a contract / legitimate interests / legal obligation / explicit consent (for health data) |
| Sending marketing emails and promotional communications to new subscribers | Consent |
| Sending marketing emails to existing customers about similar products (PECR "soft opt-in") | Legitimate interests (direct marketing) – you may opt out at any time |
| Personalising your experience, showing recommended products | Consent (via cookie banner) |
| Measuring and analysing Website performance and customer behaviour | Consent for non-essential analytics cookies; legitimate interests for aggregated analysis |
| Serving targeted advertising on third-party platforms (Meta, Google, TikTok etc.) | Consent |
| Improving products and services, product development | Legitimate interests |
| Enforcing our Terms, defending legal claims, responding to regulators | Legitimate interests / legal obligation |
Where we rely on legitimate interests, we have carried out a balancing test to ensure that our interests do not override your rights and freedoms. You can request a summary of that assessment by contacting us.
6. Marketing communications
If you sign up for our newsletter or tick a marketing opt-in box, we will send you emails about our products, offers and content. You can withdraw your consent at any time by:
- Clicking the "unsubscribe" link at the bottom of any marketing email;
- Updating your preferences in your account; or
- Emailing support@helloklean.com.
If you have purchased a product from us, we may send you marketing about similar products under the UK Privacy and Electronic Communications Regulations ("PECR") soft opt-in. You can opt out at any time using the methods above.
We do not sell your personal data.
7. Who we share your data with
We share personal data with the following categories of recipient, each of whom acts as either a processor (acting on our instructions) or controller:
E-commerce platform: Shopify Inc. (Canada) and its affiliates host our Website, store order and customer data, and process payments via Shopify Payments.
Payment providers: Shopify Payments, PayPal, Shop Pay, and any buy-now-pay-later provider you choose. These parties are independent controllers of the payment data they collect.
Delivery carriers: e.g. Royal Mail, DPD, DHL, UPS, Evri, and local carriers in the destination country. They receive name, delivery address and contact details to deliver your order.
Email and marketing platforms: e.g. Klaviyo, for sending newsletters and transactional emails.
Subscription platform: e.g. Recharge / Shopify Subscriptions, for managing Smart Refill Plan billing.
Analytics providers: e.g. Google Analytics, Shopify Analytics, for understanding Website usage. Analytics cookies are only set with your consent.
Advertising partners: e.g. Meta (Facebook and Instagram), Google Ads, TikTok, Pinterest, for serving and measuring targeted advertising. Advertising cookies/pixels are only set with your consent.
Reviews platform: e.g. Okendo, Trustpilot, Yotpo, for collecting and displaying customer reviews.
Customer support tools: e.g. Gorgias, Zendesk, for managing customer communications.
Professional advisers: accountants, lawyers, auditors, insurers, bankers and other consultants acting as processors or controllers.
Fraud-prevention services: e.g. Shopify's fraud analysis tools and third-party fraud-screening services.
EU Responsible Person (GPSR) and EU GDPR representative: as required by EU product-safety and data-protection law.
Regulators and public authorities: HMRC, ICO, EU data-protection authorities, market-surveillance authorities, courts and law-enforcement bodies, where required by law.
Corporate transactions: any actual or prospective buyer, investor, financier or successor of our business, and their advisers, in connection with a sale, merger, restructuring or financing.
We require all processors to provide appropriate safeguards for your personal data under a written contract in accordance with Article 28 GDPR.
8. International transfers
Some of our service providers are located outside the UK and the EEA, including in the United States, Canada and other jurisdictions. Whenever we transfer personal data outside the UK or EEA, we put in place one of the following safeguards:
- Transfers to countries assessed as providing an adequate level of protection by the UK Government or the European Commission (an "adequacy decision"); or
- The UK International Data Transfer Agreement ("IDTA") or the UK Addendum to the EU Standard Contractual Clauses ("SCCs"), together with the EU SCCs where required; or
- Another lawful transfer mechanism recognised under UK GDPR or EU GDPR.
You can request a copy of the relevant safeguard by emailing privacy@helloklean.com.
9. How long we keep your data
We retain personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting, tax or reporting requirements. Our standard retention periods are:
- Account data: for the lifetime of your account plus 2 years after last activity.
- Order and transaction data: 7 years after the end of the financial year in which the transaction took place (UK tax law).
- Customer support communications: 3 years from date of correspondence.
- Marketing data: until you withdraw consent or unsubscribe, after which we retain a suppression record to ensure we do not contact you again.
- Cookie-related data: as set out in our Cookie Policy, typically no longer than 13 months.
- Allergy / product-safety reports: 10 years, to meet our obligations under product-safety law (GPSR).
- Website analytics and logs: up to 26 months.
Where personal data is no longer needed, we will securely delete or anonymise it.
10. Your rights
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:
- Right of access – to obtain confirmation that we process your data and a copy of it.
- Right to rectification – to have inaccurate data corrected or incomplete data completed.
- Right to erasure ("right to be forgotten") – to have your data deleted in certain circumstances.
- Right to restrict processing – to limit how we process your data in certain circumstances.
- Right to data portability – to receive data you have provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller.
- Right to object – to object to processing based on legitimate interests, and an absolute right to object to direct marketing at any time.
- Rights related to automated decision-making and profiling – not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently carry out such automated decision-making.
- Right to withdraw consent – where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, email support@helloklean.com. We will respond within one month and will not charge a fee unless your request is manifestly unfounded or excessive.
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. In the UK, that is the Information Commissioner's Office (ICO): https://ico.org.uk, 0303 123 1113. In the EEA, you can complain to your local data protection authority — a list is available at https://edpb.europa.eu/about-edpb/board/members_en.
We would, however, appreciate the chance to address your concerns before you approach the ICO, so please contact us first if you can.
11. Cookies and similar technologies
Our Website uses cookies and similar technologies (pixels, tags, local storage) to make the site work, to analyse usage and to deliver personalised advertising. Cookies are governed by PECR and Data Protection Law.
When you first visit the Website, a cookie banner allows you to accept, reject or configure non-essential cookies. Strictly necessary cookies (e.g. those keeping your cart contents and session) are always set, as they are required for the site to function.
Broad categories of cookies used:
- Strictly necessary – e.g. _session_id, cart, _secure_session_id. Required for the site to operate.
- Functionality / preferences – remember language, currency and region.
- Analytics – e.g. Google Analytics, Shopify Analytics; measure how the site is used. Set only with consent.
- Advertising – e.g. Meta Pixel, Google Ads, TikTok Pixel; deliver and measure targeted ads and build audiences. Set only with consent.
You can change your cookie preferences at any time via the "Cookie Preferences" link in our footer, or by clearing cookies in your browser. A full list of cookies (name, purpose, duration and type) is available in our Cookie Policy at [insert link].
12. Automated decision-making and profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. We do use automated tools for fraud prevention and for personalising marketing communications and advertising; where this involves profiling, it is based on your consent (for marketing) or our legitimate interests (for fraud prevention). You can object at any time.
13. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction, including encryption in transit (TLS), PCI-DSS-compliant payment processing, access controls, and contractual safeguards with our processors.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO (and other supervisory authorities where relevant) within 72 hours of becoming aware of the breach, and will inform affected individuals without undue delay where the risk is high.
14. Children's data
The Website and our products are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact support@helloklean.com and we will delete it promptly.
15. Third-party links
The Website contains links to third-party websites, plug-ins and applications. Following these links may allow third parties to collect or share data about you. We do not control these third-party sites and are not responsible for their privacy policies. We encourage you to read the privacy notice of every website you visit.
16. Social media
Our Website may include links to and content from social-media platforms, including Meta (Facebook and Instagram), TikTok, Pinterest, YouTube and X (Twitter). When you interact with this content, or visit pages containing social-media pixels, the relevant platform may collect data about you. Where we embed social-media pixels or plugins, we act as a joint controller with the platform in respect of the collection and transmission of your data; the platform then processes your data for its own purposes as an independent controller.
The joint controller arrangements with Meta are set out at https://www.facebook.com/legal/controller_addendum. For further information on how each platform processes your data, please consult their own privacy policies:
- Instagram: https://help.instagram.com/519522125107875
- Google / YouTube: https://policies.google.com/privacy
- Pinterest: https://policy.pinterest.com/privacy-policy
We only load social-media pixels and plugins after you have given your consent via the cookie banner.
17. Changes to this Privacy Policy
We keep this Privacy Policy under regular review. We will post any updates on this page and, where the changes are material, will notify you by email or through a prominent notice on the Website at least 30 days before the changes take effect. The "Last updated" date at the top of this page shows when the policy was last revised.
18. How to contact us
Questions, comments and requests regarding this Privacy Policy are welcome:
Helloklean Ltd
2nd Floor, College House, 17 King Edwards Road, Ruislip, London HA4 7AE, United Kingdom
Email: support@helloklean.com