Privacy policy
AEGIS ARMOUR LTD
PRIVACY POLICY
Version 1.0 | Effective Date: 6 March 2026 | www.aegisarmour.co.uk
YOUR PRIVACY MATTERS TO US.
This Privacy Policy explains how Aegis Armour Ltd collects, uses, stores, and protects your personal data when you visit www.aegisarmour.co.uk, create an account, place an order, or interact with us in any way. Please read this policy carefully. If you have any questions, contact us at the details provided in Section 2.
1. WHO WE ARE AND HOW TO CONTACT US
1.1 Aegis Armour Ltd ("Aegis Armour", "we", "us", "our") is the data controller for all personal data collected through our website www.aegisarmour.co.uk and in connection with your purchases and interactions with us.
1.2 As data controller, we determine the purposes for which and the means by which your personal data is processed. We are registered with the Information Commissioner's Office (ICO) in accordance with our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1.3 To exercise any of your rights under this Policy, or if you have any queries, concerns, or complaints about how we handle your personal data, please contact us:
Data Controller: Aegis Armour Ltd
Website: www.aegisarmour.co.uk
Email: Support@aegisarmour.co.uk
Postal Address: 71 – 75 Shelton Street, Covent Garden, London WC2H 9JQ
1.4 If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
2. THE PERSONAL DATA WE COLLECT
We collect and process the following categories of personal data about you:
| Category | Data Collected | How We Collect It |
| --- | --- | --- |
| Identity Data | Full name, username, or similar identifier | You provide this when registering or ordering |
| Contact Data | Delivery address, billing address, email address, telephone number | You provide this when placing an order or contacting us |
| Financial Data | Payment card details (last 4 digits only — full details held by Shopify Payments / payment processor) | Collected at checkout via our payment processor |
| Transaction Data | Details of products purchased, order value, delivery method, order history | Generated automatically when you place an order |
| Technical Data | IP address, browser type and version, device type, operating system, time zone setting, referral source | Collected automatically via cookies and analytics tools |
| Usage Data | Pages visited, search terms used on our Site, time spent on pages, click data | Collected via cookies and analytics tools (with consent) |
| Communications Data | Emails, live chat messages, or other correspondence between you and us | You provide this when contacting us |
| Marketing Preferences | Your preferences for receiving marketing communications from us | You provide or update these via your account or opt-out links |
2.1 We do not knowingly collect any special categories of personal data (also known as sensitive personal data) such as data relating to race, ethnicity, health, religion, biometric data, or sexual orientation. If we need to collect such data in specific circumstances, we will seek your explicit consent and explain the reason at that time.
2.2 We do not collect personal data from children under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.
3. HOW WE COLLECT YOUR PERSONAL DATA
We collect your personal data through the following means:
– Direct interactions — when you create an account, place an order, contact our customer service team, subscribe to our mailing list, complete a form on our Site, or participate in a review or survey.
– Automated technologies — as you browse our Site, we automatically collect Technical Data and Usage Data through cookies, server logs, and similar tracking technologies. Please see our Cookie Policy for full details.
– Third-party sources — we may receive data from our e-commerce platform provider (Shopify Inc.), our payment processors, our delivery partners (Royal Mail, DPD), fraud prevention services, and analytics providers such as Google Analytics, where you have consented to their use.
4. LAWFUL BASES FOR PROCESSING YOUR PERSONAL DATA
Under the UK GDPR, we are required to have a lawful basis for each processing activity. The table below sets out our processing activities and the corresponding lawful basis:
| Purpose of Processing | Data Used | Lawful Basis |
| --- | --- | --- |
| Processing your order and arranging delivery | Identity, Contact, Transaction, Financial | Performance of a Contract (Art. 6(1)(b)) |
| Managing your account and providing customer service | Identity, Contact, Communications | Performance of a Contract (Art. 6(1)(b)) |
| Processing payment and preventing fraud | Identity, Financial, Technical | Performance of Contract; Legitimate Interests (fraud prevention) |
| Complying with legal and regulatory obligations (e.g. HMRC, Trading Standards) | Identity, Transaction, Financial | Legal Obligation (Art. 6(1)(c)) |
| Sending transactional emails (order confirmations, despatch notifications) | Identity, Contact, Transaction | Performance of a Contract (Art. 6(1)(b)) |
| Sending marketing communications (newsletters, promotions) | Identity, Contact, Marketing Preferences | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Improving our Site, products, and services through analytics | Technical, Usage | Legitimate Interests (Art. 6(1)(f)) — subject to cookie consent |
| Retaining records for accounting and legal compliance | Identity, Transaction, Financial | Legal Obligation (Art. 6(1)(c)) |
| Responding to data subject access requests and complaints | Identity, Contact, Communications | Legal Obligation (Art. 6(1)(c)) |
4.1 Where we rely on legitimate interests as our lawful basis, we have assessed that our interests are not overridden by your interests, rights, or freedoms. You may object to processing based on legitimate interests at any time — see Section 15 for details.
4.2 Where we rely on your consent, you have the right to withdraw that consent at any time without detriment. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
5. MARKETING COMMUNICATIONS
5.1 We will only send you marketing communications by email if you have provided your consent to receive them, or (where permitted under the Privacy and Electronic Communications Regulations 2003) if you are an existing customer who has previously purchased similar products from us and have not opted out of marketing.
5.2 You can opt out of receiving marketing communications at any time by: (a) clicking the 'unsubscribe' link in any marketing email; (b) updating your preferences in your account; or (c) contacting us directly. Opting out of marketing will not affect the processing of your personal data for other purposes.
5.3 We will never sell, rent, or share your personal data with third parties for their own marketing purposes without your explicit consent.
5.4 Where you have given consent to receive marketing and we use third-party email service providers to send such communications, those providers act as data processors on our behalf and are bound by appropriate data processing agreements.
6. DATA PROCESSORS AND THIRD-PARTY SHARING
We share your personal data with the following categories of third parties acting as our data processors — that is, they process data on our behalf and under our instructions:
| Processor / Category | Role | Data Shared |
| --- | --- | --- |
| Shopify Inc. | E-commerce platform and hosting provider. Shopify processes data necessary to operate our store. | Identity, Contact, Transaction, Technical, Financial (card tokens) |
| Payment Processors (e.g. Shopify Payments / Stripe) | Secure handling of payment transactions. | Identity, Financial, Transaction |
| Royal Mail | Standard delivery of orders. | Identity, Contact (delivery address) |
| DPD (UK) Ltd | Express next-day delivery option. | Identity, Contact (delivery address), Transaction (parcel data) |
| Email Service Provider | Sending transactional and (where consented) marketing emails. | Identity, Contact, Marketing Preferences |
| Google Analytics / Analytics Tools | Aggregated website analytics to improve our Site. Used only with consent. | Technical, Usage (anonymised or pseudonymised) |
| Fraud Prevention Services | Protecting our business and customers from fraudulent activity. | Identity, Financial, Technical |
| IT Service Providers | Hosting, maintenance, and technical support of our systems. | Access to systems as required — governed by strict data access controls. |
6.1 All our data processors are subject to written data processing agreements (DPAs) requiring them to: (a) process data only on our documented instructions; (b) implement appropriate technical and organisational security measures; (c) assist us in meeting our data protection obligations; and (d) delete or return data at the end of the processing relationship.
6.2 We may also disclose your personal data to third parties in the following limited circumstances:
– Where required by law, regulation, or court order, including to law enforcement or regulatory authorities such as the ICO, HMRC, or Trading Standards;
– Where necessary to protect the rights, property, or safety of Aegis Armour Ltd, our customers, or others;
– In the event of a merger, acquisition, or sale of all or part of our business assets, in which case personal data may be transferred as part of that transaction, subject to equivalent protections.
6.3 We do not sell your personal data to any third party under any circumstances.
7. SHOPIFY – E-COMMERCE PLATFORM PROVIDER
7.1 Our Site is built on and hosted by Shopify Inc., a Canadian company with operations globally. When you visit our Site or place an order, Shopify processes certain personal data as our data processor under a Data Processing Addendum (DPA). Shopify is certified under industry-standard security frameworks and processes data in accordance with our instructions.
7.2 Shopify may store and process your data in data centres located outside the United Kingdom (including in the United States and Canada). Where such international transfers occur, they are governed by appropriate legal safeguards — see Section 12 of this Policy for further information on international transfers.
7.3 For more information on Shopify's privacy practices, please refer to Shopify's own Privacy Policy available at shopify.com/legal/privacy.
8. COOKIES AND TRACKING TECHNOLOGIES
8.1 We use cookies and similar tracking technologies (including pixels and web beacons) on our Site. Cookies are small text files placed on your device that help our Site function, remember your preferences, and (with your consent) allow us to analyse usage and serve relevant marketing content.
8.2 We use the following categories of cookies:
– Strictly Necessary Cookies: Required for the Site to function. These cannot be switched off. Examples include session cookies that maintain your basket and login status.
– Functional Cookies: Remember your preferences and personalise your experience (e.g. saved size preferences). These require your consent.
– Analytics Cookies: Collect anonymised data about how visitors use our Site to help us improve it (e.g. Google Analytics). These require your consent.
– Marketing / Targeting Cookies: Track your visits to our Site and other websites to deliver relevant advertising. These require your explicit consent and will only be active if you have opted in via our cookie consent tool.
8.3 When you first visit our Site, you will be presented with a cookie consent banner allowing you to accept, customise, or reject non-essential cookies. You can update your cookie preferences at any time via the 'Cookie Settings' link in our Site footer.
8.4 For a full list of the cookies we use, their purposes, and their durations, please refer to our separate Cookie Policy available on our Site.
9. HOW LONG WE KEEP YOUR DATA
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting obligations. Our key retention periods are as follows:
| Data Category | Retention Period | Reason |
| --- | --- | --- |
| Order and transaction records | 7 years from end of tax year in which transaction occurred | HMRC / Companies Act legal obligations |
| Customer account data | Duration of account, plus 2 years after last login or order | Customer service and dispute resolution |
| Communications / customer service records | 3 years from date of last communication | Dispute resolution; limitation period for contractual claims |
| Marketing consent records | Until consent is withdrawn + 1 year for audit purposes | PECR compliance; ICO guidance on consent records |
| Cookie consent records | 1 year from date of consent | PECR compliance |
| Technical / usage data (analytics) | Up to 26 months (as per Google Analytics standard settings) | Analytics; improved by anonymisation where possible |
| Financial data (payment records) | 7 years from transaction date | HMRC / accounting obligations |
| Fraud prevention records | Up to 6 years from date of last relevant activity | Legitimate interests; fraud deterrence |
9.1 Upon expiry of the applicable retention period, we will securely delete or anonymise your personal data in accordance with our data deletion procedures. Anonymised data (which cannot be used to identify you) may be retained indefinitely for statistical analysis.
9.2 In some circumstances we may retain your data for longer periods — for example, if required by an ongoing legal claim or regulatory investigation. In such cases, we will retain data only for as long as necessary for that specific purpose.
10. SECURITY OF YOUR PERSONAL DATA
10.1 We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against accidental loss, unauthorised access, alteration, disclosure, or destruction. These measures include:
– SSL/TLS encryption for all data transmitted between your browser and our Site;
– Secure hosting via Shopify's PCI-DSS compliant infrastructure;
– Access controls ensuring that personal data is accessible only to authorised staff with a business need to access it;
– Contractual requirements on all data processors to maintain equivalent security standards;
– Regular review of our data handling practices and security procedures.
10.2 We do not store your full payment card details. All payment processing is handled by our PCI-DSS compliant payment processor. We retain only the last four digits of your card number for order reference purposes.
10.3 Although we implement robust security measures, no transmission of data over the internet is entirely secure. You acknowledge that any transmission of personal data to our Site is at your own risk. Once we receive your data, we apply strict procedures to protect it.
10.4 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
11. CHILDREN'S PRIVACY
11.1 Our Site and services are not directed at, and are not intended for use by, individuals under the age of 18. We do not knowingly collect personal data from children under 18 without verifiable parental consent.
11.2 If you are a parent or guardian and believe that your child has provided personal data to us without your consent, please contact us immediately at the details in Section 1. We will take prompt steps to delete such data from our systems.
12. INTERNATIONAL TRANSFERS OF PERSONAL DATA
12.1 Some of our data processors, including Shopify Inc., operate globally and may transfer and store your personal data outside the United Kingdom. Where personal data is transferred to countries not subject to a UK adequacy decision, we ensure that appropriate safeguards are in place to protect your data, such as:
– UK International Data Transfer Agreements (IDTAs) or the UK Addendum to EU Standard Contractual Clauses (SCCs);
– Reliance on an adequacy decision by the UK Secretary of State where applicable;
– Binding Corporate Rules (BCRs) where applicable.
12.2 Shopify Inc. is headquartered in Canada, which benefits from a UK adequacy decision for personal data transfers. Shopify's global infrastructure may also process data in the United States, in which case Shopify relies on SCCs and the EU-US Data Privacy Framework mechanisms as applicable.
12.3 You may request further information about the safeguards in place for international transfers by contacting us at the details in Section 1.
13. AUTOMATED DECISION-MAKING AND PROFILING
13.1 We do not currently use fully automated decision-making processes that produce legal or similarly significant effects on you.
13.2 We may use automated tools such as analytics and fraud detection systems that process your data to flag potentially fraudulent orders. Where such automated processing results in a decision to decline or hold an order, a member of our team will review the decision before any final action is taken. You have the right to request human review of any such decision that affects you.
14. THIRD-PARTY WEBSITES AND LINKS
14.1 Our Site may contain links to third-party websites, social media platforms, or other online services. This Privacy Policy applies solely to data collected by Aegis Armour Ltd through www.aegisarmour.co.uk. We are not responsible for the privacy practices of any third-party website, and we encourage you to read the privacy policies of any external site you visit.
15. YOUR RIGHTS UNDER UK GDPR
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
| Your Right | What It Means |
| --- | --- |
| Right of Access | You have the right to request a copy of the personal data we hold about you (a Data Subject Access Request or DSAR). We must respond within one calendar month. |
| Right to Rectification | You have the right to request that we correct any personal data about you that is inaccurate or incomplete. |
| Right to Erasure | You have the right to request that we delete your personal data where there is no longer a lawful reason for us to process it (the 'right to be forgotten'). This right is not absolute and may be subject to our legal retention obligations. |
| Right to Restrict Processing | You have the right to request that we suspend or restrict the processing of your personal data in certain circumstances — for example, if you contest its accuracy or object to its processing. |
| Right to Data Portability | Where we process your data on the basis of consent or contract, and by automated means, you have the right to receive that data in a structured, commonly used, machine-readable format and to request that we transmit it to another controller. |
| Right to Object | You have the right to object to processing of your personal data based on legitimate interests or direct marketing at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Rights re: Automated Decisions | You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or significant effects on you. See Section 13. |
| Right to Withdraw Consent | Where we process your data on the basis of consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of prior processing. |
15.1 To exercise any of your rights, please contact us in writing at the email or postal address set out in Section 1. Include your full name, contact details, and a clear description of your request. We may need to verify your identity before processing your request to protect against unauthorised access to data.
15.2 We will respond to all legitimate requests within one calendar month. In cases of complex or multiple requests, we may extend this period by a further two months, in which case we will notify you within the first month.
15.3 We will not charge a fee for exercising your rights in most circumstances. However, where a request is clearly unfounded, excessive, or repetitive, we may charge a reasonable administrative fee or refuse the request.
16. HOW TO MAKE A DATA SUBJECT ACCESS REQUEST (DSAR)
16.1 To submit a Data Subject Access Request, please contact us using the details in Section 1. Your request should include:
– Your full name and email address (as registered with us, if applicable);
– A description of the specific data or processing activity you are enquiring about (if known);
– Proof of your identity (e.g. a copy of a government-issued photo ID) — we require this to protect against fraudulent requests.
16.2 We will acknowledge receipt of your DSAR within five Working Days and will provide a full response within one calendar month from the date we receive your verified request.
16.3 Your DSAR response will be provided free of charge unless the request is manifestly unfounded, excessive, or repetitive. In such cases, we reserve the right to charge a reasonable fee or decline to respond, with written reasons.
17. COMPLAINTS TO THE INFORMATION COMMISSIONER'S OFFICE
17.1 We take complaints about data protection very seriously. If you have a concern about how we handle your personal data, we encourage you to contact us in the first instance so that we can attempt to resolve it directly.
17.2 If you are not satisfied with our response, or if you believe we are processing your personal data unlawfully, you have the right to make a complaint to the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
17.3 You also have the right to bring a civil claim in the courts for compensation if you have suffered material or non-material damage as a result of a breach of data protection law by us.
18. FUTURE INTERNATIONAL EXPANSION — IMPORTANT NOTICE
18.1 At the date of this Policy, our Site operates solely for customers located in the United Kingdom and is governed by UK data protection law. We understand that Aegis Armour Ltd intends to expand into European Union markets in the future.
18.2 Once we begin accepting orders from customers located in EU member states, we will be required to comply with the EU General Data Protection Regulation (EU GDPR) in addition to the UK GDPR. This may require us to:
– Appoint an EU representative under Article 27 EU GDPR;
– Publish a separate EU-specific privacy policy;
– Reassess and update our international data transfer mechanisms (noting that UK adequacy decisions do not automatically run in both directions for commercial data flows from the EU to the UK);
– Register with one or more EU Data Protection Authorities as lead supervisory authority.
18.3 This Policy will be updated to reflect these obligations before any EU marketing or sales commence. We recommend customers check back regularly for updates.
ADVISORY: If you are based in the EU and accessing this Site prior to our formal EU launch, please note that this Policy reflects UK GDPR obligations only. EU residents retain rights under EU GDPR which may differ in some respects.
19. CHANGES TO THIS PRIVACY POLICY
19.1 We reserve the right to update or amend this Privacy Policy at any time to reflect changes in our data processing practices, applicable law, or our business operations.
19.2 When we make material changes to this Policy, we will notify you by updating the effective date at the top of this document and, where appropriate, by sending you an email notification or displaying a prominent notice on our Site.
19.3 We encourage you to review this Policy periodically to stay informed about how we protect your personal data. Your continued use of our Site after any changes are published constitutes your acknowledgement of the revised Policy.
19.4 Previous versions of this Privacy Policy are available on request.
20. DEFINITIONS AND KEY LEGAL REFERENCES
The following legal instruments govern the processing of personal data described in this Policy:
| Legal Instrument | Relevance to This Policy |
| --- | --- |
| UK General Data Protection Regulation (UK GDPR) | The primary data protection law in the UK, retained from EU Regulation 2016/679 following the UK's departure from the EU. Governs all personal data processing. |
| Data Protection Act 2018 (DPA 2018) | Supplements and implements the UK GDPR in domestic law. Governs law enforcement processing and special categories of data in more detail. |
| Privacy and Electronic Communications Regulations 2003 (PECR) | Governs the use of cookies, electronic marketing, and other electronic communications. Requires consent for non-essential cookies and opt-in marketing emails to non-customers. |
| Consumer Contracts Regulations 2013 | Relevant to our obligation to disclose processing activities clearly and transparently to consumers before they enter into a contract. |
| Digital Markets, Competition and Consumers Act 2024 | Introduces updated consumer transparency obligations relevant to pricing and data disclosures online. |
In this Policy the following terms have the meanings given to them in the UK GDPR unless otherwise stated:
– "Personal data" means any information relating to an identified or identifiable natural person (a 'data subject').
– "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
– "Data controller" means the entity that determines the purposes and means of processing personal data.
– "Data processor" means an entity that processes personal data on behalf of a data controller.
– "Special category data" means personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.