PRIVACY POLICY

Totally Vapour Ltd  |  Last updated: 8 May 2026

1. Introduction

Welcome to Totally Vapour’s privacy notice. Totally Vapour Ltd (‘we’, ‘us’, ‘our’) respects your privacy and is committed to protecting your personal data. This notice explains how we collect, use, and safeguard your personal data when you interact with us, and sets out your rights under UK data protection law.

This notice applies to our website (totally-vapour.co.uk), our physical store, and any other interactions you have with us. It should be read alongside any other privacy or fair processing notices we may provide in specific circumstances.

Our website is not intended for children under 18 years of age. We do not knowingly collect personal data from children.

2. Who We Are

Totally Vapour Ltd is the data controller responsible for your personal data. Our registered address is:

Totally Vapour Ltd

76a Wharfdale Road, Tyseley, Birmingham, West Midlands, B11 2DE, UK

Email: info@totally-vapour.co.uk

Phone: 0121 706 3332

If you have any questions about this notice or wish to exercise your data rights, please contact us using the details above.

You also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office (ICO), at www.ico.org.uk. We would, however, appreciate the opportunity to address your concerns before you contact the ICO.

3. The Data We Collect About You

We may collect, use, store and transfer the following categories of personal data:

  • Identity Data – first name, last name, username, date of birth, gender
  • Contact Data – billing address, delivery address, email address, telephone numbers
  • Financial Data – bank account and payment card details (processed securely via third-party payment providers)
  • Transaction Data – details of purchases and payments to and from you
  • Technical Data – IP address, browser type and version, time zone, device information, cookies and similar tracking technologies
  • Profile Data – username, password, purchase history, interests, preferences, feedback and survey responses
  • Usage Data – information about how you use our website, products and services
  • Marketing & Communications Data – your preferences for receiving marketing from us and your communication preferences

We also collect and use Aggregated Data (e.g. statistical or demographic data) which cannot be used to identify you individually.

We do not intentionally collect Special Category Data (such as health data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation or biometric data) or data relating to criminal convictions or offences.

4. How We Collect Your Personal Data

Direct Interactions

You may give us your data by filling in forms, contacting us by phone, email, in store or via our website. This includes data you provide when you:

  • Create an account or register on our website
  • Place an order for products or services
  • Subscribe to our newsletter or marketing communications
  • Contact us with an enquiry or complaint
  • Participate in a competition, promotion or survey
  • Interact with us on social media

Automated Technologies

When you visit our website, we automatically collect Technical Data using cookies, server logs and similar tracking technologies. Please see Section 10 (Cookies) for more detail.

CCTV

CCTV cameras are used at our physical premises for security purposes and to prevent and investigate crime. Images captured may include staff, customers and visitors. Where required, this information may be shared with law enforcement.

Third Parties

We may receive personal data about you from third parties including payment processors, age verification providers, analytics providers, and social media platforms where you have interacted with our content.

5. How We Use Your Personal Data

We only use your personal data where the law permits. The legal bases we rely on are:

  • Performance of a contract – where processing is necessary to fulfil or prepare a contract with you
  • Legitimate interests – where it is necessary for our business interests and those interests are not outweighed by your rights
  • Legal obligation – where we are required to comply with a legal or regulatory duty
  • Consent – for certain marketing activities (you may withdraw consent at any time)

Purpose / Activity  |  Data Used  |  Legal Basis
Register you as a new customer  |  Identity, Contact  |  Performance of a contract
Process and deliver your order; manage payments  |  Identity, Contact, Financial, Transaction, Marketing & Comms  |  Performance of a contract; Legitimate interests (debt recovery)
Manage our relationship with you (e.g. notify you of changes, request reviews)  |  Identity, Contact, Profile, Marketing & Comms  |  Performance of a contract; Legal obligation; Legitimate interests
Administer and protect our website and business (troubleshooting, data analysis, testing, security)  |  Identity, Contact, Technical  |  Legitimate interests; Legal obligation
Deliver relevant website content and advertisements; measure advertising effectiveness  |  Identity, Contact, Profile, Usage, Marketing & Comms, Technical  |  Legitimate interests
Use analytics to improve our website, products, services and marketing  |  Technical, Usage  |  Legitimate interests
Comply with legal and regulatory obligations (including age verification)  |  Identity, Contact  |  Legal obligation
Send you marketing communications (where you have opted in)  |  Identity, Contact, Profile  |  Consent

6. Marketing

We may contact you with relevant offers, products and services if you have purchased from us or requested information, and have not opted out of marketing communications.

We will always obtain your explicit consent before sharing your data with any third party for marketing purposes.

You can opt out of marketing at any time by clicking the unsubscribe link in any email, or by contacting us directly. Opting out of marketing will not affect communications necessary for the fulfilment of orders or legal obligations.

7. Automated Decision-Making

We use automated age verification (via Agechecked) to confirm that customers are aged 18 or over before completing a purchase, as required by law. This is a legal obligation, and if verification cannot be confirmed, your order may be cancelled.

Agechecked verifies your identity against UK electoral roll data. They retain only your email address; all other data used in verification is kept anonymous.

We do not use your personal data for any other automated decision-making or profiling that produces legal or significant effects on you.

8. Disclosures of Your Personal Data

We may share your personal data with the following categories of third parties:

  • Other entities within the Totally Vapour group, for IT and administrative purposes
  • Service providers who process data on our behalf (e.g. payment processors, delivery companies, email platforms, IT support)
  • Age verification provider (Agechecked)
  • Analytics and advertising providers (e.g. Google Analytics)
  • Professional advisers including lawyers, accountants, bankers and insurers
  • HM Revenue & Customs, regulators, the police and other authorities where required by law
  • Third parties in connection with a business sale, merger or acquisition

All third parties we engage are required to handle your personal data securely and in accordance with UK data protection law. We do not permit them to use your data for their own purposes.

9. International Transfers

We do not routinely transfer your personal data outside the United Kingdom. Where any transfer does occur (for example, via third-party cloud services), we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements, such as the use of UK International Data Transfer Agreements (IDTAs) or adequacy decisions made by the UK Secretary of State.

Please contact us if you would like further information about the specific safeguards used in any such transfer.

10. Cookies

Our website uses cookies and similar technologies to improve your browsing experience, analyse site traffic, and support our marketing activities. Cookies are small text files placed on your device when you visit our website.

We use the following types of cookies:

  • Strictly necessary cookies – required for the website to function (e.g. shopping basket, login session)
  • Performance/analytics cookies – help us understand how visitors use our site (e.g. Google Analytics)
  • Functionality cookies – remember your preferences and settings
  • Targeting/marketing cookies – used to deliver relevant advertising

When you first visit our website, you will be asked to consent to non-essential cookies. You can change your cookie preferences at any time via the cookie settings on our website, or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

For full details, please refer to our separate Cookie Policy available on our website.

11. Data Security

We have implemented appropriate technical and organisational security measures to protect your personal data against accidental loss, unauthorised access, alteration or disclosure. Access to your personal data is restricted to employees, agents and contractors who have a legitimate business need.

We have procedures in place to respond to any suspected personal data breach and will notify you and the ICO where we are legally required to do so.

Please note that transmission of data over the internet is not completely secure. While we take all reasonable steps to protect your data, we cannot guarantee the security of data transmitted to our website.

12. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting or regulatory requirements.

In determining appropriate retention periods, we consider the nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the data, and applicable legal requirements.

As a general guide:

  • Customer account and order data – retained for 7 years following the end of the customer relationship (in line with HMRC requirements)
  • Marketing data – retained until you opt out or withdraw consent
  • CCTV footage – typically retained for 30 days unless required for an investigation
  • Website analytics data – retained in line with our analytics provider’s standard retention settings

You may request details of specific retention periods by contacting us.

13. Your Legal Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access – to request a copy of the personal data we hold about you
  • Right to rectification – to request correction of inaccurate or incomplete data
  • Right to erasure – to request deletion of your personal data in certain circumstances
  • Right to restrict processing – to ask us to suspend processing in certain circumstances
  • Right to data portability – to receive your data in a structured, machine-readable format
  • Right to object – to object to processing based on legitimate interests or for direct marketing
  • Rights in relation to automated decision-making – to request human review of automated decisions
  • Right to withdraw consent – where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at info@totally-vapour.co.uk. We will respond within one month. We may need to verify your identity before processing your request. No fee is charged unless the request is manifestly unfounded or excessive.

14. Third-Party Links

Our website may contain links to third-party websites, plug-ins or applications. Clicking on these links may allow third parties to collect data about you. We are not responsible for the privacy practices of third-party websites and encourage you to read their privacy notices.

15. Changes to This Privacy Notice

We review and update this privacy notice periodically. Any changes will be published on this page with an updated effective date. Where changes are significant, we will make reasonable efforts to notify you directly.

This notice was last updated on 8 May 2025.

16. Glossary

Lawful Bases

Legitimate Interests: Processing necessary for our genuine business interests, provided these are not overridden by your rights and freedoms.

Performance of Contract: Processing necessary to fulfil a contract with you, or to take steps at your request before entering a contract.

Legal Obligation: Processing necessary to comply with a legal or regulatory requirement.

UK GDPR

The UK General Data Protection Regulation — the data protection framework that applies in the United Kingdom following the country’s departure from the European Union. It mirrors the EU GDPR in most respects but is administered by the UK’s Information Commissioner’s Office (ICO).