Privacy policy

1.Who we are

MAAREE is a sports performance apparel brand. We design and sell sports bras for women, engineered around our protected Overband^® Technology. Mari Thomas-Welland founded the company in 2018.

For the data we hold about our customers, we are the data controller.

2.What we collect, and why

We only collect what we need. Below is the full picture of what comes in, and the reason it does.

When you visit the site

We log your IP address, your browser and device type, the pages you view, the time you spend on them, and how you arrived. This is what keeps the site working, lets us spot bugs, and helps us understand which pages are pulling their weight.

When you buy from us

We need your name, email address, billing address, delivery address, phone number, and the order details themselves. We do not see or store your full card number. Card details go straight to our payment processors, who are PCI-DSS compliant and built for that one job.

When you sign up to our emails

We collect your email address. Sometimes we ask for your name, your size, or what you are training for, so the emails feel less like spam and more like a friend with a useful tip. You can unsubscribe at any time, in any email we send you.

When you book a free fitting

We collect your name, email, the time you choose, and any sizing details you share with the fitter so the session actually helps. Booking does not commit you to buying anything.

When you contact us

We see whatever you tell us in the message, plus your name and email. If your question is about an order, we will look up the order details too.

When you enter a giveaway or competition

We collect what the entry form asks for, usually your name and email. The terms for that specific competition will say what we do with it.

3.The legal bases we rely on

UK GDPR says we can only process your data if we have a lawful reason. Here are ours.

• Contract. When you buy from us or book a fitting, we process your data because we have to in order to deliver what you asked for.
• Consent. When you opt in to marketing emails, SMS, or non-essential cookies. You can withdraw consent at any time.
• Legitimate interests. When we improve the site, prevent fraud, or send order-related updates. We balance our interest against yours, and you can object whenever you want.
• Legal obligation. When the law tells us we have to keep records, for example for HMRC.

4.Who we share it with

We do not sell your data. We do not share it with third parties for them to market to you.

We do work with a small set of trusted suppliers to run the business. Each one only sees the data they need, and each one is under contract not to use it for anything else. The main names:

• Shopify runs our store, the checkout, and customer accounts. Order, account and payment data flows through Shopify's platform. Their privacy policy.
• Klaviyo sends our marketing emails and SMS, and tracks engagement so we can stop messaging people who are not interested. We share your email, phone number (if you gave us one), name, and behavioural data like opens and clicks. Their privacy policy.
• Klarna handles pay-in-instalments at checkout. If you choose Klarna, we pass on your contact and order details so they can run their own credit decision and tailor a payment plan. They become a data controller in their own right at that point. Their privacy statement.
• Calendly powers the booking flow for free fittings. We share your name, email, and the time slot you pick. Their privacy notice.
• Payment processors like Shopify Payments and PayPal handle card data end-to-end. We never see or store your full card number.
• Couriers such as Royal Mail and DHL get your delivery address so they can drop off the parcel.
• Accountants and tax advisors see invoice and order data because the law requires us to keep proper records.
• Analytics and advertising tools (Google Analytics, Meta) see anonymised browsing data so we can understand what is working on the site, but only if you have accepted those cookies.

We also share data when we have to: a court order, a legitimate request from law enforcement, or to protect the rights, property, or safety of our customers, our staff, and the public.

If MAAREE Ltd. is ever sold, merged, or restructured, your data may move to the new owner as part of the transfer. We will tell you before that happens, and the new owner will be bound to protect your data the same way we do.

5.How long we keep it

We do not hang on to data forever. Rough timings:

• Order records: 7 years from the date of the order. HMRC requires this for tax.
• Customer accounts: until you ask us to delete the account. After that, we keep only what we are legally required to keep.
• Marketing data: until you unsubscribe, or until we have not heard from you in 24 months. We then remove you from active lists within 30 days.
• Customer support emails: 2 years from your last message, unless we need them for an active issue.
• Website analytics: aggregated and anonymised after 14 months.
• Cookies: the cookie policy lays out individual durations.

6.International transfers

Some of our suppliers operate outside the UK, mostly in the United States and the EEA. When we send your data abroad, we use the safeguards UK law accepts:

• UK adequacy regulations, where they apply (the EEA, for example).
• The UK International Data Transfer Agreement (IDTA) for transfers to countries without an adequacy decision.
• The EU Standard Contractual Clauses with the UK Addendum, where the IDTA does not fit.

If you would like a copy of the safeguards in place for a specific transfer, get in touch and we will send them over.

7.Your rights

UK GDPR gives you eight rights over your personal data. Each of these is free to exercise. We will respond within one calendar month.

1. Ask for a copy of your data. Often called a Subject Access Request. You can ask what we hold about you and get a copy.
2. Correct your data. If something is wrong or out of date, tell us and we will fix it.
3. Delete your data. Also called the right to be forgotten. There are limits if we are legally required to keep certain records, but we will explain those.
4. Restrict how we use your data. You can ask us to pause processing while we sort out a query.
5. Take your data elsewhere. The right to data portability. We will provide your data in a common machine-readable format.
6. Object. You can object to direct marketing at any time. You can also object to processing based on legitimate interests.
7. Opt out of automated decisions. We do not make decisions about you using automated processing alone, so this rarely comes up. If that ever changes, we will tell you.
8. Withdraw consent. Where we relied on your consent (marketing emails, non-essential cookies), you can pull it back at any time.

To exercise any of these, send us a message and tell us which right you are using. We may need to verify it is really you before we hand over data.

8.Cookies

We use cookies for the same reasons most websites do. They keep the basket working, recognise you when you come back, help us understand which parts of the site are pulling their weight, and (only if you agree) let our ad partners show you ads that might actually be relevant.

What cookies are

Cookies are small text files saved to your browser when you visit a site. They let the site remember things about you between pages and between visits. Some cookies are set by us. Others are set by the third parties whose tools we use, like Shopify, Klaviyo, and the ad networks we run campaigns on.

Essential cookies

These keep the site working. Without them, the basket would not hold items, you could not stay logged in, and we could not protect against automated abuse. Essential cookies do not require your consent because the site cannot function without them.

Analytics cookies

These help us understand how people use the site, which pages convert, and where we have work to do. We only set these once you have accepted analytics cookies in the banner.

Marketing and advertising cookies

These let our ad partners (Meta, Google, and the other platforms we run campaigns on) target ads to you on their networks and measure whether our ads worked. We only set these once you have accepted marketing cookies in the banner.

Third-party widgets

Some features on the site rely on third-party tools that may set their own cookies when used:

• Stamped (the reviews widget on product pages)
• Klarna (only when you select Klarna at checkout)
• Calendly (only when you book a free fitting)

Each one is covered by its own privacy policy, linked in section 4.

How to control cookies

You have three layers of control.

• The cookie banner. The first time you visit, a banner asks what you want to allow. You can change your mind at any time using the "Cookie preferences" link in the footer.
• Your browser. Every modern browser lets you block or delete cookies. Look in the browser's settings under "Privacy" or "Cookies". Blocking essential cookies will break parts of the site, including the basket.
• Opt out at the source. For advertising cookies, you can also opt out directly with the ad networks: Meta at facebook.com/settings?tab=ads, Google at adssettings.google.com, and across most UK and EU ad networks at youronlinechoices.com.

A note on this list

The cookies set on the site change as we add or remove tools, swap apps, or update integrations. We update this list whenever we make a meaningful change. If you spot something missing or out of date, tell us and we will fix it.

9.Children

MAAREE products are made for adult bodies. We do not knowingly collect personal data from anyone under 16. If you are under 16, please ask a parent or guardian before you send us any personal information. If we find out we have collected data from someone under 16 without that consent, we will delete it.

10.Security

We take security seriously. Card data is encrypted in transit and processed by PCI-DSS compliant providers, so we never see your full card number. Our staff use multi-factor authentication on the systems that touch customer data. We review our suppliers' security regularly, and we limit access on a need-to-know basis.

No system is 100% secure, and the internet itself is not. We do everything we reasonably can to protect your data, and we are honest about the fact that we cannot guarantee against every possible threat. If something does not look right to you, tell us straight away.

If we ever uncover a personal data breach that puts your rights at risk, we will tell you and notify the Information Commissioner's Office, in line with UK law.

11.Links to other sites

Our site links to other websites. We cannot control what those sites do with your data, so we encourage you to read their privacy policies before you share anything. The same goes if you arrived here from another site: read theirs too. We are only responsible for our own.

12.Changes to this policy

We update this policy when we change how we work, or when the law changes. The "last updated" date at the top of the page tells you when we last revised it. If we make significant changes, we will flag them in the newsletter or on the homepage so you do not have to come hunting for the difference.

13.Complaints

If you think we have got something wrong with your data, please tell us first and give us a chance to fix it.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK regulator for data protection. Raising a complaint with the ICO does not affect any other legal rights you have.