Privacy Policy
Sans (UK) Privacy Policy
Effective date: 10 November 2025
1. Who we are
This Privacy Policy explains how Sans (“we”, “us”, “our”) handles your personal data in the United Kingdom when you visit our site, purchase our products, contact support, or receive our marketing.
- Controller: Living Well Solutions UK Ltd, 124–128 City Road, London, England, EC1V 2NX
- Privacy contact: hi@livesans.co.uk
We may update this notice from time to time. We will revise the effective date above and, where appropriate, notify you of material changes.
2. Personal data we collect
2.1 Data you provide
- Orders & account: name, billing/shipping address, email, phone, order details, and payment information (processed by our payment provider; we do not store full card details).
- Support: information about your enquiry, order context, communications and attachments.
- Marketing preferences: your email/SMS opt-in choices and topic preferences.
2.2 Data collected automatically
- Device & usage data: IP address, device identifiers, browser type, time zone, pages viewed, links clicked, referrers, session timing.
- Cookies & similar technologies: identifiers and signals set/read on your device. See Section 6 (Cookies & similar technologies).
2.3 Data from third parties
- Ecommerce & delivery: updates from our platforms and carriers to process and deliver orders.
- Analytics/advertising: aggregated and identifier-based signals from our analytics/ads partners (only after consent where required).
3. How we use personal data and our lawful bases
| Purpose | Examples | Lawful basis |
|---|---|---|
| Purchases & fulfilment | process payment, prevent fraud, ship via Evri, manage returns/warranties, issue invoices | Contract; Legitimate interests (fraud prevention) |
| Customer support | respond to enquiries, quality assurance | Legitimate interests; Contract |
| Account & preferences | manage profile, addresses, subscriptions | Contract |
| Legal & compliance | tax/audit records, responding to lawful requests | Legal obligation |
| Analytics & performance | measure and improve site performance and UX | Consent (for non-essential cookies) |
| Marketing (email/SMS) | news, offers, product updates; unsubscribe any time | Consent (or soft opt-in for similar products by email, where permitted) |
| Advertising & ad matching | retargeting, lookalike audiences, campaign measurement | Consent |
| Security | detect abuse, protect services and users | Legitimate interests |
You may withdraw consent at any time. You have an absolute right to object to direct marketing at any time.
4. Disclosures of personal data
We share personal data with:
- Ecommerce & payments: Shopify (store platform), Shopify Payments (payments).
- Delivery & logistics: Evri (carrier).
- Marketing & communications: Klaviyo (email), Attentive (SMS).
- Analytics & advertising: Northbeam, Google Analytics 4, Google Ads, Meta, Microsoft/Bing Ads, TikTok, Google Tag Manager (tag deployment).
- Product analytics/UX: Microsoft Clarity (session analytics with masking).
- Data layer / identity services: Fueled (data layer/identity/attribution services).
- Professional services & authorities: auditors, advisors, insurers, and public authorities where required by law.
Depending on context, partners act as processors (on our instructions) or independent controllers. We have appropriate contracts in place. We do not sell your personal data.
5. Advertising & ad matching
Where you consent to marketing/advertising cookies, we may use ad matching (e.g., uploading a hashed email to platforms such as Meta/Google/Klaviyo/Attentive) to find or reach audiences with similar interests, measure performance, and reduce irrelevant ads.
- Ad matching runs only after your consent and can be turned off in Cookie Settings.
- You can also control ads in-platform (e.g., Meta Ad Preferences, Google Ad Settings, Microsoft/Bing, TikTok).
- We do not permit partners to store/sell/monetize your data for their own purposes.
6. Cookies & similar technologies (PECR)
We use essential cookies required for our store to function and, with your consent, analytics and advertising cookies.
- Consent first: non-essential cookies (e.g., GA4, Northbeam, Meta, Google Ads, Bing, TikTok, Klaviyo web tracking, Microsoft Clarity) are not set unless you opt in via our cookie banner/controls.
- Manage choices: use the Cookie Settings link (in our footer) to accept, reject, or change categories at any time.
- Browser controls: you can also manage cookies in your browser; blocking cookies may affect site functionality.
We treat online identifiers (cookie IDs, advertising IDs, IP addresses) as personal data where they can be linked to you or your device.
A summary of our cookies and pixels appears in Appendix A – Cookie & Pixel Table.
7. International transfers
Some recipients are outside the UK. Where we transfer personal data internationally we use:
- The UK–US Data Bridge (extension of the EU–US Data Privacy Framework) where the recipient participates; or
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus supplementary measures where appropriate.
Further details are available on request.
8. Retention
We keep personal data only as long as needed for the purposes above and to meet legal, accounting, and reporting requirements:
- Orders & invoices: 6 years (tax/audit).
- Customer support: up to 36 months from your last interaction. Where a support matter relates to a contract, warranty or potential claim, we may retain relevant records up to 6 years to establish, exercise or defend legal claims.
- Marketing (email/SMS): 24 months from your last interaction or until you unsubscribe/withdraw consent, whichever is sooner. We keep a minimal suppression record indefinitely to ensure we do not contact you after you opt out.
- Cookie consent records: up to 24 months (or the period configured in our consent tool) to honour your settings.
We then delete or irreversibly anonymise the data.
9. Your rights (UK)
You have the right to access, rectify, erase, restrict, port, and object to processing. You can withdraw consent at any time. You have an absolute right to object to direct marketing.
We do not make decisions solely by automated means that produce legal or similarly significant effects. If this changes, we will tell you and enable human review and a right to contest a decision.
To exercise your rights, email hi@livesans.co.uk. We may ask for information to verify your identity. We will respond within one month (extendable by up to two further months for complex requests; we will let you know if we need more time).
You may complain to the Information Commissioner’s Office (ICO) at https://ico.org.uk/make-a-complaint. We would appreciate the chance to resolve your concerns first.
10. Security
We implement appropriate technical and organisational measures including encryption in transit (and at rest where supported by vendors), access controls and least-privilege, vendor due diligence and DPAs, staff training, and incident response procedures. No system is perfectly secure; we review and improve our controls regularly.
11. Children
Our site and services are not intended for children under 13. If you believe we have collected personal data about a child, please contact us and we will delete it.
12. Contact
Living Well Solutions UK Ltd
124–128 City Road, London, England, EC1V 2NX
Email: hi@livesans.co.uk
Appendix A – Cookie & Pixel Table (summary)
Non-essential cookies/pixels load only after consent. You can change choices any time via Cookie Settings. Names and durations may change as vendors update their services.
| Category | Provider | Example identifiers | Purpose | Typical duration |
|---|---|---|---|---|
| Essential | Shopify | _secure_session_id, cart, cart_sig, checkout_token, secure_customer_sig, _shopify_u, storefront_digest | Store operation, checkout, authentication, security | Session to 2 years |
| Essential/Functional | Google Tag Manager | (first-party storage as configured) | Deploy/condition tags based on your consent choices | N/A |
| Analytics (consent) | Google Analytics 4 | _ga, _ga_*, _gid | Site usage and performance (aggregated) | 24 hours to 2 years |
| Analytics (consent) | Northbeam | nb_* (naming may vary) | Marketing & attribution analytics across campaigns | up to 2 years |
| Analytics/UX (consent) | Microsoft Clarity | _clck, _clsk, CLID | Session analytics and UX diagnostics (with masking) | 24 hours to 1 year |
| Marketing/Ads (consent) | Meta (Facebook/Instagram) | Pixel (_fbp), event beacons | Ad performance, retargeting, lookalikes | up to 2 years |
| Marketing/Ads (consent) | Google Ads | _gcl_au, conversion tags | Ad performance, retargeting | up to 3 months |
| Marketing/Ads (consent) | Microsoft/Bing Ads | MUID, _uet* | Ad performance, retargeting | up to 1 year |
| Marketing/Ads (consent) | TikTok | tt_* | Ad performance, retargeting | up to 13 months |
| Email marketing (consent) | Klaviyo | __kla_id, __kla_viewed | Email analytics, onsite signup and campaign measurement | up to 2 years |
| SMS marketing (consent) | Attentive | attn_* | SMS signup flows, onsite modals, attribution | up to 2 years |
| Data layer / identity (consent) | Fueled | fueled_* (if cookies used) | Data layer/identity to improve analytics/ads | varies |
Notes & safeguards
- Consent gating: analytics, advertising, email/SMS tracking, session replay and ad matching run only after opt-in.
- Session replay (Clarity): configured to mask sensitive fields; keystroke capture for payment/PII is disabled.
- Ad matching/lookalikes: if you consent to marketing, we may share hashed identifiers with platforms for matching; you can opt out in Cookie Settings and via platform controls.
- Retention.com: not currently active. If adopted in the future, it will be enabled only after consent and described as ad matching/identity resolution (not “selling” data).