Privacy Policy

Plain Language Summary

We’re goalkeepers, just like you. Our mission is to give every keeper the gear and support they need to perform with confidence—on the pitch and online. That includes looking after your personal information.

We collect only what we need. Things like your name, delivery address and email help us get your gloves to you and keep you updated on your order.
We never sell your data—period. Your details stay between us and the trusted services that help us run our store. Currently, we have no business or marketing partners that aren't service providers who we share data with. If this changes, we will ensure they follow an adequate duty of care to keep your data safe.
You stay in control. Unsubscribe links, opt‑out options and clear explanations mean you decide how we talk to you.
Security is our priority. We use encryption, access controls and other safeguards to keep your data safe.
We adapt as the internet changes. New tech brings new risks; we’ll keep reviewing and improving our protections and will always let you know when things change.

If you ever have questions, just drop us a line at info@calmagk.com —we’re here to help.

1. Who We Are

Calma Goalkeeping Limited ("we", "us", "our") is a consumer‑retail brand incorporated in the United Kingdom and operating online at https://calmagk.com. For the purposes of UK GDPR, EU GDPR and the Data Protection Act 2018, Calma Goalkeeping Limited is the Data Controller of the personal information we collect.

Registered company name: Calma Goalkeeping Limited
Company number: 11570856
Registered office: 4 Mason Court, Gillan Way, Penrith 40 Business Park, Penrith, England, CA11 9GR
Email: info@calmagk.com

If you have questions about this notice or wish to exercise your data‑protection rights, please contact our Data Protection Officer (DPO) at the address above.

2. Scope of This Notice

This Privacy Policy explains how we collect, use, disclose, transfer and store your personal information when you:

Visit or make a purchase from our Shopify‑hosted online store;
Interact with our marketing emails, SMS messages or adverts; or
Engage with us on social‑media platforms (Facebook/Instagram, YouTube, X/Twitter) that are connected to our store.

It applies to customers and visitors located in the United Kingdom, European Economic Area (EEA) and Switzerland, and to consumers in the United States, including residents of states with specific privacy statutes (e.g. California’s CCPA/CPRA).

3. Information We Collect

Category	Examples	Source
Identifiers	Name, billing & delivery address, email address, telephone number, account username	Provided by you at checkout, account signup or support contact
Commercial information	Products purchased, order value, returns, wish‑list items, discount‑code use	Generated through transactions
Payment details	Last four digits of card, payment method, transaction ID (full card details are handled directly by Shopify Payments/PayPal and are not stored by us)	Collected at checkout (Shopify)
Marketing preferences	Email/SMS opt‑in status, open & click rates, segmentation tags	Collected via Klaviyo signup forms & campaign analytics
Internet / network activity	IP address, device ID, browser type, referring URL, pages viewed, time spent, cookies, pixels, log files	Collected automatically via Shopify, Google Analytics, Meta Pixel, X Pixel
User‑generated content	Product reviews, comments, social posts, survey responses	Provided by you
Geolocation data	General location inferred from IP (city/region)	Automatically collected
Customer‑service interactions	Emails, chat transcripts, call notes	Provided by you and generated by us

We do not intentionally collect sensitive personal data (special‑category data) or data about children under 16. If we learn that such data has been provided, we will delete it promptly.

4. Legal Bases for Processing (UK/EU)

We rely on one or more of the following lawful bases under Article 6 GDPR:

Contract: to process and deliver your order, take payment, provide customer support;
Consent: to send you marketing emails/SMS where you have opted in;
Legitimate interests: to improve our site, prevent fraud, personalise offers and adverts (balanced against your rights);
Legal obligation: to keep VAT/tax records, comply with product‑safety or consumer‑protection laws.

For US consumers, our collection and use of personal information is carried out for "business purposes" as defined by applicable state laws.

5. How We Use Your Information

Order fulfilment & account management – to process payments, dispatch products, handle returns and exchanges;
Customer service – to respond to enquiries, complaints and warranty requests;
Marketing & personalisation – to send newsletters, promotions and abandoned‑cart reminders via Klaviyo; to show relevant ads on Google, YouTube, Facebook/Instagram and X;
Analytics & site optimisation – to understand traffic patterns, troubleshoot and improve the user experience;
Security & fraud prevention – to protect our store, customers and business;
Compliance & legal – to maintain records and meet regulatory requirements.

We do not sell, rent or share your personal information with third parties for their own direct marketing.

6. Disclosures & Third‑Party Service Providers

We share data only with trusted processors who help us run our business. Each acts under written contracts that require them to safeguard personal information.

Provider	Role	Location	Safeguards
Shopify Inc.	Ecommerce platform, hosting, payment processing	Canada / worldwide	Adequacy decision (Canada) & SCCs for non‑EEA transfers
Klaviyo Inc.	Email & SMS marketing platform, customer‑data storage	United States	EU‑US/UK‑US Data Privacy Framework + SCCs
Google LLC (incl. YouTube)	Analytics, advertising, YouTube embed	United States	Data Privacy Framework + SCCs
Meta Platforms Ireland Ltd	Facebook & Instagram ads, Meta Pixel	Ireland/United States	SCCs
X Corp.	Advertising, X Pixel	United States	SCCs
TikTok Technology Ltd	Advertising, TikTok Pixel	Ireland / United States	SCCs
Logistics partners (e.g. Royal Mail, DHL)	Shipping & delivery	UK / EU / US	Contractual necessity
Payment gateways (Shopify Payments, PayPal)	Secure payments & anti‑fraud	Multiple	PCI‑DSS compliance

We may also disclose personal data when required by law or to protect our rights (e.g., to HMRC, customs authorities, courts, or law‑enforcement agencies).

The above list may change from time to time at our discretion. While we do not currently share personal data with any third‑party marketing or business partners that are not acting solely as our service providers, we reserve the right to do so in the future with carefully vetted partners, provided such sharing complies with applicable data‑protection laws and is covered by appropriate contractual safeguards (including, where required, your consent).

7. International Data Transfers

Because many of our service providers are based outside the UK/EEA, your data may be transferred to countries that do not provide the same level of protection. Whenever we transfer information internationally, we ensure appropriate safeguards are in place, such as:

Adequacy decisions (e.g., Canada for Shopify);
Standard Contractual Clauses (SCCs) approved by the European Commission/UK ICO;
Data Privacy Framework certification for US recipients.

A copy of the relevant safeguards is available on request.

8. Marketing Communications

We will send you email and/or SMS marketing only if you have given us explicit consent (opt‑in) or where we have an existing customer relationship and are allowed to rely on soft opt‑in under PECR. You can:

Click “Unsubscribe” in any email;
Reply STOP to any SMS; or
Contact us at info@calmagk.com.

We aim to action opt‑out requests within 48 hours. Please note that transactional messages (e.g., order confirmations, shipping updates) are necessary and will still be sent.

9. Cookies & Similar Technologies

We use first‑ and third‑party cookies, web beacons and pixels to:

Keep your shopping cart updated;
Remember account preferences;
Analyse site performance (Google Analytics);
Deliver personalised ads (Meta Pixel, Google Ads, X Pixel).

Our cookie banner lets you accept or reject non‑essential cookies. You can also adjust browser settings to disable cookies, though this may affect site functionality.

For detailed information, see our separate Cookie Policy.

10. Your Rights

UK / EU Residents

You have the right to:

Access – obtain a copy of your personal data;
Rectify – correct inaccurate or incomplete data;
Erase – request deletion in certain circumstances;
Restrict – limit processing under specific conditions;
Object – object to processing based on legitimate interests or direct marketing;
Portability – receive data in a structured, machine‑readable format;
Withdraw consent – at any time where processing relies on consent;
Lodge a complaint – with the ICO (UK) or your local supervisory authority.

US Residents (e.g., California, Colorado, Virginia)

Subject to state law, you may have the right to:

Know what personal information we collect, use and disclose;
Request deletion;
Opt out of the “sale” or “sharing” of personal information (we do not sell data but honour such requests);
Non‑discrimination for exercising your rights.

To exercise any of these rights, email info@calmagk.com or write to us at the address above. You may also exercise your CCPA/CPRA opt‑out right ("Do Not Sell or Share My Personal Information") by emailing info@calmagk.com with the subject line "CCPA Opt‑Out". We will verify your identity and respond within one month (45 days for CCPA).

11. Data Retention

We keep personal information only as long as necessary:

Orders & tax records: 7 years from the end of the financial year;
Marketing lists: until you unsubscribe or 2 years after your last interaction;
Support tickets: 3 years after resolution;
Analytics data: 26 months (Google Analytics standard setting).

We will then securely delete or anonymise the data.

12. Security Measures

We implement appropriate technical and organisational measures, including:

TLS/SSL encryption in transit;
AES‑256 encryption at rest (Shopify);
Two‑factor authentication for staff accounts;
Access controls and role‑based permissions;
Regular vulnerability scanning and penetration testing;
Staff training and confidentiality agreements.

Despite these measures, no online service is 100% secure. We therefore cannot guarantee absolute security.

13. Children’s Privacy

Our products and website are not directed to children under 16. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with data, please contact us so we can delete it.

14. Changes to This Policy

We may update this notice from time to time (e.g., to reflect legal changes or new features). Any changes will be posted on this page with a revised “Last updated” date. For material changes, we will provide a prominent notice (e.g., email or banner).

15. Contact Us

If you have any questions about this Privacy Policy, your personal information, or wish to exercise your rights, please contact:

Data Protection Officer
Calma Goalkeeping Limited
4 Mason Court, Gillan Way, Penrith 40 Business Park, Penrith, England, CA11 9GR
Email: info@calmagk.com

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) (www.ico.org.uk) or your local data‑protection regulator.

Disclaimer

This draft is provided for general information only and does not constitute legal advice. You should obtain professional legal review before publishing your final policy