Privacy policy
Last updated: 21 May 2026
About this policy
This Privacy Policy explains how Zyleo (the "Store", "we", "us", or "our") collects, uses, stores, and protects your personal data when you visit our website zyleo.co.uk, place an order, or otherwise interact with our online shop. Zyleo is an e-commerce brand operating exclusively in the United Kingdom.
We are committed to protecting your privacy and handling your personal data in a transparent and lawful manner. This policy is designed to comply with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the European Union General Data Protection Regulation (EU GDPR), as our operating entity is established in France.
By using our website or purchasing from us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of it, please do not use our website or services.
Who is the data controller
The data controller responsible for your personal data under UK GDPR and EU GDPR is:
- Brand: Zyleo
- Company: HISOKA SAS
- SIRET: 989 850 680 00012
- Registered office: 1 Rue Marguerin, 75014 Paris, France
- Share capital: 10 000 €
- APE code: 47.91A
- Tax status: Franchise en base, art. 293 B du CGI
- Contact email: contact@zyleo.co.uk
HISOKA SAS is the legal entity that determines the purposes and means of processing your personal data and is therefore the data controller within the meaning of Article 4(7) of UK GDPR and EU GDPR.
What personal data we collect
We collect the following categories of personal data when you browse our website or place an order with us:
- Identity data: first name and last name.
- Billing address: street, city, postcode, country.
- Shipping address: street, city, postcode, country (if different from billing address).
- Contact data: email address.
- Phone number: optional, used only for delivery-related communications.
- Order data: products purchased, order amount, payment status, order date, order history.
- Technical data: IP address, browser type and version, operating system, device type, screen resolution, time zone, referring URLs.
- Usage data: pages visited, time spent on pages, clicks, navigation paths.
We do not knowingly collect or process special categories of personal data (such as health data, political opinions, religious beliefs, or biometric data). Payment card details are never stored on our servers and are handled directly by our PCI-DSS compliant payment processor.
How we collect it
We collect personal data in the following ways:
- Directly from you: when you create an account, fill in a checkout form, contact our customer support, or subscribe to our newsletter.
- Automatically: through cookies, pixels, and similar technologies when you browse our website.
- From third parties: from our payment processor (to confirm payment status) and our shipping carriers (to track delivery).
How we use your data
We use your personal data for the following purposes:
- To process and fulfil your orders, including taking payment and arranging delivery.
- To communicate with you about your order, including order confirmations, shipping notifications, and delivery updates.
- To provide customer support and respond to your enquiries.
- To process returns, refunds, and exchanges.
- To comply with our legal and accounting obligations, including invoicing and bookkeeping under French law.
- To detect, prevent, and investigate fraudulent transactions or other unlawful activity.
- To improve our website, products, and services through analytics and aggregated usage data.
- To monitor and analyse traffic to our website in order to optimise the user experience.
- To send you marketing communications, where you have given your consent.
Legal basis for processing (UK/EU GDPR)
Under Article 6 of UK GDPR and EU GDPR, we process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): to process your order, take payment, deliver your products, and provide post-sale customer service. Without this data, we cannot fulfil our contract with you.
- Legitimate interest (Article 6(1)(f)): to detect and prevent fraud, secure our website, analyse aggregated traffic for improvement, and ensure the smooth operation of our store. We balance our legitimate interests against your rights and freedoms.
- Consent (Article 6(1)(a)): for non-essential cookies, analytics, advertising, and marketing emails. You can withdraw your consent at any time.
- Legal obligation (Article 6(1)(c)): to comply with our accounting, tax, and consumer protection obligations under French and UK law.
Who we share your data with
We share your personal data only with trusted third parties who help us run our online store. These include:
- Shopify: our e-commerce platform, which hosts the website, manages product catalogues, and processes customer accounts and orders.
- Shopify Payments: our payment processor, which handles card transactions in a secure PCI-DSS compliant environment.
- UPS: for the delivery of orders within the United Kingdom.
- UPS: for the delivery of orders, particularly larger parcels or tracked services.
- Google Analytics: for aggregated website analytics and performance monitoring.
- Google Merchant Center: for the management of our product feed and Google Shopping listings.
Each of these third parties acts either as a processor on our behalf or as an independent controller for their own defined purposes, and is bound by appropriate data protection commitments.
We never sell, rent, or trade your personal data to third parties for their own marketing purposes. We may also disclose your data where required by law, court order, or regulatory authority.
International transfers
Your personal data may be transferred to and processed in countries outside the United Kingdom and the European Economic Area (EEA), in particular the United States, where some of our service providers are based.
- Shopify: headquartered in Canada with infrastructure in the United States.
- Google (Analytics and Merchant Center): headquartered in the United States.
Where personal data is transferred outside the UK or EEA, we ensure that adequate safeguards are in place in accordance with Article 46 of UK GDPR and EU GDPR. This includes reliance on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, and the EU-US and UK-US Data Privacy Framework where applicable.
How long we keep your data
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements.
- Customer account data: retained for as long as your account remains active, plus a reasonable period thereafter.
- Order and invoice data: retained for 10 years from the end of the financial year, in accordance with French accounting obligations (Code de commerce, article L123-22).
- Marketing data: retained until you withdraw your consent or until three years of inactivity have elapsed.
- Analytics data: typically retained for up to 14 months in aggregated and pseudonymised form.
- Customer support correspondence: retained for up to three years after the last contact.
Once retention periods expire, your personal data is securely deleted or anonymised.
Your rights under UK GDPR and EU GDPR
You have the following rights in relation to your personal data:
- Right of access: to obtain a copy of the personal data we hold about you.
- Right to rectification: to correct inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): to request the deletion of your personal data where there is no compelling reason for us to continue processing it.
- Right to restriction of processing: to ask us to suspend the processing of your personal data in certain circumstances.
- Right to data portability: to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object: to object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent: at any time, where processing is based on your consent, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint: with a supervisory authority.
How to exercise your rights
To exercise any of these rights, please contact us by email at contact@zyleo.co.uk. We will respond to your request within one month, as required by UK GDPR and EU GDPR. In some cases, we may need to verify your identity before processing your request, in order to protect your data.
Exercising your rights is free of charge, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable fee or refuse to act on the request.
Cookies
Our website uses cookies and similar technologies to ensure the proper functioning of the store, remember your preferences, analyse traffic, and (with your consent) deliver personalised content.
When you first visit our website, a cookie banner is displayed allowing you to accept, reject, or customise non-essential cookies. You can change your cookie preferences at any time through the banner or your browser settings. Strictly necessary cookies do not require consent as they are essential for the website to function.
Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, alteration, disclosure, or destruction.
Our online store is hosted on Shopify, which is certified PCI-DSS Level 1, the highest level of compliance for handling cardholder data. All transactions are encrypted using TLS (Transport Layer Security), and sensitive payment information is processed exclusively by our PCI-DSS compliant payment processor and never stored on our own systems.
Despite all reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot therefore guarantee absolute security of your data.
Children's privacy
Our website and products are not directed at children. We do not knowingly collect personal data from children under the age of 16 without verifiable parental consent. If you are under 16, please do not provide us with any personal data.
If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at contact@zyleo.co.uk.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or for other operational reasons. The updated version will always be available on this page with a revised "Last updated" date.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Where changes are material, we will provide a more prominent notice or, where required by law, request your renewed consent.
Contact
If you have any questions, concerns, or complaints about this Privacy Policy or how we handle your personal data, please contact us at:
- Email: contact@zyleo.co.uk
- Postal address: HISOKA SAS, 1 Rue Marguerin, 75014 Paris, France
You also have the right to lodge a complaint with a data protection supervisory authority. The relevant authorities are:
- United Kingdom: Information Commissioner's Office (ICO) — www.ico.org.uk
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr
We would, however, appreciate the opportunity to address your concerns directly before you approach a supervisory authority, so please consider contacting us first.
Contact
- Company name (legal entity): HISOKA SAS — French Société par Actions Simplifiée
- Trading as: Zyleo (zyleo.co.uk)
- Registered office: 1 Rue Marguerin, 75014 Paris, France
- Company registration number: 989 850 680 (SIREN, France)
- VAT status: VAT not applicable — art. 293 B French General Tax Code
- Phone (UK customer service): +44 20 8040 5007
- Email: contact@zyleo.co.uk
- Opening hours: Monday–Saturday · 9 am – 7 pm UK time
- Service promise: Guaranteed reply within 1 working day