Privacy Policy
Last Updated: 12 March 2026
1. Introduction
Millbank Sports Limited (hereinafter referred to as "we," "us," "our," or the "Company") is committed to protecting and respecting the privacy of individuals who visit www.millbanksports.com (hereinafter referred to as the "Website") or otherwise interact with our services. We recognise the importance of safeguarding personal data and are dedicated to processing such data in a transparent, lawful, and fair manner.
The purpose of this Privacy Policy is to inform you about how we collect, use, store, share, and protect your personal data when you access the Website, place an Order, create an account, or communicate with us. It also sets out your rights as a data subject under applicable data protection legislation.
We process personal data in accordance with the United Kingdom General Data Protection Regulation ("UK GDPR"), as incorporated into domestic law by the European Union (Withdrawal) Act 2018 and supplemented by the Data Protection Act 2018 ("DPA 2018"). Where our Goods are offered to consumers residing in the European Economic Area ("EEA"), we also comply with the General Data Protection Regulation (EU) 2016/679 ("EU GDPR"). References to "GDPR" throughout this Policy shall be construed as references to the UK GDPR and, where applicable, the EU GDPR.
By using the Website or providing personal data to us, you acknowledge that you have read and understood this Privacy Policy. Should you have questions or concerns regarding the processing of your personal data, please contact us at: contact@millbanksports.com
2. Data Controller
For the purposes of the GDPR and the DPA 2018, the data controller responsible for the personal data collected through the Website is:
Millbank Sports Limited
Email: contact@millbanksports.com
Website: www.millbanksports.com
As the data controller, we determine the purposes and means of processing personal data and bear responsibility for ensuring that all processing activities comply with applicable data protection legislation.
3. Categories of Personal Data We Collect
We collect and process the following categories of personal data, depending on the nature of your interaction with the Website:
3.1 Information You Provide Directly
Identity Data: Full name, title, and any other identifiers supplied during account registration or the checkout process.
Contact Data: Email address, postal address, delivery address, and telephone number.
Financial Data: Payment card details and billing address, which are processed through our secure third-party payment gateway. The Company does not directly store or retain full payment card numbers.
Order Data: Details of the Goods purchased, Order history, delivery preferences, and any correspondence relating to specific transactions.
Communication Data: Information contained in emails, contact form submissions, or other written correspondence directed to us, including the content and metadata of such communications.
3.2 Information Collected Automatically
When you visit the Website, certain data is collected automatically through the use of cookies and similar tracking technologies, as further described in our Cookie Policy. Automatically collected data may include:
Technical Data: Internet Protocol ("IP") address, browser type and version, operating system, device type, screen resolution, and time zone setting.
Usage Data: Pages visited, time spent on each page, navigation paths, referral source (the website from which you arrived), click patterns, and other behavioural data relating to your interaction with the Website.
Location Data: Approximate geographic location derived from your IP address.
The Website is hosted on the Squarespace platform, which places both necessary and non-essential cookies on visitors' browsers. Necessary cookies support core functionality such as shopping cart operations, customer accounts, and URL redirects. Non-essential cookies, including analytics and performance cookies, gather information about how visitors interact with the Website.
3.3 Information from Third Parties
We may receive personal data from third-party sources, including payment processors, delivery service providers, and fraud prevention agencies, where such data is necessary for the performance of a Contract or to comply with a legal obligation.
4. Lawful Bases for Processing
Under Article 6(1) of the UK GDPR, we process your personal data on the basis of one or more of the following lawful grounds:
Performance of a Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. For example, we process Identity Data, Contact Data, and Financial Data to fulfil your Orders, arrange delivery, and manage returns.
Legitimate Interests (Article 6(1)(f)): Processing is necessary for the purposes of our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include operating and improving the Website, preventing fraud, ensuring network and information security, and conducting internal analytics to understand customer behaviour and preferences.
Legal Obligation (Article 6(1)(c)): Processing is necessary to comply with a legal obligation to which we are subject, such as maintaining financial records for tax and accounting purposes under applicable UK legislation, or responding to lawful requests from regulatory authorities.
Consent (Article 6(1)(a)): Where none of the above lawful bases applies, we shall seek your explicit consent before processing your personal data for a specific purpose. Consent may be sought, for instance, in connection with direct marketing communications. You have the right to withdraw consent at any time, as detailed in Section 9 of this Policy.
5. Purposes of Processing
We use the personal data collected for the following specific purposes:
Order Fulfilment and Contract Performance: Processing and dispatching Orders, issuing Order Confirmations and invoices, arranging delivery, managing returns and refunds, and providing post-sale customer support.
Account Management: Creating and maintaining customer accounts, authenticating login credentials, and storing Order history for your convenience.
Website Administration and Security: Ensuring the proper functioning of the Website, monitoring for unauthorised access or suspicious activity, diagnosing technical issues, and maintaining system integrity.
Analytics and Improvement: Analysing aggregated and anonymised data regarding Website traffic, user behaviour, and purchasing patterns to improve our product offerings, Website design, and overall customer experience.
Communication: Responding to enquiries, complaints, and feedback submitted through the contact email or other channels available on the Website.
Legal and Regulatory Compliance: Maintaining records required under tax, accounting, and consumer protection legislation, and cooperating with law enforcement or regulatory authorities where legally compelled to do so.
Marketing (with Consent): Where you have provided explicit opt-in consent, sending promotional emails, newsletters, or product updates regarding our Goods and services. Each marketing communication will include a clear and functional unsubscribe mechanism.
6. Data Sharing and Third-Party Recipients
We do not sell, rent, or trade your personal data to third parties for their independent marketing purposes. Personal data may, however, be shared with the following categories of recipients, strictly to the extent necessary for the purposes described in this Policy:
Payment Processors: Secure third-party payment gateways process Financial Data to authorise and complete transactions. Such processors operate under their own privacy policies and are bound by contractual obligations to protect the confidentiality of personal data.
Delivery and Logistics Providers: Contact Data and Order Data are shared with shipping carriers to facilitate the delivery of Goods to your specified address.
Platform Provider (Squarespace): As the Website is hosted on the Squarespace platform, certain personal data (including Technical Data and Usage Data) is processed by Squarespace, Inc. in accordance with its own Privacy Policy, available at www.squarespace.com/privacy.
Professional Advisers: Legal counsel, accountants, auditors, and insurers may receive access to personal data where necessary for the provision of professional services to the Company.
Regulatory and Law Enforcement Authorities: Personal data may be disclosed to public authorities where required by law, regulation, or legal process, including in response to a court order or request from the Information Commissioner's Office ("ICO").
All third-party recipients who process personal data on our behalf do so under written data processing agreements that impose obligations of confidentiality and compliance with the GDPR, in accordance with Article 28 of the UK GDPR.
7. International Data Transfers
Squarespace, Inc. is headquartered in the United States of America. Accordingly, certain personal data collected through the Website may be transferred to, stored, and processed in the United States or other jurisdictions outside the United Kingdom and the EEA.
Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with Articles 44 to 49 of the UK GDPR. Such safeguards may include:
Transfers to countries that have received an adequacy decision from the UK Secretary of State under Section 17A of the DPA 2018.
Standard Contractual Clauses ("SCCs") approved by the Information Commissioner's Office, imposing contractual obligations on the data importer to protect the transferred data to a standard equivalent to that of UK data protection law.
The International Data Transfer Agreement ("IDTA") or the UK Addendum to the EU SCCs, as published by the ICO.
You may request further information regarding the specific safeguards applied to international transfers by contacting us at contact@millbanksports.com.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The specific retention periods depend on the nature of the data and the purpose of processing:
Order and Transaction Data: Retained for a period of six years from the date of the relevant transaction, in compliance with UK tax and accounting obligations under the Taxes Management Act 1970 and the Companies Act 2006.
Account Data: Retained for as long as your account remains active. Upon account deletion, personal data associated with the account shall be erased within 30 days, subject to any overriding legal retention obligations.
Communication Records: Retained for a period of two years from the date of the most recent correspondence, unless the communication relates to a legal claim or dispute, in which case it shall be retained until the matter is fully resolved.
Technical and Usage Data: Anonymised analytics data may be retained indefinitely. Identifiable Technical Data (such as IP addresses) is retained for no longer than 12 months.
Marketing Consent Records: Records of consent granted or withdrawn are retained for three years from the date of the relevant action, to demonstrate compliance with the GDPR's accountability principle.
Upon expiry of the applicable retention period, personal data shall be securely deleted or irreversibly anonymised.
9. Your Rights as a Data Subject
Under the UK GDPR and the DPA 2018, you are entitled to exercise the following rights in relation to your personal data:
Right of Access (Article 15): You have the right to obtain confirmation as to whether personal data concerning you is being processed and, where that is the case, to request access to the personal data along with supplementary information about the processing. A Data Subject Access Request ("DSAR") can be submitted by contacting us at contact@millbanksports.com. We shall respond within one calendar month of receipt, unless the request is complex or voluminous, in which case the response period may be extended by a further two months.
Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete personal data held by us.
Right to Erasure (Article 17): Also known as the "right to be forgotten," you may request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (and no other lawful basis applies), or where the data has been unlawfully processed. Certain exceptions apply, including where retention is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
Right to Restriction of Processing (Article 18): You may request that we restrict the processing of your personal data in specific circumstances, such as where you contest the accuracy of the data or where you have objected to processing pending verification of whether our legitimate interests override your rights.
Right to Data Portability (Article 20): Where processing is based on consent or the performance of a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller.
Right to Object (Article 21): You have the right to object to the processing of your personal data where such processing is based on legitimate interests or is carried out for direct marketing purposes. Upon receipt of an objection, we shall cease processing the relevant data unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. At present, the Company does not engage in solely automated decision-making processes.
To exercise any of the above rights, please submit your request in writing to contact@millbanksports.com. We may require verification of your identity before processing such requests, to ensure the security and integrity of personal data.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration, in compliance with Article 32 of the UK GDPR. Security measures in place include:
Secure Sockets Layer ("SSL") encryption for all data transmitted between your browser and the Website.
Restricted access to personal data on a need-to-know basis, with role-based access controls for authorised personnel.
Regular monitoring and review of security systems and processes.
Use of secure, PCI DSS-compliant third-party payment processors for handling Financial Data.
While we take all reasonable precautions to protect your personal data, no method of transmission over the internet or method of electronic storage is entirely secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining robust measures that reflect current industry standards and best practices.
11. Children's Privacy
The Website is not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. If we become aware that personal data has been collected from a child without the consent of a parent or legal guardian, we shall take immediate steps to delete such data from our records. Should you believe that a child has provided personal data to us, please contact us at contact@millbanksports.com so that appropriate action may be taken.
12. Third-Party Links
The Website may contain hyperlinks to external websites operated by third parties. We have no control over the content, privacy practices, or security measures of such websites. A link to a third-party website does not constitute an endorsement or recommendation of that website's privacy practices. We encourage you to review the privacy policies of any external website before providing personal data, as the Company bears no liability for the data handling practices of third-party operators.
13. Changes to This Privacy Policy
We reserve the right to update or amend this Privacy Policy from time to time to reflect changes in our data processing practices, applicable legislation, or regulatory guidance. Any amendments shall be published on the Website, and the "Last Updated" date at the top of this Policy shall be revised accordingly.
Where a material change is made to the way in which we process personal data, we shall make reasonable efforts to notify affected individuals by email or through a prominent notice on the Website prior to the change taking effect. Continued use of the Website following publication of an amended Privacy Policy constitutes acceptance of the updated terms.
14. Complaints and Supervisory Authority
If you are dissatisfied with the way in which we have handled your personal data or responded to a request to exercise your data subject rights, you have the right to lodge a complaint with the relevant supervisory authority.
For individuals in the United Kingdom, the supervisory authority is the Information Commissioner's Office ("ICO"):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk
For individuals residing in an EU Member State, you may lodge a complaint with the data protection authority in your country of habitual residence, place of work, or the place where the alleged infringement occurred. A directory of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority. Accordingly, we kindly request that you contact us first at contact@millbanksports.com so that we may endeavour to resolve the matter directly.
15. Contact Information
For all enquiries, requests, or complaints relating to this Privacy Policy or the processing of your personal data, please contact:
Millbank Sports Limited
Email: contact@millbanksports.com
Website: www.millbanksports.com