Privacy Policy
Last updated: 7 March 2026
Bootle AB ("Bootle," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you visit our website at bootle.io, place an order, subscribe to our communications, or otherwise interact with us.
Please read this policy carefully. By using our website or services, you acknowledge that you have read and understood this Privacy Policy.
Contents
- 1. Data Controller
- 2. Information We Collect
- 3. How and Why We Use Your Information
- 4. Who We Share Your Information With
- 5. Cookies and Tracking Technologies
- 6. International Data Transfers
- 7. Data Retention
- 8. Data Security
- 9. Children's Privacy
- 10. Your Privacy Rights
- 11. Automated Decision-Making
- 12. Updates to This Policy
- 13. Contact Us
- 14. How to Exercise Your Rights
1. Data Controller
The data controller responsible for your personal information is:
Bootle AB
Org. nr. 559333-3379
Nybrogatan 6, 114 34 Stockholm, Sweden
Email: privacy@bootle.io
Our lead supervisory authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, "IMY"), Box 8114, 104 20 Stockholm, Sweden. Website: imy.se
UK Representative: George Barker (Co-Founder)
Email: george@bootle.io
Address: 124 City Road, London, EC1V 2NX
2. Information We Collect
2.1 Information You Provide to Us
- Order information: name, email address, phone number, shipping address, billing address, and order details when you make a purchase. We operate guest checkout only — no user accounts are created.
- Payment information: payment card details are collected and processed exclusively by our payment processor, Stripe. We never receive, store, or have access to your full card number.
- Marketing communications: email address and name when you subscribe to our newsletter or marketing emails.
- Product reviews: name, star rating, review text, and optional photos or videos when you submit a review via Klaviyo Reviews.
- Customer support: any information you provide when you contact us with a question, complaint, or request.
- B2B enquiries: company name, contact name, email, phone, role, and engraving specifications when you enquire about corporate gifting.
2.2 Information Collected Automatically
When you visit our website, we automatically collect certain information, including:
- IP address
- Browser type and version
- Device type and operating system
- Language preferences
- Referring URLs and pages visited
- Country and approximate location (derived from IP address)
- Usage data such as pages viewed, time on site, clicks, and interactions
2.3 Cookies and Similar Technologies
We use cookies and similar technologies to collect some of the information described above. For full details on the cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.
2.4 Information We Do Not Collect
We do not process sensitive personal information (such as racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, or biometric data). We do not offer social login or require user account creation.
3. How and Why We Use Your Information
We process your personal information only where we have a valid legal basis to do so. The table below sets out our processing purposes and the corresponding legal basis under the GDPR.
| Purpose | Legal Basis |
|---|---|
| Order fulfilment and delivery | Performance of contract (Art. 6(1)(b) GDPR) |
| Payment processing via Stripe | Performance of contract (Art. 6(1)(b) GDPR) |
| Customer support and enquiries | Legitimate interest (Art. 6(1)(f) GDPR) |
| Email marketing and newsletters (Klaviyo) | Consent (Art. 6(1)(a) GDPR) |
| Targeted advertising (Meta, TikTok) | Consent (Art. 6(1)(a) GDPR) |
| Website analytics (GA4, Hotjar) | Consent (Art. 6(1)(a) GDPR) in the EU/UK; Legitimate interest elsewhere |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f) GDPR) |
| Product reviews (Klaviyo Reviews) | Consent (Art. 6(1)(a) GDPR) |
| B2B corporate gifting enquiries | Legitimate interest / pre-contractual steps (Art. 6(1)(b)/(f) GDPR) |
| Legal compliance (tax, accounting records) | Legal obligation (Art. 6(1)(c) GDPR) |
| Website functionality (country detection, sessions) | Legitimate interest (Art. 6(1)(f) GDPR) |
Where we rely on legitimate interest, we have carried out a balancing assessment to ensure that your rights and freedoms are not overridden. You may contact us at privacy@bootle.io to request details of these assessments.
4. Who We Share Your Information With
We share your personal information with the following categories of third parties, solely for the purposes described below.
| Third Party | Data Shared | Purpose | Location |
|---|---|---|---|
| Shopify Inc. | Order data, customer information, browsing activity | E-commerce platform | US, Canada |
| Stripe Inc. | Payment card data | Payment processing | US |
| Google LLC (GA4) | IP address, device information, browsing behaviour | Website analytics | US |
| Meta Platforms Inc. (Pixel + Conversions API) | IP address, device information, browsing events, purchase events | Advertising and attribution | US |
| TikTok (ByteDance Ltd) | IP address, device information, browsing events | Advertising and attribution | US, Singapore |
| Hotjar Ltd | IP address (anonymised), device information, session recordings | UX analytics | Malta (EU) |
| Klaviyo Inc. | Email, name, browsing activity, order data, reviews | Email marketing and reviews | US |
| 123PL | Name, address, order and shipping details | Order fulfilment | UK |
| Royal Mail / FedEx | Name, address | Shipping carriers | UK |
We do not sell your personal information. However, we share certain information with advertising partners (Meta, TikTok) for cross-context behavioural advertising. Under California law (CCPA/CPRA), this may constitute "sharing." You may opt out of this sharing via our Cookie Preference Centre.
Business transfers: If Bootle AB is involved in a merger, acquisition, reorganisation, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5. Cookies and Tracking Technologies
We use cookies and similar technologies on our website. These include strictly necessary cookies (required for the website to function), analytics cookies, and marketing cookies.
You can manage your cookie preferences at any time through our Cookie Preference Centre, accessible via the cookie banner or in the footer of our website.
For a full list of cookies we use, their purposes, durations, and providers, please see our Cookie Policy.
6. International Data Transfers
Bootle AB is based in Sweden (EU/EEA). Some of the third parties we work with are located outside the EEA. We ensure that all international data transfers are protected by appropriate safeguards as required by the GDPR.
| Destination | Recipients | Safeguard |
|---|---|---|
| United States | Shopify, Stripe, Google, Meta, TikTok, Klaviyo | EU-US Data Privacy Framework (where certified) and/or Standard Contractual Clauses (SCCs) |
| Canada | Shopify | EU adequacy decision |
| Singapore | TikTok | Standard Contractual Clauses (SCCs) |
| Malta (EU) | Hotjar | No additional safeguards required (EEA) |
| United Kingdom | 123PL, Royal Mail, FedEx | EU adequacy decision |
No personal data is transferred to China. All manufacturing-related data (such as B2B engraving specifications) is handled at our UK fulfilment facility only.
You may request a copy of the safeguards we use for international transfers by contacting us at privacy@bootle.io.
7. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are set out below.
| Data Category | Retention Period | Reason |
|---|---|---|
| Order and transaction data | 7 years from date of transaction | Swedish Bokföringslag (Accounting Act) |
| Marketing and newsletter data | Until consent is withdrawn, plus 30 days | GDPR consent requirements |
| Analytics data (GA4) | 14 months | GA4 default retention setting |
| Session recordings (Hotjar) | 365 days | Hotjar default retention |
| Customer support correspondence | 3 years from last contact | Legitimate interest |
| Cookie consent records | Duration of consent, plus 1 year | Accountability and compliance |
| Product reviews | Indefinitely while published; deleted upon request | Consent and legitimate interest |
| B2B enquiry data | 3 years from last contact | Pre-contractual steps and legitimate interest |
When personal information is no longer required, we securely delete or anonymise it.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS/SSL), secure payment processing via Stripe (PCI DSS compliant), access controls, and regular review of our security practices.
While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your personal information.
9. Children's Privacy
Our website and services are not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@bootle.io.
10. Your Privacy Rights
10.1 EEA and UK Residents (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR:
- Right of access (Art. 15) — You may request a copy of the personal information we hold about you.
- Right to rectification (Art. 16) — You may request that we correct inaccurate or incomplete personal information.
- Right to erasure (Art. 17) — You may request that we delete your personal information, subject to certain legal exceptions.
- Right to restrict processing (Art. 18) — You may request that we limit how we use your personal information.
- Right to data portability (Art. 20) — You may request to receive your personal information in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — You may object to processing based on legitimate interest, including direct marketing.
- Right to withdraw consent (Art. 7) — Where we process your data based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority.
Lead supervisory authority: IMY (Integritetsskyddsmyndigheten), Box 8114, 104 20 Stockholm, Sweden. Website: imy.se
UK supervisory authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Website: ico.org.uk
10.2 US Residents (CCPA/CPRA and State Privacy Laws)
If you are a resident of California or another US state with applicable privacy legislation, you may have the following rights:
- Right to know — You may request information about the categories and specific pieces of personal information we have collected about you.
- Right to delete — You may request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to correct — You may request that we correct inaccurate personal information.
- Right to opt out of sale or sharing — You may opt out of the "sale" or "sharing" of your personal information for cross-context behavioural advertising.
- Right to non-discrimination — We will not discriminate against you for exercising any of your privacy rights.
- Right to limit use of sensitive personal information — We do not collect sensitive personal information as defined by California law.
Categories of Personal Information Collected in the Last 12 Months
| Category (per Cal. Civ. Code 1798.140) | Collected |
|---|---|
| A. Identifiers (name, email, phone, address) | Yes |
| B. California Customer Records (name, address, phone) | Yes |
| C. Protected classifications | No |
| D. Commercial information (purchase history, order data) | Yes |
| E. Biometric information | No |
| F. Internet or network activity (browsing, interactions) | Yes |
| G. Geolocation data (IP-based approximate location) | Yes |
| H. Sensory data (audio, visual) | No |
| I. Professional or employment-related information | No |
| J. Non-public education information | No |
| K. Inferences drawn from other PI | No |
| L. Sensitive personal information | No |
We share personal information with advertising networks (Meta, TikTok) for cross-context behavioural advertising. The categories shared include identifiers, internet or network activity, and geolocation data. You may opt out of this sharing via our Cookie Preference Centre.
Global Privacy Control (GPC)
We honour Global Privacy Control (GPC) signals as a valid opt-out request where required by applicable law.
Do Not Track (DNT)
We do not currently respond to Do Not Track browser signals, as no uniform standard for interpreting these signals has been adopted.
11. Automated Decision-Making
We do not make automated decisions that produce legal or similarly significant effects about you. We use audience segmentation tools (such as Klaviyo and Meta) to deliver relevant marketing communications and advertisements, but these activities do not produce legal or similarly significant effects on you.
12. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page.
We encourage you to review this page periodically. For material changes, we will make reasonable efforts to notify you, such as by displaying a notice on our website or sending you an email.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Bootle AB
Org. nr. 559333-3379
Nybrogatan 6, 114 34 Stockholm, Sweden
Email: privacy@bootle.io
UK Representative:
George Barker
Email: george@bootle.io
Address: 124 City Road, London, EC1V 2NX
14. How to Exercise Your Rights
To exercise any of the rights described in this Privacy Policy, please submit a request by emailing privacy@bootle.io. Include your full name and the email address associated with your interaction with us so that we can locate your information.
We will respond to your request within:
- 30 days for requests under the GDPR / UK GDPR
- 45 days for requests under the CCPA / CPRA
These timeframes may be extended where permitted by law, in which case we will inform you of the extension and the reasons for it.
We may need to verify your identity before processing your request to protect your privacy and security. If we cannot verify your identity, we may be unable to fulfil your request.
If you have previously consented to receiving marketing emails, you can withdraw your consent at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at privacy@bootle.io.