Privacy Policy

Privacy Notice

1) Who we are

This Privacy Notice explains how Vaulted Vapes Ltd collects, uses, and protects your personal data when you visit www.vaultedvapes.co.uk and when you use our vape vending machines and services.

We do not market or sell to anyone under 18. Our products are age‑restricted.

 

2) The data we collect

a) On our website

  • Identifiers: name, email, phone, company (for business enquiries).
  • Account details (if you create an account): username, password (hashed), contact preferences.
  • Order & payment details: billing/shipping address, payment method (processed by our chosen payment provider; we don’t store full card details).
  • Support correspondence: messages, attachments, call notes.
  • Technical data: IP address, device/browser info, pages viewed, referring site, time stamps.
  • Cookies & similar tech: essential cookies, analytics (e.g., Google Analytics), marketing cookies (if you consent).

b) When you use our vending machines

  • Age verification: date of birth confirmation, pass/fail result, verification token/reference. If a third‑party provider is used (e.g., ID scan/kiosk check), they may process your ID—please see their privacy notice.
  • Transaction data: items purchased, machine ID/location, time stamp, payment receipt ID (payment handled by our provider).
  • Telemetry & maintenance logs: machine status, error codes, usage counts—generally not personal data, but may be linked to a transaction ID/time.
  • CCTV near machines (if applicable): video footage for security and incident investigation.

c) Business contacts and suppliers (B2B)

  • Professional details: name, role, company, email, phone, contract records.

 

3) How we use your data & lawful bases

We process your data only when we have a lawful basis under UK GDPR:

  • Perform a contract (Article 6(1)(b)): to take orders, process payments, deliver goods, provide support, manage your account.
  • Legal obligation (Article 6(1)(c)): to comply with age‑restricted sales laws, tax/VAT/audit requirements.
  • Legitimate interests (Article 6(1)(f)): to keep our website and machines secure, prevent fraud, maintain and improve our services, handle B2B communications, and operate CCTV for security (balanced against your rights).
  • Consent (Article 6(1)(a)): for optional marketing emails/SMS and non‑essential cookies/analytics. You can withdraw consent at any time.

We do not sell personal data.

 

4) Cookies and analytics

We use cookies to make the site work (essential) and, with your consent, to analyse usage and improve performance (analytics) or personalise offers (marketing).

  • Essential cookies: required for core functionality (security, checkout, login).
  • Analytics cookies (optional): help us understand how visitors use the site.
  • Marketing cookies (optional): personalise content or measure campaign effectiveness.

You can manage preferences through our Cookie Banner and your browser settings. For more detail, see our Cookie Policy.

 

5) Age verification

We verify that customers are 18+ before completing vape purchases via our website or vending machines. Verification may be conducted by:

  • A trusted third‑party age verification provider; or
  • In‑person checks (for serviced machines/events).

We retain only the verification result (pass/fail) and a reference/token where needed to evidence compliance. If a third party scans or validates your ID, they act as an independent controller or processor—see their privacy notice for details.

 

6) CCTV (if applicable)

We may operate CCTV near machines for security, theft/fraud prevention, and incident investigation. Footage is stored securely and retained for a limited period (typically 30 days) unless required longer for an investigation or legal claim. Access is restricted to authorised personnel.

 

7) Who we share your data with

We share data only as necessary:

  • Payment processors: to process transactions and prevent fraud.
  • Age verification providers: to validate age and comply with law.
  • Hosting, IT, and analytics providers: to operate the website and services.
  • Delivery & logistics partners: to fulfill orders (if applicable).
  • Maintenance & field service partners: for machine servicing and incident response.
  • Insurers, auditors, professional advisers: for compliance and business operations.
  • Law enforcement/regulators: where required by law or to protect our rights and safety.

We have appropriate contracts and safeguards with our processors.

 

8) International transfers

If we transfer personal data outside the UK (e.g., to cloud providers), we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses, and conduct transfer risk assessments as required.

 

9) Data retention

We keep data only for as long as necessary:

  • Orders & transactions: typically 6 years for tax/audit requirements.
  • Age verification results: minimum needed to evidence compliance (e.g., 1–3 years, depending on legal/insurance needs).
  • CCTV footage: typically 30 days, longer if needed for an investigation.
  • Support and correspondence: typically 2 years.
  • Marketing preferences: until you opt out or your account is inactive for 24 months.
  • Website analytics data: per tool’s configuration (we aim to minimise retention).

We may adjust periods to meet legal, regulatory, or insurance requirements.

 

10) Your rights

Under UK data protection law, you have:

  • Right of access to your data.
  • Right to rectification of inaccurate data.
  • Right to erasure (where applicable).
  • Right to restrict processing (where applicable).
  • Right to data portability (for data you provided, processed by automated means under consent/contract).
  • Right to object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent at any time (for consent‑based processing).

To exercise your rights, contact us at [privacy@yourdomain.co.uk]. We may need to verify your identity.

If you’re not satisfied, you can complain to the Information Commissioner’s Office (ICO):
www.ico.org.uk | Tel: 0303 123 1113 | Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK.

 

11) Security

We implement technical and organisational measures to protect personal data, including encryption in transit, access controls, and regular security reviews. No system is 100% secure; we work to mitigate risks and respond promptly to incidents.

 

12) Children’s data

We do not knowingly collect personal data from individuals under 18. If we discover such data has been collected, we will delete it promptly.

 

13) Marketing

We send marketing communications only with your consent or where permitted for B2B contacts under legitimate interests. You can opt out at any time via unsubscribe links or by contacting us.

 

14) Updates to this notice

We may update this Privacy Notice from time to time. If changes are material, we’ll highlight them on our website or notify you by email (where appropriate). Please check back regularly to stay informed.

 

15) Contact us

Questions or requests about your data?
Email info@vaultedvapes.co.uk

 

Logo

©Copyright. All rights reserved.

We need your consent to load the translations

We use a third-party service to translate the website content that may collect data about your activity. Please review the details in the privacy policy and accept the service to view the translations.