Privacy Policy
Effective date: 30/05/2026
Last updated: 30/05/2026
This Privacy Policy explains what personal data we collect when you visit atelierbrim.co.uk, why we collect it, how we look after it, and the rights you have under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and the Data (Use and Access) Act 2025.
If you have any question about this policy or how we handle your personal data, please email our Data Protection contact at studio@atelierbrim.co.uk.
1. Who we are (data controller)
atelierbrim is the trading name of ZIIEMA, a French sole-trader business (micro-entreprise). ZIIEMA is operated by Jamiil Booly and is the data controller for the personal data we collect through atelierbrim.co.uk.
- Trading name: atelierbrim
- Legal entity: ZIIEMA (micro-entreprise, France)
- Registered address: 92 Rue Mstislav Rostropovitch, 75017 Paris, France
- SIRET: 99262902200029
- EORI (UK): GB031660548000
- Data controller contact (DPO function): studio@atelierbrim.co.uk
- General customer service: care@atelierbrim.co.uk
- Pre-sales enquiries: hello@atelierbrim.co.uk
atelierbrim is an overseas seller that ships hats from France to consumers in the United Kingdom. Because we offer goods to UK consumers, the UK GDPR applies to our processing of UK personal data under Article 3(2) of the UK GDPR.
We are not currently required to pay the ICO Data Protection Fee because we have no establishment or representative in the United Kingdom; we will register if and when our UK presence triggers the requirement. If you are based in the European Union, the EU GDPR also applies to our processing of your personal data under our French establishment.
2. What personal data we collect
We collect the following categories of personal data.
Identity and contact data
- First name, last name
- Delivery address (UK)
- Billing address
- Email address
- Telephone number (where you provide it)
Transaction data
- Order history (products, quantities, prices in GBP)
- Payment confirmation reference (we do not store full card numbers — see §5)
- Refund and return history
Marketing data
- Newsletter subscription status (opt-in / opt-out)
- Preferences and communication history
- Customer service messages (email, contact form)
Technical and usage data
- IP address (anonymised where possible)
- Browser type and version
- Device type, operating system
- Pages visited, time on site, referring URL
- Cookie identifiers (only where you have given consent — see our Cookie Policy)
We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child without parental consent, we will delete it without delay.
3. How we collect your personal data
We collect personal data when you:
- Place an order on atelierbrim.co.uk
- Create a customer account
- Subscribe to our newsletter
- Contact us by email or via our contact form
- Submit a return or refund request
- Browse our website (technical and cookie data, where consent is given)
- Respond to a survey or review request after purchase
We may also receive limited data from our payment processor (Shopify Payments / Stripe) to confirm that your transaction has been authorised. We do not buy or import marketing lists from third parties.
4. Why we use your personal data (lawful bases under Article 6 UK GDPR)
The UK GDPR requires a specific lawful basis for every processing activity. We rely on the following four bases:
| Purpose | Data used | Lawful basis |
|---|---|---|
| Process your order, take payment, deliver and handle returns | Name, address, email, payment confirmation, order data | Contract — Article 6(1)(b) |
| Provide post-purchase customer service (refund, return, query) | Name, email, order data, message content | Contract — Article 6(1)(b) |
| Comply with UK tax law (HMRC NETP) and accounting obligations | Order data, VAT records | Legal obligation — Article 6(1)(c) |
| Prevent fraud, secure our site, manage risk | IP address, device data, transaction patterns | Legitimate interests — Article 6(1)(f) |
| Improve our products and service (anonymised analytics) | Aggregated technical data | Legitimate interests — Article 6(1)(f) |
| Send marketing emails to subscribers and prospects | Email, preferences | Consent — Article 6(1)(a) |
| Send post-purchase marketing about similar products | | PECR soft opt-in (with clear free opt-out in every message) |
| Place non-essential cookies (analytics, marketing) | Cookie identifiers, IP | Consent — Article 6(1)(a) + PECR |
You can withdraw your consent at any time without affecting the lawfulness of processing before withdrawal. You can object at any time to processing based on legitimate interests; for direct marketing the objection is absolute (see §8).
5. Who we share your personal data with (processors)
We never sell your personal data. We share it only with the processors strictly required to operate atelierbrim, each bound by a written data-processing agreement that meets UK GDPR Article 28 requirements.
| # | Processor | Country | Purpose | Transfer mechanism |
|---|---|---|---|---|
| 1 | Shopify Inc. | Canada | Store platform, hosting, order processing | UK adequacy regulations for Canadian commercial organisations subject to PIPEDA + Shopify Data Processing Addendum + UK Addendum to SCCs where applicable |
| 2 | Shopify Payments / Stripe | United Kingdom and Ireland | Payment authorisation and processing (we never see your card details) | UK / EEA — adequacy |
| 3 | Klaviyo, Inc. | United States | Email marketing platform (newsletter, post-purchase emails) | UK Extension to the EU-US Data Privacy Framework + Klaviyo DPA + UK IDTA where applicable |
| 4 | Google Workspace (Google LLC) | United States | Business email hosting for @atelierbrim.co.uk | UK Extension to the EU-US Data Privacy Framework (subject to Google LLC's DPF certification status; UK Addendum to SCCs as a fallback) |
| 5 | Google Analytics 4 (Google LLC) | United States | Website analytics (loaded only after cookie consent — see Cookie Policy) | UK Extension to the EU-US Data Privacy Framework + IP anonymisation enabled |
| 6 | Squarespace, Inc. | United States | DNS resolution for atelierbrim.co.uk and atelierbrim.uk | UK SCCs / UK Extension DPF |
| 7 | La Poste — Colissimo | France | Standard international shipping carrier (FR → UK) | UK ↔ EU adequacy decision (2021, renewed 2025) |
| 8 | Chronopost | France | Express international shipping carrier (FR → UK) | UK ↔ EU adequacy decision (2021, renewed 2025) |
| 9 | Royal Mail Group (via international carrier handover) | United Kingdom | UK domestic last-mile delivery handled by Colissimo's UK partner network — no direct contract between atelierbrim and Royal Mail at this stage | UK — no transfer required |
We may disclose your data to law enforcement, regulators, or courts where we are legally required to do so. We will tell you about such a disclosure unless we are prohibited from doing so by law.
We do not use Meta Pixel, TikTok Pixel, or any third-party advertising tracker at this time. If we add an advertising processor in the future, we will update this Privacy Policy and request fresh consent through our Cookie Policy where required.
6. International data transfers
Some of our processors are located outside the United Kingdom. When we transfer your personal data outside the UK, we rely on one or more of the following safeguards approved by the ICO:
- UK adequacy regulations for transfers to the European Economic Area (renewed by the European Commission in June 2025).
- UK Extension to the EU-US Data Privacy Framework for transfers to certified United States organisations.
- UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses for all other transfers.
- A documented transfer risk assessment (TRA) where required by ICO guidance.
You can request a copy of the transfer mechanism that applies to a specific transfer by writing to our Data Protection contact (see §13).
7. How long we keep your personal data (retention)
We keep your personal data only for as long as we need it for the purposes set out in this Privacy Policy, and in line with statutory retention rules.
| Category | Retention period | Reason |
|---|---|---|
| Order, invoice, and accounting records | 6 years after the end of the financial year | HMRC record-keeping requirement (VAT Notice 700/21 and the obligation to retain accounting records for at least 6 years) |
| Customer account data | While your account is active, then 2 years of inactivity | Customer service continuity, then minimisation |
| Marketing data (subscribed) | Until you unsubscribe or withdraw consent | UK GDPR Article 7(3) + PECR |
| Customer service correspondence | 3 years from last contact | Resolution of disputes, refunds, CRA / CCR claims |
| Cookie data | Per cookie — see our Cookie Policy | PECR + ICO cookies guidance (April 2026) |
| Returns and refund records | 6 years | Tax and consumer-law evidence |
| Technical logs (server, security) | 12 months | Fraud prevention, IT security |
Note on UK VAT records: our UK VAT registration is currently being processed by HMRC. UK VAT records will be kept for at least 6 years from the effective date of registration in accordance with HMRC NETP rules.
When the retention period ends, we either delete the data securely or anonymise it so that it can no longer be linked to you.
8. Your rights under UK GDPR
You have the following rights over your personal data. You can exercise any of them free of charge by emailing studio@atelierbrim.co.uk. We will respond within one month (extendable to three months for complex requests, with notice).
(a) Right of access — Article 15: Ask for a copy of the personal data we hold about you.
(b) Right to rectification — Article 16: Ask us to correct inaccurate or incomplete data.
(c) Right to erasure ("right to be forgotten") — Article 17: Ask us to delete your data, subject to exceptions (for example, where we must keep tax records for 6 years).
(d) Right to restriction of processing — Article 18: Ask us to limit how we use your data while a query is resolved.
(e) Right to data portability — Article 20: Ask us to send your data to you or to another controller in a structured, commonly used, machine-readable format.
(f) Right to object — Article 21: Object to processing based on legitimate interests, including direct marketing (where you object to marketing, we will stop without exception).
(g) Right to withdraw consent — Article 7(3): Withdraw any consent you have given (for example, marketing emails or non-essential cookies) at any time. Withdrawal does not affect processing that took place before withdrawal.
We may ask you to verify your identity before we act on a request, to make sure we do not disclose your data to the wrong person.
If you are not happy with how we respond, you can complain (see §10).
9. How we keep your personal data secure
We use a combination of technical and organisational measures to protect your personal data, including:
- TLS / HTTPS encryption on every page of atelierbrim.co.uk
- Tokenised payments through Shopify Payments / Stripe (we never store full card details)
- Two-factor authentication on every administrator account (Shopify, Klaviyo, Google Workspace)
- Minimum-access principle — only the sole trader has full access to personal data; processors only see the data needed to perform their function under their data-processing agreement
- Regular software updates and security patches on Shopify and Google Workspace
- Written data-processing agreements with every processor listed in §5
- A documented incident-response process — we will notify the ICO within 72 hours and affected customers without undue delay if a personal-data breach is likely to result in a risk to your rights and freedoms (UK GDPR Articles 33-34)
No system is ever completely secure, but we work continuously to keep your data safe.
10. Complaints
If you are concerned about how we handle your personal data, please write to us first at our Data Protection contact (see §13). We aim to resolve every complaint quickly and fairly.
You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
For free, independent consumer advice on your data and consumer rights, you can also contact Citizens Advice at citizensadvice.org.uk or on 0808 223 1133 (consumer helpline). Local Trading Standards services can take enforcement action where a trader breaches consumer law.
Complaining to the ICO does not affect any other legal remedy you may have, including a claim for compensation under section 168 of the Data Protection Act 2018.
11. Cookies and similar technologies
We use cookies and similar technologies on atelierbrim.co.uk. Some are strictly necessary to operate the site (for example, your shopping basket) and do not require consent. Others (analytics, preferences, marketing) are loaded only after you have given consent through our cookie banner, in line with PECR and the ICO Cookies guidance (April 2026 update).
Full details — including a list of every cookie, its purpose, its duration, and how to change your preferences — are set out in our Cookie Policy [link: /pages/cookie-policy].
You can change or withdraw your cookie consent at any time by clicking the "Cookie preferences" link in the footer of every page on atelierbrim.co.uk. The cookie banner can be re-triggered at any moment from this link, with equal prominence given to "Accept" and "Reject" choices in line with the ICO Cookies guidance (April 2026).
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in the law or in our processors. The "Last updated" date at the top of this page shows the most recent revision.
For material changes that affect how we use your personal data, we will tell you in advance — by an on-site notice, an email to your registered address, or a banner on the home page — and we will obtain fresh consent where the law requires it.
13. Contact
- Data Protection contact (DPO function): studio@atelierbrim.co.uk
- General customer service: care@atelierbrim.co.uk
- Pre-sales enquiries: hello@atelierbrim.co.uk
- Telephone (UK): [UK phone — TBD]
- Registered address: 92 Rue Mstislav Rostropovitch, 75017 Paris, France
Your statutory rights under the UK GDPR, the Data Protection Act 2018, and the Consumer Rights Act 2015 always apply regardless of any choice of law. Disputes about our processing of UK personal data may be brought before the ICO or the courts of England and Wales. Disputes about the establishment of the data controller are governed by French law.
ZIIEMA, trading as atelierbrim · SIRET 99262902200029 · EORI GB031660548000