Privacy policy

Privacy Policy

Last updated: 11 May 2026

This Privacy Policy explains how PROTOKOL 9 collects, uses, stores, and protects your personal data when you visit our website, place an order, or interact with our services.

We are committed to handling your personal data responsibly, transparently, and in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the French Data Protection Act (Loi Informatique et Libertés), and the UK Data Protection Act 2018.


1. Who we are (the data controller)

For the purposes of data protection law, the data controller responsible for your personal data is:

  • [BUSINESS NAME — to be added once your auto-entrepreneur registration is complete]
  • Registered address: [REGISTERED ADDRESS — to be added]
  • SIREN number: [SIREN NUMBER — to be added]
  • Contact: through the Contact page

If you have any questions about this Privacy Policy or about how we handle your personal data, you can reach us through the Contact page at any time.

2. What personal data we collect

We collect the following categories of personal data when you interact with us:

Information you provide directly to us:

  • Name and contact details (email address, delivery address, billing address, phone number if provided)
  • Account credentials if you create an account
  • Order history, including the products you have purchased and your transaction details
  • Communications you send to us through the contact form, email, or social media
  • Reviews, testimonials, photographs, or other content you submit
  • Payment information (processed by our payment provider — we do not store full card details)
  • Membership status and preferences for The Protokol programme

Information collected automatically when you visit the website:

  • IP address and approximate location based on it
  • Browser type, version, and language
  • Device type, operating system, and screen resolution
  • Pages visited, time spent on pages, and navigation paths
  • Referring website or source of traffic
  • Date and time of your visit
  • Cookies and similar tracking technologies (see our Cookie Policy)

Information from third parties:

  • Information from payment providers confirming successful transactions
  • Information from delivery carriers confirming shipping status
  • If you log in or sign up via a social media account (where supported), the information that social platform shares with us according to your privacy settings

We do not knowingly collect personal data from individuals under the age of 18. If you become aware that a minor has provided us with personal data, contact us through the Contact page and we will take steps to delete it.

3. Why we collect your data (purposes and legal bases)

We collect and use your personal data only for specific, legitimate purposes. Under data protection law, every use of personal data must be justified by a "legal basis." The table below summarises why we collect your data and the legal basis for each use.

To process and fulfil your orders Legal basis: performance of a contract

  • Processing payment, dispatching products, providing customer service, handling returns and refunds

To create and manage your account Legal basis: performance of a contract, your consent

  • Maintaining your account, recognising you on return visits, tracking your order history

To send order-related communications Legal basis: performance of a contract

  • Order confirmations, dispatch notifications, delivery updates, refund or replacement confirmations

To send marketing communications Legal basis: your consent, our legitimate interest in promoting our products

  • Newsletter, product launches, promotional offers, and updates about The Protokol. You can withdraw consent at any time by unsubscribing using the link in any marketing email.

To operate The Protokol membership programme Legal basis: performance of a contract, our legitimate interest in customer retention

  • Tracking membership status, applying discounts, sending member-only correspondence

To respond to your enquiries Legal basis: our legitimate interest in providing customer service

  • Replying to contact form submissions, addressing complaints, providing product advice

To improve our products and services Legal basis: our legitimate interest in product improvement

  • Analysing customer feedback, monitoring product safety, identifying patterns in customer questions or concerns

To monitor website performance and prevent fraud Legal basis: our legitimate interest in security and fraud prevention

  • Analysing traffic patterns, detecting suspicious activity, securing our systems

To comply with legal obligations Legal basis: legal obligation

  • Tax reporting, responding to lawful requests from authorities, complying with cosmetic safety regulations, retaining records as required by law

4. Cookies and similar technologies

We use cookies and similar technologies on our website. These help us provide essential website functionality, remember your preferences, understand how customers use the website, and (with your consent) deliver relevant marketing.

For full details about the cookies we use, why we use them, and how to manage your preferences, see our Cookie Policy.

You can adjust your cookie preferences at any time through the cookie consent banner on our website or through your browser settings.

5. Who we share your data with

We do not sell your personal data to anyone. We never have, and we never will.

We share your data only with the following categories of recipients, and only to the extent necessary:

Service providers who help us run the business:

  • Shopify — our e-commerce platform, hosting the website and processing orders
  • Shopify Payments (or alternative payment provider) — processing card payments securely
  • Klaviyo — sending transactional emails and (with your consent) marketing emails
  • Shipping carriers — delivering your orders worldwide
  • Customer service tools integrated with our email platform
  • Cloud storage providers for secure data backup

These service providers are bound by contractual obligations to handle your data only for the purposes we authorise and to maintain appropriate security measures.

Legal and regulatory authorities:

We may disclose personal data when required to do so by law, by court order, or by a legally valid request from a public authority. We may also share data to protect our legal rights, prevent fraud, or address security issues.

In the event of a business transfer:

If our business is ever sold, merged, or reorganised, your personal data may be transferred to the new entity, subject to the same protections set out in this Privacy Policy. We will notify you of any such transfer.

6. International data transfers

PROTOKOL 9 is based in France. Our primary service providers operate in jurisdictions with strong data protection frameworks, including:

  • The European Economic Area (covered by GDPR)
  • The United Kingdom (recognised as providing adequate protection under EU GDPR)
  • The United States and Canada (where we use providers, transfers are made under Standard Contractual Clauses approved by the European Commission, or equivalent safeguards)

When your personal data is transferred outside the European Economic Area, we take steps to ensure that an equivalent level of protection applies.

7. How long we keep your data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, and reporting obligations.

The following general retention periods apply:

Account and order data — for as long as your account is active, plus seven (7) years after your last order, for accounting and tax compliance under French law

Marketing data — until you unsubscribe or withdraw consent, plus a short period for record-keeping purposes (typically 3 years from your last interaction)

Customer service communications — typically 2 to 3 years from the date of the most recent communication

Cookies and similar tracking data — see our Cookie Policy for retention periods of specific cookie types

Anonymised analytics data — may be retained indefinitely for statistical and improvement purposes, as it can no longer identify you

When the retention period expires, we either delete the data securely or anonymise it so that it can no longer be linked to you.

8. Your rights under data protection law

Under EU and UK data protection law, you have the following rights regarding your personal data:

Right of access — You can request a copy of the personal data we hold about you.

Right to rectification — You can request correction of inaccurate or incomplete data.

Right to erasure ("right to be forgotten") — You can request that we delete your personal data, subject to certain legal exceptions.

Right to restriction of processing — You can request that we limit how we use your data in certain circumstances.

Right to data portability — You can request a copy of the data you have provided to us in a structured, machine-readable format, and request that we transfer it to another provider where technically feasible.

Right to object — You can object to our processing of your data based on legitimate interests, and you can object to marketing communications at any time.

Right to withdraw consent — Where we process data based on your consent, you can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Rights related to automated decision-making — We do not currently use automated decision-making or profiling that has a significant legal or similar effect on you. If this changes, we will inform you.

To exercise any of these rights, contact us through the Contact page. We will respond within one month of receiving your request, as required by law. There is no charge for exercising these rights, except in cases of manifestly unfounded or excessive requests.

9. Your right to lodge a complaint

If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the data protection authority in your country of residence.

For customers in France, the relevant authority is the Commission Nationale de l'Informatique et des Libertés (CNIL)https://www.cnil.fr

For customers in the United Kingdom, the relevant authority is the Information Commissioner's Office (ICO)https://ico.org.uk

For customers in other EU countries, you can find your local data protection authority through the European Data Protection Board — https://edpb.europa.eu

We would always appreciate the opportunity to address your concerns before you contact a regulator, so please consider reaching out to us first through the Contact page.

10. How we protect your data

We take the security of your personal data seriously. We have put in place appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Secure HTTPS encryption for all data transmitted to and from our website
  • Industry-standard payment processing that complies with PCI-DSS requirements
  • Restricted access to personal data on a need-to-know basis
  • Regular security reviews of our systems and service providers
  • Secure password practices and authentication requirements

Despite our best efforts, no system can be guaranteed completely secure. If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant data protection authority within 72 hours, as required by law.

11. Children's privacy

Our products and services are intended for adults aged 18 and over. We do not knowingly collect personal data from children under 18. If you are aware that a child has provided us with personal data, contact us through the Contact page and we will delete it.

12. Third-party links

Our website may contain links to third-party websites, including social media platforms, scientific journal databases, and external resources. We are not responsible for the privacy practices of these third parties. We recommend that you read the privacy policies of any third-party website you visit.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, in technology, or in legal requirements. The date of the most recent update is shown at the top of this page.

For material changes that significantly affect how we handle your data, we will notify you in advance through the website or by email if you are a registered customer. Continued use of the website after changes are published constitutes acceptance of the updated policy.

14. Contact

For any questions or concerns about this Privacy Policy or about how we handle your personal data, reach out to us through the Contact page. We respond within one business day.

Cookie Policy

Last updated: 11 May 2026

This Cookie Policy explains what cookies are, what cookies we use on the PROTOKOL 9 website, why we use them, and how you can manage your preferences.

This policy should be read alongside our Privacy Policy, which provides further information about how we handle your personal data.


1. What are cookies?

Cookies are small text files that are placed on your device (computer, tablet, or smartphone) by websites that you visit. They are widely used to make websites work properly, to make them work more efficiently, and to provide information to website owners about how visitors use their sites.

Cookies set by the website you are visiting are called "first-party cookies." Cookies set by other domains than the website you are visiting are called "third-party cookies." Third-party cookies are typically used for analytics, marketing, or social media features.

Cookies may be "session cookies" (which are deleted when you close your browser) or "persistent cookies" (which remain on your device until they expire or you delete them).

2. The cookies we use

We use the following categories of cookies on our website. Some are essential for the website to work, and others require your consent before they are set.

Strictly necessary cookies

These cookies are essential for the website to function properly. They enable core features such as security, network management, account login, and shopping cart functionality. The website cannot function correctly without them.

These cookies do not require consent because they are necessary for the service you have requested.

Examples include:

  • Cookies set by Shopify to maintain your session and cart
  • Cookies used for authentication when you log into your account
  • Cookies used to record your cookie consent preferences

Functional cookies

These cookies enable enhanced functionality and personalisation, such as remembering your preferences (language, currency, region) and improving your experience.

If you do not allow these cookies, some parts of the website may not function as smoothly.

Analytics cookies

These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. They tell us which pages are most popular, how visitors navigate the site, and where they might encounter issues.

We use this information to improve the website experience.

Examples may include:

  • Cookies set by Shopify's built-in analytics
  • Cookies from analytics services such as Google Analytics (where used)

These cookies are only set with your consent.

Marketing cookies

These cookies are used to track your activity across websites in order to deliver advertising that is more relevant to you. They may be set by us or by third-party advertising partners.

We may use marketing cookies for purposes such as:

  • Showing relevant ads on social media platforms (e.g. Meta, Instagram)
  • Measuring the effectiveness of our advertising campaigns
  • Building audiences for retargeting and lookalike marketing

These cookies are only set with your consent.

3. Specific third-party services

The following third-party services may set cookies on our website. Each operates under its own privacy and cookie policies, which we encourage you to review.

Service Purpose More information
Shopify E-commerce platform and analytics https://www.shopify.com/legal/privacy
Klaviyo Email marketing and customer engagement https://www.klaviyo.com/legal/privacy-policy
Meta (Facebook/Instagram) Marketing pixel for ad measurement (if active) https://www.facebook.com/policy.php
Google Analytics and ad services (if active) https://policies.google.com/privacy

If we add or remove third-party services that use cookies, we will update this policy accordingly.

4. How to manage your cookie preferences

You have full control over which cookies are set on your device. You can manage your preferences in the following ways:

Through our cookie consent banner

When you first visit our website, you will see a cookie consent banner that allows you to accept all cookies, reject non-essential cookies, or customise your preferences. You can change your settings at any time by clicking the cookie preferences link in the website footer.

Through your browser settings

Most browsers allow you to block or delete cookies through their settings. The location of these settings varies by browser, but you can typically find them under the "Privacy" or "Security" section of your browser preferences.

Helpful guides for major browsers:

Note that if you block or delete strictly necessary cookies, parts of the website may not function correctly.

Through third-party opt-out tools

You can also opt out of certain third-party tracking through industry-wide tools such as:

5. Do Not Track signals

Some browsers offer a "Do Not Track" (DNT) setting that signals to websites that you do not wish to be tracked. As there is no universally accepted standard for how websites should respond to DNT signals, we currently do not respond to them. We respect your cookie preferences as set through our consent banner.

6. Changes to this Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in the cookies we use, in technology, or in legal requirements. The date of the most recent update is shown at the top of this page.

If we make material changes, we will notify you through the website or by other appropriate means.

7. Contact

If you have any questions about our use of cookies, reach out to us through the Contact page. We respond within one business day.