Privacy Policy
Effective date: 11/04/2026 Last updated: 11/04/2026 Version: 1.0
1. About This Policy
This privacy policy ("Policy") describes how Nolli Ltd ("we", "us" or "our") collects, uses, shares and protects your personal data.
Data controller: Nolli Ltd, a company registered in England and Wales under company number 17123844, with its registered office at Terminal E2, Farnborough Airport, Farnborough, Hampshire, United Kingdom, GU14 6XA.
Data protection contact: If you have any questions about this Policy or how we handle your personal data, please contact us at privacy@nolli.co.uk.
This Policy is separate from our Terms of Service, which sets out the legal contract between you and Nolli Ltd for using our services.
We respect your right to privacy and ask that you read this Policy carefully, as it contains important information about how we collect and use your personal data.
This Policy applies to personal data we collect through our website, in connection with the services we provide, from third-party sources, and through customer support or promotional programmes. In this Policy, we refer to all of these collectively as our "services".
If you provide us with personal data about other people, you must ensure you have the appropriate authority or consent to do so before sharing it with us.
2. Personal Data We Collect and How We Obtain It
The personal data we collect depends on how you interact with us. We collect personal data in the following ways:
Directly from you - This includes when you visit our website, use our services, or provide personal data through other interactions with us. For example, we ask for your telephone number and email address when you register for our services, and we collect your contact information and any other details you share when you request support. You are not obliged to provide us with personal data, but if you choose not to, you may be unable to use some or all of our services.
Automatically - We collect some personal data about you automatically when you visit our website, interact with our social media accounts or business pages, or use our services. For example, we collect data about the pages you view and the links you select.
From third parties - Although we collect the majority of personal data directly from you or automatically, we sometimes obtain it from other sources. For example, from trusted third parties and service providers that help us deliver our services (such as providers of email, hosting, marketing, analytics, financial, credit and payment services) and from social media platforms.
Categories of Personal Data
The table below summarises the categories of personal data we collect and their sources.
| Category | Description | Sources |
|---|---|---|
| Identity and contact data | Your telephone number, email address, social media handle, or any personal information you voluntarily provide in a customer service request or in comments on social media. | Directly from you, automatically, or from third parties. |
| Subscription data | Your subscription identifier, subscription start and end dates, and subscription tier. | Directly from you, automatically, or from third parties. |
| Communications data | Feedback on our services and other communications with us or with our service providers. | Directly from you, automatically, or from third parties. |
| Marketing and advertising data | Interests based on your use of our services, survey responses, promotions you enter, communication preferences, subscription details, and interactions with our social media accounts and business pages. | Directly from you, automatically, or from third parties. |
| Device data | Data collected using tags and pixels, including your IP address, internet service provider, browser type, device type and location, operating system, device identifiers, and advertising identifiers. | Automatically or from third parties. |
| Service usage data | Information about your interaction with our services and with our marketing and advertising campaigns, including page views, searches, clicks, content interaction, length of visits, and other functional information on service performance. This also includes service utilisation, such as features you purchase and use. | Automatically or from third parties. |
| Uploaded content | Any personal data contained in photographs, videos, or audio recordings that you share online by tagging our social media accounts or business pages. | Directly from you. |
| Enrichment data | Profile information, engagement data, and behavioural tracking obtained from social media platforms. | Automatically or from third parties. |
3. Core Automated Processes
We rely on automated processes and artificial intelligence tools to enable essential parts of our services, including the processing of emails sent to us.
Email Processing
When you send an email to track@nolli.co.uk, we use artificial intelligence to extract retailer and order information, which enables us to calculate your return deadlines. The results of this extraction are presented to you within the service, and you have the opportunity to review and correct any information before it is used. These emails are deleted upon successful processing. If we are unable to extract the required information automatically, your email will be reviewed by a member of our team and deleted upon successful processing or when it is established that processing is not possible.
Fair Usage Detection
Nolli Ltd uses algorithms to detect usage that is contrary to our Fair Usage Policy (https://www.nolli.co.uk/fair-usage). If our systems identify activity that may breach the Fair Usage Policy, we may restrict or suspend access to your account. You may contest any such decision by contacting us at privacy@nolli.co.uk.
4. How We Use Your Personal Data
We use your personal data for the purposes set out below, together with the lawful basis we rely on for each purpose under the UK General Data Protection Regulation ("UK GDPR").
| Purpose | Lawful Basis |
|---|---|
| To deliver our services - for example, to register you for our services, send you returns dealine notifications, manage your trial or subscription, and facilitate your purchase of services. | Performance of a contract. |
| To communicate with you about our services - for example, to send you service updates, invoices, technical notices, security alerts, support messages, responses to your enquiries, and information about changes to our terms or policies. We may contact you by email, WhatsApp, SMS, or other messaging channels. | Performance of a contract. |
| For quality assurance, training, and record-keeping - for example, to review communications with you in order to improve our customer support service. | Legitimate interest: improving our services for our users. |
| For security management - for example, to address threats and fraud, protect you, our business and our people, and to enforce our policies and Terms of Service. We may use malware detection and other monitoring tools to identify suspicious activity and block unauthorised access. | Legitimate interest: protecting our services and users against fraud and other unlawful activity, and protecting our business from unfair use. |
| To evaluate and develop new features, technologies, and improvements to our services. | Legitimate interest: developing and improving products and features for our users. |
| To diagnose, troubleshoot, and fix issues with our services. | Performance of a contract. |
| For marketing or advertising where consent is required by law - for example, when we use cookies to understand your interests. | Consent. |
| For other marketing, promotion, and advertising purposes where consent is not required by law - for example, when we contact existing users about newly launched products or services. | Legitimate interest: business growth. We conduct a balancing test to ensure our interests do not override your rights and freedoms. |
| To conduct research and surveys - for example, when we contact our users to ask for feedback. | Legitimate interest: understanding how users think about and use our services so that we can improve them. |
| For legal and regulatory compliance - for example, asking users to self-attest that they are over 18 years of age. | Compliance with a legal obligation. |
| To establish, exercise, and defend legal claims - for example, if we are involved in litigation and need to provide information to our legal advisers. | Legitimate interest: seeking legal advice and protecting ourselves, our users, or others in legal proceedings. |
| To conduct business planning, reporting, and forecasting, and to measure the effectiveness of marketing and advertising - for example, when we analyse aggregated user data such as the number of new registrations in order to monitor business growth. | Legitimate interest: researching and planning so that we can continue to operate our business successfully. |
5. Cookies and Related Technologies
We use cookies and other online identifiers on our website, in our emails, and in our online advertising for the purposes described in this Policy.
Cookies are small text files stored on your browser or device by websites, applications, online media, and advertisements. We use cookies and similar technologies for purposes including:
- authenticating users;
- remembering user preferences and settings;
- determining the popularity of content;
- delivering and measuring the effectiveness of advertising campaigns; and
- analysing site traffic and trends, and generally understanding the online behaviours and interests of people who interact with our services.
We may also permit third parties to provide audience measurement and analytics services for us, to serve advertisements on our behalf across the internet or for other companies' products and services on our website, and to track and report on the performance of those advertisements. These third parties may use cookies, web beacons, software development kits, and other technologies to identify the devices used by visitors to our website, as well as when those visitors access other online sites and services.
For detailed information about the specific cookies we use, their purposes, and how to manage your cookie preferences, please refer to our Cookie Policy at https://www.nolli.co.uk/cookie-policy.
6. Data Sharing and Disclosure
We may share your personal data with the following categories of third parties:
- accountants, consultants, solicitors, and other professional service providers;
- advertising and marketing partners and providers, including advertising and marketing publishers (such as social media platforms), advertising networks and advertisers, third-party data providers, advertising technology vendors, measurement and analytics providers, and other service providers;
- advertising intermediaries, such as Google and others -- we share data including advertising or device identifiers, hashed email addresses, and advertising interaction data with these intermediaries to enable their services and for such other purposes as are disclosed in their privacy notices (you may opt out of advertisement personalisation in your browser settings, and you can visit these intermediaries' privacy notices for further information about their data handling practices);
- cloud storage and hosting providers;
- customer support platform and service providers;
- payment processors and facilitators, including Stripe;
- research partners, including those carrying out surveys or research projects in partnership with us or on our behalf;
- social media companies, including Meta and TikTok, in connection with our use of their tools on our website and social media platforms;
- service providers that assist us to enhance the safety and security of our website and services;
- service providers that provide us with artificial intelligence tools and services; and
- regulators, law enforcement agencies, and other authorities where we believe in good faith that it is necessary to do so, for example to comply with a legal obligation.
We may also share data with others in connection with, or during negotiations of, any merger, sale of company assets, or acquisition of all or a portion of our business by or into another company.
7. Data Retention and Deletion
We retain your personal data for as long as we have an ongoing relationship with you and for a period of time afterwards where we have an ongoing business or legal need to do so.
The specific retention periods we apply are as follows:
| Data Type | Retention Period |
|---|---|
| Account data | For the Life of Account (LOA) |
| Emails forwarded to track@nolli.co.uk | Deleted upon successful processing. If processing fails, deleted upon manual processing or when it is established that processing is not possible. |
| All other email communication | 7 years |
| Transaction and billing data | 7 years after the transaction. |
| Marketing and communications data | 7 years. |
| Device and usage data | For the Life of Account (LOA) |
Where we do not need to retain your data in order to provide our services, or for the purposes of our tax, legal, or regulatory requirements, we will delete once your data is no longer necessary for the purposes for which we collected it. Retention periods vary depending on the type of data and the purposes for which we collected it.
Account Deletion
You may request that we delete your account by contacting us at privacy@nolli.co.uk.
Following an account deletion request, we delete your account and data, except where retention is necessary for the purposes of safety, security, fraud prevention, compliance with legal requirements, or because of issues relating to your account (such as unresolved claim, or dispute). For example, if you are banned from using our services because of serious fraudulent behaviour, we will retain your data after an account deletion request to prevent you from re-obtaining access to our services.
The categories of data that we retain in such circumstances vary depending on the purpose for the retention. For example, if we retain your data due to fraudulent behaviour, we will retain the data relating to such behaviour and the data that we need to prevent you from further accessing our services, which may include your account information, transaction data, and user content and communications data.
We generally delete data within 90 days of an account deletion request, except where retention is necessary for the reasons described above.
8. International Transfers
When we share personal data, it may be transferred to and processed in countries other than the United Kingdom, including the United States and the Netherlands, due to the location of our data hosting platforms and artificial intelligence tools.
These countries may have data protection laws that differ from those in the United Kingdom. Where we transfer personal data outside the United Kingdom, we ensure that appropriate safeguards are in place in accordance with the UK GDPR, including:
- transfers to countries that have been granted an adequacy decision by the Secretary of State (this applies to the Netherlands and the United States amongst others);
- the use of the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; or
- other lawful transfer mechanisms as appropriate.
Your communications and personal data will not be used for artificial intelligence model training.
9. Children's Data
Our services are not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. We ask users to self-attest that they are aged 18 or over when registering for our services.
If we become aware that we have collected personal data from an individual under the age of 18 without appropriate parental consent, we will take steps to delete that data as soon as reasonably practicable. If you believe we may have collected data from a child, please contact us at privacy@nolli.co.uk.
10. Changes to This Policy
We may make changes to this Policy from time to time.
Where we make material changes, we will provide you with prominent notice as appropriate under the circumstances. For example, we may display a prominent notice on our website or send you an email notification.
11. Your Personal Data Rights
Under UK data protection law, you have the following rights in relation to your personal data. You can find out more about these rights and the exemptions that may apply on the Information Commissioner's Office (ICO) website at https://ico.org.uk.
Right of access - You have the right to request copies of your personal data. You may also request information about where we obtain your personal data from and with whom we share it. Certain exemptions may apply, which means you may not receive all the information you request.
Right to rectification - You have the right to ask us to correct personal data you believe is inaccurate or to complete personal data you believe is incomplete.
Right to erasure - You have the right to ask us to delete your personal data in certain circumstances.
Right to restriction of processing - You have the right to ask us to restrict how we use your personal data in certain circumstances.
Right to object to processing - You have the right to object to our processing of your personal data, including where we process it on the basis of legitimate interest. We will stop processing your data unless we can demonstrate compelling legitimate grounds that override your rights.
Right to data portability - You have the right to request that we transfer the personal data you have provided to us to another organisation, or to you, in a structured, commonly used, and machine-readable format.
Right to withdraw consent - Where we rely on your consent as the lawful basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal.
If you wish to exercise any of these rights, please contact us at privacy@nolli.co.uk. We will respond to your request without undue delay and in any event within one calendar month.
You also have the right to lodge a complaint with the ICO if you are concerned about how we handle your personal data. See Section 12 below.
12. How to Complain
If you have any concerns about our use of your personal data, you can make a complaint to us at privacy@nolli.co.uk.
If you remain dissatisfied with how we have handled your data after raising a complaint with us, you have the right to complain to the Information Commissioner's Office (ICO).
Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Helpline number: 0303 123 1113 Website: https://www.ico.org.uk/make-a-complaint