Privacy Policy

PRIVACY POLICY

Last Updated: 5 January 2026

1. INTRODUCTION

This Privacy Policy describes how RK BRANDS LTD (Company No. 11272653), trading as AYBL ("AYBL", "we", "us", or "our"), collects, uses, stores, shares, and protects your personal information when you interact with our Services.

Our Services include:

• Our website at www.aybl.com and associated regional websites

• Our mobile applications

• Any sales, marketing, customer service, or event-related interactions

Important Notice: By using our Services, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

2. CONTACT INFORMATION

Data Controller: RK BRANDS LTD (11272653)

Registered Office Address:

Unit 2 Velocity Way

Redditch

England

B98 7FX

Email: support@aybl.com

For privacy-specific inquiries, data subject requests, or concerns about how we handle your personal information, please contact us using the details above.

3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

We collect personal information that you voluntarily provide when you:

• Register for an account or create a customer profile

• Place orders or make purchases

• Subscribe to newsletters or marketing communications

• Contact customer service or support

• Participate in surveys, competitions, or promotions

• Leave reviews or interact with our online community

• Apply for employment opportunities

This information may include:

• Personal identifiers: Full name, email address, telephone number, postal address, date of birth, gender

• Account information: Username, password, account preferences, purchase history

• Financial information: Payment card details, billing address (processed securely through our payment processor)

• Communications: Content of messages, feedback, reviews, or correspondence with us

• Professional information: CV, employment history, qualifications (for job applications)

3.2 Information We Collect Automatically

When you visit or use our Services, we automatically collect certain technical and usage information:

• Device information: IP address, device type, operating system, browser type and version, unique device identifiers

• Usage data: Pages visited, time spent on pages, links clicked, referring/exit pages, search queries, browsing patterns

• Location data: Approximate geographic location based on IP address or precise location if you grant permission through your device

• Cookies and tracking technologies: Information collected through cookies, web beacons, pixels, and similar technologies (see Section 9)

3.3 Information from Third Parties

We may receive information about you from:

• Social media platforms (if you choose to connect your social media account or log in through social media)

• Payment processors and fraud prevention services

• Delivery and logistics partners

• Analytics and advertising partners

• Publicly available sources (e.g., social media profiles you make public)

4. HOW WE USE YOUR INFORMATION

We process your personal information for the following purposes:

4.1 Service Provision and Order Fulfillment

• Create and manage your account

• Process orders, payments, and transactions

• Arrange delivery and fulfillment

• Handle returns, exchanges, and refunds

• Provide customer service and technical support

4.2 Communication and Marketing

• Send transactional emails (order confirmations, shipping updates, account notifications)

• Send promotional emails and marketing communications (with your consent where required)

• Conduct surveys and request feedback

• Send SMS/text messages for order updates and promotional purposes (with your explicit consent)

4.3 Personalization and Improvement

• Personalize your experience and provide tailored product recommendations

• Display targeted advertising and promotional content

• Analyze usage patterns and identify trends

• Improve our website, products, and services

• Develop new products and features

4.4 Legal and Security Purposes

• Detect, prevent, and investigate fraud, security incidents, and illegal activities

• Protect the security and integrity of our Services

• Comply with legal obligations, regulations, and law enforcement requests

• Enforce our terms and conditions

• Protect our rights, property, and safety, and those of our users

5. LEGAL BASIS FOR PROCESSING (EEA/UK)

Under the General Data Protection Regulation (GDPR) and UK GDPR, we rely on the following legal bases for processing your personal information:

Consent: We process certain information with your explicit consent, such as marketing communications, location data, and social media integrations. You may withdraw consent at any time.

Contract Performance: Processing is necessary to fulfill our contractual obligations to you, including processing orders, delivering products, and providing customer service.

Legitimate Interests: We process information where necessary for our legitimate business interests, including:

• Improving our products and services

• Marketing and promotional activities

• Fraud prevention and security

• Analytics and business intelligence

• Network and information security

Legal Obligations: We process information when required to comply with legal obligations, such as tax reporting, financial record-keeping, and responding to lawful requests from authorities.

Vital Interests: In rare circumstances, we may process information to protect the vital interests of you or another person, such as in emergencies.

6. HOW WE SHARE YOUR INFORMATION

We may share your personal information with the following categories of recipients:

6.1 Service Providers and Business Partners

We engage trusted third-party service providers who process personal information on our behalf:

• Payment processors (e.g., Shopify, Klarna)

• Shipping and logistics providers

• Cloud storage and hosting providers

• Email and SMS communication services

• Customer service platforms

• Analytics and data analysis providers

• Marketing and advertising platforms

• Fraud prevention and security services

These service providers are contractually bound to protect your information and use it only for the specific purposes we authorize.

6.2 Advertising and Analytics Partners

We work with advertising networks and analytics providers to deliver targeted advertising and measure campaign effectiveness. This may include sharing hashed or pseudonymized identifiers.

6.3 Legal and Regulatory Authorities

We may disclose personal information when required by law or in response to:

• Valid legal processes (court orders, subpoenas, warrants)

• Government or regulatory investigations

• Law enforcement requests

• National security requirements

6.4 Business Transfers

If we undergo a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the successor entity, subject to applicable data protection laws.

6.5 Consent-Based Sharing

We may share information with other parties when you provide explicit consent, such as connecting your account with third-party platforms or participating in co-branded promotions.

7. INTERNATIONAL DATA TRANSFERS

Your personal information may be transferred to, stored, and processed in countries outside the European Economic Area (EEA) and United Kingdom, including the United States and other jurisdictions where our service providers operate.

When we transfer personal information internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission

• Adequacy decisions recognizing equivalent data protection

• UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs

• Binding Corporate Rules or certification schemes where applicable

For more information about our international transfer safeguards, please contact us using the details in Section 2.

8. DATA RETENTION

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods vary based on:

• Account information: Retained while your account is active and for up to 3 years after closure

• Transaction records: Retained for 7 years to comply with financial and tax obligations

• Marketing communications: Retained until you unsubscribe or withdraw consent

• Technical logs: Typically retained for 12-24 months

• Legal claims: Retained for the duration of any legal proceedings plus applicable limitation periods

When personal information is no longer needed, we securely delete or anonymize it in accordance with data protection requirements.

9. COOKIES AND TRACKING TECHNOLOGIES

We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your interactions with our Services.

Types of cookies we use:

Essential Cookies: Necessary for website functionality, security, and service delivery (e.g., shopping cart, login sessions)

Performance Cookies: Collect anonymous data about website usage to help us improve performance

Functional Cookies: Remember your preferences and personalize your experience

Marketing/Advertising Cookies: Track your browsing to deliver relevant ads and measure campaign effectiveness

Managing Cookies: You can control cookies through your browser settings and our cookie consent tool. Note that disabling certain cookies may affect website functionality. For detailed information, see our Cookie Policy at www.aybl.com/pages/cookie-policy

10. DATA SECURITY

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Our security measures include:

• Encryption of data in transit using TLS/SSL protocols

• Encryption of sensitive data at rest

• Regular security assessments and vulnerability testing

• Access controls and authentication requirements

• Employee training on data protection and security

• Secure payment processing through PCI-DSS compliant providers

• Regular backups and disaster recovery procedures

Important: While we strive to protect your information, no method of transmission or electronic storage is 100% secure. You should take steps to protect your account credentials and notify us immediately of any unauthorized access.

11. YOUR PRIVACY RIGHTS

11.1 Rights for EEA/UK Residents

Under GDPR and UK GDPR, you have the following rights:

Right of Access: Request a copy of the personal information we hold about you

Right to Rectification: Request correction of inaccurate or incomplete information

Right to Erasure: Request deletion of your personal information in certain circumstances

Right to Restriction: Request limitation of processing in specific situations

Right to Data Portability: Receive your data in a structured, machine-readable format and transfer it to another controller

Right to Object: Object to processing based on legitimate interests or for direct marketing purposes

Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

Right to Lodge a Complaint: File a complaint with your local supervisory authority (UK: Information Commissioner's Office - www.ico.org.uk)

11.2 Rights for California Residents (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act:

• Right to Know: Request disclosure of categories and specific pieces of personal information collected

• Right to Delete: Request deletion of personal information

• Right to Opt-Out: Opt out of the sale or sharing of personal information

• Right to Correct: Request correction of inaccurate personal information

• Right to Limit: Limit the use of sensitive personal information

• Right to Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights

Note: We do not sell personal information to third parties for monetary consideration. We may share personal information for advertising purposes, which may constitute a "sale" or "sharing" under California law.

11.3 Rights for Canadian Residents

Canadian residents have rights under applicable provincial privacy laws (PIPEDA, CPPA, etc.) including the right to access, correct, and request deletion of personal information.

11.4 Exercising Your Rights

To exercise any of these rights:

• Email us at support@aybl.com with "Privacy Rights Request" in the subject line

• Submit a request through our online form at www.aybl.com/pages/request-my-data

• Access your account settings to update preferences

We will respond to verified requests within the timeframes required by applicable law (typically 30 days, extendable to 60-90 days in complex cases).

12. MARKETING COMMUNICATIONS

We may send you promotional emails, SMS messages, and push notifications about products, offers, and events.

Opting Out:

• Email: Click "unsubscribe" in any marketing email or adjust preferences in your account

• SMS: Reply "STOP" to any promotional text message

• Push Notifications: Disable through your device settings

• Account Settings: Log in and update your communication preferences

Note: Even if you opt out of marketing communications, we will still send transactional messages related to your orders and account.

13. CHILDREN'S PRIVACY

Our Services are not directed to children under 16 years of age (or under 13 in jurisdictions where that is the minimum age). We do not knowingly collect personal information from children below these ages.

If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information as quickly as possible.

Parents or guardians who believe their child has provided personal information should contact us immediately at support@aybl.com.

14. THIRD-PARTY WEBSITES AND SERVICES

Our Services may contain links to third-party websites, social media platforms, and services not operated by AYBL. This Privacy Policy does not apply to those third parties.

We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through our Services.

15. SOCIAL MEDIA FEATURES

Our Services include social media features, such as login buttons and sharing widgets. These features may collect information about your IP address and browsing activity and may set cookies.

If you use social login features, we may receive profile information from the social media platform according to your privacy settings on that platform. This typically includes your name, email address, profile picture, and friend list.

Your interactions with social media features are governed by the privacy policies of the companies providing them.

16. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations.

Notification of Changes: We will notify you of material changes by:

• Posting a prominent notice on our website

• Sending an email to your registered email address

• Displaying an in-app notification

The "Last Updated" date at the top of this policy indicates when it was most recently revised. We encourage you to review this Privacy Policy periodically.

Continued use of our Services after changes become effective constitutes acceptance of the updated Privacy Policy.

17. AUTOMATED DECISION-MAKING AND PROFILING

We may use automated processing and profiling to:

• Personalize product recommendations and content

• Detect and prevent fraud

• Optimize marketing campaigns

• Analyze shopping behavior and preferences

We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you without human intervention. You have the right to request human review of automated decisions where applicable.

18. DO NOT TRACK SIGNALS

Some web browsers have a "Do Not Track" (DNT) feature that signals websites you visit that you do not want your online activity tracked.

Currently, there is no industry standard for how websites should respond to DNT signals. At this time, our Services do not respond to DNT browser signals or similar mechanisms. However, you can control cookies and tracking through your browser settings and our cookie consent tool.

19. QUESTIONS AND COMPLAINTS

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

Email: support@aybl.com

Post:

RK BRANDS LTD (11272653)

Unit 2 Velocity Way

Redditch, England B98 7FX

United Kingdom

We will investigate and respond to complaints within reasonable timeframes as required by applicable law.

Supervisory Authority Contacts:

• UK residents: Information Commissioner's Office (ICO) - www.ico.org.uk

• EEA residents: Your local Data Protection Authority - ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

• California residents: California Attorney General - oag.ca.gov

20. DEFINITIONS

Personal Information: Information that identifies, relates to, or could reasonably be linked with a particular individual or household.

Processing: Any operation performed on personal information, including collection, storage, use, disclosure, and deletion.

Services: Our website, mobile applications, and any related services, features, or content we provide.

Cookies: Small text files placed on your device to collect standard internet log information and visitor behavior information.

Controller: The entity that determines the purposes and means of processing personal information.

Processor: An entity that processes personal information on behalf of the controller.

ACKNOWLEDGMENT

By using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree with this Privacy Policy, please discontinue use of our Services.

Thank you for trusting AYBL with your personal information. We are committed to protecting your privacy and providing transparency about our data practices.

Last Updated: 5 January 2026