Privacy Policy

Kind Collection
Public Privacy & Data Policy (GDPR-Aligned)

1. Purpose

Kind Collection protects personal data and respects privacy rights in all customer, supplier, collaborator, and website interactions.
This Policy explains, in plain language, how Kind Collection collects, uses, stores, shares, and protects personal data in line with:

• UK GDPR
• Data Protection Act 2018 (UK)
• the Privacy and Electronic Communications Regulations (PECR), where applicable

• Kind Collection’s broader responsible business, ethical sourcing, and governance commitments

This is a rights-based policy. Kind Collection will process personal data lawfully, fairly, and transparently, and will protect personal data using reasonable security measures appropriate to the business. Kind Collection will not collect or use personal data beyond what is relevant and necessary for lawful and legitimate business purposes.
This Policy forms part of Kind Collection’s intentional governance and responsible business approach and supports evidence of responsible practice for B Corp requirements. It provides a clear public statement on (as applicable): what personal

data Kind Collection collects, why it is collected, how it is used, how it is stored, who has access, how long it is retained, whether it is shared, individual rights, and how to contact Kind Collection for data requests.

2. Scope

This Policy applies to personal data processed by Kind Collection in connection with:

●  website enquiries and contact forms

●  customer orders (including bespoke enquiries and commissions)

●  made-to-order production administration and customer approvals

●  order, payment and delivery administration (including via third-party providers)

●  customer communications and aftercare support (including

●  repairs/remodelling, where offered)

●  supplier and service-provider communications

●  collaborations, events, and community engagement (where applicable)

●  business operations, record-keeping, and legal compliance

●  marketing communications (where a lawful basis applies, including consent

where required)

2.1 Business Structure

Kind Collection is responsible for data protection. Kind Collection uses third-party service providers (for example, website platform, accounting software, courier, and accountant) and shares personal data only where necessary to provide these services.

3. Mission & Impact Summary

Kind Collection is an independent UK jewellery studio creating bespoke and made-to-order jewellery with care for people and planet. The business prioritises slow, traceable craft, the use of recycled precious metals and responsibly sourced materials, and thoughtful lower-impact operational practices.

Kind Collection manages impact through practical governance systems, documented policies, supplier due diligence, and implementation tracking across the business.

4. Resource Conservation Impact Business Model

Kind Collection’s Resource Conservation Impact Business Model is centred on reducing resource extraction and environmental impact through the use of recycled precious metals, responsible material choices, made-to-order production, repair/remodelling where applicable, and lower-waste packaging and studio practices.

Data processing connected to this work (for example, supplier records, material and order records, product specifications, and impact tracking) will be managed in a way that protects privacy while supporting responsible governance, traceability, and evidence of impact in practice.

5. Legal & Rights-Based Commitments

5.1 Compliance with national law

Kind Collection will comply with applicable UK data protection and privacy law, including:

• UK GDPR
• Data Protection Act 2018
• PECR (Privacy and Electronic Communications Regulations), where applicable

(for example, electronic marketing and cookies)

Where lawful contractual, platform, or regulatory requirements impose additional obligations, Kind Collection will apply those requirements where relevant and proportionate to the business.

5.2 Fundamental Principles and Rights at Work (ILO reference)

Kind Collection recognises the ILO Fundamental Principles and Rights at Work as part of its broader responsible business framework. While this is a privacy and data policy (not an employment or labour policy), Kind Collection’s approach to personal data is consistent with dignity, fairness, non-discrimination, and respect for rights in business relationships.

Relevant cross-reference policies include:

• Governance Policy

• Code of Ethics Policy
• EDI & Anti-Discrimination Policy
• Responsible Sourcing Policy / Supplier Code of Conduct Policy • Customer Stewardship & Ethical Engagement Policy
• Stakeholder Engagement Policy

5.3 Rights-based processing statement

Kind Collection will:
• process personal data lawfully, fairly, and transparently
• collect only personal data that is relevant and necessary
• use personal data only for stated and legitimate purposes
• keep personal data accurate and up to date where reasonably possible
• retain personal data only for as long as required (or legally required)
• protect personal data with reasonable security measures appropriate to the

business
• uphold valid data subject rights within legal timelines

Kind Collection does not sell personal data.

6. Data Protection Principles (How Kind Collection Will Process Data)
Kind Collection applies a rights-based approach to personal data. In practice, this means Kind Collection:

●  processes personal data lawfully, fairly, and transparently

●  limits collection and use of personal data to what is relevant and necessary for stated, legitimate purposes

●  takes reasonable steps to keep personal data accurate and up to date where reasonably possible

●  retains personal data only for as long as required (including where legally required)

●  protects personal data with reasonable security measures appropriate to the business

● responds to valid data subject rights requests within legal timelines

These principles are implemented through the commitments set out in Section 5.3. Kind Collection does not sell personal data.

7. What Personal Data Kind Collection Collects

Kind Collection will describe what personal data is collected in this Policy and will collect only personal data that is relevant and necessary for lawful business purposes. Depending on the interaction, Kind Collection may collect and process:

7.1 Customer and enquiry data

●  Name

●  email address

●  phone number (if provided)

●  billing address

●  delivery address

●  order details (including product selections, bespoke project details,

●  sizing/specifications where relevant)

●  sizing and personalisation information (for example ring size, engraving

instructions, or product specifications) where needed to design, make, or fulfil

an order

●  recipient name and delivery address details provided by a customer for gift

purchases or direct delivery (used only to fulfil the order and provide related

customer service)

●  customer-provided reference images (for example design inspiration,

heirloom/remodelling references, or fit/style references), where voluntarily provided for a bespoke design, remodelling, or repair request
transaction records and payment status information (full payment card details are typically processed by payment providers and are not stored by Kind Collection)

●  customer communications (including enquiries, quotes, approvals, aftercare, repairs, and remodelling requests)

●  marketing preferences and consent status (where applicable)

7.2 Supplier / service provider data

●  contact names

●  business email address and phone number

●  company name and address

●  role/job title

●  invoice and payment records

●  due diligence and communication records relevant to sourcing and operations (where applicable)

7.3 Website and technical data (where applicable)

●  IP address

●  browser/device information

●  cookie preferences / consent choices

●  website usage data / analytics data (aggregated where possible)

7.4 Special category / high-risk data

Kind Collection does not intentionally collect special category personal data for standard jewellery sales and services. If such data is received unintentionally, Kind Collection will restrict processing and delete it where lawful and appropriate.

8. Lawful Bases for Processing

Kind Collection will only process personal data where a lawful basis applies. This may include:

●  Contract – to respond to enquiries, provide quotes, create and fulfil orders, and arrange delivery, repairs or remodelling services

●  Legal obligation – to comply with tax, accounting, consumer, fraud-prevention, and other legal requirements

●  Legitimate interests – to operate and improve the business, maintain records, manage customer service, protect against fraud, and administer supplier relationships (balanced against individual rights)

●  Consent – for certain marketing communications and cookie preferences where required

●  Vital interests / legal claims – where exceptionally relevant and lawful

●  Kind Collection will apply the lawful basis appropriate to the purpose.

9. Why Kind Collection Collects Personal Data and How It Is Used

Kind Collection explains why personal data is collected and how it is used. Kind Collection collects and uses personal data to:

●  respond to enquiries and bespoke design requests

●  prepare quotes and confirm order details/specifications

●  process and fulfil customer orders

●  arrange delivery, collection, repairs, remodelling and aftercare services

●  communicate with customers about orders, timelines, approvals and support

●  manage supplier and service-provider relationships

●  maintain business records for accounting, tax and legal compliance

●  prevent fraud and protect the business

●  send marketing communications only where lawful and consent-based where required

●  manage responsible business governance and impact tracking records, while

●  minimising personal data and limiting access appropriately

Kind Collection will not use personal data for unrelated purposes without a lawful basis.

9.1 Email marketing

Kind Collection only sends marketing emails where there is a lawful basis under UK law (typically opt-in consent, and where permitted, customer marketing based on an existing relationship). Kind Collection uses an email marketing provider with appropriate privacy and security controls. Kind Collection maintains records of marketing consent (where required) and unsubscribe status, and every marketing email includes a clear unsubscribe option.

9.2 Bespoke jewellery and design communications

Bespoke jewellery projects often involve iterative communication and personal preferences. Kind Collection collects and uses only the project information needed to design, make, and deliver the requested service, and will not use it for unrelated purposes without a lawful basis.

9.3 Customer-provided reference images and design information

Where customers choose to send reference images or design information (for example inspiration images, heirloom jewellery images, remodelling references, or sizing/fit context), Kind Collection will use this information only for the requested design, production, repair/remodelling service, and related customer communication. Kind Collection will not use customer-provided images for marketing or public sharing without separate permission.

10. Data Storage, Access and Sharing

Kind Collection explains how personal data is stored, who has access, and when personal data is shared with third parties.

10.1 How personal data is stored

Personal data is stored using systems appropriate to a sole trader business, including:

• website/e-commerce platform records
• email and communications systems
• payment and transaction systems (via third-party payment processors)
• accounting and business administration systems
• cloud storage or business software tools used for operations (with access controls

enabled where available)

Kind Collection uses password-protected systems and limits the storage of personal data to what is necessary (where reasonably possible).

10.2 Security and customer responsibilities

Kind Collection uses reasonable security measures appropriate to the business (such as password protection and access controls where available). While Kind Collection takes care to protect personal data, no online system can be guaranteed to be 100% secure. Customers are responsible for ensuring the information they provide (including delivery details) is accurate.

10.3 Who has access to personal data

Access to personal data is restricted to:
• Tansy Haak (Founder) – primary and accountable person
• trusted third-party service providers/processors, only where access is necessary to

deliver services or operate the business lawfully (for example payment processing, courier delivery, website hosting, email platforms, and accounting support) Kind Collection does not intentionally provide access to personal data to unauthorised persons and uses reasonable safeguards to prevent unauthorised access.

10.4 Whether data is shared and with whom

Kind Collection may share personal data only where necessary and lawful, including with:

●  payment processors (to process payments)

●  delivery/courier companies (to deliver orders)

●  website/e-commerce platform providers (to manage orders and website

services)

●  email/communications providers (to manage customer communications and,

●  where applicable, marketing preferences)

●  IT and cloud service providers (to support business operations and secure

storage)

●  accountant/bookkeeper (for accounting and tax compliance)

●  legal or regulatory authorities where required by law

●  professional advisers where necessary and subject to confidentiality

Kind Collection does not sell personal data.

10.5 Third-party processor controls

Where third parties process personal data on behalf of Kind Collection, Kind Collection will seek to ensure appropriate data protection terms are in place (for example through platform terms or service agreements) and that access is limited to what is necessary.

11. International Transfers

Where service providers store or process personal data outside the UK, Kind Collection uses service providers that state they support lawful international transfers under UK GDPR (for example, adequacy regulations or appropriate contractual safeguards), where applicable.

12. Data Retention

Kind Collection explains how long personal data is retained. Personal data is retained only for as long as necessary for the purpose collected, and to meet legal, accounting, tax, consumer, dispute-resolution, and legitimate business record requirements. Retention periods vary depending on the type of record, including:

●  customer order and fulfilment records

●  aftercare/repair/remodelling records

●  accounting and tax records

●  supplier and service provider records

●  marketing consent and unsubscribe records

●  privacy requests and complaint records (where applicable)

For handmade, bespoke, repair, and remodelling services, Kind Collection may retain relevant order specifications, sizing/personalisation details, and related customer communication records for a reasonable period to support production records, aftercare, repeat service, and customer support, subject to legal and business record requirements.

When personal data is no longer required, Kind Collection will take reasonable steps to delete or anonymise it (where reasonably possible), subject to legal retention obligations.

13. Data Security Commitments

Kind Collection uses reasonable security measures appropriate to a sole trader (0-worker) business model to protect personal data, including:

●  password-protected systems and devices

●  use of reputable platforms/providers for website, payments and

●  communications (with privacy and security controls enabled where available)

●  limited access to personal data (Founder-only, except trusted service

●  providers where necessary to deliver services)

●  periodic review of stored personal data and removal of unnecessary records where reasonably possible

●  careful handling of customer and supplier information

●  secure disposal, deletion, or anonymisation of personal data where it is no

●  longer needed, subject to legal retention requirements

Where a material data protection issue or incident occurs, Kind Collection will document the issue and any corrective action taken, proportionate to the circumstances and business size, within its internal records.

14. Customer Rights and Data Requests

Kind Collection explains individual rights and how to contact the business to exercise those rights. Under UK GDPR (subject to legal limitations), individuals may have the right to:

●  access their personal data

●  request correction of inaccurate data

●  request deletion/erasure of personal data

●  restrict processing

●  object to certain processing

●  withdraw consent (including marketing consent)

●  request data portability (where applicable)

●  lodge a complaint with the UK Information Commissioner’s Office (ICO)

Kind Collection will respond to valid requests in line with legal timeframes. Kind Collection may verify identity where required and may refuse or limit a request where a lawful exemption applies. Kind Collection will retain appropriate records of requests and outcomes.

14.1 Contact details for data requests

For privacy or personal data requests, individuals can contact Kind Collection using the contact details published on the Kind Collection website:

Website: https://www.kindjewellery.com
Data request contact: Kind Collection contact form

15. Marketing Communications and Cookies

Kind Collection sends marketing communications only where lawful and provides an option to unsubscribe or withdraw consent where required.

Where cookies or similar technologies are used on the website, Kind Collection provides information about their use and, where required by law, offers cookie choices/consent options through the website’s cookie banner or platform settings (where available).

16. Accountability, Governance and Named Responsible Person 16.1 Accountable person

Responsible person for this Policy: Tansy Haak (Founder, Sole Trader)

The Founder is responsible for:
• policy implementation
• lawful processing decisions
• privacy rights response handling
• provider/platform oversight (proportionate to business size and where applicable) incident escalation and corrective actions review of this Policy and related records at least annually

16.2 Intentional governance and impact management
This Policy is part of Kind Collection’s governance and responsible business approach. Kind Collection keeps privacy and data protection record-keeping proportionate to business size. Evidence is retained primarily through routine platform and operational records (for example, website/platform settings, communications logs, consent/unsubscribe records where applicable, and provider terms/controls). Separate internal notes are kept only where a material change, request, issue, or corrective action arises.

17. Policy in Use, Metrics and Tracking

B Corp privacy policy evidence statement
This public policy is supported by proportionate implementation records showing privacy and data protection in use. Where applicable, this may include: privacy notice updates, cookie/consent settings checks, provider/platform reviews, unsubscribe and consent handling, data request logs, and corrective actions. Evidence is recorded in the Impact Master and relevant operational systems.

17.1 Tracking systems

Kind Collection retains evidence primarily within the platforms used to operate the business (for example, website/e-commerce platform records, communications systems, and email marketing provider records where used). Separate internal notes are created only where a privacy/data request, issue, or corrective action arises.

17.2 Minimum privacy/data metrics tracked

Kind Collection keeps privacy and data protection record-keeping proportionate to business size. Routine records are retained primarily within the platforms used to operate the business (for example, website/e-commerce platform order records, email/contact form communications, email marketing consent/unsubscribe records where applicable, and payment/delivery transaction records held by providers). Separate internal logs are created only where an issue, request, or corrective action arises.

Where applicable, Kind Collection will retain:

●  privacy/data requests and outcomes (in the relevant communication record)

●  marketing unsubscribe/consent status (in the email marketing platform, where used) any data incident and the steps taken (in internal notes and/or platform support records)

●  periodic checks of key settings (e.g., cookie/consent controls where available), evidenced by platform settings or screenshots where appropriate.

18. Evidence Systems

Kind Collection retains supporting evidence through routine business records and platform/provider records. Internal evidence trackers may be used for organisations where relevant, but these are not public documents.

19. Data Incidents and Corrective Action

Kind Collection will record and review any material actual or suspected personal data incident. Where a reportable breach occurs, Kind Collection will assess and act in line with UK GDPR requirements, including ICO notification and communication to affected individuals where legally required. Corrective actions will be documented through routine business records and platform/provider records (and, where used, internal governance notes), proportionate to the issue and business size.

20. Cross-References to Related Policies

This Policy should be read alongside Kind Collection’s related policies and website notices (where adopted and/or published), including:

• Governance Policy
• Code of Ethics
• Customer Stewardship & Ethical Engagement Policy • Stakeholder Engagement Policy
• EDI & Anti-Discrimination Policy
• Responsible Sourcing Policy
• Supplier Code of Conduct

  • Environmental Policy

  • Terms & Conditions and other website notices (where applicable)

These documents work together to set expectations for ethical conduct, privacy, rights, responsible sourcing, and accountable business practice.

21. Review Schedule

●  Adoption date: February 2026

●  Review frequency: Annual (minimum), and earlier if there is a material legal, operational, website/platform, or business model change

●  Next review due: February 2027

22. Version Control

Version 1.0

Created by

Tansy Haak (Founder) & Genette Dibsdall (Consultant)

Date Feb 2026