Privacy Policy

Who we are

Our website address (“The Website”) is: Our physical store front is located at: Classic Drive, Coventry, CV6 6AS. We can be contacted via telephone +44 7460 084 289 or by email:

This page (the “Privacy Policy”) is designed to publicise how In2Vape (“The Company”) protects your data when you visit The Website.

The Privacy Policy is provided in a layered format, with a table of contents, to allow users to read specific areas set out below. At the end of the Privacy Policy a Glossary is included to provide understanding and meanings to terms used in the Privacy Policy.

  1. Important Information

The Privacy Policy is provided to users of The Website so that the users can understand how the Company collects, processes and protects personal data through their use of The Website. This includes any data provided by the user to the Company upon registration, if a user registers to the Newsletter or if a user purchases a product from the Company.

Users of The Website must not be under 18 years of age. The Website is designed for users above the age of 18 years. The Company reserves the right to request valid identification (including, but not limited to, passports, driving license, proof of address, citizen cards bearing the “PASS” symbol”). The Company reserves the right to request multiple forms of identification if the user is suspected of being under 18 years of age. The Website is not intended for the use of anybody under the age of 18 years, The Company does not use The Website to knowingly collect data relating to persons under the age of 18 years.

It is important that this Privacy Policy is read, together with any other privacy notices or Terms and Conditions pages available on The Website. The Company may provide any fair processing notice on any occasion deemed fit by The Company. These notices will contain important information relating to how we collect and process personal data of users of The Website. The Company will publish these notices to ensure users are fully aware of how and why we use their data.

This Privacy Policy supplements all notices published by The Company, and is in no way intended to over ride any such notices.

Data Controller

The Company is the controller and is therefore responsible for your personal data.

The Company has appointed a data privacy manager, who is responsible for overseeing questions in relation to this privacy notice, and any data protection laws that govern the use of personal data that may be processed by The Company. If any user has any questions concerning this Privacy Notice, or our data protection compliance, please contact the data privacy manager using the details below.

Controller Details

Full name of legal entity: In2Vape Limited

Name or Title of Data Privacy Manager: Data Privacy Manager


Postal Address: Classic Drive, Coventry, CV6 6AS

Telephone Number: +44 7460 084 289

Users have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (

The Company implores any users to contact them directly with any concerns in the hope that The Company may resolve any issues that have arisen, prior to contacting the ICO. The Company takes privacy complaints and data protection concerns seriously.

Changes to the Privacy Policy

This version of the Privacy Policy was last updated on Saturday, 01 September 2018.

The User’s duty to inform The Company of changes

The Company requests that all registered users keep their personal data accurate and current.

The Website may include hyperlinks to third-party websites, plugins and applications such as PayPal or Google. By accessing these hyperlinks, users may allow third parties to collect or share the user’s data. In2Vape does not control these third-party websites and are not responsible for their privacy statements. It is good practise for users to read the privacy notice of each website visited.

  1. The Data We Collect About Users


Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).


The Company may collect, use, store and transfer different kinds of personal data about users which we have grouped together in the following categories:


  1. Identity Data includes first name, last name, email address, title and GBG age verification results
  2. Contact Data includes billing address, delivery address, email address and telephone numbers.
  3. Transaction Data includes details about products users have purchased from The Company (via The Website), returns, refunds and other relevant information to manage customer relationship.
  4. Technical Data includes internet protocol (IP) address, users login information, browser type and version, browser plug-in types and versions, operating system and platform.
  5. Usage Data includes information about how users use The Website.
  6. Marketing and Communications Data includes user’s preferences in receiving marketing from The Company and their communication preferences.

The Company also collects, uses and shares Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from user’s personal data but is not considered personal data in law – this data does not directly or indirectly reveal your identity. For example, The Company may aggregate a user’s Usage Data to calculate the percentage of users accessing a specific website feature. However, if The Company combines or connects Aggregated Data with user’s personal data so that it can directly or indirectly identify a user, The Company treats the combined data as personal data which will be used in accordance with this Privacy Policy.


The Company does not collect any Special Categories of Personal Data about user’s (this includes details about user’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about a user’s health and genetic and biometric data). Nor does The Company collect any information about criminal convictions and offences.


  1. How Personal Data Is Collected


The Company uses different methods to collect data from and about users, including through:


  • Direct Interactions

Users may provide Identity and Contact data by filling in forms or by corresponding with the Company by post, telephone, email or otherwise. This includes personal data users provide when they:

  • Place an order on The Website to purchase a product (or products).
  • Register on The Website to create an account.
  • Subscribe to our newsletter
  • Provide feedback directly to The Company via correspondence or review options on The Website.


  • Automated Technologies or Interactions

As a user interacts with The Website, The Website may automatically collect Technical Data about a user’s equipment used to access the website, their browsing actions and patterns. This data is collected using Cookies, server logs and other similar technologies.

  • Third-Parties or Publicly Available Sources

The Company may receive personal data about users from various Third-Parties as set out below.

  • Technical Data from the following parties
    • Analytics providers such as Google, based outside the EU.
    • Search information providers such as Google or Bring, based outside the EU.
  • Contact, Financial and Transaction Data from providers of Technical, Payment and Delivery services such as PayPal, based outside the EU.
  • Identity and Contact Data from Data Brokers or Aggregators.
  • Identity and Contact Data from publicly available sources, such as, but not limited to, Companies House, the Electoral Register, based inside the EU.


  1. How Personal Data Is Processed


The Company will only use personal data when allowed so by the Law. Most commonly, The Company will use personal data in the following circumstances:

  • When The Company needs to perform the contract that the Company enters or has entered with the user.
  • Where it is necessary for legitimate interests of the Company (or those of a third party) and the interests of the user, the user’s fundamental rights do not override those interests.
  • Where The Company will need to comply with a legal or regulatory obligation.


More information about the types of lawful basis that The Company relies on to process personal data can be found in the Glossary.


The Company does not generally rely on consent as a legal basis for processing user’s personal data, other than in relation to sending direct marketing communications to users via email. Users have the right to withdraw consent to marketing contact at any time by contacting us.


Purposes for which The Company uses personal data


Set out below in Table 1, is an exhaustive description of all the ways The Company processes (and uses personal data, and which of the legal bases The Company relies on to do so. The legitimate interests of The Company have been identified where appropriate.


The Company may process your personal data for more than one lawful ground, depending on the specific purpose for which The Company is using your data. Please contact The Company for specific details of any legal ground that The Company relies on to process your personal data, where more than one ground has been set out.


Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To register a user as a new customer (a) Identity
(b) Contact
Performance of a contract with the user
To process and deliver a user’s order including:
(a) Manage payments (b) Collect and recover money owed to The Company
(a) Identity
(b) Contact
(c) Financial
(d) Transaction
€ Marketing and Communications
(a) Performance of a contract with a user
(b) Necessary for the legitimate interests of The Company (to recover debts due to The Company)
To manage a relationship with a user which will include:
(a) Notifying the user about changes to the Terms and Conditions or Privacy Policy
(a) Identity
(b) Contact
(c) Profile
(a) Performance of a contract with a user
(b) Necessary to comply with a legal obligation
To enable a user to partake in a prize draw, competition or complete a survey (a) Identity
(b) Contact
(c) Profile
(d) Usage
€ Marketing and Communications
(a) Performance of a contract with the user
(b) Necessary for legitimate interests of The Company (to study how customers use products/services, to develop these interests and grow the business)
To administer and protect the business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) (a) Identity
(b) Contact
(c) Technical
(a) Necessary for legitimate interests of The Company (for running the business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to users and measure or understand the effectiveness of the advertising we serve to users (a) Identity
(b) Contact
(c) Profile
(d) Usage
€ Marketing and Communications
(f) Technical
Necessary for legitimate interests of The Company (to study how customers use products/services, to develop them, to grow the business and to inform any marketing strategies)
To use data analytics to improve The Website, products/services, marketing, customer relationships and experiences (a) Technical
(b) Usage
Necessary for legitimate interests of The Company (to define types of customers for products and services, to keep The Website updated and relevant, to develop the business and to inform any marketing strategies)
To make suggestions and recommendations to users about goods or services that may be of interest to users (a) Identity
(b) Contact
(c) Technical
(d) Usage
€ Profile
Necessary for the legitimate interests of The Company (to develop any provided products/services and grow the business)

Table 1





The Company strives to provide all users with choice regarding certain personal data users, particularly concerning marketing and advertising.


Promotional Offers


The Company may use a user’s Identity, Contact, Technical and Profile Data to form a view on what The Company believes the user may want, need, or any products that may be of interest to the user. The Company uses this basis to decide on which products, services and offers may be relevant to the user.




A user may, at any time, request that marketing correspondence is ceased. This can be achieved by contacting The Company.

When a user has opted out of receiving these marketing messages, this will not apply to personal data provided to The Company as a result or product that a user may have purchased, or through other transactions.




A user can set their internet browser (such as Google Chrome, Internet Explorer, Safari etc) to refuse all or some browser cookies, or to alert the user when websites set or access cookies. If this feature is disabled or refused, some parts of The Website may not function correctly.


The Website uses a feature “remember me” – which is an automatic login process that creates a cookie on the user’s local machine. This cookie contains a unique login ID and avoids the need for a user to re-enter their login details upon visits to our site. (This feature will keep a user logged in). The Company does not recommend that the “remember me” feature is used on shared machines, this can lead to member-only information being accessed by other (illegitimate) users.


The cookies in use by The Website and by The Company are “analytical” cookies, which allow The Company to recognise and count the number of visitors on The Website. These cookies allow The Company to track how users move around The Website whilst The Website is in use by a user. This tracking feature allows The Company to improve The Website.


Change of Purpose


The Company will only use personal data of users for purposes of which it is collected, unless it is reasonably considered that it must be used for another reason, and that reason is compatible with the original purpose (of collection). If users wish to receive an explanation on how the processing for the new purpose is compatible with the original purpose, please contact The Company.


If The Company is required to use any personal data for an unrelated purpose, The Company will notify the user to explain the legal basis which allows The Company to do so.


The Company may process personal data without knowledge or consent of a user, in compliance with the above rules, where this is required or permitted by law.


  1. Disclosures of Personal Data


The Company may have to share users personal data with parties set out below for the purposes set out in Table 1.


  • Internal Third Parties as set out in the Glossary
  • External Third Parties as set out in the Glossary.
  • Third parties to whom The Company may choose to sell, transfer or merge parts of the business or assets owned by The Company. The Company may seek to acquire other businesses, or merge with them. If a change occurs to the business, then the new owners may use any personal data of users collected by The Company, in the same way as set out in this Privacy Policy.


The Company requires all third parties to respect the security of the personal data of all the users of The Website, whether those users are registered users or not. These companies must act in accordance with the law. The Company does not allow third-party service providers to use any users personal data for their own purpose, and only permits these third-parties to process your personal data for the specified purposes and in accordance with the instructions given by The Company.


  1. International Transfer Of Data (Outside the EU)

The Company does not transfer any personal data of any user outside the European Economic Area (EEA).


  1. Data Security (How Personal Data Is Secured)


The Company has put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, The Company restricts access to the personal data of all users to employees, agents, contractors and other third-parties who have a business to know. These third-parties will only process your personal data on instruction from The Company, these third-parties are subject to a legal duty of confidentiality.



The Company has implemented safeguarding procedures to deal with any suspected personal data breaches. The Company will notify all users and the ICO of any breach, where we are legally required to do so.


  1. Retention Of Data

The Company will only retain users personal data for as long as necessary to fulfil the purposes it was collected for, including the purposes of satisfying any legal, accounting or reporting requirements.


To determine the appropriate retention period for personal data, The Company considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of user’s personal data, the purposes for which The Company collects personal data and whether The Company can achieve those purposes through other means, and the applicable legal requirements.


By law, The Company keeps basic information about users, including Contact, Identity, Financial and Transaction Data for six years after users cease being customers, this is for tax and accounting purposes.


In some circumstances, users can request their data to be deleted, see the Request Erasure paragraph in the Glossary for details.


In some circumstances, The Company may anonymise users personal data (so that it can no longer be associated with the user, and that the user cannot be personally identified from that data) for research and statistical purposes in which The Company may use this information indefinitely without further notice to you.


  1. Legal Rights Of The User


Under certain circumstances, users have the rights under data protection laws in relation to their personal data.

  • Request access to personal data
  • Request correction of personal data
  • Request erasure of personal data
  • Object to processing of personal data
  • Request restriction of processing personal data
  • Request transfer of personal data
  • Right to withdraw consent

More information on the above points may be found in the Glossary.


If a user wishes to exercise any of the rights above, please contact The Company.


There is no fee required to exercise any of these rights. Users will not be charged. If a user’s request is unfounded, repetitive or excessive, The Company reserves the right to charge a reasonable access fee, alternatively The Company may refuse to comply with your request under these circumstances.


Please be advised that The Company may need to request specific information from a user to help confirm the identity of the user, and ensure the users right to access their personal data (or to exercise any other of the user’s rights). This is a strict security measure and ensures personal data is not disclosed to any person who has no right to receive it. The Company may also contact the user to request further information in response to your request.


The Company will try to respond to all legitimate requests within 30 working days. Occasionally The Company may not respond within 30 working days if a request is particularly complex, or several requests are made. Please be advised that The Company will endeavour to keep the user updated during this process.





Legitimate Interest means the interest of the business in conducting and managing the business to enable The Company to give users the best service/product and the best and most secure experience. The Company will make sure that it considers and balances any potential impact on users (both positive and negative) and the rights of users before it processes personal data for legitimate interests. The Company do not use personal data for activities where interests are overridden by the impact on users (unless The Company has a user’s consent or are otherwise required or permitted to by law). Users can obtain further information about how The Company assesses legitimate interests against any potential impact on users in respect of specific activities by contacting The Company.

Performance of Contract means processing personal data where it is necessary for the performance of a contract to which users are a party or to take steps at a user’s request before entering into such a contract.

Comply with a legal or regulatory obligation means processing personal data where it is necessary for compliance with a legal or regulatory obligation that The Company is subject to.


External Third Parties

  • Service providers acting as processors based in the UK who provide cloud computing and web design and system administration services.
  • Professional advisers including lawyers, bankers, auditors and insurers based in the UK who provide consultancy, banking, legal, insurance and accounting services.
  • HM Revenue & Customs, regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances.
  • Service providers based outside of the EEA who provide email newsletter and other marketing services.
  • Payment providers including Paypal, Secure Trading, First Data and Amex who are based outside of the EEA.
  • Couriers based in the UK who provide delivery services.


Users have the right to:

Request access to their personal data (commonly known as a “data subject access request”). This enables users to receive a copy of the personal data The Company holds about that user and to check that The Company is lawfully processing it.

Request correction of the personal data that The Company holds about a user. This enables the user to have any incomplete or inaccurate data The Company holds about the user corrected, though The Company may need to verify the accuracy of the new data provided to it.

Request erasure of personal data. This enables users to ask The Company to delete or remove personal data where there is no good reason for The Company to continuing to process it. Users also have the right to ask The Company to delete or remove their personal data where users have successfully exercised their right to object to processing (see below), where The Company may have processed a user’s information unlawfully or where The Company are required to erase a user’s personal data to comply with local law. Note, however, that The Company may not always be able to comply with a user’s request of erasure for specific legal reasons which will be notified to the user, if applicable, at the time of their request.

Object to processing of personal data where The Company are relying on a legitimate interest (or those of a third party) and there is something about the user’s particular situation which makes the user want to object to processing on this ground as the user feels it impacts on their fundamental rights and freedoms. Users also have the right to object where The Company are processing their personal data for direct marketing purposes. In some cases, The Company may demonstrate that they have compelling legitimate grounds to process a user’s information which override their rights and freedoms.

Request restriction of processing of personal data. This enables users to ask us to suspend the processing of their personal data in the following scenarios: (a) if they want us to establish the data’s accuracy; (b) where use of the data is unlawful but the user does not want the data erased; (c) where a user needs The Company to hold the data even if The Company no longer requires it as the user needs it to establish, exercise or defend legal claims; or (d) the users have objected to the use of their data but The Company needs to verify whether it has any overriding legitimate grounds to use it.

Request the transfer of personal data to a user or to a third party. We will provide to the user, or a third party they have chosen, their personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which the user initially provided consent for The Company to use or where The Company used the information to perform a contract with the user.

Withdraw consent at any time where The Company are relying on consent to process the user’s personal data. However, this will not affect the lawfulness of any processing carried out before the user withdraws their consent. If the user withdraws their consent, The Company may not be able to provide certain products or services to the user. The Company will advise the user if this is the case at the time they withdraw their consent.