Privacy Policy

Introduction

Your privacy is important to us. This Privacy Policy explains how Oxygen-AT (referred to as “we”, “us”, or “our”) collects, uses, and protects your personal information when you use our website oxygen-at.com or purchase our products. We comply with the UK General Data Protection Regulation (UK GDPR) and the EU GDPR in handling personal data, and we have written this policy in clear language for transparency. By using our site or services, you agree to the collection and use of information in accordance with this policy.

Who We Are

Oxygen-AT is a sole trader business based in the United Kingdom. The business is owned and operated by David Lamb (trading as Oxygen-AT). For the purposes of data protection law, David Lamb is the “data controller” of your personal information. If you have any questions about this Privacy Policy or how we use your data, you can contact us at admin@oxygen-at.com (or via the contact details provided on our Contact page).

Personal Data We Collect

We only collect personal data that is necessary for the operation of our store and the services you request. This includes:

  • Identity and Contact Data: Your name, shipping address, billing address, email address, and phone number (collected when you place an order or sign up for an account).

  • Order and Transaction Data: Details of the products you have ordered, order dates/times, and transaction amounts. (Note: We do not collect or store your full payment card details – payments are handled securely by third-party processors as described below.)

  • Payment Information: Payment method details (e.g. card type or PayPal account email). We use Stripe and PayPal to process payments, so your financial details are transmitted directly to those providers. We do not store your credit/debit card numbers on our servers; Stripe and PayPal handle this information in accordance with their own security standards and privacy policies.

  • Account Data: If you create an account on our site, we collect your login details (username and password – passwords are stored in hashed/encrypted form) and any preferences or information you save in your account profile.

  • Communications: Copies of your communications with us (emails or messages via our contact form), and any information you choose to provide when contacting us (such as queries, feedback, or reviews).

  • Marketing Data: If you subscribe to our newsletter or marketing communications, we collect your name and email address for that purpose.

  • Technical and Usage Data: When you visit our site, we may automatically collect certain information about your device and browsing actions through cookies and similar technologies. This can include your IP address, browser type, device identifiers, pages viewed, and how you interact with our website. (See our Cookie Policy for more details on what we collect and why.)

We do not collect any special categories of personal data (such as sensitive personal information like health, religion, or biometric data). Our website and services are intended for adults; we do not knowingly collect personal data from children under 16 years of age.

How We Use Your Information

We will only use your personal data for legitimate business purposes and in accordance with applicable laws. The main purposes for which we process your information are:

  • To Fulfil Orders and Provide Services: We use your name, address, and contact details to process and deliver your orders. This includes sharing necessary details with our suppliers and delivery partners to ship the product to you, and using your email to send order confirmations, invoices, and shipping notifications. We process this data to perform our contract with you (your purchase).

  • Customer Service: We will use your contact information to communicate with you about any inquiries, support requests, or issues with your order. For example, if you contact us with a question or a problem, we will use your info to respond and resolve it.

  • Returns and Refunds: If you exercise your right to cancel an order or request a return/refund, we will use your details to process the return and provide any refund due.

  • Marketing (With Consent): If you have subscribed to our newsletter or opted in to receive marketing emails, we will use your name and email to send you our news, product updates, special offers, and promotions. You will only receive such communications if you have given explicit consent to receive them (e.g. by signing up on our site or ticking an opt-in box). We do not send unsolicited marketing emails, and you can opt out at any time. (See “Marketing Communications” below for more details.)

  • Personalization and Analytics: We may use cookies and similar technologies to understand how customers use our site and to improve your browsing experience. For example, we might analyze which products or pages are popular to improve our offerings, or remember your preferences (like language or currency). This usage data is often aggregated and does not directly identify you, but it may be linked to your account if you are logged in.

  • Legal Obligations: In some cases we need to process and retain certain data to comply with legal requirements. For example, we keep transaction records for accounting and tax purposes, and we may use your personal data to satisfy consumer protection laws (such as keeping proof of purchase and communications related to orders, or providing information required by law enforcement or regulators if lawfully requested).

  • Fraud Prevention and Security: We may process personal data to protect our business and customers from fraud and other illegal activities. For instance, information like IP address or payment details may be used to detect fraudulent transactions. We also use security measures (described below) to safeguard our site and your data. If necessary, we may share data with payment providers or authorities to investigate fraud.

  • Other Legitimate Interests: We may process your data for additional purposes that are compatible with the original purpose and allowed under data protection law. For example, if you have already bought from us, we may send a one-off follow-up email asking for feedback on the product or our service. We will only do this where it is lawful and not overridden by your rights.

We will not use your personal information for any purpose that is incompatible with the purposes listed above. In particular, we do not sell or rent your personal information to third parties for their own marketing. If we ever need to use your data for a new purpose, we will update this Privacy Policy and, if required, seek your consent.

Legal Bases for Processing

Under the UK and EU GDPR, we must have a valid “legal basis” (reason) to process your personal data. Depending on the specific processing activity, we rely on one or more of the following legal bases:

  • Performance of a Contract: We process most of your information to fulfill our contract with you. When you place an order, a contract of sale is formed – we need to use your personal data (name, address, payment info, etc.) to deliver the product and service you requested. Without this data, we cannot perform our agreement with you.

  • Consent: We rely on your consent for certain types of processing. For example, we will only send you marketing emails or newsletters if you have given clear consent for us to do so (such as by signing up for our mailing list). You have the right to withdraw consent at any time, and if you do so we will stop the processing that was based on consent (for instance, we will stop sending you the newsletter). Withdrawing consent will not affect the lawfulness of any processing we already carried out while we had your consent.

  • Legitimate Interests: In some cases, we process data because it is in our legitimate business interests to do so, and we have assessed that this does not override your rights and freedoms. For example, it is in our interest to understand how customers use our website so we can improve it, or to prevent fraud and secure our platform. When we rely on legitimate interests, we ensure that we consider and balance any potential impact on you (both positive and negative) and your rights under data protection laws. You have the right to object to processing based on our legitimate interests if you have grounds relating to your particular situation.

  • Legal Obligation: We may process and retain certain data because we have a legal obligation to do so. For instance, UK tax law and accounting rules require us to keep transaction records (which include personal data) for a certain number of years. If we are subject to a lawful request by public authorities (e.g. law enforcement) to provide personal data, that processing would be based on legal obligation.

Where two or more legal bases apply for the same processing (which can happen, for example, with order data – we process it to perform the contract and to meet legal record-keeping duties), we have noted this in relevant sections of this Policy. If you have questions about the specific legal basis for any particular processing of your data, feel free to contact us.

How We Share Your Personal Data

We treat your personal information with care and confidentiality. We will never sell your personal data to third parties for marketing or any other purpose. However, we do share certain data with third parties in order to run our business and provide services to you – always on a need-to-know basis and under appropriate safeguards. The types of third parties with whom we share data are:

  • Product Suppliers and Fulfilment Partners: Oxygen-AT operates on a dropshipping model. This means that when you purchase a product from us, the item may be shipped to you directly by our third-party supplier (for example, a supplier on AliExpress). We will share the necessary information with that supplier solely for the purpose of fulfilling your order – typically, your name and delivery address (and possibly your telephone or email if required for delivery notifications). We require our suppliers to use this information only for order fulfillment and to handle it securely. (Please note: our suppliers may be located outside of the UK/EU – see “International Data Transfers” below.)

  • Delivery Companies: If we use separate shipping or courier companies (for instance, postal services or courier partners) to deliver your order, we will provide them with your name, delivery address, and contact information needed to complete the delivery. These companies are also obligated to protect your data and use it only for shipping purposes.

  • Payment Processors: We use reputable third-party payment processors, namely Stripe and PayPal, to handle payment transactions on our site. When you make a payment, you are securely redirected to or integrated with these platforms. The information you provide at checkout (such as your credit card number or PayPal login) is transmitted directly to the payment processor; we do not see or store your full financial details. The payment processor will provide us with limited information to confirm the transaction (e.g. your name, email, billing address, and a confirmation that payment was successful). Stripe and PayPal are independent data controllers for the payment information you provide to them; we recommend reviewing their Privacy Policies for information on how they handle your data.

  • Email Marketing Provider (Mailchimp): If you subscribe to our email newsletter or other marketing communications, your name and email address will be shared with our email service provider Mailchimp (operated by Intuit). We use Mailchimp to manage our subscriber list and to design and send out marketing emails. Mailchimp stores subscriber data on its secure servers and processes it only on our instructions, for the purpose of sending you the emails you signed up for. Please note: Mailchimp is a US-based service, so your email and name may be transferred to the United States (see “International Data Transfers” below for how we protect your data in such cases). Mailchimp has contractually committed to comply with data protection requirements when transferring data internationally. We have a Data Processing Agreement in place with Mailchimp to ensure your data is protected. You can unsubscribe from our mailing list at any time by clicking the “Unsubscribe” link in any of our emails or by contacting us.

  • Analytics and Cookies: We may use third-party analytics tools (such as Google Analytics) to collect anonymized data about website traffic and usage. These tools may set cookies in your browser (with your consent – see our Cookie Policy) and collect technical information like your IP address or device ID. However, this information is anonymized or aggregated so that it does not directly identify you. It helps us analyze website performance and user behaviour (e.g. which pages are visited most) so we can improve our service. Google Analytics, for example, operates as a data processor for us, and we have configured it to minimize data collection (IP anonymization is enabled). You can opt out of analytics cookies through our cookie consent banner or by installing the Google Analytics opt-out browser add-on.

  • Service Providers: We employ other companies and individuals to perform functions on our behalf, strictly to support our website and services. For example, this includes our web hosting provider (which stores our website and database), IT support or developers (who may occasionally need access to fix issues), and cloud storage or backup services. These providers may in the course of their work have access to personal data, but only to the extent necessary to perform their tasks. They are obligated by contract to keep your data confidential and secure.

  • Legal and Compliance: We may disclose personal information to courts, law enforcement, government authorities, or other third parties when we believe it is legally required to do so or when it is necessary to comply with our legal obligations, enforce our terms and conditions, or protect our rights, property, or safety (or those of our customers and business partners). This might include sharing information for fraud prevention or to reduce credit risk.

In all cases, we only share the minimum information that the third party needs to perform their specific service. Wherever feasible, data is encrypted or otherwise protected. All third parties who process personal data on our behalf are subject to contractual obligations to process it in line with applicable privacy laws, to use it only for the purposes we specify, and to apply appropriate security measures.

If we ever need to transfer or share your data for any other reason (for example, in the event of a business transfer or merger), we will notify you and ensure such transfer is lawful and subject to confidentiality.

International Data Transfers

As a UK-based business serving customers globally, some of the personal data we collect may be transferred and stored outside of the United Kingdom (UK) or European Economic Area (EEA). In particular:

  • Our email newsletter service (Mailchimp) and some of our dropshipping suppliers are based outside the UK/EU. For example, Mailchimp’s servers are located in the United States, and many of our product suppliers operate from China or other countries outside Europe. This means the personal information you provide (such as your email for newsletters, or your name and address for order fulfilment) may be transferred to or accessed from a country that has different data protection laws than your home country.

  • When we transfer personal data internationally, we take steps to ensure that appropriate safeguards are in place to protect your information. For transfers from the UK/EEA to countries not deemed “adequate” by UK/EU authorities, we use legally approved data transfer mechanisms. For example, we may incorporate standard contractual clauses (SCCs) into our contracts with service providers, which obligate them to protect your data to GDPR standards. In the case of Mailchimp, the company has certified its compliance with relevant data protection frameworks to allow lawful transfer of EU data to the US. Similarly, if we share data with our AliExpress suppliers in China for order fulfillment, this is done under the necessity of fulfilling our contract with you (the sale) and we ensure those suppliers handle the data securely and only for shipping purposes.

  • We continuously monitor the legal developments around international data transfers (such as new frameworks or court rulings) and will adjust our practices if needed to ensure ongoing compliance. Your privacy rights remain protected wherever your data is processed – we will always treat your information in accordance with this Privacy Policy, whether it is handled in the UK or elsewhere.

If you have questions about the specific safeguards in place for the transfer of your data internationally, please contact us. We can provide more details upon request (for example, references to the specific contractual clauses or certification applicable).

Data Retention

We will retain your personal information only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. How long we keep data depends on the type of information and the purpose for which we use it:

  • Order and Transaction Data: We generally retain records of your purchases (invoices, order details, correspondence) for at least six (6) years from the date of the transaction. This retention period is based on UK tax and accounting laws (which require us to keep records for a minimum of 6 years) and is also useful for handling any disputes or warranty claims.

  • Customer Service Communications: If you contact us with inquiries or for support, we may keep those communications for up to 2 years after your issue is resolved, in case you have follow-up queries or to improve our services.

  • Account Information: If you create an account on our site, we will retain your account data while your account remains active. If you choose to delete your account, or if an account is inactive for an extended period (e.g. several years), we may anonymize or delete the account data. We may retain basic information about the account (like email address and orders made) for our records, but will either delete or anonymize personal details not needed.

  • Marketing Data: If you have subscribed to our newsletter or marketing emails, we will retain your email on our mailing list until you unsubscribe or ask us to remove it. If you unsubscribe, we may keep your email on a suppression list (to ensure we don’t accidentally email you again) as required by anti-spam laws.

  • Analytics Data: Data collected via analytics cookies is typically retained for a shorter period (often 14 months in the case of Google Analytics) or as specified in our Cookie Policy. This data is usually aggregated, but any identifiers are deleted or anonymised after the retention period.

  • Legal Requirements: In certain situations, we might need to keep data longer if required by law. For example, if we are handling a dispute or if a law enforcement request is ongoing, we will retain relevant data until the matter is fully resolved. We also retain any records necessary to comply with sanctions, fraud prevention, or other legal compliance programs.

After the applicable retention period ends, or if the data is no longer needed for the originally stated purpose, we will delete or anonymize your personal data in a secure manner. For example, we may archive old order records in a way that your personal details are removed, or securely erase data from our systems. If deletion is not feasible (for example, because the data is stored in backup archives), then we will securely store the data and isolate it from further use until deletion is possible.

Your Rights

As a customer or user in the UK or EU (or in other jurisdictions with similar data protection laws), you have certain rights over your personal data. We are committed to upholding these rights. You have the right to:

  • Access Your Data: You can request a copy of the personal information we hold about you, along with information on how we use it. This is commonly known as a “Subject Access Request.” We will provide this to you free of charge within the legal timeframes (generally within one month).

  • Rectification: If any of the personal data we hold about you is incorrect or incomplete, you have the right to have it corrected. For example, if you change address or spot an error in our records, please let us know and we will update it.

  • Erasure: You have the right to request that we delete your personal data in certain circumstances – for instance, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and we have no other legal basis to continue processing. This is sometimes called the “right to be forgotten.” Please note that this right is not absolute; we may need to retain certain information where we have a compelling legitimate reason or legal obligation (for example, we cannot delete your past transaction records immediately if we are required to keep them for tax purposes). We will however always comply with our legal obligations regarding deletion of data.

  • Restriction of Processing: You can ask us to suspend or restrict the processing of your personal data in certain scenarios. For example, if you contest the accuracy of the data, or if you have objected to processing (see below) and we are considering your request, you can ask that the data not be used other than to store it until the issue is resolved.

  • Data Portability: For data that you have provided to us and which we process by automated means on the basis of consent or contract, you have the right to request that we provide it to you (or a third party you nominate) in a commonly used, machine-readable format. For example, you could request an export of your account data.

  • Object to Processing: You have the right to object to certain types of processing. You can object to direct marketing at any time (and as a result we will stop sending you marketing). You can also object, on grounds relating to your particular situation, to any processing based on legitimate interests. If we agree that your objection is justified, we will stop the processing. If we believe we have overriding legitimate grounds to continue, we will let you know and explain our reasoning, and you still have the right to complain to a regulator (see below).

  • Withdraw Consent: Where we rely on your consent to process data (such as for sending promotional emails), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal. Once you withdraw consent, we will cease the relevant processing. For example, if you unsubscribe from our newsletter, we will stop sending it.

  • Automated Decision-Making: We do not currently carry out any fully automated decision-making or profiling that has legal or similarly significant effects on you. If that changes in the future, you have rights regarding such processes (including the right to obtain human intervention and to contest decisions).

  • Complaint to Supervisory Authority: If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). You can find details on how to report a concern on the ICO’s website. If you reside in an EU country, you may contact your local Data Protection Authority. We would, however, appreciate the chance to address your concerns directly before you approach a regulator – so please consider contacting us first, and we will do our best to resolve any issue.

To exercise any of your rights, please contact us at admin@oxygen-at.com. We may need to verify your identity before fulfilling certain requests (to ensure we don’t disclose data to the wrong person). We will respond to your requests as soon as possible, and in any event within the timeframe required by law (generally one month, which can be extended by two further months for complex requests; we will inform you if an extension is needed).

Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your experience and analyze how our site is used. Cookies are small text files placed on your device when you visit a website. Some cookies are essential for our site to function (for example, to remember items in your cart), while others help us improve the site (analytics cookies) or offer you a more personalized experience.

When you first visit our site, you will see a cookie consent banner. Except for cookies that are strictly necessary for the operation of the site, we will not set cookies on your device without your permission. You have the choice to accept or reject non-essential cookies (such as analytics or marketing cookies) via this banner, in line with UK and EU law that requires prior consent for non-essential cookies. You can also change your cookie preferences at any time by using the “Cookie Settings” link on our site or adjusting your browser settings to block or delete cookies.

For detailed information on the cookies we use, their purposes, and how to manage them, please see our separate Cookie Policy. In summary, we use cookies to remember your preferences, keep you logged in, analyze traffic (through tools like Google Analytics), and for advertising/marketing purposes (if applicable). Our Cookie Policy provides a list of cookies and explains how you can control them. By continuing to use our site with cookies enabled, you consent to our use of cookies as described in that policy.

Marketing Communications

As noted above, we will only send you marketing or promotional communications if you have actively opted in to receive them. This may occur, for example, when you enter your email to subscribe to our newsletter, or if you tick a checkbox during checkout to receive updates and offers. We follow all applicable laws and regulations regarding email marketing, including the UK Privacy and Electronic Communications Regulations (PECR) and EU anti-spam laws which require explicit consent for marketing emails.

How to Manage Your Preferences: If you have subscribed to our newsletter, you can unsubscribe at any time. Every marketing email we send will include an “Unsubscribe” link at the bottom. Simply click that link, and you will be able to opt out of further emails from us. Alternatively, you can contact us at any time at [email protected] and request to be removed from our mailing list. We will promptly honour all opt-out requests.

Please note that even if you opt out of marketing emails, we may still need to send you transactional or service emails related to your orders. For example, we will email you about order confirmations, shipping updates, or responses to your inquiries – those are not marketing communications but necessary for us to fulfill our contract with you.

Use of Mailchimp: Our marketing emails are sent via Mailchimp, as mentioned earlier. Mailchimp may use analytics technologies (like web beacons) in the emails to let us know if you opened an email or clicked a link, which helps us gauge engagement. We primarily use these statistics to improve our content and scheduling (for example, to see which topics are of most interest to subscribers). The data is only collected in aggregate form; we do not profile individual subscribers’ email behaviour beyond basic categorization (such as identifying inactive subscribers to remove from the list). If you prefer not to be tracked in this way, you can opt out of the newsletter entirely. We respect your choice and will ensure you only receive communications you’re comfortable with.

How We Protect Your Data

We take the security of your personal information very seriously. We have implemented a variety of technical and organizational measures to protect your data from unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: Our website is secured via SSL/TLS encryption. This means that when you enter personal information (such as your name, address, or credit card number) on our site, that information is encrypted in transit and transmitted securely. You can verify that our site is secure by looking for the padlock icon in your browser address bar and the “https://” prefix in our URL.

  • Payment Security: We use PCI-DSS compliant payment processors (Stripe and PayPal) to handle transactions. These providers are industry leaders in payment security. Your payment details are processed using secure encryption and tokenization methods. We never store your card numbers on our systems.

  • Access Controls: Personal data is stored on secure servers, and we limit access to those employees, contractors, and service providers who need to know the information in order to process it for us. All such persons are subject to strict confidentiality obligations. For example, our internal systems require authentication (passwords, 2-factor authentication where possible), and administrative access to databases is restricted to authorized personnel.

  • Malware Protection and Updates: We keep our website platform, plugins, and software up to date to protect against security vulnerabilities. We also use firewalls and security scanning tools to guard against malware and unauthorized intrusion.

  • Backups: We perform regular backups of our website data to ensure we can recover in case of any incidents. Backups are encrypted and stored securely.

  • Monitoring: Our hosting environment and security services monitor for suspicious activities or potential breaches. If we detect any unusual activity, we investigate and take action to protect your data.

  • Training and Policies: We ensure that anyone who handles personal data on our behalf is trained in data protection principles. We have internal policies in place to handle data securely and respond appropriately in the event of any security incident.

While we strive to protect your information, no website, database, or transmission can be guaranteed to be 100% secure. However, we maintain and continually improve our security practices to minimize risks. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant authorities as required by law.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or other factors. If we make significant changes, we will notify you by posting a prominent notice on our website or by other appropriate means. The “Last updated” date at the bottom of this page will indicate when the latest changes were made.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use our website or services after a change to the Policy, it will indicate your acceptance of the updated terms (where applicable). For any material changes that affect the way we handle personal data, we will seek re-consent if required by law.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us. Our contact details for privacy inquiries are:

We will be happy to assist you and will respond as soon as possible. Your trust is very important to us, and we are committed to safeguarding your privacy.

Last updated: 18 May 2025