Privacy Policy
Kitd LTD (referred to as "we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy outlines how we collect, use, store, and share your personal information in order to be able to service you and provide sports team kits and similar products.
We are a "Data Controller" for the personal data we process, meaning we determine the purposes and means of processing that data.
5-7 Montgomery Street Lane, Edinburgh, EH7 5JT
We collect and process various types of personal data depending on your relationship with us (e.g., as a club manager, team manager, player, parent/guardian etc.).
| Category of Data Subject | Data Collected | Purpose of Collection | Lawful Basis for Processing (UK GDPR) |
|---|---|---|---|
| Club/Team Managers/Order Placer | Name, Email Address, Phone Number, Club/Team Name, Billing Address, Payment Information (handled via secure provider). | To set up accounts, manage orders, communicate about designs and delivery, and process payments. | Performance of a Contract (to supply the kits as per your order/agreement). |
| Players/Kit Recipients | Full Name, Delivery Address, Specific Sizing Information, Preferred Player Number, Initials/Personalisation details. | To accurately manufacture, personalise (printing/embroidery), and deliver the custom sportswear kit to the correct person. | Performance of a Contract (necessary to fulfil the custom order). Legitimate Interests (to manage and dispatch bulk club orders efficiently). |
| Website/General Enquiries | Anonymised IP address (last octet removed), browser type, usage data (via cookies), name, and email for correspondence. | To improve our website, respond to enquiries, send requested information (if you opt-in), and for security monitoring (see Section 8). | Legitimate Interests (to run our business and website effectively, security monitoring). Consent (for optional marketing communications). |
We collect data from the following sources:
Directly from you: When you place an order online, via email, over the phone, or through club-specific order forms.
From your Club/Team Manager/Club Rep: In the case of bulk team orders, the club or team manager may provide us with a list of names, sizes, and personalisation details (e.g., player numbers) for the players on their behalf. In this case, your Club/Team is responsible for ensuring they have a lawful basis to share your data with us.
Through our website: When you use our contact forms, sign up for a newsletter, or through the use of cookies (see Section 7).
We only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
To Fulfil Your Order (Contract): To process the design, manufacture, personalisation (e.g., names and numbers), packaging, and delivery of your bespoke sportswear.
To Communicate with You (Contract/Legitimate Interest): To provide order updates, resolve issues, and respond to your enquiries.
For Marketing (Consent): To send you updates, promotions, or offers about our products and services, but only if you have given us explicit, clear, and separate consent to do so. You can withdraw this consent at any time.
For Business Operations (Legitimate Interest): For accounting, record-keeping, and to defend our legal rights.
We may need to share your personal data with third parties for the purposes set out in this policy. We only share the minimum data necessary for the service and ensure all third-party providers are compliant with UK data protection law.
Delivery Partners: We will share names and delivery addresses with courier and postal services (e.g., Royal Mail, DPD) to ensure your order reaches you.
Payment Processors: Your payment information is processed by secure, third-party payment gateways (e.g., Shopify Payments, PayPal). We do not store your full card details.
Manufacturers/Suppliers: We may share names, numbers, initials, and sizing details with our trusted suppliers or in-house team to apply the required personalisation to your kit.
Professional Advisors: Such as lawyers, accountants, or insurers, when necessary for legal or professional services.
Legal Obligation: If we are required to disclose your personal data to comply with any legal obligation or lawful request from public authorities.
Our website uses cookies to distinguish you from other users. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.
We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way. This includes encrypted storage, password-protected systems, and limited access to personal data for our employees and service providers.
We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Security Event Monitoring
To protect our systems and your data, we monitor and log security-related events such as authentication attempts, rate limit violations, and suspicious activity. This monitoring helps us detect and prevent fraud, abuse, and security threats.
IP Address Anonymisation: For privacy protection, we anonymise IP addresses before storing them in our security logs. IPv4 addresses have their last octet removed (e.g., an address like xxx.xxx.xxx.123 becomes xxx.xxx.xxx.0), and IPv6 addresses are similarly anonymised. This allows us to detect patterns and threats while protecting your privacy.
Data Retention: Security event logs are retained for up to 90 days, after which they are automatically deleted. Critical security events may be retained longer if required for legal or security purposes.
Your Rights: You have the right to request access to security event data related to your account, and to request deletion of such data where legally permissible. See Section 12 for more information on your rights.
Maintaining the security and privacy of our customers' personal data is a collective responsibility. Any customer, individual, employee, or contractor granted access to our order system, internal network, or any system containing customer data (including names, addresses, sizing, and payment information) must adhere to the following strict guidelines:
1. Data Minimisation and Necessity
All users must strictly adhere to the principle of data minimisation.
Do not enter unnecessary data: Only collect, record, and enter the minimum personal information required to process the order (e.g., name, size, number, and address).
Children & Vulnerable Adults: Be especially sensitive around data relating to children and vulnerable adults. Please contact us before submitting data if you are unsure or need any advice. We have a policy that we do not provide products personalised with children's names.
Avoid free text fields for sensitive data: Do not record or input any highly sensitive or unnecessary personal information into the system (e.g., political opinions, detailed health data, or any special category data) unless it is explicitly required and a lawful basis has been established.
2. Password and Access Security
Strong Passwords: You must use strong, unique passwords for accessing the order system and any other systems containing customer data. Passwords should contain a mix of upper and lower-case letters, numbers, and symbols.
Password Confidentiality: Never share your user ID or password with any other person, under any circumstances. Access is personal and must be logged under your unique credentials.
Secure Log-Out: Always log out of the order system and lock your computer screen when leaving your workstation, even for a short time.
Storage: Your usernames and passwords must be kept secure at all times and should never be shared.
3. Data Confidentiality and Handling
Non-Disclosure: All customer information is strictly confidential. Do not discuss or disclose customer data (including order details, addresses, or sizing) to any unauthorised personnel, third parties, or outside of the professional context of fulfilling the order.
Secure Storage (Physical & Digital): If you must temporarily store or process data outside the main system (e.g., on a spreadsheet for a bulk order), the file must be password-protected and deleted immediately upon successful upload or completion of the order. Physical documents containing personal data must be kept under lock and key.
Prompt Reporting: If you suspect a data breach, a security vulnerability, or an unauthorised disclosure of personal information, you must report it to Kitd LTD immediately.
At Kitd LTD, we take the security of your data seriously and implement robust measures to protect your information. However, you, as a customer, are the first line of defence against online scams and phishing attempts.
We want to make you aware of common tactics used by criminals and provide guidance on how to keep your personal and financial details safe when interacting with us online.
1. Phishing and Fraudulent Contact
Phishing is a common technique used by fraudsters where they try to trick you into clicking a link, opening an attachment, or giving away personal/financial information by pretending to be a legitimate organisation.
Kitd LTD will NEVER ask you for the following information via an unsolicited email, text message, or phone call:
Your full payment card number, CVV, or PIN.
Your account password or login credentials.
To transfer money to a different bank account than the one used for your official order invoice/checkout.
To provide personal data (like sizing or name details) by clicking on a suspicious link or downloading an unexpected file.
2. How to Spot and Avoid Scams
To protect yourself and your club members, please be vigilant and follow these steps:
| Warning Sign | Your Protective Action |
|---|---|
| Unexpected Communication | STOP: If you receive an email or text message claiming to be from Kitd LTD that you were not expecting, particularly one with an urgent request or an offer that seems "too good to be true." |
| Suspicious Links or Attachments | DO NOT CLICK: Never click on links in suspicious messages. If you think the message might be genuine, do not use the link; instead, type the official Kitd LTD website address directly into your browser or call us on the official number provided in Section 2. |
| Request for Credentials | NEVER SHARE: We will never ask you to confirm or update your password or payment details via email. If you need to update your details, log into your verified account on our official website. |
| Fake Websites | CHECK THE URL: Always verify the website address in your browser bar when placing an order or making a payment. Look for the padlock symbol and ensure the address is correct (e.g., www.kitdltd.co.uk, not a variation with misspellings). |
| Unusual Payment Requests | REFUSE: We process all secure payments through our official website's payment gateway. If you are asked to pay for an order via a direct bank transfer, especially to an unverified or unusual account, treat it as highly suspicious. |
3. What to do if you suspect a scam
If you receive a suspicious communication, or believe you have been the victim of fraud related to our services:
Contact us immediately: Use the official email address or phone number in Section 2 of this policy to report the issue.
Report the communication:
Suspicious emails: Forward them to the UK's National Cyber Security Centre (NCSC) at report@phishing.gov.uk.
Suspicious text messages: Forward them free of charge to 7726.
Report to authorities: If you have lost money or believe you have been a victim of cyber-crime or fraud, report it to Action Fraud (the UK's national reporting centre for fraud and cyber crime) online or by calling 0300 123 2040.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Order and Personalisation Data: We will typically retain order-related data (including personalisation details, sizing, and payment records) for up to six years to comply with UK tax, legal, and warranty obligations.
Marketing Consent: We will keep data for marketing purposes until you withdraw your consent.
Under UK data protection law, you have the right to:
| Your Right | What it means |
|---|---|
| Request access (Subject Access Request) | To receive a copy of the personal data we hold about you. |
| Request correction | To have incomplete or inaccurate data we hold about you corrected. |
| Request erasure (Right to be forgotten) | To ask us to delete or remove personal data where there is no good reason for us to continue processing it. |
| Object to processing | Where we are relying on a legitimate interest and you want to stop us from processing your data. |
| Request restriction of processing | To ask us to suspend the processing of your personal data in certain scenarios. |
| Request the transfer (Data Portability) | To have your personal data transferred to you or a third party. |
| Withdraw consent | To withdraw consent at any time where we are relying on consent to process your personal data. |
To exercise any of these rights, please contact our Data Protection Contact using the details provided in Section 2, or reach us via our contact page. We will respond to your request within one month.
If you have concerns about our privacy practices, please contact us in the first instance. If you are not satisfied with our response, you have the right to make a complaint at any time to the UK's supervisory authority for data protection matters, which is the Information Commissioner's Office (ICO).
ICO Contact Details:
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline Number: 0303 123 1113
This privacy policy is effective as of March 2026 and will be updated as necessary to reflect changes in our practices or applicable laws.