This Privacy Policy describes how DROOL ART LIMITED (“DROOL,” “we,” “us,” or “our”) collects, uses, and discloses personal information when you visit www.drool-art.com (the “Site”), make a purchase, or otherwise interact with us.

To exercise any of the privacy rights described in this policy, please visit our Privacy Hub, which contains region-specific request forms for customers in the United States, United Kingdom, European Union, Canada, Brazil, South Africa, Japan, Thailand, Australia, New Zealand, and elsewhere. You may also email us at privacy@drool-art.com — both methods are equally supported.

1. Personal information we collect

We collect the following categories of personal information:

• Contact and order information — name, email address, phone number, billing and shipping address, and details of the products you purchase. We refer to this collectively as “Order Information.” We do not store full payment card numbers; these are processed directly by our payment providers.

• Account information — if you create a customer account, your login credentials and saved preferences.

• Communications — messages you send us by email, contact form, or customer support, and our responses.

• Device and usage information — IP address, browser type, time zone, operating system, referring URLs, pages viewed, and how you interact with the Site, collected automatically via cookies, log files, web beacons, tags, and pixels. We refer to this collectively as “Device Information.”

• Marketing and SMS preferences — your subscription status and consent for email and SMS marketing.

When we talk about “Personal Information” in this Privacy Policy, we mean Order Information, Device Information, and any other information that identifies or relates to you.

Sources of Personal Information

We collect Personal Information from the following sources:

• Directly from you — when you place an order, create an account, contact us, or sign up for marketing.

• Automatically from your device — through cookies, pixels, and similar technologies when you visit the Site.

• Service providers — including Shopify, payment processors, shipping carriers, customer support tools, and review/UGC platforms acting on our behalf.

• Advertising and analytics partners — such as Meta and Google, who provide reporting, audience-matching, and ad-performance data.

• Fraud-prevention and risk vendors — including Shopify’s built-in fraud analysis, which provides risk signals about transactions.

2. How we use personal information

We use Personal Information to:

• Process and fulfil your orders, including payment, shipping, returns, and customer invoices or confirmations.

• Create and manage your account.

• Provide customer support and respond to your inquiries.

• Send transactional communications (order confirmations, shipping updates, receipts).

• Send marketing communications, including cart reminder messages, where you have opted in. You may opt out at any time.

• Screen orders for potential risk or fraud (in particular using your IP address and device information). All fraud-related decisions are reviewed by a human before any action affecting your order is taken.

• Personalise your experience and show relevant products and offers.

• Measure and improve the Site’s performance, content, and advertising.

• Comply with legal obligations and enforce our terms.

3. Legal bases for processing (UK/EU)

If you are located in the United Kingdom, European Economic Area, or Switzerland, we rely on the following legal bases under the UK GDPR and EU GDPR:

• Contract — to process your orders and provide the services you request.

• Consent — for marketing communications, SMS messages, and non-essential cookies. You may withdraw consent at any time.

• Legitimate interests — to operate and improve our business, secure the Site, and prevent fraud, where our interests are not overridden by your rights.

• Legal obligation — to comply with tax, accounting, consumer protection, and other laws.

4. Cookies and tracking technologies

We use cookies and similar technologies (pixels, tags, log files, local storage) for essential site functionality, analytics, personalisation, and advertising. You can manage your preferences at any time via the cookie banner on our Site or by clicking “Your Privacy Choices” in our footer.

We honour Global Privacy Control (GPC) browser signals as a valid opt-out of the sale and sharing of personal information for U.S. visitors. We do not currently respond to generic “Do Not Track” signals, which are not standardised.

5. SMS and messaging

If you opt in to receive SMS messages from us, we collect and use your phone number and related consent information to send you updates, cart reminders, and promotional messages. We will not share your opt-in to an SMS campaign with any third party for purposes unrelated to providing you with the services of that campaign. We may share your personal data, including your SMS opt-in or consent status, with third parties that help us provide our messaging services (platform providers, phone companies, and vendors who assist in the delivery of text messages). Text messaging originator opt-in data and consent will not be shared with any third parties for unrelated purposes. You can opt out at any time by replying STOP.

6. Financial incentives

From time to time we offer a discount or other benefit (for example, a one-time discount code, free shipping, or a gift) in exchange for signing up for our marketing email or SMS list. The specific offer may vary from time to time and will be described at the point of signup.

The personal information collected through these programmes (your email address, phone number, and consent status) has value to us in the form of repeat purchases and reduced marketing acquisition costs. We have estimated this value based on the discount or benefit offered and historical engagement and purchase rates of our subscribers.

Participation in any incentive programme is entirely voluntary. You may withdraw at any time by unsubscribing from our marketing emails (link in every email) or by replying STOP to any SMS message, and we will not penalise you or deny you goods or services for doing so. The discount code or benefit you have already received remains valid in accordance with its stated terms.

7. How we share personal information

We share Personal Information with the following categories of recipients:

• Shopify (e-commerce platform and host) — receives Order Information, Account Information, Communications, and Device Information necessary to host the Site and process orders.

• Payment processors (e.g., Shopify Payments) — receive name, billing address, email, and payment card details directly from you at checkout. We do not store full card numbers.

• Shipping carriers and fulfilment apps — receive name, shipping address, phone number, and order details necessary to deliver and, where applicable, return your order.

• Email and SMS providers (e.g., Klaviyo) — receive name, email, phone number, marketing/SMS consent status, purchase history, and engagement data to send transactional and marketing messages on our behalf.

• Customer support tools — receive name, email, order details, and the contents of any messages you send us, in order to assist with your enquiry.

• Reviews and user-generated-content platforms — receive name, email, and order details to invite you to leave a review and to publish reviews you choose to submit.

• Meta (Facebook/Instagram) — receives hashed email, IP address, and event data (e.g., page view, add-to-cart, purchase value) for ad delivery, measurement, and audience matching.

• Google (Ads and Analytics) — receives hashed email, IP address, device identifiers, and event data for analytics, ad delivery, and measurement.

• Fraud-prevention vendors — including Shopify’s built-in fraud analysis, which receives IP address, device information, and order details to provide risk signals about transactions.

• Professional advisors — accountants, lawyers, and insurers where necessary.

• Authorities — where required by law, subpoena, court order, or to protect our rights, safety, or property or that of others.

• Business transfers — in connection with a merger, acquisition, reorganisation, financing, or sale of all or part of our business.

We may also use additional service providers from time to time (for example, hosting, analytics, or operational tools); where we do, we contractually require them to process Personal Information only on our instructions and in line with this policy.

We do not sell Personal Information for money. Some of our advertising-related sharing qualifies as a “sale” or “sharing” under California and other U.S. state laws; you can opt out via our Do Not Sell or Share My Personal Information page (see also “U.S. state privacy rights” below).

You can learn more about how Google uses your personal information at policies.google.com/privacy and opt out of Google Analytics at tools.google.com/dlpage/gaoptout. For general targeted-advertising opt-outs, visit the Digital Advertising Alliance’s portal at optout.aboutads.info and the Network Advertising Initiative at networkadvertising.org.

8. International data transfers

We are based in the United Kingdom, and Personal Information we collect may be transferred to, stored, and processed in countries outside the UK and EEA, including the United States and Canada. Where required, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the European Commission’s Standard Contractual Clauses, and the UK Extension and EU-U.S. Data Privacy Framework.

9. Data retention

We retain Personal Information for as long as necessary to provide the services, comply with our legal obligations (including tax and accounting requirements, typically six years in the UK for transactional records), resolve disputes, and enforce our agreements. When Personal Information is no longer needed, we delete or anonymise it.

10. Security

We maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Information. No system is perfectly secure, however, and we cannot guarantee the absolute security of information transmitted to or from the Site.

11. Your privacy rights

Depending on where you live, you may have rights including:

• The right to access and obtain a copy of your Personal Information.

• The right to correct inaccurate Personal Information.

• The right to delete your Personal Information.

• The right to data portability.

• The right to object to or restrict certain processing, including direct marketing.

• The right to withdraw consent at any time.

• The right to opt out of the sale or sharing of your Personal Information and of targeted advertising.

• The right to limit the use and disclosure of sensitive Personal Information (California). We do not currently use or disclose sensitive Personal Information for purposes other than those permitted under the CPRA (e.g., providing the services you request, security, and short-term transient use), so this right does not currently apply, but we will update this policy if our practices change.

• The right to non-discrimination for exercising these rights.

• The right to lodge a complaint with your local data protection authority.

To submit a request, you may use either of two equally supported methods: (1) the appropriate form on our Privacy Hub, or (2) email us at privacy@drool-art.com with “Privacy Request” in the subject line. We will verify your identity before responding and will respond within the timeframes required by applicable law. You may designate an authorised agent to submit a request on your behalf.

United Kingdom, European Economic Area, and Switzerland

Submit requests via our Privacy Rights (GDPR) page or by emailing privacy@drool-art.com. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your EEA national data protection authority.

U.S. state privacy rights

Residents of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, New Jersey, New Hampshire, Iowa, Indiana, Tennessee, Nebraska, Minnesota, Maryland, Kentucky, Rhode Island, and other states with comprehensive privacy laws have the rights described above, including the right to opt out of the sale or sharing of Personal Information and of targeted advertising. Exercise these rights via:

• Your Privacy Choices — for access, deletion, correction, and similar requests.

• Do Not Sell or Share My Personal Information — to opt out of sale, sharing, and targeted advertising.

• privacy@drool-art.com — to submit any of the above requests by email.

We honour Global Privacy Control (GPC) browser signals as a valid opt-out.

California “Shine the Light” law. California residents may request a list of third parties to whom we have disclosed Personal Information for those third parties’ direct marketing purposes in the prior calendar year. We do not share Personal Information in this way.

Canada

Canadian residents, including Quebec residents under Law 25, may submit requests via our Privacy Rights (Canada) page or by emailing privacy@drool-art.com.

Brazil

Brazilian data subjects may exercise rights under the LGPD via our Central de Privacidade or by emailing privacy@drool-art.com.

South Africa

Residents of South Africa may exercise rights under POPIA via our POPIA Compliance page or by emailing privacy@drool-art.com.

Japan

Residents of Japan may submit requests under the APPI via our プライバシーに関する権利 (APPI) page or by emailing privacy@drool-art.com.

Thailand

Residents of Thailand may exercise rights under the PDPA via our PDPA Compliance page or by emailing privacy@drool-art.com.

Australia and New Zealand

Residents of Australia and New Zealand may submit requests via our Privacy Rights (AU/NZ) page or by emailing privacy@drool-art.com.

Other regions

If none of the regions above apply to you, please use our general privacy request page or email privacy@drool-art.com.

12. Children’s privacy

Our Site is not directed to children under 16, and we do not knowingly collect Personal Information from children. If you believe a child has provided us with Personal Information, please contact us and we will delete it.

In addition, we do not knowingly sell or share the Personal Information of consumers under the age of 16. If we learn that we have inadvertently collected such information, we will only sell or share it with the affirmative opt-in consent required by the California Consumer Privacy Act (parental consent for consumers under 13, and the consumer’s own consent for consumers aged 13 to 16).

13. Automated decision-making

We do not use Personal Information for automated decision-making that produces legal or similarly significant effects. Where automated systems flag a transaction as potentially high-risk (for example, fraud screening), the resulting decision is reviewed by a person before any action is taken.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page and update the “Last updated” date below. Material changes will be communicated more prominently where required by law.

15. Contact us

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us:

DROOL ART LIMITED

Lytchett House, 13 Freeland Park

Wareham Road, Poole

Dorset, BH16 6FA

United Kingdom

Website: www.drool-art.com

Email: privacy@drool-art.com

Last updated: 30 April 2026