Privacy policy

Summary

Welcome to the privacy policy of Nothing but Bands. This policy explains what data we collect, why we collect it, and your rights in relation to it. Latest update: October 12, 2025.

Owner and Data Controller

KZL Agency OÜ
Keemia tn 4
Tallinn
10616 Harjumaa
Estonia

Owner contact email: contact@nothingbutbands.com
Privacy email: privacy@nothingbutbands.com

Data Protection Officer (DPO)

We are not required to appoint a Data Protection Officer. For any privacy enquiries, please contact privacy@nothingbutbands.com.

UK Representative (Art. 27 UK GDPR)

Rickert Services Ltd UK
- KZL Agency OÜ -
PO Box 1487
Peterborough
PE1 9XX
United Kingdom

Contact: art-27-rep-KZLAgency@rickert-services.uk

UK residents may contact our UK Representative for matters related to the processing of Personal Data under the UK GDPR.

Types of Data collected

Among the types of Personal Data that this Application collects, by itself or through third parties, there are:

• Trackers
• Usage Data
• email address
• purchase history
• password
• number of Users
• session statistics
• payment info
• device information
• device logs
• browsing history
• clicks
• page views
• unique device identifiers for advertising (Google Advertiser ID or IDFA, for example)
• first name
• last name
• address
• contact details
• phone number
• interests
• gender
• search history
• referral URL
• country
• product interaction

Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.
Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using this Application.
Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.

If you do not provide required data: we may be unable to create an account, process your order, deliver products, or provide support. Refusing marketing consent does not affect your ability to shop.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.
Any use of Cookies – or of other tracking tools — by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy.

Users are responsible for any third-party Personal Data obtained, published or shared through this Application.

Sources - In addition to data you provide, we receive Personal Data from payment processors (Shopify Payments/Stripe/PayPal), analytics and advertising partners (e.g., Google, Meta, Microsoft, Pinterest), anti-fraud and security providers, and referral/affiliate partners.

Mode and place of processing the Data

Methods of processing

The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of this Application (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Owner at any time.

International data transfers

Some of our providers operate a global infrastructure. This means your Personal Data may be accessed from or transferred to countries outside the EEA/UK (for example, the United States) for hosting, content delivery, security monitoring, customer support, analytics, payments, email/SMS delivery and advertising measurement.

When such transfers occur, we implement appropriate safeguards to protect your Personal Data, including:

• the European Commission’s Standard Contractual Clauses (SCCs) with the UK Addendum/IDTA where required;
• transfers to recipients in countries subject to an adequacy decision; and
• where a U.S. recipient is self-certified, reliance on the EU–US Data Privacy Framework (and the UK Extension, as applicable).

We also assess (and ask our vendors to assess) the laws and practices of the destination country and adopt technical and organizational measures where needed. You can contact us at privacy@nothingbutbands.com to request more information.

Place

The Data is processed at the Owner's operating offices and in any other places where the parties involved in the processing are located.

Depending on the User's location, data transfers may involve transferring the User's Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data.

Retention periods 

We retain Personal Data for as long as necessary to fulfil the purposes set out in this policy, unless a longer period is required or permitted by law, including but not limited to tax, accounting and fraud-prevention requirements, or to establish, exercise or defend legal claims. Where feasible, we anonymize or aggregate data rather than retain it in identifiable form.

We periodically review the data we hold and either delete it or anonymize it when it is no longer needed. If we need to keep data longer to comply with legal obligations or to resolve disputes, we will restrict its use to those purposes only.

The purposes of processing

Legal bases by purpose (GDPR):

• Order fulfilment, returns & customer service → Contract; Legal obligation (tax/accounting); Legitimate interests (fraud prevention).

• Payments & fraud screening → Contract; Legitimate interests (prevent abuse); Legal obligation (AML where applicable).

• Email/SMS marketing (Klaviyo) → Consent (EEA/UK). You may withdraw consent at any time.

• Analytics (GA4) → Consent (EEA/UK).

• Advertising/remarketing (Meta/Google/Microsoft/Pinterest) → Consent (EEA/UK).

• Personalization & recommendations (Rebuy) → Consent (EEA/UK).

The Data concerning the User is collected to allow the Owner to provide its Service, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as the following:

• Managing contacts and sending messages
• Registration and authentication provided directly by this Application
• Tag management
• Analytics
• Handling payments
• Platform services and hosting
• Traffic optimization and distribution
• Infrastructure monitoring
• Interaction with external social networks and platforms
• Remarketing and behavioral targeting
• Advertising

Detailed information on the processing of Personal Data

Advertising

This type of service allows User Data to be utilized for advertising communication purposes. These communications are displayed in the form of banners and other advertisements on this Application, possibly based on User interests.
This does not mean that all Personal Data are used for this purpose. Information and conditions of use are shown below.
Some of the services listed below may use Trackers to identify Users or they may use the behavioral retargeting technique, i.e. displaying ads tailored to the User’s interests and behavior, including those detected outside this Application.
For more information, please check the privacy policies of the relevant services.
Services of this kind usually allow Users to opt out of such tracking. Users may learn how to opt out of interest-based advertising more generally by visiting the relevant opt-out section in this document.

Meta Ads (Pixel & Conversions API) — EEA/UK & US

Meta ads conversion tracking (Meta pixel) is an analytics service provided by Meta Platforms, Inc. or by Meta Platforms Ireland Limited, depending on how the Owner manages the Data processing, that connects data from the Meta Audience Network with actions performed on this Application. The Meta pixel tracks conversions that can be attributed to ads on Facebook, Instagram and Meta Audience Network.

Google Ads conversion tracking — EEA/UK & US

Google Ads conversion tracking is an analytics service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing, that connects data from the Google Ads advertising network with actions performed on this Application.

Google partner info: policies.google.com/technologies/partner-sites — Business Data: business.safety.google/privacy

Google Ads Customer Match — EEA/UK & US

Google Ads Customer Match is an advertising service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing, that allows matching Data that Users have shared with the Owner to existing Google accounts in order to target them or similar Users with personalized ads. Users can opt out of Google's use of personalized advertising by visiting Google's Ads Settings.

Google Ads Settings: adssettings.google.com/authenticated — Partner info: partner-sites — Business Data: business.safety.google/privacy

Google Ads enhanced conversions — EEA/UK & US

Google Ads enhanced conversions is an advertising service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing, that allows the Owner to send hashed first-party conversion Data to Google in order to improve conversion measurements.

Pinterest Ads — United States

Pinterest Ads is an advertising service provided by Pinterest, Inc. that allows the Owner to run advertising campaigns on the Pinterest advertising network.

Users may opt out of behavioral advertising features through their device settings, their Pinterest personalization settings.

Pinterest Conversion Tag — United States

Pinterest Conversion Tag is an analytics service provided by Pinterest, Inc. that connects data from the Pinterest advertising network with actions performed on this Application.

Users may opt out of behavioral advertising features through their device settings, their Pinterest personalization settings or by visiting the AdChoices opt-out page.

Microsoft Advertising — United States

Microsoft Advertising is an advertising and conversion tracking service provided by Microsoft Corporation or by Microsoft Ireland Operations Limited, depending on how the Owner manages the Data processing, that connects data from the Microsoft advertising network with actions performed on this Application. The service supports remarketing and interest-based ads across Microsoft properties and partner sites (including Bing).

Analytics

The services contained in this section enable the Owner to monitor and analyze web traffic and can be used to keep track of User behavior.

Google Analytics 4 — EEA/UK & US

Google Analytics 4 is a web analysis service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing, (“Google”). Google utilizes the Data collected to track and examine the use of this Application, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualize and personalize the ads of its own advertising network. In Google Analytics 4, IP addresses are used at collection time and then discarded before Data is logged in any data center or server. Users can learn more by consulting Google’s official documentation.

In order to understand Google's use of Data, consult their partner policy and their Business Data page.

Shopify Analytics — Canada/United States

Shopify Analytics is an analytics service provided by Shopify Inc. or by Shopify International Limited, depending on how the Owner manages the Data processing.

Tag management

This type of service helps the Owner to manage the tags or scripts needed on this Application in a centralized fashion.
This results in the Users' Data flowing through these services, potentially resulting in the retention of this Data.

Google Tag Manager — EEA/UK & US

Google Tag Manager is a tag management service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing.

In order to understand Google's use of Data, consult their partner policy and their Business Data page.

Stape (Server-side Google Tag Manager hosting) — EEA/UK & US

Stape provides hosting for Server-side Google Tag Manager (sGTM). This service routes analytics and advertising events you configure on this Application through a server-side container, which can improve data quality and control over data sent to third parties.

Customer support / Helpdesk

Zendesk (Customer Support) — EEA/UK & US

Zendesk is a customer support platform that helps us manage helpdesk tickets and communications. Support conversations may include order references and related account details needed to resolve your request.

Reviews & UGC

Okendo (Reviews & UGC) — EEA/UK & US

Okendo enables collection and display of product reviews, ratings, photos/videos, and Q&A on this Application. It may verify purchases and associate reviews with relevant orders and products.

Order tracking page

Track123 (Order Tracking) — EEA/UK & US

Track123 provides shipment tracking pages, status lookups, and optional delivery notifications so you can monitor the progress of your orders placed through this Application.

Managing contacts and sending messages

This type of service makes it possible to manage a database of email contacts, phone contacts or any other contact information to communicate with the User.
These services may also collect data concerning the date and time when the message was viewed by the User, as well as when the User interacted with it, such as by clicking on links included in the message.

Klaviyo (Email & SMS) — United States

The above excludes text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Klaviyo is an email address management and message sending service provided by Klaviyo Inc.

To take advantage of the service provided by Klaviyo, the Owner typically shares information about (purchasing) Users, such as for example contact details and shopping histories. Check the indication at “Personal Data processed“ below for an explanation of the extent of the sharing.

• email address
• phone number (where provided)
• purchase history
• Usage Data (message engagement)
• Trackers

• Email — use the unsubscribe link in any email.
  SMS — reply STOP to opt out and HELP for help. Message & data rates may apply; message frequency varies. You can also contact

• identifiers
• commercial information
• internet or other electronic network activity information

Further Information for Users in the European Union

Legal basis of processing

The Owner may process Personal Data relating to Users if one of the following applies:

• Users have given their consent for one or more specific purposes.
• provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
• processing is necessary for compliance with a legal obligation to which the Owner is subject;
• processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Owner;
• processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party.

In any case, the Owner will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Further information about retention time

Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the Users’ consent.

Therefore:

• Personal Data collected for purposes related to the performance of a contract between the Owner and the User shall be retained until such contract has been fully performed.
• Personal Data collected for the purposes of the Owner’s legitimate interests shall be retained as long as needed to fulfill such purposes. Users may find specific information regarding the legitimate interests pursued by the Owner within the relevant sections of this document or by contacting the Owner.

The Owner may be allowed to retain Personal Data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn. Furthermore, the Owner may be obliged to retain Personal Data for a longer period whenever required to fulfil a legal obligation or upon order of an authority.

Once the retention period expires, Personal Data shall be deleted. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

The rights of Users based on the General Data Protection Regulation (GDPR)

Users may exercise certain rights regarding their Data processed by the Owner.

In particular, Users have the right to do the following, to the extent permitted by law:

• Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
• Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent.
• Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
• Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
• Restrict the processing of their Data. Users have the right to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
• Have their Personal Data deleted or otherwise removed. Users have the right to obtain the erasure of their Data from the Owner.
• Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance.
• Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

Users are also entitled to learn about the legal basis for Data transfers abroad including to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data.

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.

Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time, free of charge and without providing any justification. Where the User objects to processing for direct marketing purposes, the Personal Data will no longer be processed for such purposes.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. Such requests are free of charge and will be answered by the Owner as early as possible and always within one month, providing Users with the information required by law. Any rectification or erasure of Personal Data or restriction of processing will be communicated by the Owner to each recipient, if any, to whom the Personal Data has been disclosed unless this proves impossible or involves disproportionate effort. At the Users’ request, the Owner will inform them about those recipients.

Supervisory authorities

You may lodge a complaint with your local supervisory authority. As our company is established in Estonia, you may also contact the Estonian Data Protection Inspectorate (AKI): info@aki.ee, +372 627 4135, Tatari 39, 10134 Tallinn, Estonia.

If you are in the United Kingdom, you may contact the Information Commissioner’s Office (ICO): icocasework@ico.org.uk, +44 303 123 1113, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK. Website: ico.org.uk.

If you are in Canada, you may contact the Office of the Privacy Commissioner of Canada (OPC): 30 Victoria Street, Gatineau, Quebec K1A 1H3, Canada. Tel: 1-800-282-1376. Website: priv.gc.ca.

If you are in Australia, you may contact the Office of the Australian Information Commissioner (OAIC): GPO Box 5218, Sydney NSW 2001. Tel: 1300 363 992. Website: oaic.gov.au.

Further information for Users in the United States

This part of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the business running this Application and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, “our”).
The information contained in this section applies to all Users (Users are referred to below, simply as “you”, “your”, “yours”), who are residents in the following states: California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana.
For such Users, this information supersedes any other possibly divergent or conflicting provisions contained in the privacy policy.
This part of the document uses the term Personal Information (and Sensitive Personal Information).

Identifiers

Commercial information

Internet or other electronic network activity information

Inferences drawn from other personal information

What are the sources of the Personal Information we collect?

We collect the above-mentioned categories of Personal Information, either directly or indirectly, from you when you use this Application.

For example, you directly provide your Personal Information when you submit requests via any forms on this Application. You also provide Personal Information indirectly when you navigate this Application, as Personal Information about you is automatically observed and collected.

Finally, we may collect your Personal Information from third parties that work with us in connection with the Service or with the functioning of this Application and features thereof.

Your privacy rights under US state laws

You may exercise certain rights regarding your Personal Information. In particular, to the extent permitted by applicable law, you have:

• the right to access Personal Information: the right to know. You have the right to request that we confirm whether or not we are processing your Personal Information. You also have the right to access such Personal Information;
• the right to correct inaccurate Personal Information. You have the right to request that we correct any inaccurate Personal Information we maintain about you;
• the right to request the deletion of your Personal Information. You have the right to request that we delete any of your Personal Information;
• the right to obtain a copy of your Personal Information. We will provide your Personal Information in a portable and usable format that allows you to transfer data easily to another entity – provided that this is technically feasible;
• the right to opt out from the Sale of your Personal Information; We will not discriminate against you for exercising your privacy rights.
• the right to non-discrimination.

Additional rights for Users residing in California

In addition to the rights listed above common to all Users in the United States, as a User residing in California, you have:

• The right to opt out of the Sharing of your Personal Information for cross-context behavioral advertising;
• The right to request to limit our use or disclosure of your Sensitive Personal Information to only that which is necessary to perform the services or provide the goods, as is reasonably expected by an average consumer. Please note that certain exceptions outlined in the law may apply, such as, when the collection and processing of Sensitive Personal Information is necessary to verify or maintain the quality or safety of our service.

Additional rights for Users residing in Virginia, Colorado, Connecticut, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana

In addition to the rights listed above common to all Users in the United States, as a User residing in Virginia, Colorado, Connecticut, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana you have

• The right to opt out of the processing of your personal information for Targeted Advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you;
• The right to freely give, deny or withdraw your consent for the processing of your Sensitive Personal Information. Please note that certain exceptions outlined in the law may apply, such as, but not limited to, when the collection and processing of Sensitive Personal Information is necessary for the provision of a product or service specifically requested by the consumer. In Maryland, your Sensitive Personal Information will be collected or processed only if strictly necessary to provide or maintain a specific product or service requested by you.

In Minnesota and Maryland Users also have the right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data

* Note that in some states like Minnesota you have the following specific rights connected to profiling:

• The right to question the results of the profiling;
  
• The right to be informed of the reason that the profiling resulted in the decision; if feasible
  
• The right to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future;
  
• The right to review personal data used in the profiling;
  
• If inaccurate, the right to have the data corrected and the profiling decision reevaluated based on the corrected data;
  

Additional rights for users residing in Utah and Iowa

In addition to the rights listed above common to all Users in the United States, as a User residing in Utah and Iowa, you have:

• The right to opt out of the processing of your Personal Information for Targeted Advertising;
• The right to opt out of the processing of your Sensitive Personal Information. Please note that certain exceptions outlined in the law may apply, such as, but not limited to, when the collection and processing of Sensitive Personal Information is necessary for the provision of a product or service specifically requested by the consumer.

How to exercise your privacy rights under US state laws

To exercise the rights described above, you need to submit your request to us by contacting us via the contact details provided in this document.

For us to respond to your request, we must know who you are. We will not respond to any request if we are unable to verify your identity and therefore confirm the Personal Information in our possession relates to you. You are not required to create an account with us to submit your request. We will use any Personal Information collected from you in connection with the verification of your request solely for verification and shall not further disclose the Personal Information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.

If you are an adult, you can make a request on behalf of a child under your parental authority.

How to exercise your rights to opt out

In addition to what is stated above, to exercise your right to opt out of Sale, Sharing, and Targeted Advertising, you can use our privacy choices page .

If you submit an opt-out via a user-enabled Global Privacy Control (GPC) signal, we will treat it as a valid request in a frictionless manner. The opt-out will be applied to the browser/device from which the signal is sent and, if you are logged in, we will also attempt to associate your preference with your account. If you clear cookies or use a different browser/device, you may need to reapply your choice on that environment.

How and when we are expected to handle your request

We will respond to your request without undue delay, and in all cases within the timeframe required by applicable law. If we need more time, we will explain the reasons and indicate the additional time required.

We do not charge a fee to process or respond to your request unless permitted by law (e.g., when a request is manifestly unfounded or excessive). In such cases, we may charge a reasonable fee or refuse to act and will explain our decision. For browser-based opt-outs (including GPC), we will not require you to create an account or undergo identity verification; for account-level requests we may take reasonable steps to verify your identity so we can apply the preference to your profile.

If we deny your request, you may appeal by emailing privacy@nothingbutbands.com with subject “Privacy Appeal.” We will respond within the time required by applicable law.