Privacy Policy
Go Sweet is a trading name of VAPE SUPPLIER™ Ltd, a company registered in England and Wales (company number 10873335, VAT number GB 272938666). VAPE SUPPLIER™ Ltd is registered as a data controller with the UK Information Commissioner's Office under registration number ZA710059. Our registered office is 33 Bennetts Hill, Birmingham, West Midlands, England, B2 5SN. In this policy, "we", "us" and "our" means VAPE SUPPLIER™ Ltd (t/a Go Sweet).
This privacy policy explains what personal data we collect when you use gosweet.co.uk, why we collect it, how we use it, who we share it with, how long we keep it and what rights you have over it. It is written in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.
Who we are and how to contact us
The data controller for personal data collected through gosweet.co.uk is VAPE SUPPLIER™ Ltd. We are the legal entity responsible for deciding how and why your personal data is processed. For all data protection enquiries, subject access requests, deletion requests or complaints about how we handle your data, contact us at help@gosweet.co.uk.
You can also write to us at our registered office: VAPE SUPPLIER™ Ltd, 33 Bennetts Hill, Birmingham, West Midlands, England, B2 5SN.
What personal data we collect
We collect personal data in the following categories:
- Identity and contact data: your full name, billing address, delivery address, email address and phone number, collected when you place an order or create an account
- Transaction data: details of the products you have purchased, order history, order value, refund history and delivery details
- Payment data: card type and the last four digits of your card number, retained for fraud prevention and refund processing. We do not store full card numbers or CVV codes on our systems; these are processed directly by our payment processor
- Account data: your account username, password (stored as an encrypted hash, never in plain text), saved addresses and saved payment methods if you choose to save them
- Marketing data: your email subscription status, marketing preferences, opens and clicks on our marketing emails, and your interaction history with our email campaigns
- Technical data: your IP address, browser type and version, device type, operating system, time zone setting, referring website, pages viewed on our site, and the path you took through the site
- Communication data: the content of any emails, contact form messages or other correspondence you send to us
We do not knowingly collect personal data from children under 13. If you are under 13, do not provide any personal data through this website. If you are between 13 and 16, you may need parental consent to subscribe to marketing communications.
Why we collect it and our lawful basis
Under UK GDPR, we must have a lawful basis for every processing activity. Here is what we do and why:
- To process and fulfil your order (identity, contact, transaction and payment data): lawful basis is performance of a contract. We cannot deliver your sweets without this data
- To process payments and prevent fraud (payment and transaction data): lawful basis is performance of a contract and legitimate interests (preventing fraudulent transactions)
- To manage your account (account data): lawful basis is performance of a contract
- To send marketing emails (contact and marketing data): lawful basis is consent, given when you tick the marketing opt-in box at checkout or sign up to our newsletter. You can withdraw consent at any time via the unsubscribe link in any marketing email
- To send order and service emails (contact and transaction data): lawful basis is performance of a contract. These include order confirmations, dispatch notifications and delivery updates, and are sent regardless of marketing consent because they are necessary to fulfil your order
- To analyse site usage and improve our website (technical data): lawful basis is legitimate interests (understanding how customers use our site to improve the experience), subject to cookie consent where the data is collected via non-essential cookies
- To run advertising campaigns (technical and transaction data shared with ad platforms): lawful basis is consent, given through the cookie banner. Without consent we do not load advertising pixels
- To respond to your enquiries (communication data): lawful basis is legitimate interests (responding to customer questions) or performance of a contract where the enquiry relates to an existing order
- To comply with legal obligations (transaction and payment data retained for tax purposes): lawful basis is legal obligation under HMRC rules requiring retention of business records for six years
Who we share your data with
We share your personal data with the following categories of third party processors, all of whom are bound by data processing agreements that require them to handle your data in line with UK GDPR:
- Shopify Inc. (our ecommerce platform): processes all order data, account data and payment data. Shopify is based in Canada (recognised by the UK government as providing adequate data protection) with infrastructure in multiple jurisdictions
- Payment processors (Shopify Payments, PayPal, Klarna and any other payment provider you choose at checkout): process payment data directly. We do not see your full card details
- Klaviyo Inc. (our email marketing platform): processes your email address, marketing preferences and engagement data. Klaviyo is based in the United States and we rely on the UK-US Data Bridge for these international transfers
- Google LLC (Google Analytics 4): processes anonymised and pseudonymised technical data about your interactions with the site, subject to your cookie consent. Google is based in the United States and we rely on the UK-US Data Bridge
- Meta Platforms Inc. (Meta Pixel for Facebook and Instagram advertising): processes technical data and pseudonymised event data, subject to your cookie consent. Meta is based in the United States and we rely on the UK-US Data Bridge
- TikTok Technology Limited (TikTok Pixel): processes technical data and pseudonymised event data, subject to your cookie consent. TikTok's data is processed under contractual safeguards including UK Standard Contractual Clauses
- Delivery couriers (Royal Mail, DPD, Evri or whichever courier handles your order): receive your name, delivery address and phone number to deliver your order
- HMRC and other regulators: where we are legally required to share information for tax, audit or law enforcement purposes
We do not sell your personal data to third parties for their own marketing purposes. We do not share your data with anyone except the processors listed above and the legal authorities where required.
International data transfers
Some of our processors are based outside the UK, most notably in the United States. Where we transfer your personal data outside the UK, we rely on one of the following safeguards approved under UK GDPR:
- Adequacy decisions: where the UK government has formally recognised a country as providing an adequate level of data protection (for example, Canada and the European Economic Area)
- The UK-US Data Bridge: the formal extension of the EU-US Data Privacy Framework to UK data transfers. Klaviyo, Google and Meta are certified under this framework
- UK Standard Contractual Clauses (International Data Transfer Agreement): contractual safeguards approved by the Information Commissioner's Office for transfers to countries without an adequacy decision
How long we keep your data
We retain personal data for the following periods:
- Order and transaction records: 6 years from the date of the order, in line with HMRC's record retention requirements under the Companies Act 2006 and the VAT Act 1994
- Account data: for as long as your account is active. If you have not logged in or placed an order for 3 years, we will contact you and may close the account if you do not respond
- Marketing data: until you withdraw your consent (by unsubscribing) or 3 years from your last engagement with our emails, whichever is sooner
- Communication data: 2 years from the last correspondence, unless the communication relates to an ongoing matter or legal claim
- Technical and analytics data: 14 months in Google Analytics 4 by default; cookie-based data follows the lifetimes set out in our cookie information below
Cookies and tracking technologies
We use cookies and similar technologies to make the site work, to understand how customers use it, and to deliver relevant advertising. Under the Privacy and Electronic Communications Regulations 2003, we are required to obtain your consent before placing non-essential cookies on your device. When you first visit the site, you will see a cookie banner that lets you accept or reject each category of cookie.
Cookies fall into the following categories:
- Strictly necessary cookies: required for the site to function, including session management, shopping basket persistence and security. These are set without consent because the site cannot work without them
- Functional cookies: remember your preferences such as language and saved addresses. Set only with your consent
- Analytics cookies: used by Google Analytics 4 and Shopify Analytics to measure site performance and customer behaviour in aggregate. Set only with your consent
- Advertising cookies: used by Meta Pixel and TikTok Pixel to measure ad performance and show you relevant adverts on Facebook, Instagram and TikTok. Set only with your consent
You can change your cookie preferences at any time by clicking the cookie settings link in the footer of any page on gosweet.co.uk. You can also manage or delete cookies through your browser settings, although this may affect how the site functions.
Your rights under UK GDPR
UK data protection law gives you a set of rights over your personal data. You can exercise any of these rights by contacting us at help@gosweet.co.uk. We will respond within one month, which is the statutory maximum response time.
- Right of access: you can request a copy of all personal data we hold about you, free of charge
- Right to rectification: you can ask us to correct any personal data that is inaccurate or incomplete
- Right to erasure (the "right to be forgotten"): you can ask us to delete your personal data, subject to legal exemptions such as our obligation to keep transaction records for 6 years
- Right to restrict processing: you can ask us to stop processing your data while a dispute is being resolved
- Right to data portability: you can ask us to send your personal data to you or another provider in a structured, machine-readable format
- Right to object: you can object to processing based on legitimate interests, and you have an absolute right to object to direct marketing at any time
- Rights related to automated decision-making: we do not make decisions about you based solely on automated processing, but if we did, you would have the right to human review
- Right to withdraw consent: where our lawful basis is consent (such as marketing emails or non-essential cookies), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal
We do not charge a fee for handling these requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request. We may need to verify your identity before responding, to make sure we do not disclose your data to the wrong person.
How we keep your data secure
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration or disclosure. These measures include encrypted data transmission (TLS/SSL on all pages), encrypted password storage, restricted access to customer data on a need-to-know basis, regular security reviews of our platform and processors, and contractual data protection terms with every processor we use.
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and, where the risk is high, we will notify you directly without undue delay.
Marketing emails
We send marketing emails only to customers who have opted in, either at checkout or through a separate newsletter signup. Every marketing email contains an unsubscribe link in the footer; one click and you are removed from the list. We do not send marketing emails to people who have not opted in, and we do not send marketing texts or make marketing phone calls.
Order confirmations, dispatch notifications and customer service responses are not marketing emails; they are necessary to fulfil your order and are sent regardless of marketing preferences.
How to make a complaint
If you have a concern about how we handle your personal data, please contact us first at help@gosweet.co.uk. We take privacy complaints seriously and will work to resolve the issue quickly.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office, which is the supervisory authority for data protection in the UK:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices, our processors, or the law. When we make material changes, we will update the "last updated" date at the top of this page and, where the change significantly affects how we use your data, we will notify you by email or through a prominent notice on the site before the change takes effect.
This policy was last updated in May 2026.