Privacy policy
Last updated 2026-06-04. This policy explains how KōJō Nutrition Ltd ("we", "us", "KōJō") collects, uses, shares and protects personal data when you use kojo.life. It is written to satisfy the UK GDPR and the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR) and the E-Commerce Regulations 2002.
1. Controller and contact
Data controller: KōJō Nutrition Ltd. Registered in England and Wales, company no. 17153179. Registered office: 8 Elm Close, Weston Turville, Aylesbury, Buckinghamshire, HP22 5SS, United Kingdom.
Privacy contact: hello@kojo.life. For data subject requests, breach reports, or any privacy concern, write to that address with "Privacy" in the subject line. We do not have a statutory obligation to appoint a Data Protection Officer; you can still reach the controller via this address.
ICO registration: See our legal notice for our ICO data-protection register entry.
2. What personal data we collect
| Category | Examples | Source |
|---|---|---|
| Identity | Name, email, phone number (optional), date of birth (optional) | You |
| Billing & delivery | Postal address, billing address, payment card token (we never see the full card number — only Shopify Payments / Recharge does) | You; payment processor |
| Order | Order history, subscription state, product preferences | You; Shopify; Recharge |
| Marketing | Email open / click events, subscription status to our marketing list, consent record | You; Klaviyo |
| Reviews | Review text, star rating, name as shown on review | You; Judge.me |
| Technical | IP address, device / browser metadata, pages viewed, session interactions (only with your consent to non-essential cookies) | Your device; Shopify Web Pixels Manager; Hotjar; Google Analytics 4 |
3. How we use it, and the lawful basis
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Fulfil orders (process payment, ship product, customer service) | Contract performance (Art. 6(1)(b)) |
| Manage subscriptions (recurring billing, cancellation, renewal reminders) | Contract performance (Art. 6(1)(b)) |
| Send marketing emails about Rōnin and related products | Consent (Art. 6(1)(a)) — given via the website signup form; you can withdraw at any time |
| Comply with our legal obligations (tax, accounting, regulatory enforcement) | Legal obligation (Art. 6(1)(c)) |
| Improve the site, debug issues, measure analytics | Consent (Art. 6(1)(a)) for non-essential cookies; legitimate interests (Art. 6(1)(f)) for aggregate, anonymised reporting |
| Detect and prevent fraud | Legitimate interests (Art. 6(1)(f)) — protecting the business and customers from fraudulent orders |
| Display reviews and aggregate ratings | Consent (Art. 6(1)(a)) — given when you submit a review through Judge.me |
4. Who we share data with (our processors)
We use the following processors to run the business. Each has signed (or is in the process of signing) a UK GDPR Art. 28 data processing agreement with us.
| Processor | Function | Country |
|---|---|---|
| Shopify International Limited | E-commerce platform, hosting, order processing | Ireland / Canada |
| Shopify Payments | Card payment processing | Ireland / United States |
| Recharge Payments, Inc. | Subscription billing | United States |
| Klaviyo, Inc. | Email marketing, waitlist signups | United States |
| Judge.me | Product reviews | Hong Kong / Singapore |
| Contentsquare SAS (Hotjar) | Session analytics and heatmaps (only with your consent) | Malta / United States |
| Google LLC | Google Analytics 4 (only with your consent) | United States |
| Cloudflare, Inc. | Content delivery, security (DDoS protection) | United States |
| Cloudflare R2 (videos.ashy.ink) | Hosting Niwa breathing-app videos | United States |
| Indian Type Foundry (Fontshare) | Web fonts | India |
We may also share data with HMRC, tax authorities, accountants, lawyers, courts, regulators, or law-enforcement agencies where we are legally required to do so.
5. International transfers
Several of our processors are based in the United States, Hong Kong, or India. Where we transfer personal data outside the United Kingdom, we use the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (in force since 21 March 2024) issued by the Information Commissioner, or another approved transfer mechanism. We carry out Transfer Impact Assessments where appropriate, following EDPB Recommendations 01/2020.
You may request a copy of the transfer safeguards in place by emailing hello@kojo.life.
6. How long we keep your data (retention)
| Data | Retention period | Why |
|---|---|---|
| Order & invoice records | 7 years from the end of the tax year | HMRC record-keeping requirements (Companies Act 2006, VAT) |
| Customer account (name, email, address) | Until you ask us to delete it; otherwise 3 years after your last order | To service repeat orders and warranty / regulatory queries |
| Subscription state | Duration of the active subscription + 7 years for billing records | Contract + HMRC |
| Marketing-list profile | Until you unsubscribe; we then keep a suppression record indefinitely (email only) so we do not contact you again | PECR / consent withdrawal |
| Analytics events (anonymised) | 14 months in Google Analytics 4 (default) | Statistical purposes |
| Session recordings (Hotjar) | 365 days from capture (Hotjar default) | Site-improvement diagnostics |
| Customer-service correspondence | 3 years after the matter is closed | Defending claims, dispute resolution |
7. Your rights
Under the UK GDPR you have the following rights:
- Access — you can ask for a copy of the personal data we hold about you (Art. 15)
- Rectification — you can ask us to correct inaccurate data (Art. 16)
- Erasure — you can ask us to delete your data ("right to be forgotten"), subject to legal-obligation exceptions (Art. 17)
- Restriction — you can ask us to stop processing your data while a complaint is being resolved (Art. 18)
- Portability — you can ask for your data in a machine-readable format and have it sent to another controller (Art. 20)
- Objection — you can object to processing based on legitimate interests, including direct-marketing objection at any time (Art. 21)
- Automated decisions — we do not carry out automated decision-making with legal or similarly significant effects (Art. 22)
- Withdraw consent — where we rely on consent, you can withdraw at any time without affecting prior lawful processing
To exercise any of these rights, email hello@kojo.life with "Privacy request" in the subject. We will respond within one calendar month. We may need to verify your identity (one email round-trip from the address on file is normally enough) before releasing or deleting data.
8. Complaints to the Information Commissioner
You have the right to complain to the Information Commissioner's Office (ICO) if you think we have mishandled your personal data. You can contact the ICO at ico.org.uk/make-a-complaint, by phone on 0303 123 1113, or in writing to Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would ask you to email us first so we have a chance to resolve the matter directly.
9. Cookies and tracking
We use cookies and similar tracking technologies. Some are strictly necessary (your shopping cart, currency preference, secure-checkout token); these do not require consent under PECR. Others are analytics or marketing cookies (Google Analytics, Hotjar session recording, Klaviyo behavioural tracking); these we set only with your consent, which you can give or withdraw via our cookie banner.
For the full list of cookies, their purpose, the third party setting them, and their retention period, see our legal notice (cookie inventory). To change your preferences at any time, use the "Cookie preferences" link in the footer (where available) or clear cookies in your browser settings.
10. Data breach reporting
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, in accordance with UK GDPR Art. 33. Where the breach is likely to result in a high risk to you, we will also notify you without undue delay (Art. 34).
11. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top reflects the most recent change. We will notify you of material changes by email if you have given marketing consent, or by a banner on the site. Continued use of the site after an update does not constitute consent to changes affecting consent-based processing — we will re-request consent in those cases.
12. Children
Rōnin Daily Formula is sold to adults aged 18 and over. We do not knowingly collect data from children under 18. If you believe a child has provided us with personal data, email hello@kojo.life and we will delete it.