Privacy Policy

Last updated: 26 April 2026

RemCurl ("we", "us", "our") takes your privacy seriously. This Privacy Policy explains exactly what personal data we collect when you visit remcurl.com, place a pre-order, create an account, or interact with our services — and how we protect, use, and give you control over that data. It applies to residents of the United Kingdom, the European Economic Area, and all other jurisdictions we serve.

1. Who We Are

RemCurl is a product innovation company that designs, manufactures, and sells the RemCurl automated curl-definition device for textured hair. We are the data controller for personal data collected through this website. You can reach our privacy team at privacy@remcurl.com.

2. Data We Collect

We only collect data that is necessary for the purposes described in this policy.

Account & Identity Data

Full name: Account registration and order fulfilment
Email address: Account login, order confirmations, customer service
Password (hashed): Authentication — we never store plain-text passwords
Profile photo (optional): Account personalisation, reviewer programme

Order & Payment Data

Shipping address: Order fulfilment and returns
Billing address: Payment fraud prevention
Payment card details: Processed and stored exclusively by Stripe — we never see or store full card numbers
PayPal account details: Processed exclusively by PayPal — we receive only a transaction reference
Order history: Customer service, returns, statutory accounting obligations

Returns & Support Data

Product photos / videos: Return claim verification — uploaded via secure Supabase Storage
Return reason and description: Processing your return request
IP address at time of return submission: Fraud detection and prevention

Communications Data

Messages sent via the contact form or in-app inbox: Responding to your enquiries and support requests
Email open / click events (via Mailgun): Measuring effectiveness of transactional emails and detecting delivery failures

Technical & Usage Data

IP address: Security, fraud prevention, geographic routing
Browser type and version: Optimising the website experience
Device type and operating system: Ensuring compatibility across devices
Pages visited and referral source: Improving our website and marketing

Referral & Marketing Data

Referral codes you generate or use: Attributing referral discounts and rewards
Marketing preferences (opt-in/out): Sending or suppressing promotional emails

3. How We Use Your Data

  • Process and fulfil pre-orders and future purchases
  • Create and manage your account
  • Send transactional emails (order confirmations, shipping updates, return status)
  • Handle returns, refunds, and warranty claims
  • Provide in-app customer support via our messaging inbox
  • Detect and prevent fraud, particularly on return submissions
  • Operate our reviewer programme for product testing participants
  • Send marketing communications where you have consented
  • Comply with legal obligations including tax and financial record-keeping
  • Improve our website, products, and customer experience through analytics

5. Third-Party Sharing

We do not sell your personal data. We share data only with the following specific third parties, and only to the extent necessary:

Purpose: Payment processing
Data Shared: Billing address, payment card details, order amount
Location: United States (EU/UK Standard Contractual Clauses in place)

Purpose: Alternative payment processing
Data Shared: Name, email, PayPal account reference, order amount
Location: United States (EU/UK Standard Contractual Clauses in place)

Purpose: Database, authentication, and file storage infrastructure
Data Shared: All personal data stored on our platform (encrypted at rest)
Location: European Union (AWS eu-west-1)

Purpose: Transactional and marketing email delivery
Data Shared: Email address, name, and email engagement events (opens, clicks, bounces)
Location: European Union (EU data region enabled)

Shipping Carriers

Purpose: Order fulfilment and delivery
Data Shared: Name, shipping address, and order reference
Location: Varies by carrier and destination country

All third-party processors are bound by data processing agreements and may only use your data for the purposes we specify.

6. Data Retention

We retain your data only for as long as necessary for the purpose it was collected or as required by law.

Data Category | Retention Period | Reason
Order and payment records | 7 years from order date | HMRC / statutory tax obligations
Active account data | Duration of account + 30 days after deletion request | Service delivery
Inactive account data (no login for 3 years) | Deleted after 90-day inactivity notice | Data minimisation
Return claims and supporting images | 90 days after final resolution | Fraud prevention and dispute resolution
Customer support messages | 3 years from last interaction | Continuity of support
Marketing preferences and consent records | Until opt-out + 1 year | Proof of consent
Email engagement logs | 1 year | Delivery optimisation
IP addresses (return fraud logs) | 12 months | Fraud prevention
Audit logs (admin actions) | 2 years | Security and accountability

7. Your Rights

Under UK GDPR and EU GDPR you have the following rights. We will respond to all requests within 30 days. To exercise any right, email us at privacy@remcurl.com with the subject line "Data Subject Request".

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including what it is, why we hold it, who we share it with, and for how long.

Right to Rectification (Art. 16)

Ask us to correct inaccurate or incomplete personal data. You can also update most data directly in your account settings.

Right to Erasure / Right to Be Forgotten (Art. 17)

Request deletion of your personal data where there is no compelling reason for its continued processing. Note: we may be unable to delete data we are legally required to retain (e.g. financial records).

Right to Restriction of Processing (Art. 18)

Ask us to restrict processing of your data while a dispute about accuracy or lawfulness is resolved.

Right to Data Portability (Art. 20)

Receive a copy of data you have provided to us in a structured, machine-readable format (e.g. JSON or CSV), and transfer it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing. Where you object to direct marketing, we will stop immediately.

Right to Withdraw Consent (Art. 7)

Where processing is based on consent, you can withdraw it at any time via your account notification settings or by emailing us. Withdrawal does not affect the lawfulness of prior processing.

Right to Lodge a Complaint

If you are in the UK, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113. EEA residents may contact their local supervisory authority.

8. Cookies & Tracking

We use a minimal set of cookies required for the site to function securely:

  • Authentication session cookie — keeps you logged in (essential, session-scoped)
  • CSRF token — protects form submissions from cross-site request forgery (essential)
  • Cart / checkout state — remembers your cart between pages (essential, session-scoped)

We do not currently use third-party advertising or analytics cookies. If we introduce optional cookies in future, we will request your consent first.

9. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • All data transmitted between your browser and our servers is encrypted via TLS 1.2+
  • Passwords are hashed using industry-standard algorithms — we cannot read them
  • Database access is restricted with Row-Level Security policies
  • File uploads are stored in private, access-controlled storage buckets
  • Admin access requires multi-factor authentication
  • Audit logs record all sensitive administrative actions
  • Payment data is never stored on our servers — card processing is handled entirely by Stripe and PayPal

No internet transmission is completely secure. If you suspect a data breach, contact us immediately at privacy@remcurl.com.

10. International Data Transfers

Some of our third-party processors (Stripe, PayPal) are based in the United States. Transfers to these processors are made under EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA), ensuring an equivalent level of data protection to that provided under UK GDPR and EU GDPR. Our primary data storage through Supabase is located in the EU (AWS eu-west-1).

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Your continued use of our services after notification constitutes acceptance of the revised policy. The current version is always available at remcurl.com/privacy.

12. Contact Us

For any privacy-related queries, data subject requests, or concerns, please contact our privacy team:

RemCurl Privacy Team

Email: privacy@remcurl.com

Alternatively, use our contact form.

We aim to respond to all privacy requests within 30 calendar days.