Privacy policy
Last updated: March 2026
1. About this Policy
1.1 This Privacy Policy ("Policy") sets out how Protec Technologies Limited, trading as PROTEC Recovery ("we", "us", "our") collects, uses, discloses, and otherwise processes the personal data of individuals who visit our website at shop.protecrecovery.com (the "Site"), use our mobile applications, purchase or use our connected hardware products, or otherwise interact with us (together, the "Services").
1.2 For the purposes of the UK General Data Protection Regulation (the "UK GDPR") and the Data Protection Act 2018 (the "DPA 2018"), we are the data controller in respect of the personal data described in this Policy.
1.3 Where we process personal data of individuals located in the European Economic Area, we do so in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the "EU GDPR").
Contact details
- Data Protection Contact: privacy@protecrecovery.com
- Protec Technologies Limited, trading as PROTEC Recovery
2. Personal data we collect
2.1 We may collect and process the following categories of personal data:
(a) Information you provide to us directly
- Identity data — full name, title, date of birth (where applicable).
- Contact data — email address, telephone number, billing address, delivery address.
- Transaction data — details of orders placed, payment information (processed by our third-party payment providers; we do not store full card details), purchase history.
- Account data — username, password, account preferences, marketing preferences.
- Communication data — correspondence with us including emails, support tickets, live chat transcripts, telephone call records, and any feedback or reviews you submit.
(b) Information collected from your use of connected products
Where you use our connected hardware products (including, without limitation, compression boots, cold plunge systems, infrared saunas, and hyperbaric chambers) or our companion mobile application, we may collect:
- Device usage data — session duration, frequency of use, programme or mode selected, temperature settings, pressure settings, and other operational parameters.
- Device telemetry data — firmware version, connectivity status, error logs, hardware diagnostic data.
- Application usage data — features accessed, interaction patterns, user preferences within the application.
- Bluetooth connection data — device pairing identifiers, connection logs, signal data.
(c) Health and wellness data
Certain of our products and services are designed for health and wellness purposes. Where you connect a third-party wearable device or health data account to our application, or where our products capture physiological measurements, we may collect data including (but not limited to) activity metrics, heart rate data, heart rate variability, sleep data, body composition data, and recovery metrics.
Such data may constitute special category data within the meaning of Article 9 of the UK GDPR. We shall only process special category data where we have obtained your explicit consent or where another lawful condition under Article 9(2) applies. You may withdraw your consent at any time in accordance with Section 8 below.
(d) Information collected automatically
- Technical data — IP address, browser type and version, device type, operating system, screen resolution.
- Usage data — pages visited, links clicked, referring URL, time spent on pages, navigation paths.
- Cookie data — information collected through cookies and similar tracking technologies (see Section 10 below).
- Location data — approximate geographic location inferred from your IP address.
(e) Information received from third parties
- Transaction confirmations from payment processors.
- Delivery status updates from shipping partners.
- Referral and attribution data from marketing partners.
3. Purposes and legal bases for processing
3.1 We process your personal data for the following purposes, relying on the legal bases indicated:
- Performance of a contract with you (Article 6(1)(b) UK GDPR): processing and fulfilling your orders; operating our connected products and companion application; providing customer support and after-sales service; administering your account; processing returns and refunds.
- Consent (Article 6(1)(a) UK GDPR): sending you marketing communications; processing health and wellness data or special category data; using your personal data for AI research and product development purposes.
- Legitimate interests (Article 6(1)(f) UK GDPR): analysing website usage and product performance to improve our services; conducting internal research and development using aggregated or anonymised data; detecting and preventing fraud; maintaining the security of our systems. Where we rely on legitimate interests, we have conducted a balancing assessment to ensure our interests do not override your rights and freedoms. You have the right to object to such processing (see Section 8).
- Legal obligation (Article 6(1)(c) UK GDPR): complying with applicable tax, accounting, and regulatory obligations; responding to lawful requests from public authorities.
4. Marketing
4.1 We shall only send you direct marketing communications where we have your prior consent or, in the case of existing customers, where the marketing relates to similar products or services and you have not opted out (the "soft opt-in" under Regulation 22 of the Privacy and Electronic Communications Regulations 2003).
4.2 You may withdraw your consent to marketing at any time by: (a) clicking the "unsubscribe" link in any marketing email; (b) emailing privacy@protecrecovery.com; or (c) updating your account preferences.
5. Disclosure of personal data
5.1 We may disclose your personal data to the following categories of recipient:
- Payment processors — for the purpose of processing payments securely (including Shopify Payments and Klarna).
- Delivery and logistics partners — for the purpose of fulfilling and delivering your orders.
- Email service providers — for the purpose of sending transactional and, where you have consented, marketing communications (including Klaviyo).
- Analytics providers — for the purpose of analysing Site usage and performance (including Google Analytics).
- Ecommerce platform provider — Shopify Inc., which hosts and operates our online store.
- Professional advisors — including solicitors, accountants, auditors, and insurers, where reasonably necessary.
- Regulatory authorities and law enforcement — where we are required to do so by law, regulation, or court order, or where disclosure is necessary to protect our rights, property, or safety, or that of our customers or others.
- Corporate transactions — in connection with any merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal data may be transferred to the relevant third party, subject to appropriate safeguards.
5.2 We do not sell your personal data to third parties.
6. International transfers
6.1 Your personal data may be transferred to, and processed in, countries outside the United Kingdom and the European Economic Area, including the United States of America and Ireland, by our service providers and partners identified in Section 5 above.
6.2 Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR, including:
- transfers to countries subject to an adequacy decision by the Secretary of State;
- the International Data Transfer Agreement ("IDTA") issued by the Information Commissioner's Office;
- Standard Contractual Clauses ("SCCs") adopted by the European Commission (as supplemented by the UK Addendum where applicable).
6.3 You may request a copy of the safeguards we rely upon by contacting privacy@protecrecovery.com.
7. Data retention
7.1 We retain personal data only for so long as is necessary for the purposes for which it was collected, or as required by applicable law. Our standard retention periods are as follows:
- Order and transaction data: 7 years from the date of the transaction (for tax and legal compliance).
- Account data: for the duration of your account, plus 30 days following deletion.
- Marketing data: until you withdraw your consent or unsubscribe.
- Website access logs: 12 months.
- Customer support records: 3 years from the date of resolution.
- Connected product usage data: for the duration of your account, plus 3 years.
- Health and wellness data: until you withdraw your consent, or 3 years after your last interaction with us, whichever is sooner.
- Device telemetry data: 2 years.
7.2 Where we are required by law to retain data for a longer period, we shall do so in accordance with the applicable legal requirement.
8. Your rights
8.1 Subject to applicable law, you have the following rights in respect of your personal data:
- Right of access (Article 15 UK GDPR) — the right to obtain confirmation as to whether we process your personal data and, if so, to obtain a copy of that data together with certain supplementary information.
- Right to rectification (Article 16 UK GDPR) — the right to require us to correct any inaccurate personal data and to complete any incomplete personal data.
- Right to erasure (Article 17 UK GDPR) — the right to require us to erase your personal data in certain circumstances (the "right to be forgotten").
- Right to restriction of processing (Article 18 UK GDPR) — the right to require us to restrict our processing of your personal data in certain circumstances.
- Right to data portability (Article 20 UK GDPR) — the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to object (Article 21 UK GDPR) — the right to object to our processing of your personal data where we rely on legitimate interests as our legal basis.
- Right to withdraw consent — where we process your personal data on the basis of your consent (including consent for health data processing), you have the right to withdraw that consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to withdrawal.
8.2 To exercise any of these rights, please contact us at privacy@protecrecovery.com, providing your full name, email address, and details of the right you wish to exercise. We shall respond to your request without undue delay and in any event within one month of receipt. Where requests are manifestly unfounded or excessive (in particular where they are repetitive), we may charge a reasonable fee or refuse to act on the request, in accordance with Article 12(5) UK GDPR.
8.3 We may request verification of your identity before processing your request.
9. Security
9.1 We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include, without limitation:
- encryption of data in transit using SSL/TLS;
- use of PCI DSS-compliant payment processors;
- access controls and authentication mechanisms;
- regular security assessments and vulnerability testing;
- staff training on data protection and information security.
9.2 Whilst we take all reasonable steps to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data.
10. Cookies
10.1 Our Site uses cookies and similar tracking technologies. Cookies are small text files placed on your device when you visit our Site.
10.2 We use the following categories of cookies:
- Strictly necessary cookies — required for the operation of our Site (e.g., session management, shopping cart functionality). These cookies do not require your consent.
- Analytics cookies — used to collect information about how visitors use our Site, which we use to improve our Site and Services.
- Functional cookies — used to remember your preferences and enhance your experience.
- Marketing cookies — used to deliver advertisements relevant to you and to measure the effectiveness of our advertising campaigns.
10.3 You may manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our Site.
11. Children
11.1 Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we shall take steps to delete that data promptly.
12. Third-party links
12.1 Our Site may contain links to third-party websites, applications, or services that are not operated or controlled by us. This Policy does not apply to any third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.
13. Changes to this Policy
13.1 We may update this Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. The updated Policy will be published on this page with a revised "Last updated" date.
13.2 Where we make material changes to this Policy, we shall notify you by email (where we hold your email address) or by means of a prominent notice on our Site prior to the changes taking effect.
14. Complaints
14.1 If you have any concerns about our processing of your personal data, we encourage you to contact us in the first instance at privacy@protecrecovery.com so that we can seek to resolve your concern.
14.2 You also have the right to lodge a complaint with the Information Commissioner's Office (the "ICO"), the UK's supervisory authority for data protection:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
14.3 If you are located in the European Economic Area, you may also lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.
15. Contact
For all privacy-related enquiries, please contact:
- Email: privacy@protecrecovery.com
- Entity: Protec Technologies Limited, trading as PROTEC Recovery