vvast Limited Privacy Notice

(Our friends know us as vvast, pronounced vast and always spelt with a lower case v)

What data do we collect?

At vvast we collect data directly from individuals and we never purchase or acquire data outside of the public domain. We collect, process and store data of employees, prospective employees, supported brands, prospective supported brands, brand consumers and 3rd party suppliers.

We never collect sensitive or special category data other than to satisfy additional laws outside of data protection such as employment law or when you give it to us directly.

DataSupported BrandProspective Supported BrandBrand Consumers3rd Party Suppliers
Phone number
Purchase history
IP Address*

*when visiting vvast.com or our supported brand websites

Data we collect for employment purposes can be found within our employee contracts and full data protection policy.

Supported brand = a brand who vvast works with directly to support ecommerce sales

Prospective supported brand = a brand who could benefit from vvast’s services but who does not currently have a contract with vvast

Brand consumers = individuals who visit a brand website, purchase goods online and sign up for emails

3rd Parties = suppliers of goods or services to vvast

Employee = someone who works for vvast

Prospective employee = someone who has applied for or has been approached directly by vvast for a vacant job role

Your choices

You can choose not to provide us with personal data. If you choose to do this, you can continue to use the vvast/supported brand website(s) and browse its pages, but we will not be able to process transactions or continue a relationship without personal data.

You can block cookies by activating a setting on our cookie banner allowing you to refuse cookies. You can also delete cookies through your browser settings. If you turn off cookies, you can continue to use the vvast/supported brand website(s) and browse its pages.

You can opt out from marketing by clicking the unsubscribe option in any of our marketing communications.

Your rights

You can exercise your rights by sending us an email at contact@vvast.net

You have the right to access information we hold about you. This includes the right to ask us supplementary information about:

  • the categories of data we’re processing
  • the purposes of data processing
  • the categories of third parties to whom the data may be disclosed
  • how long the data will be stored (or the criteria used to determine that period)
  • your other rights regarding our use of your data

We will provide you with the information within one month of your request, unless doing so would adversely affect the rights and freedoms of other (e.g. another person’s confidentiality or intellectual property rights). We’ll tell you if we can’t meet your request for that reason.

You have the right to make us correct any inaccurate personal data about you.

You can object to us using your data for profiling you or making automated decisions about you

We may use your data to determine whether we should let you know information that might be relevant to you (for example, tailoring emails or social media advertising to you based on your behaviour).

You have the right to port your data to another service. We will give you a copy of your data in CSV format so that you can provide it to another service.

If you ask us and it is technically possible, we will directly transfer the data to the other service for you. We will not do so to the extent that this involves disclosing data about any other individual.

You have the right to be ‘forgotten’ by us. You can do this by asking us to erase any personal data we hold about you, if it is no longer necessary for us to hold the data for purposes of your use of vvast, a supported brand or any other law.

You have the right to lodge a complaint regarding our use of your data, please tell us first, so we have a chance to address your concerns. If we fail in this, you can address any complaint to the UK Information Commissioner’s Office, either by calling their helpline or as directed on their website at www.ico.org.uk.

These rights apply to all of the data categories listed in the ‘Data we collect and how we collect it’ section


We do everything we can to ensure the security of your data and are proud to be Cyber Essentials & Cyber Essentials Plus certified.

In today’s data driven and connected world the security of your data is more important than ever. We recognise this and have implemented the following security controls:

All passwords to platforms or systems containing personal data are generated via a password vault. Access to the vault is only permitted via multi factor authentication.

Access to any platform or system containing consumer data is only granted to those who absolutely require it, even our Privacy and Compliance Manager doesn’t have access.

We deploy mobile device management to every single device that accesses any vvast system and we can remotely wipe that device at any time. All devices are regularly scanned for viruses and malware and patches are remotely deployed to applications regularly.

All staff are bound by confidentiality and will never disclose or share your data unless authorised to do so.

vvast’s data protection role

vvast is not currently a subprocessor of any 3rd party data and we process all data as either a controller, joint controller or processor.

Where is your data stored?

Like most companies vvast utilises 3rd parties to provide services to our brands and their consumers and to store data. A list of the 3rd parties who process personal data is listed below.

These 3rd parties will be based in the UK, EEA and in some cases outside of the both the UK and EEA.

vvast conducts thorough reviews of all of its 3rd parties, including data protection agreements, where possible to ensure that every possible safeguard is in place and that the data is secure. Should there be a possibility that data could be exposed to a high level of risk a Data Protection Impact Assessment will be completed and will be available upon request.

3rd parties

vvast works with a number of 3rd parties to offer ecommerce solutions to our brands, most of which do not process brand consumer data in any way, below is a list of those who have access to or process the data of our brands consumers and a brief description of what they do.

3rd PartyBrief Description
Amazon/AWSAmazon market place and AWS data storage solutions
BrightpearlDigital operations platform that integrates with Shopify
Crazy EggWebsite heatmap and optimisation platform
DivaacoAnalysis of brand trading and product purchasing for future optimisation
Facebook GroupAdvertising of brand products via lookalike audiences, cookies/pixels and custom audiences
GoogleAnalytics via cookie/pixel information
Hectic Numbersvvast’s sister company who provide trade reporting between vvast and our brands
KlarnaPayment plan option at checkout
KlaviyoMarketing via brand website sign up
Mention MeCustomer recommendation tool
NarvarCustomer experience via delivery prediction, package tracking, returns and exchanges
NostoProduct recommendation tool
PaypalPayment processor
Power BI (Microsoft)Business Intelligence platform to analyse trading and product trends
RIFWarehouse, stock and delivery fulfilment
ShiptheoryShopifyShipping integration and label printingThe platform that our brand websites are built upon
SignifydFraud prevention checking
Stitch Data (Talend)A tool to move data securely from Brightpearl to Power BI via AWS for trade analysis
StripePayment processor
TrustpilotCustomer review platform
Upward CommsContact center and fulfillment
ZendeskCustomer services platform

How long is your data stored?

Once per year we perform a full cleanse of data to ensure that we are only processing the data of those individuals who have an ongoing and active relationship with vvast and/or our brands.

As part of our Record of Processing Activities we have defined the length of time we store all of our data, should your data be due for deletion it will be erased during the yearly data cleanse.

To understand data retention in relation to your data please feel free to contact us at contact@vvast.net


This site uses cookies, please see below a list of the cookies currently in operation:

cookielawinfo-checkbox-necessaryThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category “Necessary”.1 hourNecessary
cookielawinfo-checkbox-non-necessaryThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category “Non-necessary”.1 hourNecessary
_gaThis cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.2 yearsAnalytics
_gidThis cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.1 dayAnalytics
_gatThis cookies is installed by Google Universal Analytics to throttle the request rate to limit the collection of data on high traffic sites.1 minutePerformance

You can update your cookie preferences via our cookie banner.


Should a breach of your data occur that is likely to result in the harm to the rights and freedoms on an individual or group of individuals vvast will notify those involved within 72 hours along with the ICO, where applicable.

Additional information

vvast has not appointed a statutory Data Protection Officer as we are not required to by law, however, we have appointed a full time Privacy and Compliance Manager to ensure the continued security of our data.

vvast maintains and updates a Record of Processing Activities (ROPA) in which we list the lawful basis for processing all of our data. Wherever Legitimate Interests is relied upon vvast has conducted an impact assessment which is available upon demand to those who’s data is included.

From January 1st 2021 the UK will no longer be part of the European Economic Area (EEA). As vvast trades in the EU we have appointed a European representative to comply with Article 27 of the GDPR.

This representative is:

Hectic UG (haftungsbeschränkt), Beethovenstr. 2, D-68165 Mannheim, VAT ID/ USt.-IdNr.: DE333798536, Commercial Registration Number/ Handelsregister Gewebeanmeldung: HRB 737484, Tax Identification Number/ Steuernummer: 38184/15129. privacy@hectic.info +49 160 6835555

Bye for now

Still with us? Wow! Well done for reading this notice all the way through. We totally get that privacy and security can be confusing and often notices like this are full of jargon that is hard to understand.

If you would like to speak to a human in regard to your data please feel free to email us at contact@vvast.net and we will be happy to talk further.

Let's stay connected

Get the latest news and insights on D2C at vvast scale straight into your inbox.