Privacy Policy
1. Introduction
This Global Privacy Policy ("Policy") explains how the Beyond Alcohol group of companies ("the Group," "we," "us," or "our") collects, uses, shares, and protects personal data when you interact with our websites, products, and services (collectively, the "Service").
The Group comprises:
- Beyond Alcohol Ltd — a company registered in England and Wales, operating threespiritdrinks.com (the "UK Service").
- Beyond Alcohol, Inc. — a subsidiary incorporated in the United States, operating us.threespiritdrinks.com (the "US Service").
Together, we trade under the brand name "Three Spirit." This Policy applies globally and sets out additional jurisdiction-specific rights for residents of the United Kingdom, the European Economic Area ("EEA"), and the United States (including state-specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and other US state privacy laws).
By using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the Service.
2. Data Controllers
The controller of your personal data depends on how and where you interact with us:
- If you use the UK Service (threespiritdrinks.com), the data controller is Beyond Alcohol Ltd, registered at its principal place of business in England.
- If you use the US Service (us.threespiritdrinks.com), the data controller is Beyond Alcohol, Inc.
Where the two entities act as joint controllers or share personal data within the Group, each entity remains responsible for complying with applicable data protection laws in its jurisdiction.
3. Personal Data We Collect
3.1 Data You Provide to Us
- Identity data: first name, last name.
- Contact data: email address, postal address (including city, state/province, ZIP/postal code, country), telephone number.
- Account data: username, password, account preferences.
- Transaction data: details of orders and payments for products purchased through the Service, delivery information.
- Communication data: correspondence when you contact customer support, participate in surveys, or leave product reviews.
- Marketing preferences: your choices regarding receiving marketing communications from us.
- Referral data: information provided when you participate in our refer-a-friend programme, including the name and email of the person you are referring.
3.2 Data Collected Automatically
- Usage data: pages visited, time and date of visit, time spent on pages, click-stream data, and other diagnostic data.
- Device and technical data: IP address, browser type and version, operating system, device identifiers, screen resolution, and language settings.
- Location data: approximate geographic location inferred from your IP address.
- Cookie and tracking data: information collected through cookies, web beacons, pixel tags, and similar technologies (see Section 8 below).
3.3 Data from Third Parties
- Analytics providers: aggregated or pseudonymised browsing and engagement data (e.g., from Google Analytics).
- Advertising partners: identifiers and inferences used for behavioural remarketing (e.g., from Meta/Facebook and Google advertising platforms).
- Payment processors: confirmation of payment (we do not receive or store your full payment card details).
- Data enrichment partners (US): when you visit our US website, log in, register, or open an email, cookies, ad beacons, and similar technologies may be used by our online data partners or vendors to associate these activities with information they or others have about you, including your name, email address, mailing address, and phone number.
4. How We Use Your Personal Data
We use your personal data for the following purposes:
- Providing and maintaining the Service: processing orders, managing your account, delivering products, and providing customer support.
- Improving the Service: analysing usage trends, conducting research, and developing new features and products.
- Communicating with you: sending order confirmations, responding to enquiries, and notifying you of changes to the Service or this Policy.
- Marketing: with your consent (or where we have a legitimate interest), sending newsletters, promotional offers, and information about products and events. You can opt out at any time via the unsubscribe link in our emails or by contacting us.
- Behavioural advertising: serving targeted advertisements on third-party platforms based on your browsing behaviour on the Service.
- Referral programmes: enrolling participants, monitoring for fraudulent use, communicating programme details, and delivering rewards.
- Payment processing: facilitating transactions through our third-party payment processors (e.g., Stripe, PayPal).
- Legal and compliance purposes: complying with applicable laws, responding to lawful requests from public authorities, enforcing our terms and conditions, and protecting our rights and property.
- Safety and security: detecting, preventing, and addressing fraud, security incidents, and technical issues.
5. Lawful Bases for Processing (UK and EEA)
If you are located in the United Kingdom or the European Economic Area, we rely on one or more of the following lawful bases under the UK GDPR and the EU GDPR:
| Lawful basis | Examples of processing activities |
|---|---|
| Performance of a contract | Processing your orders, managing your account, and providing customer support. |
| Consent | Sending you marketing communications; placing non-essential cookies; processing referral data of the person you refer. |
| Legitimate interests | Improving the Service, conducting analytics, fraud prevention, and direct marketing of similar products to existing customers (soft opt-in under UK PECR). |
| Legal obligation | Complying with tax, accounting, and regulatory requirements; responding to lawful requests from authorities. |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms.
6. Data Sharing and Disclosure
6.1 Within the Group
Beyond Alcohol Ltd and Beyond Alcohol, Inc. share personal data with each other for the purposes described in this Policy, including centralised customer support, marketing, analytics, and IT administration. Such sharing is governed by appropriate data transfer safeguards (see Section 9).
6.2 Third-Party Service Providers
We engage trusted third parties to perform services on our behalf. These providers process personal data only on our instructions and are contractually bound to protect it. Categories include:
- Payment processors: Stripe, PayPal (PCI-DSS compliant).
- Analytics providers: Google Analytics.
- Advertising and remarketing partners: Google Ads, Meta/Facebook.
- Email and marketing platforms: providers that help us send newsletters and promotional communications.
- Hosting and infrastructure providers: cloud services that host the Service.
- Referral programme providers: services that administer our refer-a-friend programme.
You may consent to or opt out of non-essential third-party integrations using the cookie consent tool available on the Service.
6.3 Legal and Regulatory Disclosures
We may disclose your personal data if required to do so by law or in response to valid legal process (e.g., a court order or government request), or where disclosure is necessary to comply with a legal obligation, protect and defend our rights or property, prevent or investigate possible wrongdoing, protect the personal safety of users or the public, or protect against legal liability.
6.4 Business Transfers
If the Group or any of its entities is involved in a merger, acquisition, reorganisation, or asset sale, your personal data may be transferred as part of that transaction. We will provide notice before your data becomes subject to a different privacy policy.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law.
| Data category | Retention period |
|---|---|
| Account and transaction data | For the duration of your account plus 6 years after closure (to meet tax and accounting obligations). |
| Marketing and communication preferences | Until you unsubscribe or withdraw consent, then suppressed for a reasonable period to honour your opt-out. |
| Usage and analytics data | Typically up to 26 months, unless required for security investigations or legal compliance. |
| Cookie data | Varies by cookie type; see Section 8 below. |
| Customer support correspondence | Up to 3 years after resolution, unless needed for ongoing legal matters. |
When personal data is no longer needed, we securely delete or anonymise it.
8. Cookies and Tracking Technologies
We use cookies and similar technologies (web beacons, pixel tags, and scripts) to operate, analyse, and improve the Service. Cookies are small data files placed on your device.
8.1 Categories of Cookies
| Category | Purpose | Duration |
|---|---|---|
| Strictly necessary | Enable core functionality such as page navigation, access to secure areas, and shopping-cart features. | Cannot be disabled. |
| Preference / functionality | Remember your settings, language preferences, and personalisation choices. | Session or up to 1 year. |
| Analytics / performance | Collect aggregated data on how visitors use the Service (e.g., Google Analytics). | Up to 26 months. |
| Advertising / targeting | Deliver relevant advertisements and measure campaign effectiveness (e.g., Meta Pixel, Google Ads). | Up to 13 months. |
8.2 Managing Cookies
When you first visit the Service, a cookie consent banner allows you to accept or reject non-essential cookies. You can update your preferences at any time via the cookie settings link in the website footer. You may also configure your browser to refuse cookies, though some features of the Service may not function properly without them.
8.3 "Do Not Track" Signals
Some browsers transmit a "Do Not Track" (DNT) signal. At present, there is no industry-standard method for responding to DNT signals, and the Service does not currently alter its practices in response to them. We will update this Policy if a standard is adopted in the future.
9. International Data Transfers
Because the Group operates in both the UK and the US, your personal data may be transferred to and processed in a country other than the one in which it was collected.
9.1 Transfers from the UK / EEA
When personal data is transferred out of the UK or EEA (for example, to our US operations), we ensure an adequate level of protection by relying on one or more of the following safeguards:
- Adequacy decisions: transfers to countries that the UK Secretary of State or the European Commission has determined provide an adequate level of data protection.
- Standard Contractual Clauses (SCCs): approved contractual terms that bind the data importer to protect personal data to UK/EU standards. We use the UK International Data Transfer Addendum and/or the EU SCCs as appropriate.
- Your explicit consent: in limited circumstances, where other safeguards are not available and you have been informed of the risks.
9.2 Transfers from the US
If you are located in the US and your data is transferred to the UK for processing, we ensure it is protected in accordance with this Policy and applicable UK data protection law. You may obtain further details about our transfer safeguards by contacting us using the details in Section 15.
10. Your Rights — United Kingdom and European Economic Area
If you are a resident of the UK or EEA, you have the following rights under the UK GDPR / EU GDPR. To exercise any of these rights, please contact us using the details in Section 15.
- Right of access: obtain confirmation of whether we process your personal data and, if so, request a copy of it.
- Right to rectification: request correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): request deletion of your personal data where there is no compelling reason for continued processing.
- Right to restriction of processing: request that we limit processing in certain circumstances (e.g., while we verify accuracy).
- Right to data portability: receive your personal data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller.
- Right to object: object to processing based on legitimate interests or direct marketing at any time.
- Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Rights relating to automated decision-making: not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, unless authorised by law or based on your explicit consent.
We will respond to your request within one month, or notify you if an extension is required. We may ask you to verify your identity before acting on a request.
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or, if you are in the EEA, your local supervisory authority.
11. Your Rights — United States
Several US states have enacted comprehensive privacy legislation granting residents specific rights over their personal information. The rights below apply where mandated by applicable state law, including (but not limited to) the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the Connecticut Data Privacy Act.
11.1 Categories of Personal Information
In the preceding 12 months, we may have collected, used, and disclosed the following categories of personal information (using CCPA terminology):
- Identifiers: name, email address, postal address, IP address, account name.
- Commercial information: records of products purchased, order history.
- Internet or electronic network activity: browsing history, search history, and interactions with the Service.
- Geolocation data: approximate location derived from IP address.
- Inferences: preferences and characteristics drawn from the above to create a profile.
11.2 Your Rights
- Right to know / access: request the categories and specific pieces of personal information we have collected about you.
- Right to delete: request deletion of personal information we hold, subject to legal exceptions.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of "sale" or "sharing": we may share personal information with advertising partners for cross-context behavioural advertising, which may constitute a "sale" or "sharing" under certain state laws. You may opt out via our cookie consent tool or by contacting us.
- Right to limit use of sensitive personal information: if applicable, you may direct us to limit the use and disclosure of sensitive personal information to what is necessary for the Service.
- Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
To submit a request, please contact us at the email address in Section 15. We will verify your identity and respond within the timeframes required by applicable law (generally 45 days for CCPA/CPRA requests). You may also designate an authorised agent to submit a request on your behalf.
11.3 "Do Not Sell or Share My Personal Information"
We do not sell personal information in exchange for monetary consideration. However, the use of certain advertising cookies and tracking technologies may be considered "sharing" of personal information under the CCPA/CPRA. You can opt out of such sharing through our cookie consent tool.
11.4 Financial Incentive Programmes
From time to time, we may offer loyalty, referral, or discount programmes that involve the collection of personal data. Participation is voluntary, and you may withdraw at any time. The value of the incentive is reasonably related to the value of the data collected.
12. Security of Your Data
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/SSL), access controls, regular security assessments, and staff training on data protection.
Our payment processors (Stripe, PayPal) are certified to PCI-DSS standards as managed by the PCI Security Standards Council. While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (the ICO for UK data subjects) within 72 hours of becoming aware of the breach, where feasible.
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Comply with applicable US state breach notification laws, including notifying affected individuals and state authorities within the required timeframes.
We maintain an internal breach register and incident response procedures to ensure timely and effective handling of any data security incidents.
14. Children's Privacy
The Service is intended for individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. If we discover that we have collected personal data from a child without appropriate parental consent, we will take prompt steps to delete that data from our systems.
15. Contact Us
If you have any questions about this Policy, wish to exercise your data protection rights, or have a complaint about how we handle your personal data, please contact us:
For UK or EEA data protection matters, you may also contact the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: +44 (0)303 123 1113
16. Links to Other Sites
The Service may contain links to third-party websites that are not operated by us. We strongly advise you to review the privacy policy of every site you visit. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services.
17. Automated Decision-Making and Profiling
We may use automated tools to personalise your experience on the Service (for example, recommending products based on your browsing history) and to detect fraud. These activities do not produce decisions with legal or similarly significant effects on you. If we introduce any automated decision-making that could significantly affect you, we will inform you in advance, provide an opportunity to contest the decision, and offer human review upon request, in accordance with applicable law.
18. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, or legal requirements, or for other operational reasons. When we make material changes, we will:
- Post the updated Policy on the Service with a revised effective date.
- Notify you by email and/or a prominent notice on the Service prior to the changes taking effect.
We encourage you to review this Policy periodically. Your continued use of the Service after changes become effective constitutes your acknowledgement of the updated Policy.