Privacy

Policy

If you have any queries or requests about this privacy policy or how we handle your information more generally, you can get in touch by contacting:

• our general customer services team at: [email protected]
• our Data Protection Contact: [email protected]

Or by post: Defected Records, Ground Floor, 23 Curtain Road, London, EC2A 3LT

We collect your information when you interact with us or use our services, such as when you use our Site to place an order. We also look at how visitors use our Site, to help us improve our services and optimise customer experience. We collect information:

1. when you create an account with us or you change your account settings;
2. when you place an order with us and during the order process (including for payment and order delivery);
3. through your interactions with us or our services, such as when you request information or to receive marketing, information about Defected initiatives or other communications from us by email, phone, post, SMS, push notification, or via any future chat function that we introduce;
4. when you interact with us on social media (comments, direct messages, tags, or via official campaigns);
5. when you use digital marketing links or smart links (including DSP pre-saves, ad pixels, cookies and analytics trackers);
6. when you participate in a competition, prize draw, promotion about our services, or our partners’ services;
7. when you browse or use our Site (before and after you create an account with us);
8. when you purchase or redeem via ticketing platforms or join a guestlist for one of our events; and
9. when you provide information for accessibility or health and safety needs when attending an event (processed only with your explicit consent).

We also collect information from third party sites, such as advertising and social media platforms and our fraud detection provider. If you link your social media or your third-party accounts to us, we will keep a record of your social media handle, and the other information that is made available to us according to your social media account settings. 

As part of our commitment to the privacy of our customers and visitors to our Sites more generally, we want to be clear about the sorts of information we will collect from you.

When you visit the Sites or make a Defected order through the Site, including any partner’s website we work with to provide any one of the services that we undertake, you are asked for information about yourself including your name, contact details, delivery address, order details, loyalty scheme details where applicable, and payment information such as credit or debit card details. We will also collect information from you when you contact our support teams using the chat function on our Site. We will also collect your date of birth to verify your age when you purchase age restricted items.

We collect information about your use of the Sites and information about you from any messages you post to the Site or when you contact us or provide us with feedback, including via email, post, phone or chat function. If you contact us by phone, we record and make notes about the call, including for training and service improvement purposes. 

We collect information from your mobile device or computer, such as its operating system, the device and connection type and the IP address from which you are accessing our Sites. We also collect technical information about your use of our services through a mobile device, for example, carrier, location data and performance data such as mobile payment methods, interaction with other retail technology such as use of NFC Tags, QR Codes and/or use of mobile vouchers. Unless you have elected to remain anonymous through your device and/or platform settings, this information may be collected and used by us automatically if you use the service through your mobile device(s) via any Defected mobile application, through your mobile's browser or otherwise.

We may also collect preferences, feedback and survey responses (e.g. music interests, playlists), and special category data (e.g. health and safety or accessibility needs at events) with explicit consent.

Where we need to collect information by law, or under the terms of a contract we have with you, and you fail to provide that information, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our services). In this case, we may have to cancel our service to you but we will notify you if this is the case at the time.

We will only process your information if there is a reason for doing so, and if that reason is permitted by law.

Where we need to provide you with the service you have requested or to enter into a contract with you we use your information to:

• enable us to provide you with access to the relevant parts of the Sites, we collect necessary cookies from your device;
• supply the services you have requested, we collect your name, contact details, delivery address and order details;
• enable us to collect payment from you, we collect your credit or debit card information; and
• contact you where necessary concerning our services, such as to resolve issues you may have with your order, we collect the information listed above and any additional information we may need to resolve your issue.

We process your information to enforce our contractual terms with you and any other agreement, to ensure compliance with our internal policies and procedures and for the exercise or defence of legal claims and to protect the rights of Defected and our partners or others (including to prevent fraud).

We also process your information where we have a legitimate interest for doing so, which are to:

• personalise our services, including to make it easier and faster for you to place orders;
• improve the effectiveness and quality of service that our customers can expect from us in the future;
• tailor content that we or our partners display to you, for example so that we can show you partners which are in your area or make sure you see the advertising which is most relevant to you, based on characteristics determined by us;
• enable our customer support team to help you with any enquiries or complaints in the most efficient way possible and to provide a positive customer experience;
• contact you for your views and feedback on our services or our partners’ services and/or products and to notify you if there are any important changes or developments to the Sites or our services;
• send you information by post about our products, services, promotions and Defected initiatives (if you do not want to receive these, you can let us know by getting in touch (Please see section 1. Contact Us));
• analyse your activity on the Sites so that we can administer, support, improve and develop our business and for statistical and analytical purposes and to help us to prevent fraud; and
• detect, investigate, report and seek to prevent fraud or crime.

Furthermore, we process your information where we have explicit consent to do so, for marketing emails, competitions, cookies and event health and safety information.

If you submit comments and feedback regarding the Sites and the services, we may use such comments and feedback on the Sites and in any marketing or advertising materials. We will only identify you for this purpose by the name and the city you have provided us and such comments and feedback may be shared with our partners to assess and improve their services.

We will also analyse data about your use of the Sites and the services to create profiles relating to you and for you. This means that we may make certain assumptions about what you may be interested in and use this, for example, to send you more tailored marketing communications, to present you with partners that we think you will prefer, or to let you know about special offers or products which we think you may be interested. This activity is referred to as profiling. This profiling does not produce legal or similarly significant effects on you and is subject to appropriate safeguards. You may object to profiling for marketing purposes at any time and you have certain rights in relation to this type of processing. Please see section 11. Your Rights for more details.

We may also use your information to comply with any legal obligation or regulatory requirement to which we are subject.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Site may become inaccessible or not function properly. For more information about the cookies we use, and how to set or amend your cookie preferences, please see our Cookie Policy.

We use cookies, pixels and other tracking technologies for site functionality, analytics and advertising (including Google, Meta, TikTok, DSP partners).

Types of Cookies

• Strictly Necessary Cookies – required for site operation and ecommerce functions. Cannot be switched off.
• Performance & Analytics Cookies – help us improve site performance and user experience.
• Functionality Cookies – remember preferences like language, region, and saved items.
• Advertising & Targeting Cookies – allow us and partners (Google Ads, Meta, TikTok, Spotify, YouTube) to deliver personalised ads and measure campaign performance.

Third-Party Cookies

We work with third-party platforms that may place cookies when you click our links, use DSP smartlinks/pre-saves, or engage with us on social media. Their policies apply to their cookies and we shall not be liable for the content, accuracy, or practices of those third-party cookie policies.

Managing Cookies & Consent

When you first visit our site, you’ll see a cookie consent banner. You can:

• Accept all cookies
• Reject all non-essential cookies
• Customise your preferences

You can change your preferences at any time via our Cookie Settings or your browser.

Non-essential cookies (including analytics and advertising cookies) are only placed on your device after you have provided consent via our cookie management platform.

We record and store your consent preferences in accordance with regulatory requirements. You may withdraw or amend your consent at any time via the Cookie Settings link.

Strictly necessary cookies do not require consent under PECR as they are essential for the operation of the Site.

Where you have given your consent or where we have a legitimate interest for doing so (and are permitted to do so by law) we will use your information to let you know about our other products and services, or Defected initiatives that may be of interest to you and we may contact you to do so by email, post, phone, or push notification or in-app message.

We use online advertising to keep you aware of what we’re up to and to help you see and find our products.

You may see Defected banners and ads when you are on other websites and apps, such as on social media. We manage this through a variety of digital marketing networks and using a range of advertising technologies. The banners and ads you see are based on information we hold about you, or your previous use of our services (for example, your order history) or on banners or ads on our Site that you have previously clicked on.  We use your information to send you communications that are the most relevant to you. You have certain rights in relation to this type of processing. Please see section 11. Your Rights for more details. For more information on our use of advertising technologies and cookies, please see our – Cookie Policy.

You can control your marketing preferences by:

• visiting our website, www.defected.com, or mobile application;
• clicking on "Account" (for our website this is under the drop-down menu); and
• scrolling down to "Marketing Preferences".

Where you have chosen at a device level to begin or continue receiving push notifications from us, we may send you push notifications relating to the services that you have requested from us and information about our services, offers and Defected initiatives. You can choose to stop receiving push notifications from us at any time by changing your preferences on your mobile device.

We will only send you marketing where you have opted in (or where permitted under the “soft opt-in” rules). You can opt out at any time via your account settings or by clicking “unsubscribe” in our emails.

We may show you personalised advertising across social media platforms, DSPs and third-party websites, based on your interactions with us.

We undertake fraud checks on all customers which is necessary for us to:

• perform our contracted services to customers;
• ensure that our services (and those of all our partners) provided are duly paid for;
• ensure that customers themselves are protected from fraudulent transactions being made on their payment cards.

Given the volume of customer orders we handle, we may sometimes use automated systems, including from a third-party fraud detection provider. Such system may analyse your order data to make automated decisions as to whether or not we should accept an order. This is a fairer and more accurate and efficient way of conducting fraud checks since human checks would simply not be possible in the timeframes and given the volumes of customers that we deal with. Where we use AI-assisted technologies, we ensure transparency, fairness, and appropriate human oversight consistent with applicable data protection law and regulatory guidance.

The checks and decisions that are made look at various components including known industry indicators of fraud which our expert fraud detection provider makes available to us, as well as fraud patterns we have detected on our Sites. When combined, these generate an automated score indicating the likelihood of a fraudulent transaction. Where we believe there may be fraudulent activity we may block you from placing an order and using our Site. The specific fraud indicators are dynamic so will change depending on what types of fraud are being detected in the industry, country and our Sites at any particular time.

We may use automated systems for fraud detection. You have the right to request human review of any automated decision and to express your point of view.

Our fraud detection is in place to protect our customers, as well as Defected. You have the right to contest any automated decision made about you and to be given more information about why any such decision was made. Please see section 11. Your Rights for more details.
We implement appropriate safeguards consistent with UK GDPR as amended by the Data (Use and Access) Act 2025.

We will only retain your information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

When determining the appropriate retention periods, we will take into account factors including:

• our contractual obligations and rights in relation to the information involved;
• legal obligation(s) under applicable law to retain information for a certain period of time;
• statute of limitations under applicable law(s);
• our legitimate interests for retaining the information (please see section 4. Use of Your Information);
• whether there is an actual or potential dispute; and
• guidelines issued by relevant data protection authorities.

Otherwise, we securely erase or anonymise your information where we no longer require it for the purposes we collected it for.

Indicative Retention Periods

Account Data: retained while account is active and for 6 years thereafter.
Transaction Data: retained for 6 years.
Marketing Data: retained until consent is withdrawn.
Fraud Data: retained for up to 6 years.
Event Health/Accessibility Data: retained only as long as necessary.

The information we collect about you will be transferred to and stored on our servers located within the EU. We are very careful and transparent about who else your information is shared with.

We share your information with other Defected group companies only where necessary for the purposes set out in the Use of Your Information section above. We share your information with our partners (such as other retail partners), who have access to limited information to enable them to fulfil an order. Where relevant and you give your consent, we may share the health information you volunteer to us with partners to enable them to investigate and respond to complaints.

We share your information with third party service providers that provide services on our behalf.

The types of third party service providers whom we share your information with include for example:

• Payment providers (including online payment providers and fraud detection providers);
• Service providers (payment processors, IT/cloud providers, fulfilment houses, marketing agencies, ticketing companies);
• DSPs (e.g. Spotify, Apple) when you engage with pre-save or smartlink campaigns;
• Social media & ad networks (Google, Meta, TikTok) for advertising.
• Event partners, venues, and promoters (where needed for access, safety or marketing campaigns).
• Riders, who have access to limited information to enable them to fulfil an order;
• Customer support providers (including, but not limited to, companies that assist us to provide customer or technical support); and
• Marketing and advertising partners.

We share your information when we promote a programme or offer a service or product in conjunction with a third-party business partner. We will share your information with that partner to assist in marketing or to provide the associated product or service. In most of those cases, the programme or offer will include the name of the third-party business partner, either alone or with ours. An example of such a business partner relationship would be a partner that we partner with for providing delivery services.

International transfers may occur (e.g. to the US). Where this happens, we rely on UK/EU approved safeguards such as Standard Contractual Clauses to ensure protection.

If you submit comments and feedback regarding the Sites, services, and our partners we may share such comments and feedback with our partners. In addition, and if you consent to it, we may share health information about you with our partners, for example if you report any specific food allergies after placing an order.

Defected will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy and applicable laws when it is transferred to third parties.

If our business enters into a joint venture with, purchases or is sold to or merged with another business entity, your information may be disclosed or transferred to the target company, our new business partners or owners or their advisors.

We may also share your information:

• if we are under a duty to disclose or share your information in order to comply with (and/or where we believe we are under a duty to comply with) any legal obligation or regulatory requirement;
• in order to enforce our contractual terms with you and any other agreement;
• to protect the rights of Defected, our partners, or others, including to prevent fraud; and
• with such third parties as we reasonably consider necessary in order to prevent crime, e.g. the police or for health and safety purposes.

In some cases the information we collect from you might be processed outside the United Kingdom or the European Economic Area, such as the United States and the countries in which Defected operates. These countries may not have the same protections for your information as the UK or EEA has. To the extent these countries have not been lawfully recognised as providing an adequate level of data protection, we will ensure that the information that is processed by us and our suppliers outside of the UK or EEA is protected in the same way as it would be if it was processed within the UK or the EEA. We ensure to use an appropriate data transfer mechanism, such as reliance on the protections set out in approved standard contractual clauses.

Please contact us using the contact details above for further information on the specific mechanism used by us when transferring your information.

We adopt robust technologies and policies to protect your information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We have implemented procedures to deal with any data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will take steps to protect your information, we cannot guarantee the security of your information transmitted to the Sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

When you open an account you may create a password, or other secure login method and also provide payment card details. You must use a unique password and keep any password you create, or other secure login method, secret in order to help prevent others from accessing your account.

Under certain circumstances, you have rights under data protection law in relation to the information we hold about you.

These include:

• The right of access. This is also known as a “data subject access request”. You have the right to receive a copy of the information we hold about you and to check that we are lawfully processing it. When responding to access requests, we will conduct reasonable and proportionate searches for personal data. We may refuse or charge a reasonable fee for requests that are manifestly unfounded, excessive or repetitive, as permitted by law.
• The right to rectification. You are entitled to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
• The right to erasure. This is also known as “the right to be forgotten” which enables you to request the deletion or removal of certain of the information that we hold about you where there is no good reason for us continuing to process it. This right is not absolute and only applies in certain circumstances.
• The right to restrict processing. You have the right to block or suppress further use of your information in certain circumstances. When processing is restricted, we may still have a lawful reason to store your information, but we will not use it further.
• The right to data portability. You have the right to receive your information in a structured, commonly used and machine-readable format which you can transfer to another service provider or other third party. This right is not absolute and only applies in certain circumstances.
• The right to withdraw consent. Where we rely on consent to use your information, you have the right to withdraw that consent at any time.  Withdrawing consent will not, however, make unlawful our use of your information before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you.
• The right to object to processing. You have the right to object to certain types of processing of your information, including processing for direct marketing purposes and profiling. You can object by changing your marketing preferences and disabling cookies as set out in section 5. Cookies and section 6. Marketing or by contacting us.
• You have the right not to be subject to a decision based solely on automated processing of your information, such as in connection with our fraud checks.

You have rights under GDPR/UK GDPR, including: access, rectification, erasure, restriction, portability, withdrawal of consent, objection to processing/profiling, and to not be subject solely to automated decisions.

To exercise any of these rights, please notify our Data Protection Contact in writing at [email protected].

If you are unhappy with how we have handled your information you can contact your local data protection authority. In the UK, this is the Information Commissioner’s Office. We would, however, really appreciate the chance to deal with your concerns before you approach your local data protection authority and so we please ask that you contact us first.

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office, Wycliffe House, Water Lane Wilmslow Cheshire SK9 5AF

www.ico.org.uk

Our services are not directed at children under 13. We comply with the UK Age Appropriate Design Code and implement safeguards where our services may be accessed by individuals under 18.

If you believe we have collected personal data relating to a child without appropriate consent, please contact us.

We may update this privacy policy occasionally. The latest version will always be on our website. Where appropriate, or where material changes are made, we may notify you of the changes, for example by email or push notification.

This privacy policy was last updated: 25th February 2026