Privacy policy
Last updated: 1 June 2026
This Privacy Policy explains how we handle your personal data when you visit magicmilk.bike, place an order, sign up to our emails, or get in touch with us.
We've tried to write it plainly. If anything's unclear, email info@magicmilk.uk — we'll explain it.
1. Who controls your data
magicmilk.bike is operated by OKO Sales Ltd, the exclusive UK distributor of Magic Milk, under licence from OKO Global LLP, who owns the Magic Milk brand and the website.
For data protection purposes, the two companies act as joint data controllers of personal data collected through magicmilk.bike. We've agreed how the responsibilities are split:
| Joint controller | What they decide and do |
|---|---|
| OKO Sales Ltd | Day-to-day operation of the site: orders, payments, fulfilment, returns, customer support, transactional emails, account management. |
| OKO Global LLP | Brand and site ownership: maintenance of the site, brand-level analytics, marketing decisions, the Magic Milk newsletter. |
You can contact either of us about your data. We'd suggest starting with OKO Sales Ltd for anything order-related and OKO Global LLP for anything about marketing or the brand — but it doesn't really matter; we route internally.
Contact details:
- OKO Sales Ltd — 21 Atlas Estate, Brookvale Road, Witton, Birmingham B6 7EX. Company No. 04994288. Email: info@magicmilk.uk. Phone: +44 (0) 121 356 6565.
- OKO Global LLP — 167–169 Great Portland Street, 5th Floor, London W1W 5PF. Company No. OC363642. Email: info@magicmilk.uk. Phone: +44 (0) 20 7870 3156.
For general privacy queries, including exercising your rights below: info@magicmilk.uk.
2. What personal data we collect
Depending on how you interact with us, we may collect or process:
You give us directly: - Name, email, phone, billing and shipping address (when you place an order or create an account). - Payment details (handled by our payment provider — we don't store full card numbers on our servers). - Order history, returns history, support correspondence. - Newsletter sign-up details (email, and any preferences you give us). - Anything you tell us when you contact us, leave a review, or interact with us on social media.
We collect automatically when you use the site: - IP address, device type, browser, operating system, approximate location (city level). - Pages viewed, products clicked, items added to cart, time on site. - Referring website and how you arrived. - Cookies and similar technologies — see section 8.
We receive from third parties: - Information from our payment provider (fraud signals, payment confirmation). - Information from couriers (delivery status, address corrections). - Information from advertising platforms about how our ads performed (in aggregate).
3. Why we use your data — and our lawful basis
Under UK GDPR, we need a "lawful basis" for every use of your data. Here's how that maps to what we actually do:
| What we do | Why | Lawful basis |
|---|---|---|
| Process and fulfil your order | So you get what you bought | Contract — we need this to deliver the order to you. |
| Take payment, prevent fraud | To make sure payments are real | Contract + Legitimate interests (preventing fraud and protecting the business). |
| Send order confirmations, dispatch and returns updates | So you know what's happening | Contract. |
| Customer support | To answer your questions | Contract (if order-related) or Legitimate interests (general queries). |
| Manage your account if you create one | To let you log in, see past orders, save addresses | Contract. |
| Send you marketing emails (newsletter, offers) | Because you've asked us to | Consent — you can withdraw at any time by clicking unsubscribe. |
| Show you ads on other platforms (Meta, Google, etc.) | To reach you outside the site | Consent (where required) via the cookie banner. |
| Analyse site performance (page views, conversions) | To improve the site | Legitimate interests (running a business well), with privacy-respecting setup. |
| Keep accounting records | We have to | Legal obligation (HMRC, Companies Act requirements). |
| Respond to legal requests | We have to | Legal obligation. |
| Improve products based on patterns we see | To make Magic Milk better | Legitimate interests, using aggregated data where possible. |
You can always contact us to ask about the basis for a specific use, or to object to processing based on legitimate interests.
4. Who we share your data with
We share personal data only with parties who help us run the business, and only the data they need. We use written agreements (data processing agreements) with each of them.
Categories of recipients:
- Shopify — our e-commerce platform. The site is hosted on Shopify, which means Shopify processes order, customer and analytics data on our behalf as a processor.
- Payment providers — for example Shopify Payments, Stripe, PayPal, Apple Pay and Google Pay. They process card details directly under their own privacy policies.
- Couriers and fulfilment partners — to deliver your order (name, address, phone, email).
- Email and marketing platforms — to send transactional and (with your consent) marketing emails.
- Analytics and advertising platforms — for example Google Analytics and Meta, to measure how the site and our ads perform. Where these set cookies, they only run after you've given consent through the cookie banner.
- Reviews platforms — if you leave a review.
- Professional advisers — accountants, lawyers, tax authorities (HMRC), banks — where there's a legal or operational need.
- OKO Global LLP / OKO Sales Ltd — between the two joint controllers, as described in section 1.
We do not sell your personal data, and we don't share it with anyone for them to use for their own marketing.
If we ever sell or transfer the business (or part of it), your data may transfer with it — but only on the same terms set out here.
5. International transfers
Some of our processors (notably Shopify and some analytics or advertising platforms) are based outside the UK. When your data moves outside the UK, we make sure it's protected by one of the routes UK law allows:
- The destination country has been recognised by the UK government as offering adequate protection, or
- We've signed the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or equivalent safeguards with the processor.
You can ask us for a copy of the safeguards we rely on — email info@magicmilk.uk.
6. How long we keep your data
We keep personal data only as long as we need it. As a rough guide:
- Order and customer records — 6 years after your last order, to meet HMRC and accounting requirements.
- Customer support correspondence — 2 years from the last message, in case it's needed for a follow-up issue.
- Newsletter subscribers — until you unsubscribe, plus a short suppression record so we don't accidentally email you again.
- Account data — until you delete the account, then suppressed for any required legal retention.
- Analytics data — typically up to 14 months in identifiable form; longer in aggregated, non-identifying form.
- Cookie data — see section 8 for individual cookie durations.
When the retention period ends, we delete the data or anonymise it so it can no longer identify you.
7. Your rights under UK GDPR
You have the following rights over your personal data:
- Access — ask us for a copy of what we hold about you.
- Rectification — ask us to correct anything that's wrong.
- Erasure — ask us to delete your data, where there's no overriding reason to keep it.
- Restriction — ask us to stop using your data temporarily, while a question is resolved.
- Portability — ask for your data in a portable format so you can take it elsewhere.
- Object — object to processing we do on the basis of legitimate interests, including profiling.
- Withdraw consent — at any time, where we rely on consent (e.g. marketing emails, non-essential cookies).
- Not be subject to fully automated decisions that produce legal or similarly significant effects on you.
To exercise any of these, email info@magicmilk.uk with enough detail for us to identify you and what you're asking for. We'll respond within one month. There's no fee for a standard request.
You also have the right to complain to the Information Commissioner's Office (ICO) — the UK's data protection regulator — if you think we've handled your data badly. You can find them at ico.org.uk or call 0303 123 1113. We'd appreciate the chance to put things right first, but you're not required to come to us first.
8. Cookies and similar technologies
We use cookies and similar tools to make the site work, remember your basket, understand how the site performs, and (with your consent) measure ad campaigns and show you relevant ads.
There are broadly three kinds:
- Strictly necessary — needed to run the site (cart, checkout, login, security). These don't need your consent under UK law.
- Performance / analytics — help us understand which pages work and which don't. We only set these after you've consented.
- Marketing / advertising — used by ad platforms (Meta, Google, etc.) to measure and target ads. We only set these after you've consented.
You can change your cookie preferences any time via the cookie banner or the link in the site footer. You can also block or delete cookies in your browser — but some parts of the site (checkout, account) won't work properly if you block strictly necessary cookies.
9. Marketing
We'll only email you marketing if:
- You've ticked the box to subscribe to the Magic Milk newsletter, or
- You're an existing customer and we're contacting you about similar products to ones you've bought, in line with the "soft opt-in" allowed by the Privacy and Electronic Communications Regulations (PECR).
Every marketing email has an unsubscribe link. One click is enough — you don't need to give a reason. You can also email info@magicmilk.uk to be removed.
10. Children
magicmilk.bike isn't aimed at children, and we don't knowingly collect data from anyone under 16. If you think a child has given us their data, email us and we'll delete it.
11. Security
We take reasonable steps to protect your data — encrypted connections, access controls, secure payment providers, and limited internal access on a need-to-know basis. No system is perfectly secure, and we can't guarantee absolute security. If we ever discover a breach that affects your rights, we'll tell you and report it to the ICO as the law requires.
12. Links to other sites
The site may link to other websites — social platforms, partners, race teams, retailers. Their privacy practices are theirs, not ours. Check their policies before sharing any data with them.
13. Changes to this policy
We may update this policy from time to time — to reflect changes in what we do, what the law requires, or what our processors do. We'll always update the "Last updated" date at the top. For material changes, we'll let you know more visibly (a banner, an email if you have an account, or both).
14. Getting in touch
For privacy questions or to exercise your rights, email info@magicmilk.uk — this reaches both joint controllers.
- OKO Sales Ltd (operator): info@magicmilk.uk · +44 (0) 121 356 6565 · 21 Atlas Estate, Brookvale Road, Witton, Birmingham B6 7EX
- OKO Global LLP (brand owner): info@magicmilk.uk · +44 (0) 20 7870 3156 · 167–169 Great Portland Street, 5th Floor, London W1W 5PF
If you're not satisfied with our response, contact the Information Commissioner's Office at ico.org.uk or 0303 123 1113.