OLEA LEGACY LTD
PRIVACY POLICY
Version 1.1 | Last Updated: 05 March 2026
Applicable Law: UK GDPR • EU GDPR • CCPA • PECR | Data Controller: Olea Legacy Ltd | ICO Registration Number: ZC101841

1. INTRODUCTION AND WHO WE ARE
Olea Legacy Ltd (“Olea Legacy”, “we”, “us” or “our”) is committed to protecting the privacy and personal data of every individual who interacts with us, whether as a customer, enquirer, newsletter subscriber, or visitor to our website. This Privacy Policy explains in clear and transparent terms how we collect, use, store, protect, share and delete your personal data, and what rights you have in relation to that data.
This Privacy Policy applies to all personal data processed by Olea Legacy Ltd in connection with:
Use of our website at www.olealegacy.com (the “Site”);
Enquiries, orders and service requests submitted via our website contact form or by email;
Communications conducted via WhatsApp Business;
Subscription to our newsletter or marketing communications;
Participation in the Ownership – Stewardship Programme or the Legacy Estate Programme;
Any other direct interaction with Olea Legacy Ltd.

We do not require you to create an online account to use our Site. All customer interactions beyond initial website contact are managed via direct communication by email or WhatsApp.
By using our Site or providing us with your personal information, you acknowledge that you have read and understood this Privacy Policy.

2. DATA CONTROLLER DETAILS AND REPRESENTATIVES
2.1 Data Controller
Olea Legacy Ltd is the data controller responsible for personal data processed in connection with its business activities. As data controller, Olea Legacy Ltd determines the purposes for which and the manner in which personal data is processed.

Company Name: Olea Legacy Ltd
Registered in: England and Wales
Company Number: 16875648
Registered Office: 128 City Road, London, EC1V 2NX, United Kingdom
Data Protection Contact: info@olealegacy.com
ICO Registration Number: ZC101841

2.2 UK Supervisory Authority
Olea Legacy Ltd’s lead supervisory authority for UK GDPR purposes is the Information Commissioner’s Office (ICO):

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Helpline: 0303 123 1113
Online reporting: https://ico.org.uk/make-a-complaint

You have the right to lodge a complaint with the ICO at any time if you believe that your personal data has been processed in a manner that does not comply with the UK GDPR. We would, however, ask that you contact us in the first instance so that we may seek to resolve your concern directly.
2.3 EU Representative under Article 27 EU GDPR

Olea Legacy Ltd appointed EU Representative for EU GDPR purposes is:

EU Representative: Evangelia Karapiperi
Address: Kainourgio Horio Pediados Heraklion Crete
Email: karapiperi@hotmail.com

EU data subjects may contact our EU Representative directly for any matter relating to the processing of their personal data or to exercise their rights under EU GDPR. This representative is authorised to act on behalf of Olea Legacy Ltd in all dealings with EU supervisory authorities and EU data subjects.
2.4 EU Supervisory Authorities
If you are located in the European Union and have a concern about how we have processed your personal data, you have the right to lodge a complaint with the data protection supervisory authority of the EU member state in which you are habitually resident, your place of work, or the place of the alleged infringement. A full list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Given that Olea Legacy Ltd’s production operations are located in Greece, the Hellenic Data Protection Authority (HDPA) is also a relevant supervisory authority:

Hellenic Data Protection Authority (HDPA)
Kifissias 1-3, 11523 Athens, Greece
Website: https://www.dpa.gr
Email: contact@dpa.gr
Telephone: +30 210 6475600

3. PERSONAL DATA WE COLLECT
3.1 Data You Provide Directly
We collect personal data that you voluntarily provide to us. Depending on how you interact with us, this may include:

Via the Website Contact / Enquiry Form (WordPress)
Full name;
Email address;
Telephone number (if provided);
Subject matter and content of your enquiry or request;
Any additional personal details you choose to include in the free-text fields of the form.

Via WhatsApp Business
Your WhatsApp display name and profile information (as set in your WhatsApp account);
Your telephone number (required by WhatsApp to send messages);
The content of messages exchanged between you and Olea Legacy Ltd, including any personal details, requests, or documents you share within the conversation;
Message metadata (timestamps, read receipts, delivery status) as processed by Meta Platforms Ireland Ltd.

Via Email Correspondence
Name, email address and any other personal information included in your email;
Content of correspondence and attachments.

Via Newsletter Subscription
Name and email address.

Via Programme Participation (Stewardship or Legacy Estate)
Full legal name;
Billing address and delivery address;
Email address and telephone number;
Payment information (processed exclusively by third-party payment providers; Olea Legacy Ltd does not store full payment card details);
Order history and programme participation records;
Personalisation preferences (for example, custom label name or grove assignment).

B2B Contact Data
Where you contact us or transact with us on behalf of a business, company, or organisation, we process personal data relating to you as a business representative (typically your name, business email address, job title, and telephone number). Such data is processed to manage the commercial relationship between Olea Legacy Ltd and the organisation you represent. The same rights and protections described in this policy apply to your personal data as a B2B contact.
3.2 Data Collected Automatically
When you visit our Site, we automatically collect certain technical and usage data via cookies and similar technologies, including:
IP address;
Browser type and version;
Operating system;
Referring website URL;
Pages visited and time spent on each page;
Date and time of visits;
Approximate geographic location (derived from IP address, not GPS);
Device type and screen resolution.

This data is collected via cookies and tracking technologies as described in Section 7 of this policy.
3.3 Data We Do Not Collect
We do not intentionally collect any special categories of personal data (as defined under UK GDPR Article 9 and EU GDPR Article 9), including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation, unless you voluntarily provide such information in a message to us, in which case we will treat it with the highest level of care.
We do not knowingly collect personal data from children under the age of 13 (or under the applicable age of digital consent in your jurisdiction). See Section 12 for our full Children’s Privacy policy.

4. HOW AND WHY WE USE YOUR PERSONAL DATA
We only use your personal data where we have a valid legal basis to do so under applicable data protection law. The table below maps each processing purpose to the personal data involved, the legal basis relied upon, and the applicable retention period.

PURPOSE 1: Responding to enquiries submitted via the website contact form or by email.
Data used: Name, email address, telephone number (if provided), content of enquiry.
Legal basis: Contractual necessity (Article 6(1)(b) UK/EU GDPR) — processing is necessary to take steps at your request prior to entering a contract; and/or Legitimate interests (Article 6(1)(f)) — our legitimate interest in responding to business communications.
Retention: For the duration of the enquiry plus 12 months from resolution, or such longer period as may be required to establish, exercise or defend legal claims.

PURPOSE 2: Managing orders, programme enrolments and customer relationships.
Data used: Name, contact details, billing and delivery address, payment records, order history, programme participation records.
Legal basis: Contractual necessity (Article 6(1)(b)) — processing is necessary for the performance of a contract to which you are party.
Retention: For the duration of the contractual relationship plus 7 years from the date of the last transaction, in line with standard UK accounting and tax record retention obligations.

PURPOSE 3: Managing and processing WhatsApp Business communications.
Data used: WhatsApp display name, telephone number, message content and metadata.
Legal basis: Legitimate interests (Article 6(1)(f)) — our legitimate interest in maintaining an efficient and responsive customer communications channel; and/or Contractual necessity where the communication relates to a specific order or service.
Retention: WhatsApp conversation histories retained for 12 months from the date of the last message in the relevant conversation thread, unless the conversation relates to an ongoing contractual matter, in which case the retention period in Purpose 2 applies.
Important: Meta Platforms Ireland Ltd processes your telephone number and message metadata as part of providing the WhatsApp service. Olea Legacy Ltd cannot control Meta’s own processing of your data. Please refer to Meta’s Privacy Policy at https://www.whatsapp.com/legal/privacy-policy for further information.

PURPOSE 4: Sending newsletters and marketing communications.
Data used: Name, email address.
Legal basis: Consent (Article 6(1)(a) UK/EU GDPR) — we will only send you marketing emails where you have actively subscribed and given your consent. You may withdraw your consent at any time by clicking the unsubscribe link in any email or by contacting info@olealegacy.com.
Legal obligation (UK): We also comply with the Privacy and Electronic Communications Regulations 2003 (PECR), which require that we obtain your prior consent before sending direct marketing by electronic means (email or text message), except where the ‘soft opt-in’ exemption applies for existing customers receiving marketing about similar products and services.
Retention: Until you withdraw your consent or unsubscribe, at which point your data will be removed from our marketing list within 30 days. We will retain a suppression record of your email address to ensure we do not accidentally contact you again.

PURPOSE 5: Website analytics and performance improvement.
Data used: IP address, pages visited, visit duration, device and browser information (collected via cookies — see Section 7).
Legal basis: Consent (Article 6(1)(a)) for non-essential analytics cookies under UK PECR and EU ePrivacy Regulation; Legitimate interests (Article 6(1)(f)) for necessary site performance data.
Retention: Google Analytics data is retained for 14 months on Google’s servers in accordance with our configuration. IP addresses are anonymised before being processed by Google Analytics.

PURPOSE 6: Targeted advertising via the Facebook Pixel (Meta).
Data used: Browsing behaviour on the Site, pages visited, device identifiers (collected via cookies — see Section 7).
Legal basis: Consent (Article 6(1)(a)) — the Facebook Pixel will only be activated if you have consented to advertising/marketing cookies via our cookie consent mechanism. You may withdraw consent at any time via the cookie settings on our Site.
Joint controllership: Olea Legacy Ltd and Meta Platforms Ireland Ltd act as joint data controllers in respect of data collected via the Facebook Pixel on our Site, in accordance with the CJEU’s Fashion ID ruling (C-40/17) and Meta’s Pixel Controller Addendum. This means that both Olea Legacy Ltd and Meta are each responsible, independently, for ensuring that their respective processing activities comply with applicable data protection law. Meta’s privacy policy governs Meta’s own subsequent processing of Pixel data: https://www.facebook.com/privacy/policy.
Retention: Cookie and Pixel data as per Meta’s data retention practices. We do not independently store Pixel identifiers beyond the active cookie session unless you have also provided us with your contact details separately.

PURPOSE 7: Security, fraud prevention and legal compliance.
Data used: Any personal data held by us that is relevant to the specific security concern or legal obligation.
Legal basis: Legal obligation (Article 6(1)(c)) where processing is required by law; Legitimate interests (Article 6(1)(f)) — our legitimate interest in protecting the business and its customers from fraud and security threats.
Retention: As required by the specific legal obligation or for the duration of any related legal proceedings, plus 7 years.

5. LEGAL BASES FOR PROCESSING — SUMMARY
For transparency, and in accordance with the requirements of UK GDPR Article 13 and EU GDPR Article 13, we summarise below the legal bases upon which Olea Legacy Ltd relies to process personal data. More detail on each legal basis as applied to specific processing activities is set out in Section 4 above.

Consent (Article 6(1)(a)): Used for: newsletter marketing; non-essential analytics cookies; advertising cookies (Facebook Pixel). You have the right to withdraw consent at any time.
Contractual Necessity (Article 6(1)(b)): Used for: processing orders and programme enrolments; responding to pre-contractual enquiries; fulfilling delivery obligations.
Legal Obligation (Article 6(1)(c)): Used for: retaining financial and transactional records for tax and accounting purposes; responding to lawful requests from authorities; complying with data subject rights obligations.
Legitimate Interests (Article 6(1)(f)): Used for: responding to business enquiries; managing WhatsApp communications; analysing website performance; fraud prevention and security. We have carried out a legitimate interests assessment (LIA) in respect of each reliance on this basis and are satisfied that our interests are not overridden by data subjects’ rights and freedoms.

We do not engage in any automated decision-making or profiling that produces legal or similarly significant effects on individuals using only personal data we hold about them.

6. DATA RETENTION
We retain personal data only for as long as is necessary to fulfil the purpose for which it was collected, and thereafter only to the extent required to comply with our legal obligations, resolve disputes, or enforce our agreements. The following indicative retention periods apply:

Website contact form enquiries: 12 months from resolution of the enquiry, or up to 7 years if the enquiry relates to a transaction or potential legal claim — UK Companies Act 2006; Limitation Act 1980 (6-year limitation period for contract claims)
Order records and programme participation records: 7 years from the date of the last transaction — HMRC record-keeping requirements; VAT Act 1994; Limitation Act 1980
WhatsApp Business conversation records: 12 months from the date of the last message in the relevant thread, unless the conversation relates to an active order or claim — Legitimate interests; Limitation Act 1980 for claim-related conversations
Email correspondence: 12 months from resolution of the subject matter; up to 7 years for contract-related correspondence — Limitation Act 1980; legitimate interests
Newsletter and marketing subscriber data: Until unsubscription or withdrawal of consent, plus 30 days for removal processing. Suppression list retained indefinitely to prevent re-subscription without consent — Consent; PECR 2003
Website analytics data (Google Analytics): 14 months on Google’s servers, as configured by Olea Legacy Ltd; anonymised aggregate data may be retained indefinitely — Legitimate interests; consent for analytics cookies
Facebook Pixel / advertising cookie data: As per Meta’s data retention schedule (governed by Meta’s Privacy Policy) — Consent; Meta joint controllership arrangement
Financial and payment records: 7 years from the end of the relevant tax year — HMRC obligations; VAT Act 1994; Companies Act 2006

When data reaches the end of its retention period, it will be securely and permanently deleted or irreversibly anonymised. Where immediate deletion is not technically possible (for example, data held in encrypted backup archives), the data will be securely isolated and not accessed until deletion can be completed at the next available backup cycle.

7. COOKIES AND TRACKING TECHNOLOGIES
7.1 What Are Cookies?
Cookies are small text files placed on your device by a website when you visit it. They allow the website to recognise your device and store information about your preferences or past interactions. We also use related technologies including web beacons (pixel tags) and local storage, all of which are referred to collectively in this policy as “cookies”.
7.2 Our Legal Obligations Regarding Cookies
In the United Kingdom, the use of non-essential cookies is regulated by the Privacy and Electronic Communications Regulations 2003 (PECR), as amended, which require that we obtain your prior, freely given, specific, informed and unambiguous consent before placing any cookies on your device that are not strictly necessary for the provision of the service you have requested.
For EU visitors, the ePrivacy Directive (as implemented in each EU member state) and EU GDPR impose equivalent consent requirements.
CONSENT IS REQUIRED: We will not place non-essential cookies (including analytics and advertising cookies) on your device unless and until you have given your explicit consent via our cookie consent banner. You may withdraw or amend your consent at any time by accessing the cookie settings tool on our Site.
7.3 Categories of Cookies We Use

(a) Strictly Necessary Cookies
These cookies are essential for the website to function and cannot be switched off in our systems. They are usually set in response to actions you take, such as submitting a contact form. They do not store any personally identifiable information. No consent is required for strictly necessary cookies under PECR or EU ePrivacy law.

(b) Analytics Cookies (Google Analytics) — Consent Required
We use Google Analytics, provided by Google LLC (a subsidiary of Alphabet Inc.), to collect aggregated and anonymised information about how visitors use our Site. This helps us understand which pages are most visited, how long users stay on the Site, and how users navigate between pages, allowing us to improve our content and structure.
Google Analytics uses cookies to collect anonymised data about your visit. We have configured Google Analytics to anonymise IP addresses before they are processed or stored. Google LLC may process your data on servers located in the United States. We have entered into a Data Processing Agreement with Google in accordance with UK GDPR and EU GDPR requirements, relying on Standard Contractual Clauses for international data transfers.
You can opt out of Google Analytics tracking at any time by installing the Google Analytics Opt-Out Browser Add-on, available at: https://tools.google.com/dlpage/gaoptout.

(c) Advertising and Marketing Cookies (Facebook Pixel) — Consent Required
We use the Facebook Pixel, a tracking tool provided by Meta Platforms Ireland Ltd (“Meta”), to measure the effectiveness of our advertising and to deliver relevant advertisements to users on Meta’s platforms (Facebook and Instagram) who have previously visited our Site.
When you visit our Site and accept advertising cookies, the Facebook Pixel may collect information about your device, the pages you visit on our Site, and actions you take. This information may be used to show you tailored advertisements on Facebook or Instagram. The data collected via the Facebook Pixel is processed by Meta in accordance with Meta’s own Data Policy.
Joint Data Controllership: In accordance with the Court of Justice of the European Union’s judgment in Fashion ID (Case C-40/17) and the guidance of EU and UK data protection authorities, Olea Legacy Ltd and Meta Platforms Ireland Ltd are joint data controllers in respect of the collection and initial transmission of Pixel data from our Site to Meta. Each party is independently responsible for ensuring compliance with applicable data protection law in respect of its own processing activities. Meta’s privacy policy, which governs Meta’s subsequent processing, is available at: https://www.facebook.com/privacy/policy.
You can control how your data is used for advertising through your Facebook account settings at https://www.facebook.com/ads/preferences, or through the Digital Advertising Alliance opt-out tool at https://optout.aboutads.info.
7.4 Managing Your Cookie Preferences
When you first visit our Site, you will be presented with a cookie consent banner that allows you to accept or decline each category of non-essential cookie. You can update your preferences at any time by clicking the “Cookie Settings” link.
Most web browsers also allow you to control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our Site. For guidance on managing cookies in your browser, visit: https://www.aboutcookies.org or https://www.allaboutcookies.org.

8. DATA SHARING AND DISCLOSURE
8.1 We Do Not Sell Your Personal Data
Olea Legacy Ltd does not sell, rent, trade, or otherwise transfer your personal data to third parties for their own independent commercial purposes, under any circumstances. This applies to all personal data categories and all data subjects, including California residents exercising rights under the CCPA (see Section 10.3).
8.2 Data Processors — Third Parties Acting on Our Behalf
We share personal data with the following categories of trusted third-party service providers (“data processors”) who process personal data solely on our instructions and for the specific purposes described:

Website Hosting Provider: Our Site is hosted by Namecheap, which processes server logs and any data submitted via our contact form. All data is processed by the hosting provider solely in its capacity as a data processor under a formal Data Processing Agreement.

WordPress Contact Form Plugin: Our website contact form is built using a standard WordPress plugin (plugin name: WPForms). Submitted form data is stored temporarily on our web server and delivered by email to our team. We ensure that form submissions are transmitted and stored securely.

Meta Platforms Ireland Ltd (WhatsApp Business): When you communicate with us via WhatsApp, your telephone number, display name and message content are processed by Meta Platforms Ireland Ltd as part of the WhatsApp service. Meta acts as both a data processor (in processing messages on our behalf) and an independent data controller (in processing data for its own platform purposes). Meta’s processing is governed by its own privacy policy at https://www.whatsapp.com/legal/privacy-policy. Olea Legacy Ltd cannot control Meta’s independent processing activities.

Google LLC (Google Analytics): Analytics data is processed by Google LLC pursuant to a Data Processing Agreement incorporating Standard Contractual Clauses for international transfers to the United States. Google processes this data solely to provide analytics services to us.

Meta Platforms Ireland Ltd (Facebook Pixel): As described in Section 7.3(c), Olea Legacy Ltd and Meta are joint data controllers for Pixel data collection. Meta’s processing after initial transmission is governed by Meta’s Data Policy.

Payment Processing Providers: Payment transactions are processed by our third-party payment service providers (card processors and/or PayPal). These providers act as independent data controllers in respect of your payment card data and are subject to their own privacy policies and PCI DSS obligations. Olea Legacy Ltd does not receive, store or have access to full payment card details.

Logistics and Courier Partners (Greece-based): For fulfilment of orders, we share your name and delivery address with our approved logistics partners in Greece, solely for the purpose of delivering your order. These partners act as data processors under appropriate data sharing arrangements.
8.3 Legal Disclosure
We may disclose personal data to competent authorities, courts, regulators or third parties where we are legally required to do so, including: (a) in response to a lawful court order, regulatory request or legal process; (b) to enforce our Terms and Conditions or other agreements; (c) to protect the rights, property or safety of Olea Legacy Ltd, our customers or others; or (d) to investigate, prevent or act on suspected fraud, illegal activity or a breach of security.
8.4 Business Transfers
In the event that Olea Legacy Ltd is involved in a merger, acquisition, asset sale, restructuring or business transfer, personal data we hold may be transferred to the relevant counterparties as part of that transaction. We would ensure that any such transfer is subject to appropriate confidentiality obligations and that the acquiring entity assumes equivalent data protection commitments. You would be notified of any material change in data controller identity or in the purposes for which your data is processed.

9. INTERNATIONAL DATA TRANSFERS
Olea Legacy Ltd is incorporated in England and Wales, and our production operations are based in Greece. Our service providers (including Google and Meta) are headquartered in the United States. This means that personal data we collect may be transferred to, and stored or processed in, countries outside the United Kingdom and the European Economic Area (EEA), including the United States and other jurisdictions that may not offer the same level of data protection as the UK or EU.
Wherever we transfer personal data internationally, we ensure that appropriate safeguards are in place to protect your data, including one or more of the following mechanisms:
Adequacy regulations: Transfer to countries that have been determined by the UK Secretary of State (for UK GDPR) or the European Commission (for EU GDPR) to provide an adequate level of data protection equivalent to that in the UK or EU.
Standard Contractual Clauses (SCCs): Use of the International Data Transfer Agreement (IDTA) approved for UK transfers, or the European Commission’s Standard Contractual Clauses for EU transfers, which contractually bind the recipient to protect your personal data to a standard essentially equivalent to UK/EU law.
Other appropriate safeguards: Such as binding corporate rules, approved certification mechanisms, or other transfer tools approved under applicable law.

Our specific transfer arrangements with key service providers are:
Google LLC (USA): Personal data is transferred under Standard Contractual Clauses and the EU-US Data Privacy Framework (where applicable).
Meta Platforms Ireland Ltd (EU-based entity for EEA data): Meta Platforms Ireland Ltd is established in the EU. For UK data subjects, Meta relies on the UK IDTA or equivalent mechanism for any onward transfer to the United States.
WhatsApp LLC (USA): Transfers of WhatsApp communication data are governed by Meta’s international transfer arrangements.

If you would like further information about the specific safeguards in place for any particular international transfer, please contact us at info@olealegacy.com.

10. YOUR DATA PROTECTION RIGHTS
10.1 Rights Under UK GDPR and EU GDPR
Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to limitations in certain circumstances, which we will always explain if they apply.

Right of Access (Article 15): You have the right to request confirmation of whether we process personal data about you and, if so, to receive a copy of that data together with information about how we process it. We will provide this in a commonly used electronic format, free of charge, ordinarily within one calendar month of receipt of a valid request (extendable by a further two months for complex or multiple requests).

Right to Rectification (Article 16): You have the right to require us to correct any inaccurate personal data we hold about you and to have incomplete data completed. We will act on a valid rectification request without undue delay and within one calendar month.

Right to Erasure / ‘Right to be Forgotten’ (Article 17): You have the right to request that we delete your personal data where: (a) it is no longer necessary for the purpose it was collected; (b) you withdraw your consent and there is no other legal basis for processing; (c) you object to processing and we have no overriding legitimate grounds; (d) your data has been unlawfully processed; or (e) erasure is required to comply with a legal obligation. We may decline or partially fulfil an erasure request where we are required by law to retain the data or where it is necessary for the establishment, exercise or defence of legal claims.

Right to Restriction of Processing (Article 18): You have the right to request that we restrict (i.e., pause) the processing of your personal data in certain circumstances, including while you contest the accuracy of your data, while your objection is being considered, or if processing is unlawful but you prefer restriction to erasure.

Right to Data Portability (Article 20): Where we process your personal data by automated means and on the basis of your consent or a contract, you have the right to receive a copy of that data in a structured, commonly used and machine-readable format, and to request that we transmit it directly to another data controller, where technically feasible.

Right to Object (Article 21): You have an absolute right to object at any time to the processing of your personal data for direct marketing purposes (including profiling for direct marketing), and we will cease such processing immediately upon receipt of your objection. Where we rely on legitimate interests as our legal basis, you may also object on grounds relating to your particular situation; we will then consider your objection and either cease processing or provide compelling legitimate grounds to continue.

Right to Withdraw Consent (Article 7(3)): Where we process your data on the basis of consent, you may withdraw that consent at any time by contacting us at info@olealegacy.com, by clicking the unsubscribe link in any marketing email, or by updating your cookie preferences on our Site. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.

Right to Complain to a Supervisory Authority: You have the right to lodge a complaint with the ICO (for UK residents) or with the relevant EU supervisory authority (for EU residents) if you believe we have processed your personal data unlawfully or in breach of applicable data protection law. Details of the ICO and the HDPA are set out in Section 2 of this policy. We would, however, always ask you to contact us first so that we may seek to resolve your concern directly before you escalate to a supervisory authority.

10.2 How to Exercise Your Rights
To exercise any of the rights described above, please submit a written request to us by email at info@olealegacy.com or by post to: Olea Legacy Ltd, 128 City Road, London, EC1V 2NX, United Kingdom. Please include sufficient information to allow us to identify you and locate your personal data (for example, the email address you used when contacting us or placing an order). We may ask you to provide additional verification of your identity before we can respond to sensitive requests, in order to protect your data from being disclosed to the wrong person.
We will respond to your request without undue delay and in any event within one calendar month of receipt (extendable by a further two months for complex requests, with notification). There is no charge for making a subject access request or exercising any other data subject right, unless requests are manifestly unfounded or excessive, in which case we reserve the right to charge a reasonable administrative fee or to decline the request, with written explanation.
10.3 California Privacy Rights (CCPA / CPRA)
If you are a resident of California, you are entitled to the following additional rights under the California Consumer Privacy Act 2018 (CCPA), as amended by the California Privacy Rights Act 2020 (CPRA):
Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purpose for collecting it, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of personal information we have collected about you, subject to certain statutory exceptions.
Right to Correct: You may request correction of inaccurate personal information we hold about you.
Right to Opt Out of Sale or Sharing: Olea Legacy Ltd does not sell or share personal information as defined under the CCPA/CPRA. This right is honoured by default.
Right to Limit Use of Sensitive Personal Information: We do not process sensitive personal information as defined under the CPRA for purposes beyond those permitted without limitation.
Right to Non-Discrimination: You will not be denied goods or services, charged different prices, or treated differently for exercising any CCPA/CPRA right.

To exercise any California privacy right, please contact us at info@olealegacy.com. We will verify your identity and respond within 45 calendar days of receipt of a verifiable consumer request (extendable by a further 45 days with notice). You may also designate an authorised agent to submit requests on your behalf, provided you supply written authorisation and we can verify both your identity and the agent’s authority.

11. DATA SECURITY
Olea Legacy Ltd implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in accordance with UK GDPR Article 32 and EU GDPR Article 32. These measures include:
Use of encrypted email communications and secure document transmission where applicable;
Restricted access to personal data on a need-to-know basis, with access controls and confidentiality obligations for all personnel;
Regular review of our data handling practices and security measures;
Use of reputable, security-assessed third-party processors (see Section 8);
Secure deletion of personal data at the end of its retention period.

Whilst we take all reasonable and industry-standard precautions, no method of electronic transmission or storage is entirely secure. We cannot guarantee the absolute security of personal data transmitted to us via the internet or over WhatsApp. You can help protect your data by using caution when sharing personal information online and ensuring your own devices and network connections are secure.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Olea Legacy Ltd will notify the ICO without undue delay and within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay under UK GDPR Article 34.

12. CHILDREN’S PRIVACY
Our Site and services are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are under 13, please do not submit any personal information to us via our website, email or WhatsApp.
For users in the European Union, the age of consent for personal data processing in relation to information society services varies between 13 and 16 years depending on the member state (EU GDPR Article 8). Where a user is a minor under the applicable age of consent in their member state, parental or guardian consent is required.
If you are a parent or guardian and believe that your child has provided personal data to us without your consent, please contact us immediately at info@olealegacy.com. Upon verification, we will take prompt steps to delete the relevant data from our records.

13. RECORD OF PROCESSING ACTIVITIES (ROPA)
Under UK GDPR Article 30 and EU GDPR Article 30, data controllers are required to maintain a written Record of Processing Activities (RoPA) documenting all personal data processing operations. Olea Legacy Ltd maintains an internal RoPA that supplements the information published in this Privacy Policy. The RoPA is available to supervisory authorities upon request.

14. CHANGES TO THIS PRIVACY POLICY
We may update or revise this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. When we do so, we will update the “Last Updated” date at the top of this document and, where the changes are material, we will provide a more prominent notice on our Site or by email to data subjects who have provided us with their contact details.
You are encouraged to review this Privacy Policy periodically to stay informed about how we handle your personal data. Your continued use of our Site or services following the posting of an updated Privacy Policy constitutes your acknowledgement that you have read the revised policy.

15. CONTACT US
If you have any questions, concerns or requests in relation to this Privacy Policy or to the way in which Olea Legacy Ltd processes your personal data, please contact us using the details below. We will endeavour to acknowledge all privacy-related correspondence within two (2) business days and to respond fully within any timeframe required by applicable law.

Data Controller: Olea Legacy Ltd
Registered Address: 128 City Road, London, EC1V 2NX, United Kingdom
Company Number: 16875648 (Registered in England & Wales)
ICO Registration Number:  ZC101841
Email: info@olealegacy.com
Website: www.olealegacy.com
EU Representative: Evangelia Karapiperi

If you are not satisfied with our response to a privacy concern, you have the right to contact the ICO (see Section 2.2) or the relevant EU supervisory authority (see Section 2.4) to escalate your complaint.

OLEA LEGACY LTD
Company No. 16875648 | 128 City Road, London, EC1V 2NX, United Kingdom
info@olealegacy.com | www.olealegacy.com
Privacy Policy Version 1.1 | Last Updated: 05 March 2026