Privacy and Personal Data Protection Policy
Last updated: 2 June 2026
Preamble
Family Web Diffusion, the company operating the loveandvibes.co.uk website, attaches the utmost importance to protecting the privacy of its customers and visitors. Given the particular nature of our business, namely the sale of intimate products and sexual wellness items, we are committed to processing your personal data with an enhanced level of discretion and security.
This Privacy Policy is intended to inform you, in a clear and transparent manner, of how we collect, use and protect your personal data, as well as of the rights available to you under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By browsing our website, creating an account or placing an order, you acknowledge that you have read this Policy.
1. Identity of the data controller
The controller of your personal data is:
FAMILY WEB DIFFUSION, a French limited liability company (Société à responsabilité limitée) with a share capital of EUR 480,000, having its registered office at 1 rue Gustave Eiffel, 31780 Castelginest, France, registered with the Trade and Companies Register of Toulouse under number 530 155 167, VAT number FR66530155167.
For any question regarding the protection of your personal data or to exercise your rights, you can contact us using the following means:
- By email at the dedicated address: [email protected]
- Via the contact form available on our website
- By post to the registered office address mentioned above
2. Personal data collected
As part of our business activity, we collect and process the following categories of data:
Identification and contact data: title, first name, last name, date of birth where applicable, postal address, delivery address, email address, telephone number.
Data relating to your customer account: login credentials, password (stored in hashed form), order history, purchase preferences, wish list, reviews submitted.
Payment data: chosen payment method, transaction amount. Please note that full banking data (card number, security code) is never collected or stored by Family Web Diffusion. This data is processed directly by our secure payment service providers, within a PCI-DSS certified environment.
Browsing and technical data: IP address, session identifiers, browser and operating system type, pages viewed, visit duration, data from cookies and trackers.
Data relating to your orders: products ordered, amounts, dates, delivery tracking, exchanges with our customer service.
Data from your communications with us: content of emails exchanged with our customer service, messages left via the contact form, post-purchase feedback and reviews.
Family Web Diffusion does not solicit or voluntarily collect special category data within the meaning of Article 9 of the UK GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation or stated gender identity). However, we are aware that certain purchases made on our website may, by their context, reflect or suggest a part of your private or intimate life. This data therefore benefits from an enhanced level of confidentiality and security, detailed in section 9 of this Policy.
3. Purposes of processing and legal bases
Your data is collected and processed for the following purposes, each based on a specific legal basis within the meaning of Article 6 of the UK GDPR:
3.1 Order management and contractual relationship
This includes the creation of your customer account, the processing of your orders, the management of payments, the organisation of deliveries, the handling of returns and refunds, the management of after-sales service and any disputes.
Legal basis: performance of the contract of sale entered into between you and Family Web Diffusion (Article 6.1.b of the UK GDPR).
3.2 Compliance with our legal and tax obligations
Retention of invoices and accounting documents, VAT management, legal archiving of transactions, fraud prevention, response to requests from competent authorities.
Legal basis: compliance with legal obligations to which the controller is subject (Article 6.1.c of the UK GDPR).
3.3 Commercial communications and newsletter
Sending of our newsletter, promotional offers and communications about our new products, subject to your prior consent expressed via a dedicated tick box upon your registration, the creation of your customer account or via the subscription form available on our website.
Legal basis: your express consent (Article 6.1.a of the UK GDPR). You may withdraw your consent at any time, in particular via the unsubscribe link in each of our emails or by contacting us directly.
3.4 Customer review requests after purchase
Sending of invitations to leave a review on the products you have purchased, through our partner Avis-Verifies.
Legal basis: our legitimate interest in collecting feedback to improve the quality of our products and services (Article 6.1.f of the UK GDPR).
3.5 Personalisation of your experience and recommendations
Adaptation of the website display according to your preferences, recommendations of products likely to interest you, management of your wish list.
Legal basis: your consent for personalised recommendations by email, and our legitimate interest for simple personalisation on the website (Articles 6.1.a and 6.1.f of the UK GDPR).
3.6 Audience measurement and statistical analysis
Understanding how our website operates, identifying areas for improvement, measuring the performance of our content and campaigns.
Legal basis: your consent, collected via our cookie banner during your first visit (Article 6.1.a of the UK GDPR).
3.7 Website security and fraud prevention
Detection of attempted payment fraud, security of your account, protection against unauthorised access, retention of technical logs necessary for security.
Legal basis: our legitimate interest in ensuring the security of our website and our customers (Article 6.1.f of the UK GDPR).
3.8 Management of data subject rights
Processing of your requests for access, rectification, erasure, objection or portability of your data.
Legal basis: compliance with our legal obligations (Article 6.1.c of the UK GDPR).
3.9 Discretion of delivery and invoicing
Dispatch of your orders in plain packaging, without external mention of the contents or of the Love and Vibes brand, and invoicing under the name of Family Web Diffusion.
Legal basis: performance of the contract and our legitimate interest in protecting the privacy of our customers (Articles 6.1.b and 6.1.f of the UK GDPR).
3.10 No profiling relating to private life
Family Web Diffusion does not carry out any automated profiling intended to infer your sexual orientation, your sexual preferences, your gender identity or any other element relating to your intimate life, from your orders or your browsing behaviour. No automated decision producing legal effects concerning you or significantly affecting you is taken on the basis of such information, in accordance with Article 22 of the UK GDPR.
4. Recipients of the data
Your personal data is accessible only to authorised personnel within Family Web Diffusion, strictly within the scope of their duties and on a need-to-know basis.
It is also communicated, to the extent strictly necessary for the performance of the purposes described above, to the following recipients:
Hosting provider
Always Data, a French company based in Paris, which hosts our website and our database in data centres located in France.
Payment service provider
Mollie, a Dutch company that aggregates various payment methods (Apple Pay, Klarna, Pay by Bank, Trustly). Payment by PayPal is processed directly by PayPal (Europe) acting as an autonomous data controller.
Carriers and logistics
Royal Mail, La Poste, Chronopost (which may subcontract to FedEx for certain international deliveries), Mondial Relay, Kuehne-Nagel, DHL. These carriers receive the data strictly necessary for delivery (name, address, email, telephone number of the recipient) and act as autonomous data controllers for the delivery part.
Customer review platform
Avis-Verifies (Skeepers group), a French provider, which collects and publishes post-purchase customer reviews according to an NF ISO 20488 certified process.
Affiliate platform and partner programmes
Awin Limited (United Kingdom), our marketing affiliate platform, which receives order tracking data (session identifier, order identifier, amount, currency, promotional code used) for tracking commissions of our affiliate partners. The data transfer from the European Union to the United Kingdom is covered by the adequacy decision of the European Commission of 28 June 2021.
Sovendus GmbH (Germany), based at c/o Design Offices Karlsruhe Bahnhofplatz, Bahnhofplatz 12, 76137 Karlsruhe, Germany, as part of the Sovendus Voucher Network which offers discount vouchers to our customers after purchase. Sovendus processes, as a processor on our behalf, your name, your title, pseudonymised transaction data and technical usage and session data. The legal basis is our legitimate interest in providing you with personal and secure access to the Sovendus Voucher Network and in enabling the anonymous settlement of redeemed vouchers. This data is retained for a maximum of 4 weeks. If you give your consent to additional functions offered by Sovendus, certain data will be transferred to Sovendus as an independent data controller; the categories of data and the purposes will then be specified to you as part of the collection of your consent. For more information on the processing by Sovendus, please consult the Sovendus privacy policy: https://web.sovendus.com/en/privacy
Google Ads and Google Tag Manager
Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), for the delivery of targeted advertising, remarketing and conversion measurement of our advertising campaigns on the Google network. Google Tag Manager is also used to deploy and technically manage our measurement tags. The data processed includes your IP address, technical identifiers (Google advertising cookies, advertising identifier of your device), pages viewed on our website, actions taken (product view, add to basket, purchase), as well as the value and characteristics of your order for conversion measurement. The processing is carried out on the basis of your consent, collected via our cookie banner during your first visit. The transfer of this data to the United States is governed by Google's certification under the Data Privacy Framework. To understand how Google processes your data as part of our advertising services, please consult Google's dedicated site: https://business.safety.google/privacy/
Microsoft Advertising (Bing Ads)
Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland), for the delivery of targeted advertising on the Bing network and the measurement of conversions of our Microsoft Advertising campaigns. The data processed includes your IP address, technical identifiers, pages viewed on our website and actions taken (in particular purchases for conversion measurement). The processing is carried out on the basis of your consent, collected via our cookie banner. The transfer of this data to the United States is governed by Microsoft's certification under the Data Privacy Framework.
Microsoft Clarity
Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland), for the anonymous behavioural analysis of navigation on our website via heatmaps and anonymised session recordings. The data processed includes mouse movements, clicks, page scrolling, navigation path and technical information (browser, operating system, screen resolution). Microsoft Clarity implements automatic masking of sensitive input fields in order to preserve the confidentiality of data entered. The processing is carried out on the basis of your consent, collected via our cookie banner. The transfer of this data to the United States is governed by Microsoft's certification under the Data Privacy Framework.
Email service provider
Brevo (formerly Sendinblue), a French company based in Paris, which handles the sending of our newsletter and our transactional emails (order confirmation, delivery tracking, etc.).
Audience measurement tool
Matomo, an audience measurement tool, used in compliance with the recommendations of supervisory authorities applicable to audience measurement tools.
Customer relationship management tool
Zendesk Inc., a US company, which handles the management of our customer service tickets. The transfer of data to the United States is covered by the Standard Contractual Clauses adopted by the European Commission and by the Data Privacy Framework certification held by Zendesk.
Cookie consent management tool
CookieHub, a cookie consent management tool, which allows the collection and retention of proof of user consent.
Accounting firm
Our accounting firm, which receives customer invoicing data for the keeping of our accounts, strictly within the scope of its assignments and subject to the confidentiality obligations of the profession.
Administrative, judicial and tax authorities
In the event of a legal obligation, judicial requisition or administrative inspection, your data may be communicated to the competent authorities strictly within the scope of their requests.
We have undertaken the formalisation of the data processing agreements provided for in Article 28 of the UK GDPR with all our service providers processing personal data on our behalf, in order to contractually frame the applicable security, confidentiality and retention conditions.
Your data is never sold or rented to third parties for commercial purposes.
5. Retention periods
We retain your data for the periods strictly necessary for the purposes described above, in accordance with the following durations:
Customer account: your data is retained as long as your account is active and you interact with our website or our communications. In the event of prolonged inactivity, your data may be deleted or anonymised, except where contractually necessary or where required by a legal retention obligation.
Order and invoicing data: 10 years from the closing of the accounting year, in accordance with applicable accounting obligations.
Prospecting data (newsletter, non-customer prospects): up to 3 years after the last contact or last interaction on your part.
Cookies and trackers: maximum duration of 13 months for cookies placed on your device. Proof of your consent is retained for a minimum of 6 months.
Connection logs and technical security data: 12 months from their collection, in accordance with applicable security recommendations.
Customer service tickets and email exchanges: 3 years after the closing of the last ticket.
Identity documents provided in the context of verification: maximum 30 days, except in the case of a fraud prevention procedure where retention may be extended for the time strictly necessary to resolve the procedure.
Upon expiry of these periods, your data is either anonymised, deleted, or archived with restricted access where a legal obligation requires us to do so.
6. Data transfers outside the United Kingdom and the European Union
The majority of our service providers are established in the European Union or in the European Economic Area, which guarantees a level of protection equivalent to the UK GDPR.
Certain transfers outside the United Kingdom and the European Union may nevertheless occur as part of our activity:
European Union: transfers between the United Kingdom and the European Union are covered by the adequacy decision of the European Commission of 28 June 2021 concerning the United Kingdom. No additional formalities are required.
United States: transfer to Zendesk Inc. for the management of customer service, framed by the Standard Contractual Clauses adopted by the European Commission and by the Data Privacy Framework certification held by this provider.
Country of destination of your order: for international deliveries, your details may be processed by local carriers in the country of destination, strictly within the scope of the performance of your order (Article 49.1.b of the UK GDPR).
In all cases, we ensure that transfers outside the United Kingdom are governed by appropriate safeguards within the meaning of Articles 44 to 49 of the UK GDPR.
7. Your rights
In accordance with Articles 15 to 22 of the UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:
Right of access (Article 15): you can obtain confirmation that your data is being processed and receive a copy of it.
Right to rectification (Article 16): you can request the correction of inaccurate or incomplete data concerning you.
Right to erasure (Article 17): in accordance with your right to erasure, you can request the deletion of data that is no longer necessary for compliance with our legal and accounting obligations.
Right to restriction of processing (Article 18): you can request the suspension of the processing of your data in certain cases provided for by the UK GDPR.
Right to data portability (Article 20): you can receive your data in a structured, commonly used and machine-readable format, and transmit it to another controller.
Right to object (Article 21): you can object, at any time, to the processing of your data for reasons relating to your particular situation, and in particular to processing for direct marketing purposes.
Right to withdraw consent (Article 7.3): where the processing is based on your consent, you can withdraw it at any time, without this affecting the lawfulness of the processing carried out before such withdrawal.
Right relating to automated decisions (Article 22): you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.
How to exercise your rights
- By email at [email protected]
- Via our contact form
- By post to the registered office address
In order to ensure the security of your data, we may ask you to prove your identity by any appropriate means.
We undertake to respond to your request within one month from its receipt, in accordance with Article 12.3 of the UK GDPR. This period may be extended by two additional months in the event of a complex request or multiple requests, in which case we will inform you accordingly.
Right to lodge a complaint
If you consider that your rights have not been respected, you have the option of lodging a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom. Telephone: 0303 123 1113. Website: www.ico.org.uk
8. Cookies and trackers
Our website uses cookies and trackers for its proper operation, to measure its audience and, subject to your consent, to personalise your experience.
Categories of cookies used
Strictly necessary cookies: essential for the operation of the website (cart management, account login, security). These cookies do not require your consent.
Audience measurement cookies: allow us to analyse the functioning of the website and to identify improvements. Subject to your consent.
Functional cookies: improve your experience (display preferences, etc.). Subject to your consent.
Managing your consent
During your first visit to our website, an information banner allows you to accept, refuse or customise your consent to non-essential cookies. Your choice is then retained for a maximum period of 6 months.
You can change your preferences at any time by clicking on the Cookie management link in the footer of the website.
9. Data security
We implement appropriate technical and organisational measures to ensure the security of your personal data, in accordance with Article 32 of the UK GDPR:
On the technical side: encryption of communications via the HTTPS protocol throughout the website, passwords stored in hashed form, regular backups, security updates of our systems, protection measures against common attacks.
On the organisational side: access to data strictly limited to authorised personnel within the scope of their duties; employees with access to data are subject to a confidentiality obligation; data processing agreements being formalised with our service providers.
In the event of a data breach presenting a risk to your rights and freedoms, we undertake to notify the ICO within the legal deadlines and, where applicable, to inform you directly.
10. Discretion and confidentiality of your purchase
Given the nature of our products, we pay particular attention to the confidentiality of your purchase:
Plain packaging: all our parcels are shipped in plain packaging, without any logo or external reference to the contents or to the Love and Vibes brand. The displayed sender is Family Web Diffusion.
Anonymous invoicing: your bank statement will mention Family Web Diffusion and not Love and Vibes, except in case of payment via certain alternative methods (notably PayPal).
Limited internal access: only strictly authorised personnel within Family Web Diffusion access your order data, on a need-to-know basis.
Confidentiality obligation of employees: all our employees with access to data are subject to a formal confidentiality obligation, which in particular prohibits commenting on, sharing or disclosing any information relating to your order.
No profiling relating to private life: as indicated in section 3.10, we do not carry out any automated profiling intended to infer your intimate life from your orders.
11. Updates to this Policy
This Privacy Policy may evolve to reflect changes in our business, in the tools we use, or in the applicable regulations.
In the event of a substantial change, we will inform you by any appropriate means, in particular by email or by a message on our website.
The date of the last update is indicated at the top of this Policy.
12. Contact
For any question, request or complaint relating to the protection of your personal data, you can contact us:
By email: [email protected]
Via contact form: accessible from loveandvibes.co.uk
By post:
Family Web Diffusion
Data Protection Service
1 rue Gustave Eiffel
31780 Castelginest
France