Privacy policy
Last updated: 10 May 2026
This Privacy Policy explains how Kelyon Group LTD, trading as MARGO (“we”, “us”, “our”), collects, uses, stores and protects your personal data when you visit margo-paris.com or place an order. It complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and — for users resident in the European Union — Regulation (EU) 2016/679 (EU GDPR).
1. Data controller
Kelyon Group LTD
71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
Companies House registration number: 17194219
Privacy contact: contact@margo-paris.com
We have not appointed a Data Protection Officer (DPO) as we do not meet the statutory thresholds requiring one. All privacy-related requests are handled by the Director of Kelyon Group LTD.
2. Categories of data we process
- Identity data: title, first name, last name, date of birth (where required for age verification)
- Contact data: email address, postal address, billing address, telephone number
- Order data: products purchased, amount, order date, order number, delivery preferences
- Payment data: card type, last four digits, transaction reference (full card number processed directly by our PCI-DSS payment provider, never stored by us)
- Account data: login email, hashed password, account preferences
- Connection and device data: IP address, browser, operating system, device identifiers, connection timestamps
- Browsing data: pages visited, time on page, traffic source, search terms, items added to wishlist or basket
- Marketing data: newsletter preferences, opening rates, click-through, segmentation tags
- Customer Care data: contents of your messages and any attachments sent to our team
3. Purposes of processing and legal bases
| Purpose | Legal basis |
|---|---|
| Process and ship your orders, manage returns and refunds | Performance of contract |
| Manage your customer account | Performance of contract |
| Respond to your Customer Care enquiries | Performance of contract / legitimate interests |
| Send marketing communications (newsletter, promotions) | Consent (which you may withdraw at any time) |
| Personalise the Site experience and product recommendations | Consent (via cookie banner) / legitimate interests |
| Prevent fraud, secure payments, monitor abnormal traffic | Legitimate interests / legal obligation |
| Analyse Site performance and improve our services | Consent (analytics cookies) |
| Comply with our legal obligations (HMRC, anti-money laundering, tax record-keeping) | Legal obligation |
| Defend our legal rights in case of dispute | Legitimate interests |
4. Retention periods
| Data type | Retention |
|---|---|
| Customer account data | Active during the lifetime of the account; deleted after 3 years of inactivity |
| Order and invoice data | 10 years (HMRC and EU accounting record-keeping obligations) |
| Payment authorisation data (last 4 digits, transaction ID) | 13 months for chargeback management |
| Marketing and prospect data | 3 years from the last contact or interaction |
| Analytics cookies and aggregated browsing data | 13 months maximum |
| Connection logs and security logs | 12 months |
| Customer Care correspondence | 3 years from the last exchange |
5. Recipients and processors
We share your data only with carefully selected processors, under data processing agreements that comply with Article 28 UK/EU GDPR. The categories of recipient are:
| Category | Provider (illustrative) | Location |
|---|---|---|
| Hosting | Hostinger International Ltd | Cyprus (EU) |
| Payment processing | [PAYMENT_PROVIDER_TBD] (e.g. Stripe Payments Europe Ltd, Adyen N.V., Mollie B.V., Checkout.com) | EU (with sub-processors in the US) |
| Buy Now Pay Later | Klarna Bank AB, Alma SAS, Scalapay (where eligible) | EU |
| Shipping carriers | Colissimo, Mondial Relay, Chronopost, DPD, DHL (depending on selection) | EU / Switzerland |
| Email and newsletter | [EMAIL_PROVIDER_TBD] (e.g. Klaviyo, Brevo, Mailchimp) | EU / US (SCCs in place) |
| Customer Care helpdesk | [HELPDESK_TBD] (e.g. Gorgias, Front, Crisp) | EU / US |
| Web analytics | [ANALYTICS_TBD] (e.g. Plausible, Matomo, Google Analytics 4) | EU / US |
| Advertising and remarketing (subject to your cookie consent) | Meta Platforms Ireland Ltd, Google Ireland Ltd, TikTok Technology Ltd | EU / US |
| Accounting and tax | [ACCOUNTANT_TBD] | UK |
| Public authorities | HMRC, ICO, courts, law enforcement, when required by law | UK |
We never sell your personal data to third parties.
6. International transfers
Some of our service providers (notably analytics and advertising) may transfer data outside the European Economic Area, in particular to the United States. Such transfers are governed by:
- Adequacy decisions of the European Commission and the UK government, where applicable
- Standard Contractual Clauses (EU SCCs and UK International Data Transfer Addendum)
- EU-US Data Privacy Framework certification, where the recipient is enrolled
Copies of the safeguards in place are available on request to contact@margo-paris.com.
7. Your rights
Subject to the conditions set out in the UK GDPR / EU GDPR, you have the following rights:
- Right of access: obtain a copy of the personal data we hold about you
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”): request deletion of your data
- Right to restriction: temporarily suspend processing
- Right to data portability: receive your data in a structured, commonly used and machine-readable format
- Right to object: object to processing based on legitimate interests, including direct marketing
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal
- Right not to be subject to a decision based solely on automated processing producing legal effects on you
- Post-mortem instructions (French Data Protection Act): you may give us instructions on the fate of your data after your death
To exercise your rights, contact us at contact@margo-paris.com. We respond within one (1) month, extendable by two months where required, in accordance with Article 12 GDPR. We may need to verify your identity before processing your request.
8. Right to lodge a complaint
If you consider that the processing of your data infringes the law, you may lodge a complaint with the supervisory authority of your country of residence:
- France: Commission Nationale de l’Informatique et des Libertés (CNIL) — www.cnil.fr
- Belgium: Autorité de protection des données (APD) — autoriteprotectiondonnees.be
- Luxembourg: Commission nationale pour la protection des données (CNPD) — cnpd.public.lu
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) — bfdi.bund.de
- Italy: Garante per la protezione dei dati personali — garanteprivacy.it
- Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
- Portugal: Comissão Nacional de Protecção de Dados (CNPD) — cnpd.pt
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC / PFPDT) — edoeb.admin.ch
9. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised or unlawful processing, accidental loss, destruction or damage, including:
- SSL/TLS encryption for all data exchanges
- Encryption at rest of sensitive customer data
- Restricted access controls and password policies
- Two-factor authentication for administrative access
- Regular security updates of the platform and dependencies
- Backup and disaster recovery procedures
- Confidentiality obligations imposed on our processors
In the event of a personal data breach likely to result in a high risk for your rights and freedoms, we will notify you without undue delay, in accordance with Article 34 GDPR.
10. Children
The Site is not intended for persons under the age of 16. We do not knowingly collect data from minors. If you believe we have collected data from a minor without parental consent, please contact us immediately at contact@margo-paris.com so that we can delete it.
11. Cookies
Detailed information on the cookies and similar tracking technologies used on the Site is provided in our Cookie Policy.
12. Changes to this policy
This Privacy Policy may be updated to reflect changes in our practices or in applicable law. The version in force is the one published on the Site on the date you consult it. Significant changes will be notified by email and/or by a prominent notice on the Site.
