Privacy policy

Last updated: May 2026.

1. Who we are

This Privacy Policy explains how DM Brands Limited ("we", "us", "our"), trading as Folksom, collects and uses personal data when you visit folksom.co.uk or place an order with us.

DM Brands Limited is the data controller. Our details are:

DM Brands Limited
Registered in England and Wales, company number 07517652
Registered office: 79 Waterworks Road, Worcester, WR1 3EZ
VAT registration: GB 851 815 128
Email: privacy@folksom.co.uk
Phone: 01905 616006

2. What data we collect

We collect personal data in the following ways:

When you place an order:

Name, billing and delivery addresses
Email address and phone number
Payment details (processed by Shopify Payments and the underlying card networks — we never see your full card number)
Order history and preferences

When you create an account or sign up to our newsletter:

Name and email address
Any preferences you tell us about
A record of which emails you have opened and which links you have clicked (standard email metrics)

When you contact us:

Your name, email address, phone number where given, and the content of your message

When you browse the site:

Standard web analytics: pages viewed, time on site, device type, approximate location (city level, via IP address), referrer (which site sent you to us)
Cookies — see Section 6

3. How we use your data and why

What we use it for	Our lawful basis under UK GDPR
Processing your order, shipping it, providing customer service	Contract (Article 6(1)(b))
Sending order confirmations, dispatch emails, returns updates	Contract
Complying with our legal obligations (e.g. VAT records, fraud prevention)	Legal obligation (Article 6(1)(c))
Sending newsletters and marketing emails (only if you opt in)	Consent (Article 6(1)(a)) — withdrawable any time
Improving the site and understanding how people use it	Legitimate interest (Article 6(1)(f))
Preventing fraud and abuse	Legitimate interest

4. Who we share your data with

We do not sell or rent your data to anyone. We share it only with the service providers we need to run the business:

Shopify — our ecommerce platform (US/EU, Standard Contractual Clauses in place)
Shopify Payments / Stripe — payment processing
Royal Mail, DPD and other couriers — for shipping
Klaviyo or Mailchimp — for email marketing (only if you opt in)
Google Analytics — for aggregate website analytics
HMRC and other authorities — where required by law

Each of these processors is contractually bound to handle your data only on our instructions and to keep it secure.

5. International transfers

Some of our processors (notably Shopify and Google) are based in the United States. Where data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Addendum and/or the EU Standard Contractual Clauses to protect it.

6. Cookies

We use a small number of cookies:

Strictly necessary — to make the site work (e.g. remembering what is in your basket, keeping you logged in). These cannot be disabled.
Analytics — to understand site usage in aggregate. You can decline these via our cookie banner.
Marketing — only set if you opt in via our cookie banner.

You can change your cookie choices any time via the "Cookie preferences" link in the footer.

7. How long we keep your data

Data type	Retention
Order records (for VAT and consumer-law obligations)	7 years after the order
Account data	Until you ask us to delete it, or 3 years of inactivity
Newsletter subscription	Until you unsubscribe
Contact form / email correspondence	2 years
Web analytics	26 months (Google Analytics default)

8. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you
Rectify inaccurate data
Erase your data ("right to be forgotten") where there is no overriding legal reason to keep it
Restrict processing in certain situations
Portability — receive your data in a machine-readable format
Object to processing based on legitimate interest
Withdraw consent at any time for anything you consented to (e.g. marketing)

To exercise any of these rights, email privacy@folksom.co.uk. We will respond within one calendar month.

If you are unhappy with how we have handled your data, you can complain to the UK's Information Commissioner's Office at ico.org.uk or call them on 0303 123 1113.

9. Children

Folksom is not aimed at children under 16. We do not knowingly collect personal data from children. If you believe we have, please contact us and we will delete it.

10. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top will always reflect the current version. Material changes will be highlighted via a notice on the site.