Privacy policy.

Last updated: 17 June 2026

Kovalabs is the trading name of Floww Group Ltd, a company registered in England and Wales (company number 15986643) with its registered office at 66 Paul Street, London, EC2A 4NE. Floww Group Ltd is the data controller for personal data collected on this site. We only collect what we need to fulfil orders and improve the service. You can contact us about your data at hello@kovalabs.co.uk, or by post at the address above.

What we collect

  • Name, email, billing and shipping address
  • Order history
  • Usage data about how you use the site. Before you accept optional cookies this is anonymous, single-visit data. If you accept, it includes a cookie that recognises your browser between visits, and session replays with typed text masked.

We do not store payment card details - those are handled by our PCI-compliant payment provider.

You do not have to give us any personal data. But if you place an order, we need your name, email and delivery address to enter into and fulfil the contract. Without them we cannot accept the order. Everything else, such as marketing sign-up and optional cookies, is entirely your choice.

How we use it

  • To process and ship your orders
  • To send transactional emails (order confirmations, tracking)
  • To send marketing emails - only if you opt in
  • To apply your referral discount and credit the referral partner who introduced you, where you arrive via a partner link or use a partner code

Marketing emails are sent through Customer.io (email marketing platform, EU data center), which processes your email address and order history on our behalf only when you have opted in.

We do not use automated decision-making, including profiling, that produces legal or similarly significant effects about you.

Our lawful bases

UK GDPR requires a lawful basis for each way we use your data. Ours are:

  • Contract - processing and shipping your order, taking payment, and sending transactional emails such as order confirmations and tracking updates.
  • Consent - marketing emails (opt-in only), the optional analytics and marketing cookies described in our Cookie Policy, and session replay. You can withdraw consent at any time.
  • Legitimate interests - anonymous, cookieless analytics about how the site is used, preventing fraud and abuse, and crediting referral partners for orders they introduce.
  • Legal obligation - keeping order and transaction records we are required to retain for tax and accounting purposes.

Who we share it with

We never sell your data. We share it only with the providers we need to run the store. Most process it on our instructions as our processors. Fena and Royal Mail are regulated businesses that also act as data controllers in their own right for the payment and postal services they provide to you, under their own privacy notices.

  • Fena - initiates your pay-by-bank payment. We never see or store your bank credentials.
  • Royal Mail and Sendcloud - receive your name and delivery address to create shipping labels and provide tracking.
  • Resend - sends our transactional emails (order confirmations, dispatch and delivery updates).
  • Customer.io - sends marketing emails (EU data center), only if you have opted in.
  • PostHog - analytics, hosted on EU servers.
  • Our hosting and infrastructure providers, which store order and account data in UK or EU regions.

Where a provider processes personal data outside the UK, we rely on the UK adequacy regulations or the UK International Data Transfer Addendum to the EU standard contractual clauses to protect it. You can ask for a copy of these safeguards by emailing hello@kovalabs.co.uk.

We protect your data with encryption in transit, access controls, and UK or EU hosting.

How long we keep it

  • Order and transaction records: 6 years from the end of the relevant financial year, as required for UK tax and accounting.
  • Account details: for as long as you hold an account, then deleted on request.
  • Marketing data: until you unsubscribe or ask us to remove you.
  • Cookies and similar storage: see the durations listed in our Cookie Policy.

Cookies and analytics

We run our analytics in a cookieless mode by default. That means we do not set any cookies for analytics until you accept the cookie banner. Anonymous, single-visit usage data is collected under our legitimate interest in understanding how the site is being used. If you would rather we did not collect even this single-visit data, you can object at any time by emailing hello@kovalabs.co.uk.

If you accept the optional cookies, we additionally remember your browser between visits so we can build more accurate funnel analytics, and we measure how you interact with pages (where you click, how far you scroll, which elements draw attention, sometimes shown as a heatmap) to improve the layout. With your consent we also use PostHog session replay, which records how you interact with pages (clicks, scrolling, pages viewed) so we can fix usability problems. Text you type is masked before it leaves your browser. You can change your choice at any time via the Cookie settings link in the footer. For a full list of the cookies we use, how long they last, and who provides them, see our Cookie Policy.

At checkout we also save the shipping address you submit to your browser's local storage on this device, so your next checkout can pre-fill the form. It never leaves your device. You can clear it any time from the link in the checkout form, and the full retention period is documented in our Cookie Policy.

Product verification & QR scans

Our products carry a QR code / batch verification link. When you scan it or open the link, we record the scan - including the batch code, the date and time, and limited technical information about the request - to confirm product authenticity, monitor for counterfeit activity, and understand how our certificates of analysis are accessed. Where you are already identified to us (for example, you are signed in, or you have an existing first-party analytics identifier from our site), we may associate the scan with you. We process this on the basis of our legitimate interests in protecting product integrity and improving our service. You can object to analytics processing at any time via our cookie settings; verification itself does not require you to be identified.

Your rights

Under UK GDPR you have the right to:

  • ask for a copy of the personal data we hold about you (access)
  • ask us to correct data that is wrong or incomplete (rectification)
  • ask us to delete your data, where this applies (erasure)
  • ask us to limit how we use your data while a question is resolved (restriction)
  • receive the data you gave us in a machine-readable format (portability)

Your right to object

You can object at any time to us using your personal data for direct marketing. This right is absolute. If you object, we will stop straight away. Use the unsubscribe link in any marketing email, or email hello@kovalabs.co.uk.

You can also object to processing we carry out under legitimate interests, such as our cookieless analytics. Email hello@kovalabs.co.uk. We will stop unless we have compelling legitimate grounds to continue.

Withdrawing consent

Where we rely on your consent, you can withdraw it at any time. Use the unsubscribe link in any marketing email, or the Cookie settings link in the footer for optional cookies. Withdrawing consent does not affect processing that happened before you withdrew.

To exercise any of these rights, email hello@kovalabs.co.uk. We will respond within one calendar month.

Complaints

If you are unhappy with how we have handled your data, please contact us first and we will try to put it right. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk, helpline 0303 123 1113, or Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.