Privacy Policy

Last updated 10 May 2021

This Privacy Policy describes how your Private Information is collected, used, and shared when you visit or make a purchase from EMMA & TOM via its Site. For avoidance of doubt, the following paragraphs and references to the Site apply to both the EMMA & TOM iOS and Android mobile application (together the “Mobile App”) and the Internet Landing Page (the “Website” with URL


1.1 This notice (together with our Terms and Conditions of Service) applies to your use of:

  • The EMMA & TOM Mobile App once you have downloaded a copy of the application onto your mobile telephone or handheld device (“Device”).
  • Any of the services accessible through the Mobile App or other websites of ours (“Services”).

1.2 This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. This Mobile App is not intended for children and we do not knowingly collect data relating to children. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

Information about us and contact details

2.1 We are High Street Technologies Ltd, a company registered in England and Wales (“us”, “we”, trading under “EMMA & TOM”). Our company registration number is 13309105 and our registered address is at Tapestry Apartments, Flat 82, 5 Canal Reach, N1C 4AZ London. Our registered VAT number is [tbd].

2.2 We are committed to protecting your personal data and respecting your privacy.

2.3 We are a controller of your personal data. Other entities in the High Street Technologies group may also process your data. If you have any questions about this privacy notice, please contact us using the details set out below.

Our full details are:

  • Full name of legal entity: High Street Technologies Ltd
  • Email address:
  • Registered address: Tapestry Apartments, Flat 82, 5 Canal Reach, N1C 4AZ London

Data we collect about you

The Personal Data we collect from you depends on your specific relationship with us. Below we describe what kind of data we collect and for what purposes:

3.1 Processing when using our Services

a) Data concerned

When accessing our Website, our Mobile App or using other Services, we or our web hosting provider, collects data on the basis of each access to the server (so-called server log files). Server log files may include the following information:

  • the browser types and versions used;
  • the operating system used by the accessing system;
  • the date and time of an access;
  • the pages of our Service that you visit;
  • referrer URL (the previously visited page)
  • the Internet Protocol (IP address);
  • unique device identifiers and other diagnostic data;
  • information regarding your location.

When you access the Service by or through a website, device or app, we may collect certain information automatically, including, but not limited to,

  • the type of mobile device you use;
  • your mobile device unique ID;
  • the IP address of your mobile device;
  • your mobile operating system;
  • the type of mobile internet browser;
  • unique device identifiers and other diagnostic data.

Processing of location data: Within the course of using our Mobile App, the location data as collected by the device or as otherwise entered by the user are processed. The use of the location data serves only to provide the respective functionality of our Mobile App, according to its description to the users or its typical and expectable functionality.

b) The purpose of processing and lawful basis

We use the collected data to provide contractual services and customer support, deliver and optimize the content of our Services correctly and to ensure the long-term viability and technical security of our systems. This purpose constitutes our legitimate interest in data processing pursuant to Art. 6 para. 1 f GDPR.

We use the information regarding your location to provide and maintain our Service and to provide features of our Service. The lawful basis for such processing is Art. 6 para. 1 f GDPR. Personal data that you voluntarily submit to us, e.g. via email or a contact form, will be stored for the purpose of processing or for contacting you. The lawful basis for such processing is Art. 6 para. 1 f GDPR.

c) Sharing your data

We will share your data with third parties who store your data on their servers. The types of third parties with whom we share your data include:

  • IT service providers: including cloud providers for data storage purposes;
  • External support service providers;
  • Public bodies if the appropriate statutory provisions exist (e.g. tax authorities and customs authorities) on the basis of Art. 6 para 1 c UK GDPR.

d) Duration of storage

The duration of the data storage depends on the statutory storage obligations (for example where we need to retain data for tax purposes it will be kept for 6 years).

3.2 Cookies

Cookies are text files which are stored on a computer system via an internet browser. Cookies are primarily used to store information about a user during or after her or his visit within an online service. The information stored can include, for example, the language settings on a Website, the login status or a shopping basket. The term "cookies" also includes other technologies that fulfil the same functions as cookies (e.g. if user information is stored using pseudonymous online identifiers, also referred to as "user IDs").

a) The following types and functions of cookies are distinguished:

Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed his browser.

Permanent cookies: Permanent cookies remain stored even after closing the browser. For example, the login status can be saved or preferred content can be displayed directly when the user visits a Website again. The interests of users who are used for range measurement or marketing purposes can also be stored in such a cookie.

First-Party-Cookies: First-Party-Cookies are set by ourselves.

Third party cookies: Third party cookies are mainly used by advertisers (so-called third parties) to process user information.

Necessary (also: essential) cookies: Cookies can be necessary for the operation of a Website (e.g. to save logins or other user inputs or for security reasons).

Statistics, marketing and personalisation cookies: Cookies are also generally used to measure a Website's reach and when a user's interests or behaviour (e.g. viewing certain content, using functions, etc.) are stored on individual websites in a user profile. Such profiles are used, for example, to display content to users that corresponds to their potential interests. This procedure is also referred to as "tracking", i.e. tracking the potential interests of users.

b) Lawful basis for the use of cookies

The lawful basis on which we process your Personal Data with the help of cookies depends on whether we ask you for your consent. If this applies and you consent to the use of cookies, the lawful basis for processing your data is your declared consent. Otherwise, the data processed with the help of cookies will be processed on the basis of our legitimate interests (e.g. in a business operation of our online service and its improvement) or, if the use of cookies is necessary to fulfil our contractual obligations.

c) Duration of storage

Unless we provide you with explicit information on the retention period of permanent cookies (e.g. within the scope of a cookie “opt-in”), the retention period can be up to two years.

d) General information on withdrawal of consent and objection (Opt-Out)

Respective of whether processing is based on consent or legal permission, you have the option at any time to object to the processing of your data using cookie technologies or to revoke consent (collectively referred to as "opt-out"). You can initially explain your objection using the settings of your browser, e.g. by deactivating the use of cookies (which may also restrict the functionality of our Services).

3.3 Processing of customer/ prospective customer data

a) Data concerned

When you create a customer or user account via our Services or if you engage with us in associated contractual or pre-contractual actions and communications, we will collect the following data from you:

  • Identity data (e.g. name, addresses);
  • Contact data (e.g. e-mail, telephone numbers);
  • Delivery and invoice address;
  • Payment data (e.g. credit card, paypal, invoices, payment history, etc);
  • Usage data (e.g. websites visited, interest in content)
  • Meta/communication data (e.g. device information, IP address).

b) The purpose of processing and lawful basis

We process the data of our customers or prospective customers in order to enable them to select, purchase or order the selected products, goods and related services, as well as their payment, for delivery, performance or other services. For the processing of payment transactions, we use the services of banks and payment service providers. The required details are identified as such in the course of the ordering or comparable purchasing process and include the details required for delivery, or other way of making the product available and invoicing as well as contact information in order to be able to hold any consultation.

The lawful basis for this is performance of a contract and prior requests (Article 6 para 1 lit. b UK GDPR), Compliance with a legal obligation (Article 6 para 1 c UK GDPR), Legitimate Interests (Article 6 para 1 f UK GDPR).

c) Sharing your data

We will share your data with third parties who store your data on their servers. The types of third parties with whom we share your data include:

  • external service providers or other contractors (e.g. for data processing and hosting, for order processing and execution, payment providers, feedback and survey providers, customer service and call centers;
  • other external bodies, provided that the data subject has given his or her consent or if transmission is permitted for reasons of overriding interest, e.g. for creditworthiness information, for the electronic transmission of information, for quality assurance purposes on the basis of Art. 6 Para. 1 a and f UK GDPR;
  • Public bodies if the appropriate statutory provisions exist (e.g. tax authorities and customs authorities) on the basis of Art. 6 para 1 c UK GDPR.

Information that you provide to payment service providers in the context of payment processing will not be passed on to us by them. We only receive the information that a payment transaction has been successful.

d) Duration of storage

We delete the data after expiry of statutory warranty and comparable obligations, i.e. in principle after expiry of 4 years, unless the data is stored in a customer account or must be kept for legal reasons (e.g., 6 years when necessary for tax purposes). If you terminate your customer account, your data will be deleted with regard to the customer account, subject to retention being required for legal reasons.

e) Single Sign-on Authentication

“Single Sign-On" or "Single Sign-On Authentication or Logon" are procedures that allow users to log in to our online services using a user account with a provider of Single Sign-On services (e.g. a social network). The prerequisite for Single Sign-On Authentication is that users are registered with the respective Single Sign-On provider and enter the required access data in the online form provided for this purpose, or are already logged in with the Single Sign-On provider and confirm the Single Sign-On login via the button.

Authentication takes place directly with the respective single sign-on provider. Within the scope of such authentication, we receive a user ID with the information that the user is logged in with the respective single sign-on provider under this user ID and an ID that cannot be used for other purposes (so-called "user handle"). Whether we receive further data depends solely on the single sign-on procedure used, the data releases selected as part of authentication and also which data users have released in the privacy or other settings of the user account with the single sign-on provider. Depending on the single sign-on provider and the user's choice, there can be different data, usually the e-mail address and the user name. The password entered by the single sign-on provider as part of the single sign-on procedure is neither visible to us nor is it stored by us.

Users are requested to note that their data stored with us may be automatically connected with their user account with the single sign-on provider, but this is not always possible. If, for example, the e-mail addresses of users change, users must change these manually in their user account with us.

We can use single sign-on authentication, provided that it has been agreed with users in the context of pre-fulfilment or fulfilment of the contract, in the context of consent processing and otherwise use it on the basis of our legitimate interests and the interests of users in an effective and secure authentication system.

Should users decide to no longer want to use the link of their user account with the Single Sign-On provider for the Single Sign-On procedure, they must remove this link within their user account with the Single Sign-On provider.

Data Transmission within the group of companies, merger, join venture

a) We may transfer Personal Data to other companies within our group of companies or otherwise grant them access to this data. Insofar as this disclosure is for administrative purposes, the disclosure of the data is based on our legitimate business and economic interests or otherwise, if it is necessary to fulfil our contractual obligations or if the consent of the data subjects or otherwise a legal permission is present.

b) We only share your data with our personnel and with personnel of other companies of the High Street Technologies group if this is necessary for the purposes described above.

c) We may also share your data if we should enter into a joint venture, buy, sell or merge with another company. In such a case, your data may be shared with the target company, our new business partners or owners or their advisors.

International Data Transmission

In some cases, the Personal Data collected from you may be processed outside the UK. These countries may not have the same level of data protection as the UK. However, we are obliged to ensure that the Personal Data processed by us and our partners outside the UK are protected in the same way as if they were processed within the UK. Therefore, if your data is processed outside the UK, there are certain safeguards in place. We ensure similar protection by ensuring that at least one of the following safeguards is in place:

  • Your Personal Data will be transferred to countries whose level of data protection is considered appropriate by the UK;
  • we use the standard contractual clauses approved by the UK.


6.1 We use strong technologies and policies to ensure that your Personal Data we hold is appropriately protected.

6.2 We take measures to protect your data from unauthorized access and unlawful processing, accidental loss, destruction and damage.

6.3 Unfortunately, the transmission of data over the internet is not completely secure. Although we take steps to protect your Personal Data, we cannot guarantee the security of the information you transmit to us; any transmission is at your own risk. Once we have received your information, we will apply strict procedures and security features to prevent unauthorized access.

Your rights

According to data protection legislation, you may have a number of rights regarding the data we hold about you. If you wish to exercise any of these rights, please contact us at the contact details set out above.

a) The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your data and what your rights are. For this reason, we provide you with the information in this privacy statement.

b) The right of access. You have the right to access your data (if we process it). This will enable you, for example, to check that we use your data in accordance with data protection law.

c) The right to rectification. You have the right to have your data corrected if it is inaccurate or incomplete. You may request that we rectify any errors in the data we hold.

d) The right to erasure. This "right to be forgotten" enables you to request the deletion or removal of certain data that we have stored about you. This right is not absolute and only applies in certain circumstances.

e) The right to restrict processing (blocking of data). You have the right to “block” or “restrict” the further use of your data. If processing is restricted, we may still store your data, but will not process it further.

f) The right to data portability. You have the right to obtain your Personal Data in an accessible and transferable format so that you can re-use it for your own purposes across different service providers. However, this is not an absolute right and there are exceptions.

g) The right to lodge a complaint. You have the right to lodge a complaint about the way we handle or process your information with a competent data protection authority.

h) The right to withdraw consent. You have the right to withdraw any consent given to us (if we rely on the consent as a lawful basis for the processing of certain data) at any time with effect for the future. The legality of the processing carried out on the basis of the consent prior to the withdrawal remains unaffected.

i) The right to object to processing. You have the right to object to the processing of Personal Data concerning you based on Art. 6para 1 e or f UK GDPR. This also applies, inter alia, to any direct marketing, analysis and tracking based on these provisions.

j) Automated decision in individual cases. You have the right not to be subject to any decision based solely on automated processing, including profiling, that has any legal effect on you or that might similarly significantly affect you].