PREDICT YOUR KLAVIYO REVENUE IN 30 SECONDS - TRY THE ROI TOOL

Privacy Policy

Last updated: 10 July 2026

We're Email Kong — a London-based email marketing agency. We help e-commerce brands send email their customers actually want. That work involves personal data, and this page explains, in plain English, what we collect, why, what we do with it, and the rights you have.

No legal maze. If anything here is unclear, email us at support@emailkong.com and a human will answer.

Who we are

Email Kong Limited, a company registered in England and Wales.

  • Company number: 13692934
  • Registered office: 20-22 Wenlock Road, London, England, N1 7GU
  • Privacy contact: support@emailkong.com

We don't have a statutory Data Protection Officer (we're not required to appoint one), but we do have a named privacy lead who owns everything on this page. The email above reaches them directly.

The two hats we wear

This is the most important section of this policy, because an email agency handles data in two very different ways.

Hat one: data controller

For some data, we decide what's collected and why. That makes us the "controller" under UK GDPR, and this policy governs it. We're the controller for:

  • Website visitors — people browsing emailkong.com and our campaign pages at go.emailkong.com
  • Leads and subscribers — people who download our resources (like our flow swipe file), use our tools, or join our email list
  • Job applicants — people who apply to work with us
  • Client and prospect contacts — the business people we work with day to day

Hat two: data processor

Our clients are e-commerce brands. When we build and run email programmes inside their Klaviyo (or other email platform) accounts, we handle their customers' personal data — names, email addresses, purchase histories, engagement data.

For that data, the brand is the controller and we are a processor. In practice this means:

  • We only touch that data under a data processing agreement with the client, and only on their documented instructions.
  • We never use a client's customer data for our own purposes, never mix it between clients, and never use it to build our own lists.
  • If you're a customer of one of our clients and want to exercise your privacy rights (access, deletion, unsubscribe and so on), the fastest route is to contact the brand itself — they control the data and their own privacy policy applies. If you contact us instead, we'll pass your request to them without delay.

What we collect (when we're the controller)

Visitors: technical data (IP address, device/browser type, pages viewed), collected via cookies and similar technologies — see Cookies below.

Leads and subscribers: whatever you give us when you opt in — typically name, email address, company/store URL, and answers to short qualifying questions (for example your revenue band). Plus how you interact with our emails (opens, clicks) via Klaviyo.

Clients and prospects: business contact details, correspondence, meeting notes, and — where we record calls — meeting recordings and transcripts (see the AI section).

Job applicants: covered in their own section below.

We don't collect special category data (health, beliefs, biometrics and so on) in the normal course of business, and we never ask for it.

Marketing, cookies and tracking

Our own marketing: if you join our list (usually by downloading something useful), we'll email you. Every email has a working unsubscribe link, and unsubscribing takes effect immediately. We use Klaviyo to manage this — yes, we use the same platform we recommend to clients.

Analytics: we use Google Analytics 4 to understand how people use our sites.

Advertising: we use the Meta Pixel on our sites, which supports retargeting and custom/lookalike audiences on Meta platforms (Facebook, Instagram). If you've visited our site, you may see our ads there.

Cookies: essential cookies (needed to make the site work) don't require consent. Non-essential cookies — analytics and advertising — are used with your consent under PECR, and you can also block or delete cookies any time through your browser settings.

Job applicants

If you apply for a role at go.emailkong.com/apply (or by email), here's exactly what happens to your data.

What we collect: your name and email address, your answers to the screening questions (including a short attention-to-detail exercise and writing samples), and a link to your CV hosted wherever you choose (Google Drive, Dropbox, etc.). At the start of the application you tick a box acknowledging this processing and this policy.

What we don't collect: if a role's requirements mean we can't take your application further (for example, right to work in the UK, or the role's location requirements) and the application ends early, your answers are not stored anywhere — nothing is saved unless you complete and submit an application.

Our legal basis: processing your application is a step taken at your request prior to a possible employment contract (UK GDPR Article 6(1)(b)), supported by our legitimate interest in hiring well. The tick-box is there for transparency — so you know exactly what you're agreeing to before you start.

Where it lives: submitted applications are stored in our internal hiring pipeline (built on Notion). Our team is notified of new applications in our internal Slack. Access is limited to the people involved in hiring.

How decisions are made: by humans. Every application is read and assessed by a person. We do not use AI scoring, automated shortlisting, or any automated decision-making in hiring. (Our application form includes a small attention-to-detail exercise — that's graded by a human too.)

How long we keep it: if you're unsuccessful, we delete your application 6 months after the recruitment process closes (we keep it that long in case of follow-up questions or a similar role opening). If you join us, your application becomes part of your personnel file. If you'd like your application deleted sooner, just ask — support@emailkong.com.

Fair treatment: we assess applications on capability and fit for the role, and nothing else.

AI at Email Kong

We're one of the more technically advanced Klaviyo agencies in the UK, and we're open about the fact that we run an AI-assisted delivery stack. Here's what that means for personal data — and the principles that govern it.

Where we use AI:

  • Content and copy assistance — drafting and refining campaign copy and creative
  • Analysis — summarising campaign performance and research
  • Meetings — recording and transcribing client calls using tl;dv, so we can focus on the conversation instead of note-taking
  • Internal automation — workflow tooling built on Anthropic's Claude

Our AI principles:

  1. AI assists; humans decide. No decision that affects an individual — including every hiring decision — is made by an automated system. People make the calls; AI saves them time.
  2. Client data is protected. Where client or customer data touches an AI tool, it does so under contractual safeguards, and we configure tools so that data is not used to train third-party models wherever that control exists.
  3. You'll know when you're recorded. Meeting participants are told when a call is being recorded and transcribed, and can decline — we'll take notes the old-fashioned way.
  4. Providers are vetted. AI vendors go through the same scrutiny as any other processor on the list below.
  5. Nothing is sold. AI changes how we work; it doesn't change the rule that your data is never sold.

Who we share data with

We use a small set of carefully chosen service providers ("processors") to run our business. They process data only on our instructions:

ProviderWhat for
KlaviyoEmail marketing (our lists, and client programmes in client-owned accounts)
GoogleAnalytics (GA4) and business tools (Workspace)
MetaAdvertising and retargeting (Meta Pixel)
WebflowHosting emailkong.com
VercelHosting go.emailkong.com (campaign pages and application form)
NotionInternal workspace, including our hiring pipeline
SlackInternal team communication and notifications
tl;dvMeeting recording and transcription
AnthropicAI tooling (Claude)

Beyond these: professional advisers (accountants, lawyers) where needed, and authorities where the law requires it. If Email Kong were ever sold or merged, personal data may transfer as part of that transaction — under the same protections.

International transfers: some providers process data outside the UK (mainly the US). Where they do, transfers are protected by UK adequacy decisions or International Data Transfer Agreements / Standard Contractual Clauses with the UK addendum, plus each provider's own safeguards.

How long we keep things

DataKept for
Website analyticsUp to 26 months
Our email listWhile you're subscribed; unsubscribing stops emails immediately
Enquiries and prospect recordsUp to 2 years after last contact
Client records and contractsDuration of the relationship + 6 years (legal/limitation periods)
Meeting recordings and transcriptsFor the duration of the client engagement, unless agreed otherwise
Unsuccessful job applications6 months after the process closes
Client customers' dataPer the client's instructions and our DPA — returned or deleted at contract end

Security

Data is encrypted in transit, access is limited to the people who need it, accounts are protected with strong authentication, and our providers (above) each maintain their own certified security programmes. No internet service can promise perfection — but if a breach ever put your rights at risk, we would notify you and the ICO as UK GDPR requires.

Your rights

Under UK GDPR you can:

  1. Access your data — ask what we hold and get a copy
  2. Correct anything inaccurate
  3. Delete your data ("right to be forgotten")
  4. Restrict how we use it while a question is resolved
  5. Object to processing based on legitimate interests, and to direct marketing (which we'll always stop)
  6. Port your data — receive it in a usable format
  7. Withdraw consent at any time, where consent is the basis (e.g. cookies, our email list)
  8. Not be subject to automated decisions with legal or similarly significant effects — we don't make any

To exercise any of these, email support@emailkong.com. We'll respond within one month, free of charge. If you think we've got something wrong, you can complain to the UK's supervisory authority: the Information Commissioner's Officeico.org.uk, 0303 123 1113. (We'd appreciate the chance to fix it first.)

Remember: for data we process on behalf of a client brand, the brand is the controller — contact them first, and we'll support the request from our side.

Children

Our services and websites are for businesses and are not directed at anyone under 18. We don't knowingly collect children's data.

Changes to this policy

When we change this policy, we'll update it here with a new "last updated" date. Significant changes affecting how we use your data will be flagged more prominently (for example, by email to our list).

Contact

Email Kong Limited

20-22 Wenlock Road, London, N1 7GU

support@emailkong.com

ready to get started?

get your custom email marketing audit and see exactly where you’re leaving money on the table.