Privacy Policy
Last updated: 10 July 2026
We're Email Kong — a London-based email marketing agency. We help e-commerce brands send email their customers actually want. That work involves personal data, and this page explains, in plain English, what we collect, why, what we do with it, and the rights you have.
No legal maze. If anything here is unclear, email us at support@emailkong.com and a human will answer.
On this page
Who we are
Email Kong Limited, a company registered in England and Wales.
- Company number: 13692934
- Registered office: 20-22 Wenlock Road, London, England, N1 7GU
- Privacy contact: support@emailkong.com
We don't have a statutory Data Protection Officer (we're not required to appoint one), but we do have a named privacy lead who owns everything on this page. The email above reaches them directly.
The two hats we wear
This is the most important section of this policy, because an email agency handles data in two very different ways.
Hat one: data controller
For some data, we decide what's collected and why. That makes us the "controller" under UK GDPR, and this policy governs it. We're the controller for:
- Website visitors — people browsing emailkong.com and our campaign pages at go.emailkong.com
- Leads and subscribers — people who download our resources (like our flow swipe file), use our tools, or join our email list
- Job applicants — people who apply to work with us
- Client and prospect contacts — the business people we work with day to day
Hat two: data processor
Our clients are e-commerce brands. When we build and run email programmes inside their Klaviyo (or other email platform) accounts, we handle their customers' personal data — names, email addresses, purchase histories, engagement data.
For that data, the brand is the controller and we are a processor. In practice this means:
- We only touch that data under a data processing agreement with the client, and only on their documented instructions.
- We never use a client's customer data for our own purposes, never mix it between clients, and never use it to build our own lists.
- If you're a customer of one of our clients and want to exercise your privacy rights (access, deletion, unsubscribe and so on), the fastest route is to contact the brand itself — they control the data and their own privacy policy applies. If you contact us instead, we'll pass your request to them without delay.
What we collect (when we're the controller)
Visitors: technical data (IP address, device/browser type, pages viewed), collected via cookies and similar technologies — see Cookies below.
Leads and subscribers: whatever you give us when you opt in — typically name, email address, company/store URL, and answers to short qualifying questions (for example your revenue band). Plus how you interact with our emails (opens, clicks) via Klaviyo.
Clients and prospects: business contact details, correspondence, meeting notes, and — where we record calls — meeting recordings and transcripts (see the AI section).
Job applicants: covered in their own section below.
We don't collect special category data (health, beliefs, biometrics and so on) in the normal course of business, and we never ask for it.
Why we use it, and our legal grounds
UK GDPR requires a lawful basis for every use of personal data. Here's the honest map:
| What we do | Lawful basis |
|---|---|
| Run and secure our websites | Legitimate interests |
| Analytics and advertising cookies (GA4, Meta Pixel) | Consent |
| Send our own emails to subscribers (swipe file, resources, offers) | Consent (you opted in) |
| Respond to enquiries and sales conversations | Legitimate interests / steps prior to a contract |
| Deliver services to clients (contacts, project comms, billing) | Contract |
| Record and transcribe meetings | Legitimate interests — participants are told and can decline |
| Process job applications | Steps prior to a contract + legitimate interests (see recruitment section) |
| Keep accounting and tax records | Legal obligation |
| Handle client customers' data inside client accounts | We act as processor — the client's lawful basis applies |
We never sell personal data. To anyone. For anything.
Marketing, cookies and tracking
Our own marketing: if you join our list (usually by downloading something useful), we'll email you. Every email has a working unsubscribe link, and unsubscribing takes effect immediately. We use Klaviyo to manage this — yes, we use the same platform we recommend to clients.
Analytics: we use Google Analytics 4 to understand how people use our sites.
Advertising: we use the Meta Pixel on our sites, which supports retargeting and custom/lookalike audiences on Meta platforms (Facebook, Instagram). If you've visited our site, you may see our ads there.
Cookies: essential cookies (needed to make the site work) don't require consent. Non-essential cookies — analytics and advertising — are used with your consent under PECR, and you can also block or delete cookies any time through your browser settings.
Job applicants
If you apply for a role at go.emailkong.com/apply (or by email), here's exactly what happens to your data.
What we collect: your name and email address, your answers to the screening questions (including a short attention-to-detail exercise and writing samples), and a link to your CV hosted wherever you choose (Google Drive, Dropbox, etc.). At the start of the application you tick a box acknowledging this processing and this policy.
What we don't collect: if a role's requirements mean we can't take your application further (for example, right to work in the UK, or the role's location requirements) and the application ends early, your answers are not stored anywhere — nothing is saved unless you complete and submit an application.
Our legal basis: processing your application is a step taken at your request prior to a possible employment contract (UK GDPR Article 6(1)(b)), supported by our legitimate interest in hiring well. The tick-box is there for transparency — so you know exactly what you're agreeing to before you start.
Where it lives: submitted applications are stored in our internal hiring pipeline (built on Notion). Our team is notified of new applications in our internal Slack. Access is limited to the people involved in hiring.
How decisions are made: by humans. Every application is read and assessed by a person. We do not use AI scoring, automated shortlisting, or any automated decision-making in hiring. (Our application form includes a small attention-to-detail exercise — that's graded by a human too.)
How long we keep it: if you're unsuccessful, we delete your application 6 months after the recruitment process closes (we keep it that long in case of follow-up questions or a similar role opening). If you join us, your application becomes part of your personnel file. If you'd like your application deleted sooner, just ask — support@emailkong.com.
Fair treatment: we assess applications on capability and fit for the role, and nothing else.
AI at Email Kong
We're one of the more technically advanced Klaviyo agencies in the UK, and we're open about the fact that we run an AI-assisted delivery stack. Here's what that means for personal data — and the principles that govern it.
Where we use AI:
- Content and copy assistance — drafting and refining campaign copy and creative
- Analysis — summarising campaign performance and research
- Meetings — recording and transcribing client calls using tl;dv, so we can focus on the conversation instead of note-taking
- Internal automation — workflow tooling built on Anthropic's Claude
Our AI principles:
- AI assists; humans decide. No decision that affects an individual — including every hiring decision — is made by an automated system. People make the calls; AI saves them time.
- Client data is protected. Where client or customer data touches an AI tool, it does so under contractual safeguards, and we configure tools so that data is not used to train third-party models wherever that control exists.
- You'll know when you're recorded. Meeting participants are told when a call is being recorded and transcribed, and can decline — we'll take notes the old-fashioned way.
- Providers are vetted. AI vendors go through the same scrutiny as any other processor on the list below.
- Nothing is sold. AI changes how we work; it doesn't change the rule that your data is never sold.
Who we share data with
We use a small set of carefully chosen service providers ("processors") to run our business. They process data only on our instructions:
| Provider | What for |
|---|---|
| Klaviyo | Email marketing (our lists, and client programmes in client-owned accounts) |
| Analytics (GA4) and business tools (Workspace) | |
| Meta | Advertising and retargeting (Meta Pixel) |
| Webflow | Hosting emailkong.com |
| Vercel | Hosting go.emailkong.com (campaign pages and application form) |
| Notion | Internal workspace, including our hiring pipeline |
| Slack | Internal team communication and notifications |
| tl;dv | Meeting recording and transcription |
| Anthropic | AI tooling (Claude) |
Beyond these: professional advisers (accountants, lawyers) where needed, and authorities where the law requires it. If Email Kong were ever sold or merged, personal data may transfer as part of that transaction — under the same protections.
International transfers: some providers process data outside the UK (mainly the US). Where they do, transfers are protected by UK adequacy decisions or International Data Transfer Agreements / Standard Contractual Clauses with the UK addendum, plus each provider's own safeguards.
How long we keep things
| Data | Kept for |
|---|---|
| Website analytics | Up to 26 months |
| Our email list | While you're subscribed; unsubscribing stops emails immediately |
| Enquiries and prospect records | Up to 2 years after last contact |
| Client records and contracts | Duration of the relationship + 6 years (legal/limitation periods) |
| Meeting recordings and transcripts | For the duration of the client engagement, unless agreed otherwise |
| Unsuccessful job applications | 6 months after the process closes |
| Client customers' data | Per the client's instructions and our DPA — returned or deleted at contract end |
Security
Data is encrypted in transit, access is limited to the people who need it, accounts are protected with strong authentication, and our providers (above) each maintain their own certified security programmes. No internet service can promise perfection — but if a breach ever put your rights at risk, we would notify you and the ICO as UK GDPR requires.
Your rights
Under UK GDPR you can:
- Access your data — ask what we hold and get a copy
- Correct anything inaccurate
- Delete your data ("right to be forgotten")
- Restrict how we use it while a question is resolved
- Object to processing based on legitimate interests, and to direct marketing (which we'll always stop)
- Port your data — receive it in a usable format
- Withdraw consent at any time, where consent is the basis (e.g. cookies, our email list)
- Not be subject to automated decisions with legal or similarly significant effects — we don't make any
To exercise any of these, email support@emailkong.com. We'll respond within one month, free of charge. If you think we've got something wrong, you can complain to the UK's supervisory authority: the Information Commissioner's Office — ico.org.uk, 0303 123 1113. (We'd appreciate the chance to fix it first.)
Remember: for data we process on behalf of a client brand, the brand is the controller — contact them first, and we'll support the request from our side.
Children
Our services and websites are for businesses and are not directed at anyone under 18. We don't knowingly collect children's data.
Changes to this policy
When we change this policy, we'll update it here with a new "last updated" date. Significant changes affecting how we use your data will be flagged more prominently (for example, by email to our list).
Contact
ready to get started?
get your custom email marketing audit and see exactly where you’re leaving money on the table.
