Coterie Holdings Group Privacy Policy

Last Updated: 13 October 2025

1. Introduction

This privacy policy applies to Coterie Holdings UK Limited and its subsidiary companies, collectively referred to as the "Coterie Holdings Group," "we," "us," or "our". The Coterie Holdings Group is committed to protecting and respecting your privacy.

This policy outlines our practices concerning the collection, use, and sharing of your personal data. It explains what personal data we collect, why we collect it, how we use it, your rights and the controls you have over your personal data, and the procedures we have in place to protect it.

This policy covers the following companies within our group:

• Coterie Holdings UK Limited
• Coterie Vaults Limited
• Global Wine Solutions Limited
• Hallgarten Wines Limited
• Coterie Amphorae Company Limited(Jera)
• Lay & Wheeler Limited
• Lay & Wheeler Trading Limited

2. Who We Are and How to Contact Us

For the purpose of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Coterie Holdings UK Limited is the data controller responsible for group-level data processing. The individual companies within the group may also act as data controllers for the data they process in their direct interactions with you.

If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact our Data Protection Manager:

• By email: privacy@coterieholdings.com
• By post: Data Protection Manager, Coterie Holdings UK Limited, 58 Grosvenor Street, London, W1K 3JB

3. The Personal Data We Collect

We may collect, use, store, and transfer different kinds of personal data about you, which we have grouped together as follows:

• Identity Data: Includes first name, last name, username or similar identifier, marital status, title, date of birth, and gender .
• Contact Data: Includes billing address, delivery address, email address, and telephone numbers .
• Financial Data: Includes bank account and payment card details.
• Transaction Data: Includes details about payments to and from you and other details of products and services you have purchased from us .
• Technical Data: Includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our websites .
• Profile Data: Includes your username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses .
• Usage Data: Includes information about how you use our websites, products, and services .
• Marketing and Communications Data: Includes your preferences in receiving marketing from us and our third parties and your communication preferences .

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

4. How We Collect Your Personal Data

We use the following methods to collect data from and about you:

• Direct Interactions: You may give us your Identity, Contact, and Financial Data by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal data you provide when you create an account, purchase our products, subscribe to our services, or request marketing materials .
• Automated Technologies or Interactions: As you interact with our websites, we automatically collect Technical Data about your equipment and browsing patterns. We collect this data using cookies and similar technologies. Please see our Cookie Policy for more details .
• Third Parties or Publicly Available Sources: We may receive personal data about you from various third parties, including :
  • Technical Data from analytics providers like Google.
  • Contact, Financial, and Transaction Data from providers of technical, payment, and delivery services.

5. How We Use Your Personal Data and Our Lawful Bases

We will only use your personal data when the law allows us to. We rely on the following lawful bases for processing your data:

• Performance of a Contract: Where we need to perform the contract we are about to enter into or have entered into with you (e.g., to process an order) .
• Legitimate Interests: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests .
• Legal Obligation: Where we need to comply with a legal or regulatory obligation.
• Consent: Where you have given us explicit consent to use your personal data for a specific purpose .

Below is a description of how we use your personal data and the lawful bases we rely on:

Purpose/Activity	Type of Data	Lawful Basis for Processing (including legitimate interest)
To register you as a new customer	Identity, Contact	Performance of a contract with you
To process and deliver your order, including managing payments and collecting debts	Identity, Contact, Financial, Transaction	Performance of a contract with you; Legitimate interests (to recover debts due to us)
To manage our relationship with you (e.g., notifying you of changes to our terms)	Identity, Contact, Profile	Performance of a contract with you; Legal obligation; Legitimate interests (to keep our records updated)
To enable you to participate in a prize draw, competition, or complete a survey	Identity, Contact, Profile, Usage	Performance of a contract with you; Legitimate interests (to study how customers use our products/services)
To administer, protect, and improve our business and websites (including troubleshooting, data analysis, and system security)	Identity, Contact, Technical	Legitimate interests (for running our business, provision of IT services, network security); Legal obligation
To deliver relevant website content, advertisements, and measure their effectiveness	Identity, Contact, Profile, Usage, Marketing & Communications, Technical	Legitimate interests (to develop our products/services and grow our business)
To send you marketing communications about our goods and services	Identity, Contact, Marketing & Communications	Legitimate interests (for existing customers, regarding similar products/services); Consent (for new customers or where otherwise required by law)
To use data analytics to improve our website, products, services, and marketing	Technical, Usage	Legitimate interests (to define customer types, to keep our website updated and relevant, to develop our business strategy)

You have the right to object to processing of your personal data based on legitimate interests and an absolute right to opt out of direct marketing at any time.

6. Data Sharing and Disclosures

We may need to share your personal data with the parties set out below for the purposes outlined in the table above:

• Internal Third Parties: Other companies in the Coterie Holdings Group. They may act as independent controllers for their own customer relationships or as processors providing services to the wider group .
• External Third Parties:
  • Service providers acting as processors who provide IT, system administration, and other business services.
  • Professional advisers including lawyers, bankers, auditors, and insurers acting as processors or independent controllers.
  • HM Revenue & Customs, regulators, and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.

7. International Transfers

Some of our external third parties may be based outside the United Kingdom, so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by implementing legally approved safeguards. This includes:

• Transferring data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government.
• Using specific legal contracts approved for use in the UK, such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs) , which give personal data the same protection it has in the UK.

8. Data Security

We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed. Access to your personal data is limited to employees, agents, and contractors who have a business need to know and are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9. Data Retention

We will only retain your personal data for as long as is reasonably necessary to fulfil the purposes we collected it for, including satisfying any legal, regulatory, tax, accounting, or reporting requirements.

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use, the purposes for which we process it, and applicable legal requirements.

For example, by law, we are required to keep basic information about our customers (including Contact, Identity, Financial, and Transaction Data) for seven years after they cease being customers for tax and accounting purposes.

10. Your Legal Rights

Under UK data protection law, you have the following rights in relation to your personal data:

• Right to be Informed: To be informed about how we use your personal data (which is the purpose of this policy) .
• Right of Access: To request access to the personal data we hold about you .
• Right to Rectification: To request the correction of inaccurate personal data .
• Right to Erasure: To request that we delete your personal data, in certain circumstances .
• Right to Restrict Processing: To request that we suspend the processing of your personal data, in certain circumstances .
• Right to Data Portability: To request the transfer of your personal data to you or a third party in a structured, machine-readable format .
• Right to Object: To object to our processing of your personal data where we are relying on a legitimate interest .
• Right to Withdraw Consent: Where we are relying on consent to process your data, you can withdraw that consent at any time .

To exercise any of these rights, please contact our Data Protection Manager using the details in Section 2.

You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

11. Cookies

Our websites use cookies to distinguish you from other users. This helps us provide you with a good experience when you browse our sites and allows us to improve them. For detailed information on the cookies we use and the purposes for which we use them, please see our dedicated Cookie Policy.

12. Changes to This Privacy Policy

We keep this privacy policy under regular review. Any changes will be posted on this page and, where appropriate, notified to you by email.