Privacy policy

Effective date: 27 March 2026

1. Who We Are

Brett Johnson ("we", "us", "our") is a luxury men's fashion house headquartered in Milan, Italy, with manufacturing in Tuscany and Umbria. We operate the website brettjohnson.co (the "Site") through which we sell products and communicate with customers worldwide.

For the purposes of the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR), Brett Johnson is the data controller responsible for your personal data.

2. Data We Collect

We collect personal data in the following ways:

When you place an order or create an account:
Full name
Email address
Delivery and billing address
Phone number
Payment information (processed by our payment provider — we do not store card details)
Order history and transaction records

When you browse the Site:
IP address and approximate location (country/city)
Device type, browser, and operating system
Pages visited, time on site, and referring URL
Interactions with products (views, clicks, wishlist additions)

When you contact us or sign up for communications:
Name and email address
Message content and correspondence history
Marketing preferences

From third-party sources:
Where you interact with our social media channels, we may receive data consistent with your privacy settings on those platforms.

3. How We Use Your Data

Purpose | Legal Basis
Processing and fulfilling your orders | Performance of a contract
Managing your account | Performance of a contract
Sending order confirmations and shipping updates | Performance of a contract
Responding to customer service enquiries | Legitimate interests / contract
Sending marketing emails (with your consent) | Consent
Personalising your browsing experience | Legitimate interests
Analysing Site performance and improving our service | Legitimate interests
Fraud prevention and security | Legitimate interests / legal obligation
Complying with legal and tax obligations | Legal obligation

Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 8).

Where we rely on consent (e.g. marketing emails, non-essential cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.

4. Cookies and Tracking

We use cookies and similar technologies on the Site. Full details of the cookies we use, their purposes, and how to manage them are set out in our Cookie Policy at brettjohnson.co/pages/cookie-policy.

5. Who We Share Your Data With

We share personal data only where necessary, and only with trusted parties:

Shopify Inc. — Our e-commerce platform provider processes order and account data on our behalf. Shopify is certified under the EU-US and UK-US Data Privacy Framework. shopify.com/legal/privacy (https://www.shopify.com/legal/privacy)

Payment processors — Shopify Payments and/or other processors handle payment card data under PCI-DSS compliance. We do not receive or store full card numbers.

Shipping and logistics partners — Delivery address and contact details are shared with couriers and logistics providers to fulfil your order.

Google LLC — We use Google Analytics (via Google Tag Manager) to understand how visitors use the Site. Data is pseudonymised. policies.google.com/privacy (https://policies.google.com/privacy)

Meta Platforms (Facebook/Instagram) — We use the Meta Pixel to measure advertising effectiveness and, where you have consented, to show you relevant ads. facebook.com/privacy/policy (https://www.facebook.com/privacy/policy)

Email marketing platform — We may use a third-party email service provider to send marketing communications to subscribers.

Professional advisers — Lawyers, accountants, and auditors bound by duties of confidentiality.

Legal and regulatory authorities — Where required by law, court order, or to protect our rights.

We do not sell your personal data to third parties.

6. International Data Transfers

Brett Johnson is based in Italy and operates within the European Economic Area (EEA). Some of our service providers are based outside the EEA, including in the United States. Where we transfer data outside the EEA or UK, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions
Data Privacy Framework certification (for transfers to the US)

You may request details of the specific safeguards applied to your data by contacting us at info@brettjohnson.co.

7. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, and reporting obligations.

Order records: 10 years (Italian and EU tax law requirements)
Account data: For the life of your account, plus 2 years following closure
Marketing consent records: 3 years from last interaction
Browsing/analytics data: Up to 26 months (pseudonymised)
Customer service correspondence: 3 years

When data is no longer required, it is securely deleted or anonymised.

8. Your Rights

Under GDPR and UK GDPR, you have the following rights regarding your personal data:

Access — Request a copy of the data we hold about you
Rectification — Ask us to correct inaccurate or incomplete data
Erasure — Request deletion of your data ("right to be forgotten"), subject to legal obligations
Restriction — Ask us to restrict processing in certain circumstances
Portability — Receive your data in a structured, machine-readable format
Object — Object to processing based on legitimate interests or for direct marketing
Withdraw consent — Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at info@brettjohnson.co. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are dissatisfied with our handling of your data, you have the right to lodge a complaint with:

Italy: Garante per la protezione dei dati personali — garanteprivacy.it (https://www.garanteprivacy.it)
UK: Information Commissioner's Office (ICO) — ico.org.uk (https://ico.org.uk)
Your local supervisory authority if you are located in another EU member state

9. California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

Right to know what personal information we collect, use, disclose, and sell
Right to delete personal information we have collected from you
Right to correct inaccurate personal information
Right to opt out of sale or sharing of personal information — we do not sell personal information
Right to non-discrimination for exercising your privacy rights

To submit a California privacy request, contact us at info@brettjohnson.co with the subject line "California Privacy Request."

10. Children's Privacy

The Site is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.

11. Security

We implement appropriate technical and organisational security measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These include SSL/TLS encryption, access controls, and regular security assessments. However, no transmission over the internet is completely secure, and we cannot guarantee absolute security.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account or are a subscriber) and update the "Effective date" at the top of this page. Continued use of the Site after changes constitutes acceptance of the updated policy.

13. Contact Us

For any questions about this Privacy Policy or to exercise your rights:

Brett Johnson
Via Manzoni, 38
Milan, Italy 20121
info@brettjohnson.co
+39 02 763 40743