Privacy Policy
Oliabo Global Privacy Policy
Last Updated: November 18, 2025
Oliabo, LLC (“Oliabo,” “we,” “our,” or “us”) is committed to protecting your privacy. This Global Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our websites, use our services, make purchases, or interact with us in other ways.
This policy uses a unified global structure:
• Applies to All – baseline rules that apply to everyone, worldwide.
• UK/EU Additional – overlays required by the EU/EEA General Data Protection Regulation (GDPR) and the UK GDPR.
• US Additional – overlays for applicable US state privacy laws (e.g., California/CPRA).
This policy is for transparency and compliance. It does not create contractual or third-party beneficiary rights. If you are an Independent Representative, additional privacy requirements apply (see the Independent Representative Privacy Annex embedded within our Terms & Conditions).
1) Scope & Who We Are (Applies to All)
• Controller: Oliabo, LLC, [business address], Murray, Utah, USA
• Email: legal@oliabo.com
• Coverage:
o oliabo.com and related pages, including replicated distributor websites operated via our direct-selling platform.
o Ecommerce and checkout flows, subscriptions, and customer accounts.
o Customer support channels (e.g., Zendesk), marketing communications (e.g., Klaviyo/SendGrid), analytics (e.g., GA4/Vimeo), advertising technologies (e.g., Meta/TikTok/Google Ads), payments (e.g., Stripe/PayPal), logistics and fulfillment (e.g., Landmark Global, 3PLs, carriers).
• Not for resale (NFR) shipments: Some international orders are offered NFR from the United States and are subject to local import rules.
If local law requires, we will publish the details of our EU and UK Article 27 representatives here once appointed (see Section 14).
2) Definitions (Applies to All)
• Personal Data / Personal Information: Information that identifies or can reasonably be linked to an individual.
• Processing: Any operation performed on personal data (collecting, storing, using, disclosing, etc.).
• Controller / Business: The entity that determines the purposes and means of processing personal data.
• Processor / Service Provider: An entity that processes personal data on behalf of a controller/business.
• Sensitive Data: Data subject to enhanced protections in some regions (e.g., precise geolocation, certain health data).
• Cookies & Similar Technologies: Small text files, SDKs, pixels, tags, local storage, and similar tools used for site functionality, measurement, and advertising—see Cookie Policy.
3) What We Collect (Applies to All)
We collect the following categories of data (depending on your use of our services):
• Identity & Contact: name, email, phone, billing and shipping addresses.
• Account & Profile: login credentials, role (customer or representative), preferences, saved items, subscription settings, order history.
• Orders & Transactions: products purchased, amounts, taxes/VAT, masked payment tokens (we do not store full card numbers on our systems).
• Device/Technical: IP address, device and browser type, operating system, cookie identifiers, advertising IDs, diagnostics, approximate location derived from IP.
• Communications & Support: messages you send us, form submissions, and support tickets/notes (e.g., via Zendesk).
• Marketing & Engagement: your communication preferences and consent records; campaign attribution; open/click activity.
• Inferences (non-sensitive): basic preferences inferred from your interactions to help us improve relevance and support.
Children: We do not knowingly collect data from children under 13 (US) or under 16 (UK/EU). If you believe a child has provided personal data, contact us to request deletion.
4) Sources of Personal Data (Applies to All)
• Directly from you (checkout, forms, account actions, support).
• Automatically via cookies and similar technologies on our sites and embedded services (see Cookie Policy).
• From vendors/service providers (payments, logistics, analytics, support) who help us operate the services.
• From Independent Representatives (limited, need-to-know customer details to serve you and for team development).
5) How We Use Personal Data (Applies to All)
We use personal data to:
1. Provide and improve the services – run the websites and replicated sites; process orders, payments, subscriptions, and shipments; provide support; fix bugs and improve performance.
2. Security and fraud prevention – protect accounts and systems; investigate suspicious activities.
3. Analytics and product development – measure usage (e.g., GA4/Vimeo) and improve user experiences.
4. Marketing and personalization – send transactional and (where lawful) promotional messages; personalize content/ads; measure campaign performance.
5. Compliance – meet legal, tax, and regulatory requirements (including customs, accounting, and sanctions screening where applicable).
We do not use personal data for fully automated decision-making that legally or similarly significantly affects you.
6) Our Legal Bases (UK/EU Additional)
Where GDPR/UK GDPR applies, we rely on one or more of the following:
• Contract necessity (e.g., to fulfill your purchase, manage your account, provide support).
• Legitimate interests (e.g., to maintain and improve services, prevent fraud, perform analytics, limited B2B outreach), after performing a balancing test.
• Consent (e.g., for non-essential cookies, certain marketing in the UK/EU, and ad personalization where required).
• Legal obligations (e.g., recordkeeping, tax and accounting, responding to lawful requests).
• Vital interests (rare; e.g., safety issues).
7) Disclosures & Categories of Recipients (Applies to All)
We disclose data to trusted vendors who assist in operating the services, each under contract and subject to confidentiality and security obligations:
• Hosting/Platform: website host(s), ecommerce/replicated site platform(s).
• Payments: payment processors (e.g., Stripe, PayPal)—we do not store full card numbers on our systems.
• Logistics/Fulfillment: 3PLs, Landmark Global, and shipping carriers.
• Support: Zendesk (ticketing and support).
• Analytics: Google Analytics 4, Vimeo analytics.
• Advertising/Marketing: Meta, TikTok, Google Ads; email/SMS providers such as Klaviyo/SendGrid.
• Professional services: auditors, advisors, or legal counsel as necessary.
• Corporate events: In connection with a merger, acquisition, or sale of assets, data may transfer as part of the transaction (subject to this policy or a successor policy with comparable protections).
We do not sell personal data for money. Some US state laws define “sell” or “share” to include certain targeted advertising or cross-context behavioral advertising disclosures. See US Additional for your opt-out rights.
We provide Independent Representatives limited, need-to-know data (e.g., your name, country, relevant order or volume metrics) to serve you and for compensation/organizational purposes, subject to the Independent Representative Privacy Annex.
8) International Transfers (UK/EU Additional)
When we transfer UK/EU personal data to countries lacking an adequacy decision (e.g., to the US), we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, for the UK, the IDTA/Addendum, plus supplementary measures (e.g., encryption in transit, strict access control, minimization, and documented transfer assessments). Where available and appropriate, applicable data transfer frameworks may be used by eligible vendors.
9) Data Retention (Applies to All)
We keep personal data only as long as necessary to fulfill the purposes above or to meet legal requirements:
• Transactions & invoices: typically ~7 years (tax/accounting).
• Accounts: active life of the account + an inactivity period (e.g., ~24 months) before deletion/anonymization.
• Marketing records: until consent is withdrawn or an inactivity threshold is reached.
• Support tickets: typically ~3 years.
• Analytics: commonly 14–26 months (platform configuration).
• System logs: typically ~12 months.
See our Global Data Retention & Deletion Policy for details. Legal holds or disputes may require temporary retention beyond schedule.
10) Security (Applies to All)
We implement technical and organizational measures appropriate to the risk, including encryption in transit, least-privilege access controls, monitoring, and vendor due diligence. No system can be 100% secure; you are responsible for safeguarding your credentials and devices. Notify us immediately if you suspect unauthorized activity.
11) Your Privacy Choices (Applies to All)
• Cookies & similar tech: Use our cookie banner/consent manager to accept/reject non-essential categories and to withdraw consent later (see Cookie Policy).
• Marketing: Unsubscribe using message links or by contacting support.
• Replicated sites: We endeavor to mirror cookie and footer controls on replicated distributor sites.
12) Your Rights
12.1 UK/EU Additional (GDPR/UK GDPR)
You have the rights to access, rectify, erase, restrict, object (including to direct marketing), portability, and to withdraw consent (without affecting prior lawful processing). You may also lodge a complaint with your local Supervisory Authority. We typically respond within one month, extendable in complex cases as permitted.
12.2 US Additional (Selected State Laws)
Where applicable (e.g., CA/CPRA and similar laws), you may have the rights to know/access, delete, correct, and to opt out of “selling”/“sharing” for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals where required. Response timelines typically are 45 days (extendable as permitted).
How to exercise rights: Email legal@oliabo.com or use site links where available. We may take steps to verify your identity (and, if applicable, your authorized agent’s authority).
13) Cookies & Similar Technologies (Applies to All)
We use cookies, pixels/tags, SDKs, and local storage to make our services work, measure performance, and—where permitted—personalize content/ads.
• Strictly necessary cookies are always on.
• Functional, Analytics, and Advertising cookies are subject to consent in the UK/EU and opt-out models in certain US states.
• See our Global Cookie Policy and manage settings through the banner or “Manage Cookie Settings” link in the footer. In the US, use “Do Not Sell/Share” where required; we honor GPC signals as applicable.
14) Regional Representatives & Contact (UK/EU Additional)
Where required under GDPR Article 27 and UK GDPR Article 27, we will appoint and publish details for our EU and UK representatives here:
• EU Representative: [To be published after appointment]
• UK Representative: [To be published after appointment]
These representatives act as contact points for Supervisory Authorities and data subjects in their respective regions.
15) California “Notice at Collection” (US Additional)
Categories collected: Identifiers; customer records; commercial information; internet/technical activity; geolocation (approximate); inferences (non-sensitive). Sources: you, your devices, vendors, and representatives. Purposes: provide and improve services; security; analytics; marketing; compliance. Disclosures: service providers, processors, and as otherwise described in Section 7. Retention: see Section 9. Sale/Share: We do not sell for money; certain ad-tech disclosures may be deemed “selling”/“sharing”—you may opt out via our site links; we honor GPC.
16) International Users (Applies to All)
By using the services, you understand your data may be transferred, processed, and stored outside your country of residence (see Section 8 for UK/EU safeguards).
17) Changes to This Policy (Applies to All)
We may update this policy to reflect legal, technical, or operational changes. The “Last Updated” date will change when updates are posted. Material changes will be highlighted in a reasonable manner.
18) How to Contact Us (Applies to All)
• Email: legal@oliabo.com
• Mail: Oliabo, LLC, [business address], Murray, Utah, USA
For UK/EU, you may also contact the applicable Supervisory Authority. Once appointed, our EU/UK representatives will be listed in Section 14.
Annex A — GDPR / UK GDPR Addendum (Integrated)
This Annex forms part of and is incorporated into the Oliabo Global Privacy Policy for UK/EU processing.
A1. Additional Definitions
• Supervisory Authority: An independent public authority responsible for monitoring data protection law compliance.
• International Transfer: Sending personal data to a country outside the EEA/UK or to an international organization.
• DPIA: Data Protection Impact Assessment.
A2. Lawful Bases by Purpose (Illustrative Mapping)
Purpose | Examples | Lawful Bases
Provide Services | Checkout, shipping, support | Contract necessity; Legitimate interests
Security/Fraud | Access controls, monitoring | Legitimate interests; Legal obligations
Analytics/Improvement | GA4/Vimeo, A/B tests | Legitimate interests; Consent (where required)
Marketing/Personalization | Email/SMS, ads, measurement | Consent; Legitimate interests (soft opt-in)
Compliance | Tax, customs, accounting | Legal obligations
Where we rely on legitimate interests, we conduct balancing tests considering your rights and reasonable expectations.
A3. Your GDPR/UK GDPR Rights & Timelines
• Access; Rectification; Erasure; Restriction; Objection (incl. direct marketing); Portability; Withdraw Consent.
• Standard response time: 1 month, extendable where permitted for complex requests.
• You may lodge a complaint with your local Supervisory Authority.
A4. Processors & Sub-processors
We impose contractual obligations on processors, including confidentiality, security measures, assistance with rights requests, sub-processor management, breach notice, and deletion/return upon termination.
A5. International Transfers & Safeguards
Where required, we execute EU SCCs and the UK IDTA/Addendum, and apply supplementary measures (e.g., encryption in transit, strict access control, minimization, documented assessments). We track transfer mechanisms for key vendors.
Annex B — US “Selling/Sharing” & Opt-Out Controls (Integrated)
Certain ad-tech disclosures may be treated as “selling” or “sharing” personal information under US state privacy laws.
• You can opt out via our site links (e.g., “Do Not Sell/Share”) and through cookie preferences.
• We honor Global Privacy Control (GPC) signals where required.
• We do not sell personal information for money.
Annex C — Region-Specific Notes (Integrated)
• Cooling-off (UK/EU consumers): You may have a 14-day right to cancel certain distance purchases (subject to exceptions, e.g., hygiene-sealed items once opened). See Terms & Conditions and Return/Refund Policy.
• Direct marketing (UK/EU): Promotional emails/SMS typically require consent unless the “soft opt-in” applies for similar goods to existing customers.
• DPO: We have not appointed a DPO at this time. If required in the future, we will update this policy.
Annex D — Contact Points (Integrated)
• Oliabo, LLC – legal@oliabo.com
• EU Article 27 Representative: [To be published after appointment]
• UK Article 27 Representative: [To be published after appointment]