This Privacy Policy explains how MILKIES Ltd ("MILKIES", "we", "us", or "our") collects, uses, discloses, and safeguards Personal Data in connection with the Inner Circle Partner Program available at https://innercircle.love (the "App") and related services covering the MILKIES®, DIY by MILKIES®, MOMENTS®, KeepMoments.de, and MOMENTS® DIY JEWELRY KIT brands (collectively, the "Services").
MILKIES is committed to protecting your privacy and processing Personal Data in a transparent, lawful manner consistent with the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR"), the UK Data Protection Act 2018, and all other applicable data protection legislation (collectively, "Data Protection Laws").
By creating an account, logging in via Google or Facebook, applying to the Program, or otherwise using the App, you acknowledge that you have read and understood this Privacy Policy.
The data controller for Personal Data processed through the App is:
MILKIES Ltd
85 Great Portland Street, London W1W 7LT, England, United Kingdom
Registered in England & Wales — Company No. 10195739
Email: privacy@innercircle.love
Telephone: +44 (0)20 3890 7353
Source: Provided by you.
Includes: name, email address, password (stored in hashed form), preferred language, time zone, contact telephone number, postal/billing address, company name, VAT/tax identification number.
Source: Third-party login provider (Google or Facebook), with your authorisation.
Includes: Google or Facebook user ID, verified email address, display name, profile picture URL, OAuth access token (short-lived).
Source: Provided by you.
Includes: answers to eligibility questions, declared promotional channels, website URLs, social media handles, audience demographics, geographic reach, marketing plans.
Source: Generated by the App; provided by you; MILKIES e-commerce platforms.
Includes: referral code, click-through events, order identifiers, product SKUs, gross and net sales values, currency, commission rate, accrued commissions, payout history, self-billing invoices, PayPal account ID, bank IBAN/BIC, payout preferences.
Source: Automated collection.
Includes: IP address, device type, operating system, browser type and version, referral URL, session timestamps, App event logs, cookies, Facebook Pixel identifiers, Google Analytics identifiers.
Source: Provided by you.
Includes: support requests, emails, chat messages, feedback forms, marketing opt-in/opt-out records.
Source: Generated by the App; derived from transaction and technical data.
Includes: geographic origin of sales (based on customer IP, shipping address, and store domain/language), attribution source analysis (direct referral vs. coupon platform vs. browser extension), transaction pattern analytics, Permitted Territory compliance data, fraud risk indicators.
We do not knowingly collect data from individuals under 18 years of age. The Program is restricted to persons aged 18 and over. If we learn that we have collected Personal Data from a child, we will delete it promptly.
We process your Personal Data on one or more of the following lawful bases:
To assess your application, create and administer your partner account, generate referral links, track and attribute sales, calculate commissions, process payouts, and perform our obligations under the Terms of Service.
To protect the integrity of our Services, detect and prevent fraud or abuse (including coupon hijacking, code leaking, geographic attribution fraud, and self-referral schemes), conduct aggregated analytics on partner and campaign performance, improve the App, enforce our Terms of Service, and protect our commercial interests. We have conducted a Legitimate Interests Assessment and concluded that these interests are not overridden by your rights and freedoms.
To comply with tax, accounting, anti-money-laundering, and other statutory obligations (including HMRC requirements, EU VAT regulations, and applicable financial reporting duties).
For optional marketing communications and where your jurisdiction requires consent for certain cookies or tracking technologies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
We use your Personal Data to:
(a) evaluate and process partner applications;
(b) authenticate you and manage secure login sessions;
(c) generate unique partner codes, attribute referrals, and display real-time commission dashboards;
(d) issue self-billing invoices and execute payouts via PayPal or bank transfer;
(e) detect fraudulent clicks, invalid traffic, coupon platform attribution, geographic mismatches, and breaches of Program rules (see Section 13);
(f) validate that sales constitute Qualifying Sales under the Terms of Service;
(g) send operational notices (e.g., sale confirmations, payout status, policy updates, audit notifications);
(h) provide technical and customer support;
(i) comply with financial, tax, and bookkeeping regulations;
(j) conduct aggregated analytics on partner performance, campaign effectiveness, and App stability;
(k) send optional promotional updates about new MILKIES products, where permitted;
(l) defend legal claims and enforce our Terms of Service.
We share Personal Data strictly on a need-to-know basis with:
Internal Teams — authorised staff of MILKIES Ltd and its EU/US subsidiaries involved in partner management, finance, fraud detection, and customer support.
Service Providers — vetted data processors acting on our instructions under written data processing agreements, including: hosting and infrastructure providers (e.g., AWS EU-West-1), payment processors (PayPal, banking partners), analytics tools (Google Analytics), email service providers, and fraud detection services.
Professional Advisers — auditors, accountants, lawyers, or insurers bound by professional confidentiality obligations.
Authorities — HM Revenue & Customs, Companies House, courts, regulators, or law enforcement where required by law or to protect our rights.
Business Transfers — in the event of a merger, acquisition, or asset sale, subject to appropriate safeguards and notification.
We never sell or rent your Personal Data.
Some of our service providers (including PayPal, Google, and Meta/Facebook) operate in jurisdictions outside the UK and European Economic Area that may not provide equivalent data protection. Where we transfer Personal Data internationally, we ensure appropriate safeguards are in place, including:
(a) Adequacy regulations issued by the UK Government or European Commission;
(b) Standard Contractual Clauses (SCCs) approved by the UK ICO or European Commission; and/or
(c) Supplementary measures where required following a Transfer Impact Assessment, in accordance with the principles established in Schrems II (Case C-311/18).
A copy of relevant safeguards can be requested by contacting us at privacy@innercircle.love.
We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected:
Data CategoryRetention PeriodAccount & Transaction DataLife of partner account + 7 years after closure (tax/accounting obligations)Technical & Usage Logs12 months from collection, unless required for security investigationsMarketing Consent RecordsDuration of consent + 3 years thereafterApplication Data (rejected applicants)24 months from decision, then securely deletedFraud Detection Data (confirmed fraud)3 years from determinationFraud Detection Data (no fraud found)12 months from analysis completion
On request or account deletion, we will pseudonymise or erase data not required by law.
The App employs first-party cookies and similar technologies to:
(a) maintain authenticated sessions;
(b) attribute referral clicks to partner codes;
(c) measure aggregated traffic and improve usability;
(d) analyse campaign performance via Facebook Pixel and Google Analytics.
Essential cookies (authentication, security, referral attribution) are necessary for the App to function and do not require consent.
Analytics and marketing cookies are only activated with your consent, obtained via our cookie consent banner. You may manage your preferences at any time through the cookie settings in the App or by adjusting your browser settings. Blocking non-essential cookies will not affect core App functionality.
For detailed cookie information, see our Cookie Notice within the App.
We implement appropriate technical and organisational measures to protect Personal Data, including:
(a) TLS 1.3 encryption in transit; AES-256 encryption at rest;
(b) single sign-on via Google/Facebook OAuth 2.0 with short-lived tokens;
(c) role-based access controls and two-factor authentication for staff;
(d) ISO 27001-certified cloud infrastructure;
(e) regular penetration testing and vulnerability scanning;
(f) data protection impact assessments for high-risk processing activities;
(g) incident response procedures and staff training.
11.1. In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, MILKIES will:
(a) notify the UK Information Commissioner's Office (ICO) and/or the relevant EU supervisory authority within 72 hours of becoming aware of the breach, where required by law;
(b) notify affected Partners without undue delay, providing: a description of the breach, the categories of data affected, likely consequences, and measures taken or proposed to address the breach.
11.2. MILKIES maintains an internal breach register and incident response plan in accordance with Articles 33–34 of the UK GDPR / EU GDPR.
Subject to applicable Data Protection Laws, you have the right to:
Access — obtain confirmation of processing and a copy of your Personal Data.
Rectification — correct inaccurate or incomplete data.
Erasure — request deletion where processing is no longer lawful or necessary.
Restriction — temporarily halt processing under certain conditions.
Portability — receive data you provided in a structured, machine-readable format and transmit it to another controller.
Objection — object to processing based on legitimate interests or direct marketing.
Withdraw Consent — at any time, without affecting the lawfulness of prior processing.
Not be subject to solely automated decisions — including profiling that produces legal or similarly significant effects (see Section 13).
To exercise any right, please use the in-App "Delete Account" button (for erasure) or email privacy@innercircle.love. We will respond within one month (extendable by two further months for complex requests, with prior notification).
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or the relevant supervisory authority in your EU Member State.
MILKIES uses automated systems to analyse transaction data, geographic attribution patterns, and referral source information to detect potential fraud, coupon hijacking, and unauthorised code distribution. This automated processing may result in:
(a) flagging of specific transactions for manual review;
(b) temporary withholding of Commissions pending investigation;
(c) classification of transactions as non-qualifying.
In accordance with Article 22 of the UK GDPR / EU GDPR, no decision that produces legal effects or similarly significantly affects you is based solely on automated processing. All automated fraud flags are subject to human review by authorised MILKIES staff before any final determination is made regarding Commission withholding, account suspension, or termination.
Fraud detection processing uses the following data: geographic origin of sales (customer IP geolocation, shipping country, store domain/language), attribution source metadata, transaction timestamps and patterns, discount code usage frequency and distribution, comparison against known Coupon Platform signatures, and Permitted Territory compliance data.
You have the right to:
(a) obtain meaningful information about the logic involved in automated fraud detection;
(b) request human review of any automated determination;
(c) express your point of view and contest a decision.
To exercise these rights, contact privacy@innercircle.love.
Fraud detection data is retained for 3 years where fraud is confirmed, and 12 months where no fraud is found, after which it is securely deleted or anonymised.
If you are a California resident, the following additional provisions apply under the California Consumer Privacy Act / California Privacy Rights Act:
14.1. Categories of Personal Information Collected:
Identifiers, commercial information, internet/electronic activity, geolocation data, and professional information (as detailed in Section 3).
14.2. Business Purpose:
All Personal Data is collected and used for the business purposes described in Section 5. We do not sell or share (as defined by the CCPA/CPRA) your Personal Information for cross-context behavioural advertising.
14.3. Your California Rights:
You have the right to know, delete, correct, and opt out of sale/sharing. To exercise these rights, email privacy@innercircle.love. We will not discriminate against you for exercising your rights.
Referral links direct end-customers to MILKIES e-commerce domains. Those sites are governed by their own privacy policies. We are not responsible for the privacy practices of third-party websites.
We may update this Privacy Policy to reflect changes to our practices, legal requirements, or processing activities. Material changes will be communicated via email or in-App banner at least 14 days before taking effect. The "Last updated" date reflects the current version.
Questions, requests, or complaints concerning this Privacy Policy or our data-processing practices should be directed to:
Data Protection Lead — MILKIES Ltd
85 Great Portland Street, London W1W 7LT, UK
Email: privacy@innercircle.love
Telephone: +44 (0)20 3890 7353
Last updated: March 19, 2026