For all our services, the data controller (the company that’s responsible for your privacy) is Craft Kits N Bits Ltd.
As a UK business, we operate primarily from our address in Hampshire, UK:
24c Nightingale Ave.
As a company registered in England & Wales (registration number 12472491), we are required by law to tell you that our registered office address is: 27 Old Gloucester Street, London, United Kingdom, WC1N 3AX.
Please don’t use our registered office address to return things or contact us as we can only receive company correspondence at this address.
Whilst we do hope you take the time to read the full policy, as your privacy is important to us, we’ve tried to highlight some of the key points of the policy in this section. This summary is provided only for convenience and doesn’t replace the full policy.
You have lots of rights regarding how we process your data which you can find below. You can contact us at any time to exercise these rights using the contact details above.
If you’re on our checkout page and provide your email address we will use this to:
email you regarding your cart if you fail to checkout for any reason
email you regarding your order whilst we’re processing it
email you providing the ability for you to review the product you receive
open an account if you choose to set a password after checkout
All emails we send contain industry standard open and click tracking.
You can opt out of our abandoned cart and review requests at any time by clicking the unsubscribe link in an email you receive, or by contacting us at the address above.
If you place an order we will share additional personal data with specialist third parties so that we are able to fulfill your order. This includes payment, shipping and transactional email providers.
We will not add you to our marketing mailing lists unless you explicitly consent to receiving “updates and offers” on our checkout page or sign up to our newsletter by providing your email address. You will then need to confirm your email address. This is known as a double opt-in.
We use various third party service providers to run our store. We describe how each of these is used in detail below.
What personal data do we collect and why?
Essential data we collect
In operating our store, it is essential for us to capture some information about your devices, your IP address and information related to your visit when you browse our store. For example, this might include a timestamp, the last page or product you visited, and an indication that you logged in.
We do that in order to:
remember who you are after you log in so that you do not need to authenticate at each click
monitor if our website is running with the high performance we are dedicated to providing
let you browse between products without having to start back from the home page at each click
remember if you put something in your shopping cart before you decide to checkout
and check that your data is processed securely.
Our legal basis for this processing is legitimate interest as we would be unable to operate a store on the internet without this.
Order information you expressly provide
If you buy something from our store, we will need more specific information about you. To fully process your order and ship the products you chose, we need your personal data such as your first and last name, your email address and your shipping and billing address. We will ask you to provide this information in our “checkout page” before letting you finalize your purchase with the payment. We also use your contact and order information to send you communications related to the processing of your order.
We need to transfer this information to our third party service providers - Klaviyo (transactional email) and ShipStation (shipping provider). Our legal basis for this processing is Contract. We require this information to process your order.
You can sign up for an account if you’d like but this isn’t required to order. This will make us happy because it confirms your interest in our store. It should also make you happy because we will remember your information and when you decide to buy our products, you do not have to provide all of your information over again -- you just have to log in.
Our legal basis for this processing is consent as you are knowingly creating an account that allows you to store your information for a future date. We’re continuing to store your personal data to make it easier for you to use our site in the future. This is entirely optional and orders can be placed without creating an account. If you decide to create an account you can also withdraw your consent at any time by asking us to delete your account by contacting us using the details above.
Creating an account may also allow us to provide further personalisation, but only if you consent separately to this by allowing our Targeting & Advertising - see the Personalisation section below for more information.
We may add a loyalty scheme linked to your account at a later date. This will also use consent as a basis for processing, but we will request this consent separately, and you will still be able to have an account without joining the loyalty scheme. If you wish to hear about this please sign up to our mailing list.
If you have started to buy one of our products, but have not completed the purchase, you may have provided partial information, such as your email address. In that case, we might send you emails to remind you about your interest. If you are not comfortable in receiving further emails of this kind, we will give you a simple opportunity to opt-out at the end of the email. Your privacy means a lot to us and we will stop sending you these communications right away. You may also use the contact details at the top of this page if you have any questions about this. We use a third party service provider called Klaviyo to send these emails.
Our legal basis for this processing is legitimate interest. You’ve provided your email address to place an order and then not proceeded for some reason. We can’t be sure that this was a deliberate choice and so we want to make it easy for you to continue with your order. In case it was a deliberate choice to stop purchasing, we also allow you to opt-out of future emails.
If you have completed a purchase, we will send you an email to ask you to review the product you bought. We want to be sure that whether you love your purchase or have a complaint, you can share your opinion with other customers.
Our legal basis for this processing is legitimate interest. You’ve provided your email address to place an order and we would like to be sure that you’re 100% satisfied with your order.
We also use some specific information related to your visits, such as the timestamp of your visit, the page, or the product you viewed, where you are coming from (if you came to our store because you clicked on an advertisement or you just opened our direct link). This is very similar to the “essential information,” but we use it to provide you with a personalized experience. The information on your visit provides us with insights on your interests and allows us to send you relevant communications.
The hashed data sent to Facebook and Pinterest allows you to remain anonymous unless you have separately consented to provide this same information to them directly, in which case it will be matched. You can read more about how this hashing process works on Facebook’s advertising website.
Our legal basis for this processing is Consent. We only process your personal data in this way if you have accepted our Targeting & Advertising cookies.
We may use your email address to contact you with offers and updates on our store. We will send these emails and identify if they have been successfully received and read by using our third party service provider Klaviyo. We will only send emails in this way if you have explicitly consented to us doing so during checkout, by choosing to allow updates and offers, or if you have subscribed to our mailing list. Our email marketing requires you to confirm the subscription by email. This is known as a double opt-in.
Our legal basis for this processing is Consent. You can manage your email preferences or withdraw your consent at any time by using the links at the bottom of our emails. You can also contact us using the details at the top of this page if you need any help with this.
How do we process your data?
We use an external provider to run our store, BigCommerce. BigCommerce is based in the US and is a participant in the EU-US Privacy Shield Framework and committed to providing best-in-class service and data protection. Privacy Shield requires that US-based companies provide the same protections for data export from the EU and UK that are required under EU and UK law, including GDPR.
You can check a company’s participation in the Privacy Shield here on the official site of The International Trade Administration (ITA), U.S. Department of Commerce. Through BigCommerce, we also use other, highly specialized external providers to provide the most competitive services. Partnering with highly specialized external companies allows us to focus on what we do best: choosing and selling products for you to enjoy.
We carefully review the privacy policies and data security practices of any external third party service providers before we choose to use them. This section includes information about the third party service providers we use and how we use them.
Payment: Our store is PCI-DSS compliant (a very strict industry standard with requirements for the security of credit card information) and we only use accredited companies to process your credit card information. Our vendor is currently Square.
Shipping: We integrate with a number of shipping companies to fulfill your orders. We do this using ShipStation. Our main shipping vendor is currently MyHermes.
Analytics: We use analytics systems on our site to optimise our website for our customers. Our current vendor is Google Analytics.
Email: We use an external email service provider to send both our transactional and marketing emails. This vendor is Klaviyo.
Targeting/Advertising: We use various third parties to provide targeted advertising. Our current vendors are Facebook and Pinterest and more information about how this works can be found on their websites: https://www.facebook.com/about/basics/advertising and https://business.pinterest.com/en-gb/promote-on-pinterest
How can you control your personal data?
You have the rights listed below. If you cannot exercise your rights on your account page or if you do not have an account with us, please reach out to us using the contact details at the top of this page and we will be more than happy to help. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Your rights under data protection laws:
Your right of access - You have the right to ask us for copies of your personal information held by us.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
How long do we keep your data?
We keep your data for as long as you have an account with us. We also keep some data for security investigation. Most importantly, we have specific obligations for fraud detection and tax reasons. Therefore, we might need to retain certain data even if you ask to delete it.
Do we have any legal obligations when handling your data?
Many. We have legal obligations regarding your rights as mentioned above but we also might need to share your personal information to comply with applicable legal obligations - for example, a court order. If we have a legal obligation to process your data then you no longer have a right to erasure, right to data portability, or right to object.
More information about this can be found on the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legal-obligation/
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us at the address above.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk