Last updated: 27th January 2022
For all our services, the data controller (the company that’s responsible for your privacy) is Craft Kits N Bits Ltd.
As a UK business, we operate primarily from our registered office address in Hampshire, UK.
As a limited company we are required by law to tell you some specific information about us:
We are registered in England & Wales under registration number 12472491
Our registered office address is: 6 Rectory Road, Oakley, Basingstoke, RG23 7LJ.
Our VAT registration number is 352 3080 29, effective 1st August 2020.
Whilst we do hope you take the time to read the full policy, as your privacy is important to us, we’ve tried to highlight some of the key points of the policy in this section. This summary is provided only for convenience and doesn’t replace the full policy.
You have lots of rights regarding how we process your data. You can contact us at any time to exercise these rights using the contact details above.
If you’re on our checkout page and provide your email address we will use this to:
create a contact profile in our email sending system - Klaviyo
email you regarding your cart if you fail to checkout for any reason
email you regarding your order whilst we’re processing it
email you providing the ability for you to review the product you receive
open an account on our website if you choose to set a password after checkout
send you offers and updates — if you choose to allow this by ticking the box
You can opt out of our abandoned cart and review requests at any time by using the manage preferences link in any email you receive from us, or by contacting us at the address above.
If you place an order we will share additional personal data with specialist third parties so that we are able to fulfill your order. This includes payment and shipping providers. We may also ship directly from a supplier, in which case your personal data will be shared with them for this purpose only.
We will not add you to our marketing mailing lists unless you explicitly consent to receiving “updates and offers” on our checkout page or sign up to our newsletter by providing us with your email address. If you sign up outside of our checkout flow you will need to confirm your email address again; this is known as a double opt-in.
Your data is never sold. We do, however, use various third party service providers to run our store. We describe how each of these is used in detail below. We could not operate our store without these third parties involved and they cannot use your data other than to provide the services we require.
What personal data do we collect and why?
Essential data we collect
In operating our store, it is essential for us to capture some information about your devices, your IP address and information related to your visit when you browse our store. For example, this might include a time-stamp, the last page or product you visited, or an indication that you logged in.
We do that in order to:
remember who you are after you log in so that you do not need to authenticate at each click
monitor if our website is running with the high performance we are dedicated to providing
let you browse between products without having to start back from the home page at each click
remember if you put something in your shopping cart before you decide to checkout
and control that your data is processed securely.
For more information on cookies visit the Information Commissioner’s Office website: https://ico.org.uk/your-data-matters/online/cookies/
Our legal basis for this processing is legitimate interest as we would be unable to operate a store on the internet without this.
Order information you expressly provide
If you buy something from our store, we will need more specific information about you. To fully process your order and ship the products you chose, we need your personal data such as your first and last name, your email address, phone number and your shipping and billing address. We will ask you to provide this information in our “checkout page” before letting you finalize your purchase with the payment. We also use your contact and order information to send you communications related to the processing of your order.
We need to transfer this information to our third party service providers as outlined below. Our legal basis for this processing is Contract. We require this information to process your order.
You can sign up for an account if you’d like but this isn’t required to order. This will make us happy because it confirms your interest in our store. It should also make you happy because we will remember your information and data collection preferences and when you decide to buy our products, you do not have to provide all of your information over again — you just have to log in.
Our legal basis for this processing is consent as you are knowingly creating an account that allows you to store your information for a future date. We’re continuing to store your personal data to make it easier for you to use our site in the future. This is entirely optional and orders can be placed without creating an account. If you decide to create an account you can also withdraw your consent at any time by asking us to delete your account by contacting us using the details above.
We may add a loyalty scheme linked to your account at a later date. This will also use consent as a basis for processing, but we will request this consent separately, and you will still be able to have an account without joining the loyalty scheme. If you wish to hear about this please sign up to our mailing list.
If you have started to buy one of our products, but have not completed the purchase, you may have provided partial information, such as your email address. In that case, we might send you emails to remind you about your interest. If you are not comfortable in receiving further emails of this kind, we will give you a simple opportunity to opt-out at the end of the email. Your privacy means a lot to us and we will stop sending you these communications right away. You may also use the contact details at the top of this page if you have any questions about this. We use a third party service provider to send these emails as outlined below.
Our legal basis for this processing is legitimate interest. You’ve provided your email address to place an order and then not proceeded for some reason. This is known as a soft opt-in. We can’t be sure that it was a deliberate choice to not proceed and so we want to make it easy for you to continue with your order. In case it was a deliberate choice to stop purchasing, we also allow you to opt-out of future emails.
If you have completed a purchase, we will send you an email to ask you to review the product you bought. We want to be sure that whether you love your purchase or not, you can share your opinion with other customers. If something is wrong - please let us know so we can try and resolve the problem for you.
Our legal basis for this processing is legitimate interest. You’ve provided your email address to place an order and we would like to be sure that you’re 100% satisfied with your order.
We also use some specific information related to your visits, such as the timestamp of your visit, the page, or the product you viewed, where you are coming from (if you came to our store because you clicked on an advertisement or you just opened our direct link). This is very similar to the “essential information,” but we use it to provide you with a personalized experience. The information on your visit provides us with insights on your interests and allows us to send you relevant communications if you have also opted into receiving marketing emails.
This information is collated in our third party service provider Klaviyo, and may be converted to codes (hashed) and sent to third parties such as Google, Facebook and Pinterest. We may also use this information to build profiles so that we may find other people with similar interests who may like our products.
The hashed data sent to third parties allows you to remain anonymous unless you have separately consented to provide this same information to them directly, in which case it will be matched. You can read more about how this hashing process works on Facebook’s advertising website.
Our legal basis for this processing is Consent. We only process your personal data in this way if you have accepted our Targeting & Advertising cookies.
We may use your email address to contact you with offers and updates on our store. We will send these emails and identify if they have been successfully received and read by using our third party service provider Klaviyo. We will only send emails in this way if you have explicitly consented to us doing so during checkout, by choosing to allow updates and offers, or if you have subscribed to our mailing list. Our email marketing requires you to confirm the subscription by email. This is known as a double opt-in.
Our legal basis for this processing is Consent. You can manage your email preferences or withdraw your consent at any time by using the links at the bottom of our emails. You can also contact us using the details at the top of this page if you need any help with this.
How do we process your data?
We use an external provider to run our store, BigCommerce. BigCommerce is based in the US and is a participant in the EU-US Privacy Shield Framework and committed to providing best-in-class service and data protection. Privacy Shield requires that US-based companies provide the same protections for data export from the EU and UK that are required under EU and UK law, including GDPR.
You can check a company’s participation in the Privacy Shield here on the official site of The International Trade Administration (ITA), U.S. Department of Commerce. Through BigCommerce, we also use other, highly specialized external providers to provide the most competitive services. Partnering with highly specialized external companies allows us to focus on what we do best: choosing and selling products for you to enjoy.
We carefully review the privacy policies and data security practices of any external third party service providers before we choose to use them. This section includes information about the third party service providers we use and how we use them.
Payment: Our store is PCI-DSS compliant (a very strict industry standard with requirements for the security of credit card information) and we only use accredited companies to process your credit card information. Our vendors currently include Square, Stripe, PayPal and Klarna.
Shipping: We may integrate with a number of shipping companies to fulfill your order. Our main shipping vendor is currently Royal Mail, but we may change this depending on the order.
Analytics: We use analytics systems on our site to optimise our website for our customers. Our current vendor is Google Analytics.
Email: We use an external email service provider to send both our transactional and marketing emails. This vendor is Klaviyo.
Targeting/Advertising: We use various third parties to provide targeted advertising. Our current vendors are Google, Facebook and Pinterest and more information about how this works can be found on their websites: https://support.google.com/ads/answer/2662922?hl=en-GB, https://www.facebook.com/about/basics/advertising and https://business.pinterest.com/en-gb/promote-on-pinterest
How can you control your personal data?
You have the rights listed below. If you cannot exercise your rights on your account page or if you do not have an account with us, please reach out to us using the contact details at the top of this page and we will be more than happy to help. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Your rights under data protection laws:
Your right of access - You have the right to ask us for copies of your personal information held by us.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
How long do we keep your data?
We keep your data for as long as you have an account with us. We also keep some data for security investigation. Most importantly, we have specific obligations for fraud detection and tax reasons. Therefore, we might need to retain certain data even if you ask to delete it.
Do we have any legal obligations when handling your data?
Many. We have legal obligations regarding your rights as mentioned above but we also might need to share your personal information to comply with applicable legal obligations - for example, a court order. If we have a legal obligation to process your data then you no longer have a right to erasure, right to data portability, or right to object.
More information about this can be found on the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legal-obligation/
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us at the address above.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk