
Privacy policy
Effective date: 19th December 2025 | Last updated: 7th January 2026
Croft & Wylde Limited ("We," "Us," "Our") operates the website www.croftwylde.co.uk (the "Site"). Your privacy is important to us, and we are committed to respecting and protecting your personal data in accordance with UK data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Do not continue to use Croft & Wylde Limited’s website or use any services or products if you do not accept all of the terms of this policy.
1. Who we are and how to contact us (controller/processor disclosure)
- Company name: Croft & Wylde Limited
- Data controller status: Croft & Wylde Limited is the Data Controller for the personal information collected on this Site, determining the purposes and means of processing that data. We remain compliant with our data controller obligations under UK GDPR.
- Registered address: 86-90 Paul Street, London EC2A 4NE
- Company number: 16913372
For all privacy-related questions or to exercise your legal rights, please contact us. You can also find our contact details below:
- Email: hello@croftwylde.co.uk
- Postal address: Data Protection Office, Croft & Wylde Limited, 86-90 Paul Street, London EC2A 4NE
2. The personal data we collect and methods of collection
Personal information is any information about you which can be used to identify you. This includes information about you as a person, your devices, and how you use our services. Information we collect falls into two main categories:
- Voluntarily provided information (direct collection): This is information you knowingly and actively provide us, typically when interacting directly with the Site's features:
  - Identity & contact data: Name, title, email address, billing/shipping address, phone number (used for order fulfillment, account creation, customer support etc.).
  - Profile data: Username, password, purchase history, saved items, feedback, and survey responses (used for managing your account and personalizing your experience).
  - Marketing data: Your preferences in receiving marketing from us (used for direct marketing where consent is given).
  - Comments data: Content of comments and contact form submissions (used for public interaction, communication and support).
- Automatically collected information (indirect collection): This information is collected automatically by website analytics as you interact with the Site:
  - Transactional data: Details about payments (excluding full card numbers), products purchased (collected via payment processors and internal systems).
  - Log data: Your device’s Internet Protocol (IP) address, browser type and version, the pages you visit, time/date of visit, time spent on each page, actions taken on page, and details about site errors and the circumstances surrounding their occurrence (collected via automated technologies such as server logs).
  - Technical/device data: Device type (mobile/desktop), operating system, time zone, unique device identifiers (collected via automated technologies such as cookies and analytics).
  - Usage data: Clickstream data, pages viewed, site navigation patterns and actions (collected via automated technologies such as cookies and analytics).
3. Lawful basis and purposes for processing
We will only collect and use your personal information when we have a legitimate reason (Lawful Basis) for doing so under UK GDPR.
| Purpose of Processing | Lawful Basis for Processing |
| --- | --- |
| To fulfill and deliver your purchases and manage returns. | Performance of a Contract with you. |
| To register you as a customer and manage your account. | Performance of a Contract with you. |
| To send service communications (e.g. order updates, policy changes etc.). | Legal Obligation; Necessary for our Legitimate Interests (to ensure proper service delivery). |
| To manage and protect our Site (security, troubleshooting, fraud prevention). | Necessary for our Legitimate Interests (for running our business, network security, and fraud prevention). |
| For analytics, market research, and business development (improving site performance). | Necessary for our Legitimate Interests (to study how customers use our products and improve the offering). |
| To send marketing emails/SMS to new users. | Consent (required by the Privacy and Electronic Communications Regulations (PECR)). |
| To use non-essential cookies (analytics, personalisation, advertising). | Consent (required by PECR). |

4. Cookies, consent, and direct marketing (PECR compliance)
- Cookies and similar technologies: We use cookies and similar technologies. Under PECR, we must gain your prior consent for non-essential cookies. If you do not make a choice about cookies using our opt-out banner, we may assume soft consent. You can find out more about the specific cookies we collect in our cookie policy.
  - Essential cookies: Used for basic Site functions (e.g., keeping items in the basket). These do not require consent.
  - Non-essential cookies: We will ask for your informed, affirmative consent before setting these.
- Direct marketing: We rely on different rules for email marketing:
  - Consent: For new customers or general inquiries, we rely on your Consent (opt-in) to send you promotional communications.
  - Soft opt-in: If you purchase goods or services from us, we may use your email address to send you marketing about our own similar products and services, provided you are given a clear opportunity to opt-out both at the time of collection and in every subsequent communication, as this type of communication is considered legitimate interest.
5. Third-party sharing and international transfers
- Disclosure of personal information to third parties: We may disclose personal information to the following categories of third parties:
  - Service providers (processors): IT hosting and cloud providers, analytics providers (e.g., Google Analytics), customer support platforms, and email delivery platforms (where we have Data Processing Agreements in place).
  - Payment processors: Companies that securely handle payment card transactions (e.g. PayPal, Stripe etc.).
  - Delivery partners: Couriers and shipping companies to fulfill your orders.
  - Professional advisers & regulators: Lawyers, auditors, and regulators (where required by legal obligation).
- Third-party provided content: We may indirectly collect publicly available information about you (e.g. from social media profiles) for marketing research and improving the Site's experience.
- International transfers: If personal data is transferred outside the UK, we ensure a similar degree of protection is afforded to it by relying on approved safeguards, such as the UK Extension to the EU Standard Contractual Clauses or adequacy regulations.
6. Data security and retention
- Data security and breach notification: We employ both technical and organisational measures to protect your personal data. You are responsible for maintaining the security and confidentiality of any password associated with your account. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the ICO as required by UK GDPR.
- Data retention (information no longer required): We keep your personal information only for as long as necessary for the purposes for which we collected it and to satisfy any legal, accounting, or reporting requirements.
- Deletion or anonymisation: When your personal information is no longer required for its original purpose, we will either delete it securely or anonymise it (so it can no longer be associated with you) for research or statistical purposes. We may retain information for legal compliance (e.g., transactional data for six years for tax and audit purposes).
7. Your legal rights (data subject rights)
Under UK GDPR, you have the right to be informed, and the following rights regarding your personal data. To exercise any of these rights, please contact us using the details in Section 1.
- Right of access or Data Subject Access Request (DSAR): You may request a copy of the personal information that we hold about you at any time. We aim to fulfill this request as soon as possible and within 30 days.
- Right to rectification: If you believe that any information we hold about you is inaccurate, out of date, or incomplete, you have the right to have that data corrected or completed.
- Right to erasure (The 'Right to be Forgotten'): You can ask for your personal data to be erased, particularly if the data is no longer necessary for the purpose for which it was collected, or if you withdraw consent (where consent was the legal basis). This right is not absolute and may not apply if retention is legally required.
- Right to portability: You have the right to obtain some of your personal data from us in a structured, commonly used, and machine-readable format and to transmit that data to another organisation where technically feasible.
- Right to restrict processing: You have the right to request that we restrict the processing of your personal information if you are concerned about its accuracy, believe the processing is unlawful, or need the data for a legal claim.
- Right to object: You have the right to object to processing of your personal information that is based on our legitimate interests or public interest, including objection to direct marketing.
- Right to withdraw consent: Where we rely on consent as the legal basis for processing, you may withdraw your consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
- Non-discrimination: We will not discriminate against you for exercising any of your rights over your personal information.
- Right to complain to the Information Commissioner’s Office (ICO): You have the right to make a complaint at any time to the ICO, the UK supervisory authority for data protection issues. We encourage you to contact us first so we can try to resolve your concern.
8. Business transfers and policy limits
- Business transfers: If we or our assets are acquired, or in the event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and the acquiring party may continue to use your personal information according to this policy.
- Children’s data and external sites:
  - Children’s data: Our website is not intended for children, and we do not knowingly collect data relating to children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to remove that information from our servers.
  - External sites: Our website may link to external sites that are not operated by us; we have no control over the content and policies of those sites and cannot accept responsibility or liability for their privacy practices.
9. Changes to this privacy policy
- Policy updates: At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative changes.
- Notification: The latest version will always be posted on the Site, and the "Last Updated" date will be revised. If the changes are significant, we will notify you directly (based on your selected communication preferences).
