Privacy Policy
(Updated on 27th June 2024)
1. Introduction
Welcome to Cranxs, the leading online marketplace for cycling enthusiasts. Our platform connects riders with a comprehensive range of cycling products, from complete bicycles to specialised components and accessories.
At Cranxs, we recognise that the security of your personal information is paramount. This privacy policy outlines our commitment to protecting your data and ensuring a safe experience as you engage with our digital marketplace.
We believe in transparency and want you to fully understand how we collect, use, and safeguard your information. This policy covers all aspects of your interaction with Cranxs, including our website, mobile applications, and any other services we offer. Whether you're buying, selling, or simply browsing, this policy applies to all information shared with us.
Our dedication to your privacy is fundamental to our operations. We implement robust security measures and adhere to strict data protection standards to ensure your information remains secure at all times.
By using Cranxs, you're entrusting us with your information, and we take this responsibility seriously. We encourage you to read this policy carefully to understand our practices and your rights regarding your personal data.
At Cranxs, we're committed to fostering a thriving community of cycling enthusiasts while rigorously protecting your privacy. This policy is designed to give you confidence that your data is in good hands as you explore everything our marketplace has to offer.
2. Information We Collect
At Cranxs, we collect various types of information to provide and improve our services. This information falls into three main categories:
2.1 Personal Information
From Buyers:
- Full name
- Email address
- Shipping address
- Billing address (if different from shipping)
- Payment information (such as credit card details or PayPal account information)
- Phone number
- Purchase history
- Wishlist items
- Product reviews and ratings
From Sellers:
- Full name or business name
- Email address
- Physical business address
- Phone number
- Bank account information for payments
- Company number & VAT number where appropriate
- Product listings and descriptions
- Sales history
- Customer service interactions
2.2 Non-Personal Information
Device Information:
- Type of device used (e.g., desktop, mobile, tablet)
- Operating system
- Browser type and version
- Device identifiers (e.g., IP address)
Usage Data:
- Pages visited on our platform
- Time spent on each page
- Links clicked
- Search queries
- Products viewed
- Interaction with features (e.g., use of filters, sorting options)
Cookies and Tracking Technologies:
- We use cookies, web beacons, and similar technologies to enhance your experience, analyse trends, and administer the website
- This may include information on how you arrived at our site, your browsing behaviour, and your interactions with our marketing communications
2.3 Information from Third Parties
We may collect information about you from other sources, including:
- Social media platforms (if you choose to connect your Cranxs account with social media)
- Credit check agencies (for sellers, to verify business information)
- Public databases
- Marketing partners
- Other users who may provide information about you (e.g., if they send a product to you as a gift)
We collect and process this information only when necessary for the operation of our platform, to fulfill our contractual obligations, or when we have a legitimate interest to do so, always in compliance with applicable data protection laws.
3. How We Use Your Information
At Cranxs, we use your information for various purposes to provide, maintain, and improve our services. All data processing is conducted in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Here's how we use your information:
3.1 Core Platform Functions
- Account Creation and Management: We use your personal information to create and maintain your Cranxs account, allowing you to access personalised features, save preferences, and manage your profile.
- Transaction Processing: Your information is essential for processing purchases, sales, and payments. This includes verifying transactions, issuing receipts, and facilitating refunds when necessary.
- Communication Between Buyers and Sellers: We enable secure communication between parties to discuss products, arrange shipments, and resolve any issues related to transactions.
3.2 Platform Improvement
- Analytics and Performance Optimisation: We analyse user behaviour and platform performance to identify areas for improvement, enhance user experience, and optimise our services.
- Product Development: Insights gained from usage data help us develop new features, refine existing ones, and make informed decisions about our product roadmap.
3.3 Marketing and Advertising
- Personalised Recommendations: We use your browsing and purchase history to suggest products that may interest you.
- Marketing Communications: With your consent, we may send you newsletters, promotional offers, and updates about Cranxs services via email or push notifications.
- Targeted Advertising: We may use your information to display relevant advertisements on our platform and on third-party websites, in compliance with UK advertising regulations.
3.4 Legal and Security Purposes
- Fraud Prevention: We use data analytics to detect and prevent fraudulent activities, protecting both buyers and sellers on our platform.
- Legal Compliance: We process your information to comply with legal obligations, including responding to lawful requests from public authorities and maintaining required business records.
- Platform Security: Your data helps us monitor and enhance the security of our platform, protecting against unauthorised access, data breaches, and other potential threats.
- Dispute Resolution: In case of disputes between users or legal issues, we may use relevant information to resolve conflicts and enforce our terms of service.
All data processing activities are conducted on the lawful bases set out in the UK GDPR, including contract performance, legal obligation, legitimate interests, and consent where required. We do not engage in automated decision-making or profiling that would produce legal effects or similarly significant impacts on our users.
We retain your information only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. You have the right to object to certain uses of your information, and you can learn more about your data protection rights in the "User Rights" section of this policy.
4. Information Sharing and Disclosure
At Cranxs, we understand the importance of your privacy and are committed to sharing your information only when necessary to provide our services or as required by law. Here's how we may share your information:
4.1 Sharing Between Users (buyers and sellers)
- To facilitate transactions, we share certain information between buyers and sellers:
  - Buyers: When you make a purchase, we provide the seller with your name, shipping address, and any specific instructions you've given for the order.
  - Sellers: When you list an item, we share your shop name, general location, and any public profile information you've chosen to display.
- We enable direct communication between buyers and sellers through our platform's messaging system, but we do not share personal contact details unless explicitly authorised by both parties.
4.2 Service Providers and Partners
- We engage trusted third-party service providers to perform various functions on our behalf. These may include:
  - Payment processors to handle transactions securely
  - Shipping and logistics partners to facilitate product delivery
  - Cloud storage providers to host our data securely
  - Analytics services to help us understand and improve our platform's performance
- These service providers are contractually obligated to use your information solely for the purposes of providing services to Cranxs and must comply with strict data protection requirements in line with UK GDPR.
4.3 Legal Requirements and Business Transfers
- Legal Compliance: We may disclose your information if required to do so by law, or in response to valid requests from public authorities (e.g., a court or government agency).
- Protection of Rights: We may share information to enforce our terms of service, protect our rights, privacy, safety, or property, and that of our users or others.
- Business Transfers: If Cranxs is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information.
4.4 With User Consent
- Other than as described in this policy, we will only share your personal information with third parties when we have your explicit consent to do so.
- You may choose to share your own information publicly, such as by posting product reviews or participating in community forums. Please be aware that any information you share in these ways becomes public and may be collected and used by others.
We ensure that any third parties with whom we share your information are subject to strict data protection obligations and are compliant with UK data protection laws. We do not sell your personal information to third parties.
When transferring data outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office.
You have the right to object to certain types of data sharing. For more information on your rights and how to exercise them, please refer to the "User Rights" section of this policy.
5. User Choices and Controls
At Cranxs, we believe in empowering our users with control over their personal information. We provide several ways for you to manage your data and privacy preferences:
5.1 Account Information
- Access and Update: You can review and update your account information at any time by logging into your Cranxs account and visiting your account settings page.
- Data Portability: You have the right to request a copy of the personal data we hold about you in a structured, commonly used, and machine-readable format.
- Deletion: You can request the deletion of your account and associated personal data. Please note that some information may be retained for legal or legitimate business purposes.
To exercise these rights, please contact our Data Protection Officer at privacy@cranxs.co.uk. We will respond to your request within one month, as required by UK GDPR.
5.2 Communication Preferences
- Marketing Communications: You can opt out of receiving marketing emails from Cranxs at any time by:
  - Clicking the "unsubscribe" link at the bottom of our marketing emails
  - Adjusting your communication preferences in your account settings
  - Contacting our customer support team
- Transactional Emails: You will continue to receive transaction-related communications (e.g., order confirmations, delivery updates) as these are essential to our service.
- Push Notifications: You can manage push notifications from the Cranxs app through your device settings.
5.3 Cookies and Tracking Technologies
- Cookie Preferences: When you first visit our website, you'll be presented with a cookie banner allowing you to manage your cookie preferences. You can change these settings at any time by clicking on the "Cookie Settings" link in our website footer.
- Essential Cookies: Please note that certain cookies are necessary for the functioning of our website and cannot be disabled.
- Do Not Track: We honour Do Not Track (DNT) signals. When DNT is enabled in your browser, we will not use analytics or advertising cookies.
- Third-Party Tracking: You can opt out of third-party tracking networks using tools like the Digital Advertising Alliance's WebChoices tool.
- Browser Settings: Most web browsers allow you to control cookies through their settings preferences. However, limiting cookies may impact your experience using our website.
Remember, while you have the right to object to certain processing of your data, this may affect our ability to provide specific services to you.
We are committed to respecting your choices and will make every effort to honour your preferences. If you have any questions or concerns about your privacy controls, please don't hesitate to contact us at privacy@cranxs.co.uk.
We regularly review and update our privacy practices to ensure compliance with UK data protection laws, including the UK GDPR and the Data Protection Act 2018. Any significant changes to these controls will be communicated to you through our website or via email.
6. Data Retention and Deletion
At Cranxs, we are committed to retaining your personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
6.1 Retention Periods
- Active Accounts: We retain your personal data for as long as you maintain an active account with Cranxs.
- Inactive Accounts: If your account becomes inactive, we will retain your data for a period of 24 months, after which it will be deleted or anonymised unless retention is necessary for legal or regulatory reasons.
- Transaction Data: We retain transaction data for 6 years to comply with UK tax laws and to handle any potential disputes.
- Communication Records: Customer service communications are retained for 2 years to ensure continuity of service and address any ongoing issues.
- Marketing Data: If you've opted in to receive marketing communications, we retain your contact details for this purpose until you opt out or request deletion.
6.2 Account Deletion Process
- Initiation: Contact our Data Protection Officer at privacy@cranxs.co.uk to request account deletion.
- Verification: We'll verify your identity to ensure the request is legitimate.
- Review: We'll review your account for any outstanding obligations (e.g., ongoing transactions, unresolved disputes).
- Deletion: Once cleared, we'll proceed with the deletion of your account and personal data.
- Confirmation: You'll receive a confirmation email once the deletion is complete.
Please note that the deletion process may take up to 30 days to complete. Some information may be retained for legal or legitimate business purposes, such as fraud prevention or to comply with our legal obligations.
6.3 Data Anonymisation
Where possible, rather than deleting data entirely, we may choose to anonymise it. This process removes all personally identifiable information, leaving only non-personal data that we may use for analytical purposes. Our anonymisation process ensures that it is not possible to re-identify individuals from the retained data.
- Usage Data: After the retention period, we anonymise usage data to gain insights into overall platform performance and user behaviour without identifying specific individuals.
- Transaction Records: While personal details are removed, anonymised transaction data may be retained for statistical and business intelligence purposes.
We regularly review our retention periods and anonymisation processes to ensure they align with UK data protection laws, including the UK GDPR and the Data Protection Act 2018.
If you have any questions about our data retention practices or wish to request the deletion of your data, please contact our Data Protection Officer at privacy@cranxs.co.uk. We are committed to handling your request promptly and in accordance with applicable UK data protection regulations.
7. Data Security Measures
At Cranxs, we take the security of your personal data very seriously. We implement and maintain appropriate technical and organisational measures to protect your information against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
7.1 Technical Safeguards
- Encryption: We use industry-standard encryption protocols (SSL/TLS) to protect data in transit between your device and our servers. Sensitive data, such as payment information, is encrypted at rest using strong encryption algorithms.
- Access Controls: We implement strict access controls and authentication mechanisms to ensure that only authorised personnel can access user data. This includes multi-factor authentication for our staff and role-based access control.
- Firewalls and Intrusion Detection: Our infrastructure is protected by advanced firewalls and intrusion detection systems to prevent unauthorised access attempts.
- Regular Security Updates: We conduct regular security updates and patches to all our systems to address any known vulnerabilities.
- Data Backups: We perform regular backups of our data to ensure quick recovery in case of any unforeseen events, while maintaining the security and integrity of the backed-up data.
7.2 Organisational Safeguards
- Staff Training: All Cranxs employees undergo regular data protection and security awareness training to ensure they understand their responsibilities in handling personal data.
- Data Protection Officer: We have appointed a Data Protection Officer to oversee our data protection strategy and ensure compliance with UK data protection laws.
- Information Security Policies: We maintain comprehensive information security policies that are regularly reviewed and updated to address evolving threats and regulatory requirements.
- Incident Response Plan: We have a robust incident response plan in place to quickly address any potential data breaches or security incidents.
7.3 Third-Party Security Practices
- Vendor Assessment: We carefully select our third-party service providers and assess their security practices to ensure they meet our high standards for data protection.
- Contractual Obligations: Our contracts with third-party providers include strict data protection clauses that require them to maintain appropriate security measures and comply with UK data protection laws.
- Regular Audits: We conduct regular security audits of our third-party providers to ensure ongoing compliance with our security requirements.
- Data Transfer Safeguards: When transferring data outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office.
While we implement these security measures, it's important to note that no method of transmission over the Internet or electronic storage is 100% secure. We encourage users to take their own precautions to protect their personal data, such as using strong passwords and not sharing account credentials.
If you have any concerns about the security of your data or notice any suspicious activities, please contact us immediately at security@cranxs.co.uk.
We continually evaluate and enhance our security measures to protect your data in accordance with UK data protection laws, including the UK GDPR and the Data Protection Act 2018. Our commitment to data security is ongoing, and we strive to stay ahead of emerging threats and best practices in information security.
8. Children's Privacy
At Cranxs, we are committed to protecting the privacy of children and complying with all applicable laws and regulations regarding the online privacy of minors, including the UK GDPR and the Age Appropriate Design Code (also known as the Children's Code).
8.1 Age Restrictions
- Cranxs is not intended for use by individuals under the age of 18.
- We do not knowingly collect or solicit personal information from anyone under the age of 18 or knowingly allow such persons to register for our services.
- If you are under 18, please do not attempt to register for Cranxs or send any personal information about yourself to us.
8.2 Handling of Minors' Data
- Inadvertent Collection: If we learn that we have collected personal information from a person under age 18 without verification of parental consent, we will take steps to remove that information from our servers as quickly as possible.
- Parental Rights: If you believe we might have any information from or about a child under 18, please contact us immediately at privacy@cranxs.co.uk. We will promptly investigate and take appropriate action.
- Notification: In the event we discover that a child under 18 has provided us with personal information, we will notify the parent or guardian and seek consent for the retention of this data or proceed with its deletion.
- No Targeting: We do not target our marketing or products to children under 18, nor do we knowingly allow children under 18 to use our services.
8.3 Special Considerations
- Content Filtering: While our platform is not intended for minors, we understand that cycling can be a family activity. We make efforts to ensure that content visible on our public pages is appropriate for all ages.
- Educational Resources: We provide clear, age-appropriate explanations of how we use personal data in our privacy notices and terms of service.
- Data Minimisation: In the unlikely event that we need to process a minor's data (e.g., as part of a family account), we will collect only what is necessary and use it only for the purpose it was collected.
We are committed to complying with the ICO's Age Appropriate Design Code, which sets out 15 standards for online services to follow to protect children's privacy. This includes:
- Always acting in the best interests of the child
- Providing high privacy settings by default
- Collecting and retaining only the minimum amount of personal data necessary
If you have any questions or concerns about our Children's Privacy practices, please contact our Data Protection Officer at privacy@cranxs.co.uk.
We regularly review and update our practices to ensure ongoing compliance with UK data protection laws and to maintain the highest standards of privacy protection for all our users, especially minors.
9. International Data Transfers
As a UK-based company, Cranxs primarily processes and stores data within the United Kingdom. However, in some instances, we may need to transfer your personal data outside the UK to provide our services effectively. We are committed to ensuring that your privacy rights are protected, even when your data crosses borders.
9.1 Cross-border Data Flow Information
- Data Storage: While our primary data storage is in the UK, we may use cloud services with servers located in other countries, particularly within the European Economic Area (EEA).
- Service Providers: Some of our third-party service providers may be based outside the UK, which could result in your data being processed in those countries.
- International Transactions: If you engage in transactions with sellers from other countries, some of your data may need to be transferred to facilitate these transactions.
9.2 Compliance with International Regulations
- UK GDPR Compliance: As a UK company, we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These regulations provide strict guidelines for international data transfers.
- Adequacy Decisions: Where possible, we prioritise data transfers to countries that have received an adequacy decision from the UK government, meaning they provide an equivalent level of data protection to the UK.
- Appropriate Safeguards: For transfers to countries without an adequacy decision, we implement appropriate safeguards as required by the UK GDPR, such as:
  - Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
  - Binding Corporate Rules for intra-group transfers (if applicable)
  - Codes of Conduct or Certification Mechanisms approved under the UK GDPR
- European Union: While the UK is no longer part of the EU, we continue to align our practices with the EU GDPR to facilitate smooth data flows with EU countries and to protect the rights of any EU residents who may use our services.
- Other International Regulations: Although we primarily operate in the UK, we respect and comply with other international data protection regulations where applicable, such as:
  - The California Consumer Privacy Act (CCPA) for any California residents who may use our services
  - The Australian Privacy Principles (APPs) for Australian users
  - The Personal Information Protection and Electronic Documents Act (PIPEDA) for Canadian users
9.3 Transparency and Control
- We are committed to transparency regarding international data transfers. You can request information about the specific countries where your data may be processed by contacting our Data Protection Officer.
- You have the right to object to the international transfer of your personal data. If you wish to exercise this right, please contact us at privacy@cranxs.co.uk.
9.4 Risk Mitigation
- We conduct regular risk assessments for international data transfers and implement additional measures where necessary to ensure an adequate level of protection for your personal data.
- In the event that we cannot ensure an adequate level of protection for your data in a particular country, we will seek your explicit consent before transferring your data to that location, or we will not proceed with the transfer.
We continuously monitor changes in international data protection laws and update our practices accordingly to ensure ongoing compliance and protection of your personal data, regardless of where it is processed.
If you have any questions or concerns about our international data transfer practices, please don't hesitate to contact our Data Protection Officer at privacy@cranxs.co.uk.
10. User Rights
At Cranxs, we are committed to upholding your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a user of our platform, you have several rights concerning your personal data:
10.1 Access to Personal Information
- You have the right to request access to the personal data we hold about you.
- We will provide you with a copy of your data in a clear, concise, and easily accessible format.
- We aim to respond to access requests within one month, as required by law.
10.2 Correction and Update of Information
- You have the right to request that we correct any inaccurate personal data we hold about you.
- You can update most of your information directly through your Cranxs account settings.
- For information that you cannot update yourself, please contact us, and we will make the necessary corrections promptly.
10.3 Data Portability
- You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- You can request that we transfer this data directly to another data controller where technically feasible.
- This right applies to automated data that you have provided to us based on consent or for contract fulfilment.
10.4 Right to be Forgotten
- You have the right to request the erasure of your personal data under certain circumstances, such as when the data is no longer necessary for the purpose it was collected.
- We will comply with such requests unless we have a legal obligation to retain the data.
- Please note that exercising this right may affect our ability to provide you with certain services.
10.5 Withdrawal of Consent
- Where we process your data based on consent, you have the right to withdraw that consent at any time.
- Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.
- You can withdraw consent for marketing communications through your account settings or by contacting us directly.
10.6 Additional Rights
- Right to Restrict Processing: You can request that we restrict the processing of your personal data in certain circumstances.
- Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
10.7 How to Exercise Your Rights:
To exercise any of these rights, please contact our Data Protection Officer at privacy@cranxs.co.uk.
We will respond to your request within one month, as required by law. In complex cases, we may extend this period by an additional two months, but we will inform you of any such extension within the first month.
10.8 Verification:
To protect your privacy, we may need to verify your identity before processing your request. We may ask for additional information to confirm your identity.
10.9 No Fee Usually Required:
You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.
We are committed to facilitating the exercise of your rights and ensuring that you have control over your personal data. If you have any questions about your rights or how to exercise them, please don't hesitate to contact us.
11. Third-Party Links and Services
At Cranxs, we strive to provide a comprehensive cycling marketplace experience. In doing so, we may include links to third-party websites or integrate with external services. This section outlines our policy regarding these third-party connections.
11.1 Disclaimer about External Sites and Services
- External Links: Our platform may contain links to other websites or services that are not owned or controlled by Cranxs. These links are provided for your convenience and information.
- No Endorsement: The presence of any third-party links on our platform does not imply endorsement or approval of these sites by Cranxs. We do not take responsibility for the content, privacy policies, or practices of any third-party sites or services.
- Independent Entities: These third-party websites and services are independent entities. Clicking on their links or enabling those connections may allow them to collect or share data about you.
- Limited Control: We do not control and are not responsible for the privacy practices of these third parties. Once you leave our website or use a third-party service linked from our platform, you are no longer governed by this Privacy Policy or our Terms of Service.
11.2 Encouragement to Review Third-Party Privacy Policies
- Due Diligence: We strongly encourage you to read the privacy policies and terms of service of any third-party websites or services you visit or use through links or integrations on our platform.
- Informed Decisions: Understanding how these third parties collect, use, and share your information will help you make informed decisions about using their services.
- Varying Practices: Be aware that privacy practices can vary significantly between different websites and services. What is acceptable to share on one platform may not align with your preferences on another.
- Regular Reviews: As privacy policies can change over time, we recommend periodically reviewing the policies of third-party services you frequently use in connection with Cranxs.
11.3 Specific Third-Party Services
- Payment Processors: We use reputable third-party payment processors to handle transactions. While we carefully select these partners, their use of your financial information is governed by their respective privacy policies.
- Social Media Integrations: If you choose to connect your Cranxs account with social media platforms, please review the privacy settings on your social media accounts and the relevant platform's privacy policy.
- Analytics and Advertising: We may use third-party analytics and advertising services. These services may use cookies and similar technologies to collect data about your use of our platform.
11.4 Protection Measures
- Data Minimisation: We strive to share only necessary information with third-party services to facilitate their functions.
- Contractual Safeguards: Where possible, we enter into agreements with third-party service providers to ensure they handle your data responsibly and in compliance with applicable data protection laws.
If you have any questions or concerns about how a third-party service linked from our platform may use your information, we encourage you to contact that third party directly.
If you believe a linked third-party service is not adhering to adequate privacy standards, please inform us at privacy@cranxs.co.uk, and we will review the situation promptly.
12. Changes to the Privacy Policy
At Cranxs, we are committed to maintaining the accuracy and relevance of our Privacy Policy. We recognise that privacy regulations, our business practices, and our users' needs may evolve over time. As such, we may update this Privacy Policy periodically to reflect these changes.
12.1 Process for Updating the Policy
- Regular Reviews: We conduct regular reviews of our Privacy Policy to ensure it remains current with our practices, legal requirements, and industry standards.
- Legal Compliance: Our legal team and Data Protection Officer work together to ensure any updates comply with UK data protection laws, including the UK GDPR and the Data Protection Act 2018.
- Approval Process: Any proposed changes to the Privacy Policy undergo a thorough internal review and approval process before implementation.
- Version Control: We maintain a versioning system for our Privacy Policy, with each update clearly marked with its effective date.
- Archived Versions: Previous versions of our Privacy Policy are archived and remain accessible for reference.
12.2 Notification of Significant Changes
We believe in transparency and want to ensure you're always aware of how we handle your personal data. Here's how we'll notify you of changes to our Privacy Policy:
- Website Notice: We will post a prominent notice on the Cranxs website to inform users of any significant changes to our Privacy Policy.
- Email Notifications: For material changes that significantly affect your rights or how we use your personal data, we will send an email notification to the email address associated with your Cranxs account.
- In-App Notifications: Users of our mobile app will receive an in-app notification about significant Privacy Policy updates.
- Effective Date: The top of the Privacy Policy will always show the date it was last updated.
- Grace Period: For material changes, we will provide a reasonable grace period before the new terms become effective, giving you time to review the changes and decide if you want to continue using our services.
- Consent: In some cases, where required by law or where we believe it's appropriate, we may ask for your explicit consent to continue using our services under the updated Privacy Policy.
12.3 Your Responsibility
- We encourage you to review our Privacy Policy periodically to stay informed about how we protect your personal data.
- Your continued use of Cranxs services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
- If you do not agree with the changes to our Privacy Policy, you should discontinue using our services and contact us to close your account.
12.4 Questions or Concerns
If you have any questions or concerns about changes to our Privacy Policy, please don't hesitate to contact our Data Protection Officer at privacy@cranxs.com. We're always happy to provide clarification or additional information about our privacy practices.
Remember, your privacy is important to us, and we strive to be as transparent as possible about how we handle your personal data. By keeping our Privacy Policy up-to-date and notifying you of significant changes, we aim to maintain your trust and ensure you can make informed decisions about your data.
13. Contact Information
At Cranxs, we value your privacy and are committed to addressing any questions, concerns, or requests you may have regarding your personal data. We have dedicated resources to ensure your privacy-related enquiries are handled promptly and effectively.
For all privacy-related matters, you can reach out to our Data Protection Officer (DPO) and privacy team at privacy@cranxs.co.uk.
Our DPO is responsible for overseeing compliance with UK data protection laws and serves as your primary point of contact for privacy-related matters.
13.1 Process for Submitting Privacy-Related Enquiries or Complaints
We are committed to addressing your privacy concerns promptly and transparently. Here's how you can submit an inquiry or complaint:
- Online Form: Visit our website at www.cranxs.co.uk/contact to fill out our contact form.
- Email: Send your inquiry or complaint directly to privacy@cranxs.co.uk. Please include "Privacy Inquiry" or "Privacy Complaint" in the subject line.
When submitting an inquiry or complaint, please provide:
- Your full name
- Your Cranxs account email address (if applicable)
- A detailed description of your inquiry or complaint
- Any relevant documentation or evidence
13.2 Our Response Process
- Acknowledgement: We will acknowledge receipt of your inquiry or complaint within 3 business days.
- Investigation: Our privacy team will thoroughly investigate your concern, which may involve consulting with relevant departments within Cranxs.
- Response: We aim to provide a substantive response within 30 days, as required by UK GDPR. If the matter is complex and requires more time, we will inform you of the delay and provide regular updates.
- Resolution: We will work diligently to resolve your inquiry or complaint to your satisfaction, in compliance with applicable data protection laws.
- Appeal: If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). We will provide you with the necessary information to do so.
13.3 Your Right to Lodge a Complaint
While we hope to resolve all privacy matters internally, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Helpline: 0303 123 1113
We are committed to protecting your privacy rights and maintaining your trust. Don't hesitate to contact us with any privacy-related questions or concerns. Your feedback helps us continually improve our privacy practices and ensure we meet the highest standards of data protection.
14. Jurisdiction-Specific Provisions
14.1 United Kingdom (UK GDPR and Data Protection Act 2018)
Legal Basis for Processing:
Under the UK GDPR, we process your personal data on the following legal bases:
- Contract: Processing necessary for the performance of our contract with you
- Legitimate Interests: Processing necessary for our legitimate interests, provided your rights do not override these interests
- Consent: Where you have given clear consent for us to process your personal data for a specific purpose
- Legal Obligation: Processing necessary for compliance with a legal obligation to which we are subject
Data Subject Rights:
As a UK resident, you have the following rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure ('right to be forgotten')
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making and profiling
To exercise these rights, please contact our Data Protection Officer as outlined in Section 13.
Data Transfers Outside the UK:
When transferring data outside the UK, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions issued by the UK government
- Standard Contractual Clauses approved by the UK Information Commissioner's Office
- Binding Corporate Rules (if applicable)
14.2 International Users
While Cranxs primarily operates in the UK, we recognize that users may access our services from other countries. If you are accessing Cranxs from outside the UK:
- Your personal data may be transferred to, stored, and processed in the UK or other countries where our servers are located
- By using our services, you consent to any transfer of your personal data
- We will ensure that transfers of your personal data are carried out in accordance with applicable data protection laws and that appropriate safeguards are in place
14.3 European Economic Area (EEA) Users
For users in the EEA, we comply with the principles of the EU GDPR:
- We may rely on adequacy decisions issued by the European Commission for data transfers to the UK
- You have the right to lodge a complaint with your local data protection authority in the EEA
14.4 Other Relevant Jurisdictions
As Cranxs expands its operations, we are committed to complying with local data protection laws in any jurisdiction where we operate. This includes:
- Monitoring changes in international data protection regulations
- Updating our practices and this policy to reflect new legal requirements
- Appointing local representatives where required by law
If you are accessing our services from a country other than the UK and have specific data protection queries related to your jurisdiction, please contact our Data Protection Officer for clarification.
We are committed to maintaining high standards of data protection regardless of your location. If you have any questions about how your data is handled in your specific jurisdiction, please don't hesitate to contact us.
15. Dispute Resolution
At Cranxs, we are committed to addressing and resolving any privacy-related concerns you may have. We believe in fair, transparent, and efficient dispute resolution processes. This section outlines how we handle privacy-related disputes and the applicable legal framework.
Process for Resolving Privacy-Related Disputes
- Initial Contact:
  - We encourage you to first contact our Data Protection Officer with any privacy-related concerns or complaints, as detailed in Section 13 (Contact Information).
  - Email: privacy@cranxs.co.uk
- Internal Review:
  - Upon receiving your complaint, our Data Protection Officer will conduct an initial review within 5 business days.
  - We will acknowledge receipt of your complaint and provide an estimated timeframe for resolution.
- Investigation:
  - Our privacy team will thoroughly investigate your concern, which may involve reviewing relevant data, consulting with internal departments, and examining our privacy practices.
  - We aim to complete our investigation within 30 days, but complex issues may require more time.
- Resolution Proposal:
  - Following our investigation, we will propose a resolution to your dispute.
  - This may include explanations of our practices, corrections to your data, changes to our processes, or other appropriate remedies.
- Dialogue and Negotiation:
  - We are open to discussing our proposed resolution with you and will make every reasonable effort to address your concerns satisfactorily.
  - This may involve further correspondence or discussions to reach a mutually agreeable outcome.
- Alternative Dispute Resolution (ADR):
  - If we cannot resolve the dispute through direct negotiation, we offer the option of participating in a non-binding ADR process.
  - We work with [Insert name of ADR provider], an independent dispute resolution service specializing in privacy matters.
- Regulatory Recourse:
  - If you are unsatisfied with the outcome of our internal process or ADR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection authority.
Applicable Law and Jurisdiction
- Governing Law: This Privacy Policy and any disputes arising from it are governed by the laws of England and Wales.
- Jurisdiction: Any legal proceedings related to this Privacy Policy or your personal data shall be brought exclusively in the courts of England and Wales.
- Applicable Regulations: Our privacy practices and dispute resolution processes comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
- International Users: If you are accessing our services from outside the UK, please note that your information may be transferred to, stored, and processed in the UK. By using our services, you consent to this transfer, storing, and processing in accordance with this Privacy Policy.
- Conflict of Laws: In the event of any conflict between the English version of this Privacy Policy and any translation into another language, the English version shall prevail.
We are committed to resolving disputes fairly and efficiently. Our goal is to maintain your trust and ensure that your privacy rights are respected. If you have any questions about our dispute resolution process or need to initiate a complaint, please don't hesitate to contact our Data Protection Officer.
Remember, you also have the right to seek judicial remedy or to lodge a complaint directly with the ICO at any time, regardless of our internal dispute resolution process.
16. Definitions
To ensure clarity and understanding throughout this Privacy Policy, we've provided clear explanations of key terms used:
Personal Data
Any information relating to an identified or identifiable natural person ('data subject'). This includes names, identification numbers, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Processing
Any operation performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller
The entity that determines the purposes and means of the processing of personal data. In this case, Cranxs Ltd is the data controller.
Data Processor
An entity that processes personal data on behalf of the controller.
Data Subject
The individual to whom the personal data relates, typically a user of Cranxs services.
Consent
Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
Legitimate Interest
A lawful basis for processing personal data, where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Data Protection Officer (DPO)
The person appointed to oversee data protection strategy and implementation to ensure compliance with GDPR requirements.
Cookies
Small text files placed on your device to store data that can be recalled by a web server in the domain that placed the cookie.
IP Address
A unique address that identifies a device on the Internet or a local network.
Encryption
The process of converting information or data into a code to prevent unauthorised access.
Pseudonymisation
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
Data Portability
The right for a data subject to receive personal data concerning them in a structured, commonly used, and machine-readable format, and to transmit those data to another controller.
Profiling
Any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Cross-border Processing
Processing of personal data which takes place in the context of the activities of establishments in more than one country.
Supervisory Authority
An independent public authority established by a Member State (in the UK, this is the Information Commissioner's Office).
UK GDPR
The United Kingdom General Data Protection Regulation, the UK's data privacy law based on the EU GDPR but adapted for the UK context.
Data Protection Act 2018
The UK's data protection law that works alongside the UK GDPR.
Special Category Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
These definitions are provided to help you understand the terminology used throughout our Privacy Policy. If you have any questions about these terms or how they apply to your personal data, please contact our Data Protection Officer.