Privacy Policy
Last updated: 3 February 2026
1. Introduction
Crateful is a trading name of CRTYX HOLDINGS LIMITED, a company registered in England and Wales under company number 12383952 ("we", "us", "our").
We are the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use the Crateful platform ("the Service").
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Protection Officer
For any questions about this Privacy Policy or our data practices, please contact us:
Email: privacy@crateful.app
3. Information We Collect
3.1 Information You Provide
When you register and use the Service, we collect:
- Account Information: Email address, password (stored securely hashed), business name, contact name
- Business Details: Business address, telephone number, VAT number (where applicable)
- Profile Information: Company logo, brand colours (for wholesalers)
- Transaction Data: Stock lists, orders, product information, pricing data
- Communications: Contact form submissions, support requests, order notes
3.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Technical Data: IP address, browser type and version, device type, operating system
- Usage Data: Pages visited, features used, timestamps of actions
- Cookie Data: As described in our Cookie Policy
3.3 Information from Third Parties
We may receive information from:
- Payment Processor (Stripe): Payment status, subscription details, billing information
- Connected Integrations: If you connect Shopify, WooCommerce, or Discogs, we receive data necessary to provide integration features
4. Lawful Bases for Processing
We process your personal data on the following lawful bases under UK GDPR:
| Purpose | Lawful Basis |
|---|---|
| Providing the Service | Contract performance |
| Processing payments | Contract performance |
| Sending transactional emails (orders, deadlines) | Contract performance |
| Responding to support requests | Contract performance / Legitimate interests |
| Preventing fraud and abuse | Legitimate interests |
| Improving the Service | Legitimate interests |
| Legal compliance | Legal obligation |
| Marketing communications | Consent (where required) |
5. How We Use Your Information
We use your personal data to:
- Create and manage your account
- Provide the Service and its features
- Process orders and transactions between wholesalers and stores
- Send transactional notifications (new stock lists, order confirmations, deadline reminders)
- Process subscription payments through Stripe
- Respond to your enquiries and provide customer support
- Detect, prevent, and address fraud, abuse, or technical issues
- Improve and develop the Service
- Comply with legal obligations
- Enforce our Terms of Service
6. Sharing Your Information
We share your personal data with:
6.1 Connected Business Users
When you connect with other users on the platform:
- Stores can see wholesaler business names, contact information, and stock lists
- Wholesalers can see store business names, contact information, and order details
6.2 Service Providers
We use trusted third-party service providers:
- Stripe (USA): Payment processing. See Stripe Privacy Policy
- SendGrid/Twilio (USA): Transactional email delivery. See Twilio Privacy Policy
- MongoDB Atlas (Various): Database hosting. See MongoDB Privacy Policy
- UploadThing (USA): File storage and CDN. See UploadThing Privacy Policy
- Vercel (USA): Application hosting. See Vercel Privacy Policy
6.3 Optional Integrations
If you choose to connect third-party services, we share data necessary for those integrations:
- Shopify: Product data for creating store listings
- WooCommerce: Product data for creating store listings
- Discogs: Product data for marketplace listings
6.4 Legal Requirements
We may disclose your information if required by law, court order, or governmental authority, or to protect our rights, property, or safety, or that of others.
7. International Data Transfers
Some of our service providers are located outside the UK. When we transfer your personal data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner
- Transfers to countries with adequate data protection laws
- Binding Corporate Rules where applicable
8. Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 7 years for tax/legal compliance |
| Transaction records | 7 years (UK tax requirements) |
| Support communications | 3 years after resolution |
| Server logs | 90 days |
| Password reset tokens | 1 hour |
| Invite tokens | 7 days |
After account deletion, we anonymise or delete your data within 30 days, except where retention is required for legal compliance or legitimate business purposes.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption in transit (TLS/HTTPS) and at rest
- Secure password hashing using bcrypt with appropriate cost factor
- JWT-based authentication with secure token handling
- Rate limiting to prevent brute force attacks
- Input validation and sanitisation
- Regular security assessments
- Access controls limiting data access to authorised personnel
- Secure credential storage (API keys, integration tokens)
10. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of how we use your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Rights Related to Automated Decision-Making: We do not use automated decision-making that produces legal effects
To exercise any of these rights, please contact us at privacy@crateful.app. We will respond within one month.
You can also export your data or delete your account through your account settings.
11. Account Deletion
You can delete your account at any time through your account settings. When you request account deletion, we use an anonymisation approach rather than complete data deletion. This ensures:
- Your personal information is removed and replaced with anonymised placeholders
- Historical business records are preserved for other users (e.g., order history)
- Referential integrity is maintained across the platform
- Legal and tax compliance requirements are met
11.1 What Happens When You Delete Your Account
Upon account deletion, we immediately:
- Anonymise identifying information: Your email, business name, contact name, and other personal details are replaced with generic placeholders (e.g., "Deleted Wholesaler" or "Deleted Store")
- Remove sensitive data: Your password, phone numbers, VAT number, address, and any uploaded logos are permanently deleted
- Cancel active subscriptions: Any Stripe subscriptions are cancelled immediately
- Disconnect business relationships: For wholesalers, all connected stores are disconnected. For stores, you are removed from all wholesaler connections
- Delete user-specific data: Notifications, pending invitations, saved templates, and integration credentials are permanently deleted
- Invalidate your account: Your login credentials are invalidated, preventing any future access
11.2 What Is Preserved
To maintain business records for other users, certain structural data is retained in anonymised form:
- Order records: Historical orders are preserved so that counterparties (stores or wholesalers) can maintain their transaction history. These records will show the anonymised name instead of your original business name.
- Stock list records: For wholesalers, stock lists are closed and archived but retained for stores who may have ordered from them.
11.3 Deletion Confirmation
To prevent accidental deletion, you must confirm your identity by entering your password and typing "DELETE MY ACCOUNT" before the deletion process begins. This action is immediate and irreversible.
12. Cookies
We use cookies and similar technologies to operate the Service. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
13. Children's Privacy
The Service is intended for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service, and update the "Last updated" date.
We encourage you to review this Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated Policy.
15. Complaints
If you have concerns about how we handle your personal data, please contact us first at privacy@crateful.app. We will work to resolve your concerns.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
16. Contact Us
For any questions about this Privacy Policy or our data practices:
CRTYX HOLDINGS LIMITED
Trading as Crateful
Company Number: 12383952
Email: privacy@crateful.app