Privacy Policy

This Privacy Policy governs the way Croftech Ltd collects, uses, maintains, and discloses information collected from users (each, a “User”) of the website (“Site”). This privacy policy applies to the Site and all products and services offered by Croftech Ltd.


By accessing or using the Site, you agree to this privacy policy. This privacy policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of the Site after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.


  1. CROFTECH LTD, a company registered in England and Wales with company number 13093853 and having its registered address at 20-22 Wenlock Road, London, England, N1 7GU (“the Data Controller”).
  2. All individuals whose Personal Data is collected and processed by the Data Controller (“Data Subjects”).

1. Background

  • Croftech Ltd collects and uses Personal Data for the following purposes:
    • To provide and improve our services.
    • To develop new services.
    • To protect the security or integrity of our services.
    • To personalise services and enhance your experience.
    • To better understand how users interact with our services.
    • To improve our services, develop new features or services; and
    • To customize our services to your interests and preferences.
  • This Privacy Policy sets out how Croftech Ltd will collect and process Personal Data and ensure it is done in accordance with the relevant data protection laws applicable in the United Kingdom, in particular the General Data Protection Regulation (EU) 2016/679 (“UK GDPR”) as enshrined in the Data Protection Act 2018 (“DPA 2018”) in England and Wales (together “the Data Protection Laws”).
  • The Data Protection Laws define “Personal Data” as any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
  • Data Subjects have certain rights over their Personal Data which are set out in this Privacy Policy, including the rights of access, rectification, erasure, and restriction of processing.

2. Definitions

  • “Company”, “we”, “us”, and “our” refer to Croftech Ltd.
  • “you” and “your” refer to the user or customer.
  • “Personal data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • “Special category data” refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • “Data subject” means a living, identified or identifiable individual about whom we hold personal data.
  • References to the “Controller” and “Processor” are references to the definitions in the UK GDPR and DPA 2018.

3. Information we collect about you

  • Types of Information Collected. We may collect and process the following types of personal information about you:
    • Identity data including first name, last name, username or similar identifier, marital status, title, date of birth and gender.
    • Contact data including billing address, delivery address, email address and telephone numbers.
    • Financial data including payment card details, bank account details.
    • Transaction data including details about payments to and from you and other details of purchases and orders made by you.
    • Technical data including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
    • Profile data including your username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses; and
    • Usage data including information about how you use our website, products, and services.
  • Sources of Information. We will collect personal information directly from you and from third parties.
  • Special Categories of Personal Data. We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).
  • Purposes of Collection. We only collect and use your personal information when the law allows us to.

4. How we use your information

  • We will only process your Personal Data where we have a lawful basis to do so. The lawful bases we rely on are:
    • Performance of a contract: Where your Personal Data needs to be processed for the performance of a contract with you, or in order to take steps at your request prior to entering into a contract.
    • Legitimate interests: We may process your Personal Data for our legitimate business interests, such as to provide and improve our services, to prevent fraud and for direct marketing.
  • We will process your Personal Data for the following purposes:
    • To deliver services to you as requested, such as ERP Support and Development Services.
    • To manage our relationship with you, including notifying you about changes to our terms or privacy policy and asking you to leave a review or take a survey.
    • To administer your account, process payments and keep our records updated.
    • To operate, protect, improve, and optimise our services, systems, and website.
    • To send marketing communications to you where you have opted in to receive these. You can opt-out at any time by contacting us or clicking the unsubscribe link in any marketing message.
  • Where we process any special category data, such as health data, we will obtain your explicit consent in accordance with Article 9 of the UK GDPR.
  • We will not transfer your Personal Data outside of the European Economic Area.

5. Disclosure of your information

  • We may disclose your personal information to third parties in order to:
    • Provide you with the services, products, or information you have requested.
    • Comply with our legal obligations or assist law enforcement.
    • Prevent fraud or other illegal activities; and
    • As part of a sale, merger or change of control.
  • The categories of third parties with whom we may share your personal information include:
    • Service providers who help us to provide our services to you such as payment processors, analytics providers, and cloud storage providers; and
    • Other selected third parties we may disclose your personal information to such as other companies in our group.
  • We will only share your personal information with third parties where:
    • You have provided your consent for us to do so.
    • It is necessary to perform any contract we have with you.
    • It is necessary for our legitimate interests and not overridden by your data protection rights; or
    • We are legally required to share your personal information.
  • If we transfer personal information outside the UK or EEA, we will only do so where:
    • The country or organisation we are transferring personal information to has been deemed adequate by the European Commission; or
    • We have used specific tools approved by the European Commission to safeguard your personal information, such as the Standard Contractual Clauses.
  • You have the right to object to or restrict the processing of your personal information for disclosure purposes.
  • We will take reasonable steps to ensure any third parties we share your personal information with keep it secure and confidential consistent with this Privacy Policy.

6. International transfers of your information

  • Transfers to countries with adequacy decisions. The European Commission has decided some non-EEA countries provide adequate protection. Croftech Ltd may transfer personal information to the following countries without additional safeguards:
    • Japan
    • New Zealand
    • Switzerland
  • Transfers subject to appropriate safeguards. For transfers to countries without adequacy decisions, Croftech Ltd will ensure personal information is transferred subject to appropriate safeguards, including:
    • Standard data protection clauses approved by the European Commission
    • Binding corporate rules
    • Approved codes of conduct
    • Certification mechanisms
  • Transfers subject to derogations. Transfers may also be made where one of the derogations in Article 49 of the UK GDPR applies, such as where:
    • The data subject has explicitly consented to the proposed transfer
    • The transfer is necessary for performance of a contract or legal claim
    • Important reasons of public interest
  • Rights of data subjects. Data subjects have the right to request a copy of any safeguards used for transfers outside the EEA.

7. Data security

  • The Data Controller shall implement appropriate technical and organisational security measures to protect Personal Data from unauthorised or unlawful processing and accidental loss, destruction, or damage.
  • Such measures shall ensure a level of security appropriate to the risk, including as appropriate:
    • the pseudonymisation and encryption of Personal Data.
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
    • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
    • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • The Data Controller shall restrict access to Personal Data to authorised personnel who require such access for the purposes of this Privacy Policy.
  • In the event of a Personal Data breach, the Data Controller shall without undue delay notify the relevant supervisory authority and Data Subjects in accordance with its legal obligations.
  • The Data Controller shall take steps to ensure any third-party Data Processors handle Personal Data securely and in compliance with the Data Protection Laws.
  • The Data Controller shall review and audit its security policies and measures on a regular basis to ensure they remain compliant with the Data Protection Laws and identify areas and opportunities for improvement.

8. Data retention

  • The Data Controller shall retain Personal Data in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed.
  • The Data Controller shall retain Personal Data for the following periods for the processing purposes described:
    • Customer/client management – 6 years from the end of the provision of services/goods to the Data Subject for accounting purposes; 3 years from collection for direct marketing purposes.
    • Accounting records – 6 years from the end of the relevant tax year in accordance with applicable tax law.
  • The criteria used to determine the retention periods described in clause 7.2 include applicable statutory limitation periods and ongoing business needs.
  • At the end of the relevant retention period set out in clause 7.2, the Data Controller shall securely erase the Personal Data including by ensuring back-ups and archived copies are also deleted.
  • Personal Data may be retained for a longer period where expressly permitted by applicable law, to comply with legal/regulatory obligations, to prevent fraud, or to establish, exercise or defend legal claims.
  • Personal Data will be retained in an identifiable format while needed and anonymized/aggregated after the relevant retention period.

9. Your legal rights

  • Right of access. You have the right to request details of the personal information we hold about you under the UK GDPR and DPA 2018. You can request a copy of the personal information we hold by contacting us using the details set out in the ‘Contact’ section. We will provide this information to you within one month of your request, free of charge.
  • Right to rectification. You have the right to require us to rectify any inaccurate personal data or complete any incomplete personal data held about you without undue delay. You can do this by contacting us using the details set out in the ‘Contact’ section. We will respond to your request and provide the rectified or completed data within one month of your request, free of charge.
  • Right to erasure. You have the right to request that we erase your personal data where: (i) it is no longer necessary for us to retain such data; (ii) you withdraw your consent (where our processing was based on your consent); (iii) you object to the processing and there are no overriding legitimate grounds for the processing; (iv) your data has been unlawfully processed; or (v) your data must be erased for compliance with a legal obligation to which we are subject. We will respond to your request and erase the relevant personal data within one month of your request, free of charge.
  • Right to restriction of processing. You have the right to request that we restrict the processing of your personal data where: (i) you contest the accuracy of the personal data; (ii) processing is unlawful but you oppose erasure; (iii) we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; or (iv) you have objected to processing, pending the verification of that objection. We will confirm any restriction of processing to you within one month of your request, free of charge.
  • Right to data portability. Upon your request, we will provide you with your personal data which you provided to us in a structured, commonly used, and machine-readable format. You may also request us to transmit this data directly to another controller, where technically feasible.
  • Right to object. You have the right to object to our processing of your personal data where such processing is carried out on the basis of our legitimate interests. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or where we need to process your data to establish, exercise or defend legal claims.
  • Rights related to automated decision-making including profiling. You have rights related to any decision that is based solely on automated processing of your personal data, including profiling, where such decision produces legal effects or similarly significantly affects you. We do not carry out any automated decision making.

10. Changes to this privacy policy

  • We may update this privacy policy from time to time to ensure it remains up-to-date and accurately reflects how and why we use your personal data.
  • If any updates are material, we will notify you by email prior to the change becoming effective (the “Effective Date”) and update the version date at the bottom of this page.
  • By continuing to use the Services after the Effective Date, you accept the amended privacy policy.
  • If you do not agree to any changes we may make, you must stop using our Services.
  • We will notify you of any material changes to how we use your personal data and give you the opportunity to opt out of any new processing activities.
  • The latest version of this privacy policy will always be available on our website.

11. Complaints

  • If you wish to make a complaint about how your personal data is processed by Croftech Ltd, please contact our Data Protection Officer at
  • We will acknowledge receipt of your complaint within 3 working days of receipt and provide a full response within 28 calendar days. If we are unable to provide a full response within this timeframe, we will notify you along with a timeframe for response.
  • You also have the right to lodge a complaint with the Information Commissioner’s Office. You can contact the ICO via their website (, by telephone on 0303 123 1113 or in writing to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
  • We will retain records of all complaints and our responses for 5 years.