Master Privacy Policy
This Master Privacy Policy describes how Crocker Digital Ltd handles personal data across every product in our portfolio. Each product also has its own Privacy Policy on its own domain, describing the specific categories of data it collects and how long it keeps them.
Contents
- Who we are (data controller)
- Scope of this Policy
- Personal data we collect
- Where we get it from
- Why we process it (lawful bases)
- Special category data
- Who we share it with
- International transfers
- How long we keep it
- Your rights
- Security
- Cookies and tracking
- Children
- Automated decision-making
- Changes to this Policy
- Contact and complaints
1. Who we are (data controller)
Crocker Digital Ltd is the data controller for personal data processed through every product in our portfolio.
- Company
- Crocker Digital Ltd, a private limited company registered in England and Wales.
- Companies House number
- 17008789
- Registered office
- 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
- ICO registration
- ZC128626 (we pay the statutory data protection fee and are on the ICO's public register of controllers)
- Contact
- privacy@crockerdigital.co.uk — reply during normal UK business days
2. Scope of this Policy
This Master Policy covers entity-level principles that apply across every product: who the controller is, what lawful bases we rely on, which sub-processors we use across the whole portfolio, how international transfers are safeguarded, what your rights are, and how long we keep data as a general framework.
Each product's own Privacy Policy supplements this one by describing the specific categories of personal data that product collects, the specific retention periods for those categories, and any product-specific processing (for example, the statutory-records retention that tenancy or compliance products may require). Where the two documents describe the same point, the product-specific Privacy Policy is the more detailed reference for that product.
3. Personal data we collect
Across the portfolio, we collect the following general categories. Each product's Privacy Policy lists the specific fields collected by that product.
- Identity and contact data — name, email address, organisation, role, billing address.
- Account data — login credentials (hashed), authentication tokens, multi-factor authentication state, account preferences.
- Payment data — billing history, subscription state, tier, invoices. Full card details are handled by Stripe under PCI-DSS; we never see or store them.
- Usage data — records of actions you take within a product (for example, creating a document, running a tool, exporting a file), timestamps, IP address at the time of the action, user agent.
- Customer Data you put into a product — whatever content, documents, records, or inputs you enter to get the product's service. The specific categories vary sharply by product and are described in each product's own Privacy Policy.
- Support and communications data — emails you send us, feedback you submit in-product, records of our replies.
- Technical and analytics data — aggregate traffic patterns, page views, performance metrics, error reports. See Cookies and tracking.
4. Where we get it from
We collect personal data:
- Directly from you when you sign up, use a product, make a payment, or contact us;
- Automatically when you interact with a product (for example, session logs, usage telemetry, error reports);
- From our payment processor (Stripe) about your subscription and billing state;
- Very occasionally, from publicly available sources where we need to verify something about a business customer (for example, confirming a Companies House record).
We do not buy personal data from data brokers, and we do not use marketing lists acquired from third parties.
5. Why we process it (lawful bases)
Under UK GDPR, every processing activity needs a lawful basis. We rely on the following:
- Contract (Article 6(1)(b)) — to provide the product you have signed up for, bill you, give you support, and perform our obligations under the Terms. This covers most of our processing of your account and Customer Data.
- Legitimate interests (Article 6(1)(f)) — for the security of our products, fraud prevention, product improvement based on aggregate usage patterns, non-marketing transactional communications, and basic analytics needed to run the service. Where we rely on legitimate interests we balance them against your rights and interests; we have documented this assessment internally and will share the summary on request.
- Legal obligation (Article 6(1)(c)) — for keeping financial records (HMRC requirements), responding to lawful requests from public authorities, and complying with other UK statutory obligations.
- Consent (Article 6(1)(a)) — where we rely on consent, we ask for it clearly and you can withdraw it at any time. Typical examples: optional marketing emails, or any product feature that processes data beyond the baseline service description.
6. Special category data
Some of our products may process special category data under UK GDPR Article 9 (for example, health and safety records in compliance products, or data that could reveal health conditions in tenancy or workplace contexts). Where a specific product processes special category data, its own Privacy Policy identifies this explicitly and sets out the Article 9 condition we rely on (typically Article 9(2)(g) substantial public interest for compliance-record-keeping, or Article 9(2)(b) employment/social security obligations).
As a general portfolio rule, we do not process special category data unless a specific product's workflow requires it and the product's Privacy Policy documents the legal basis.
7. Who we share it with
We use the following sub-processors to run our products. Each is bound by a data-processing agreement or equivalent contractual terms that require them to protect your data to the standard UK GDPR requires.
| Sub-processor | Purpose | Primary processing location |
|---|---|---|
| Supabase | Database, authentication, file storage | European Union (eu-west-1) |
| Netlify | Website and application hosting, CDN | Global edge network (primary: United States) |
| Stripe Payments UK Ltd | Payment processing, subscription billing, customer portal, invoice generation | United Kingdom / Ireland |
| Resend | Transactional email delivery (receipts, notifications, account actions) | United States |
| Sentry | Error tracking and performance monitoring | United States |
| Upstash | Redis cache and rate limiting | European Union (primary: eu-west-1), global replicas |
| Cloudflare | DNS, bot protection (Turnstile CAPTCHA), edge security | Global edge network |
| Microsoft 365 | Business email, calendar, shared mailboxes for support and admin addresses | European Union / United Kingdom |
| GoatCounter | Cookieless, aggregate website analytics | European Union (Germany) |
We may engage additional sub-processors from time to time. When we do, we update this list, and existing customers can object to material changes — if an objection cannot be reasonably accommodated (for example, if the new sub-processor is essential to running the service), you can terminate the affected subscription and receive a pro-rata refund of prepaid fees for the period after termination.
We do not sell personal data. We do not share it with advertising networks or data brokers.
8. International transfers
Some of our sub-processors are based in, or process data from, countries outside the United Kingdom. Where a sub-processor processes personal data outside the UK, we rely on one or more of the following safeguards as permitted under UK GDPR:
- Adequacy decisions — for transfers to EEA countries and other jurisdictions the UK government has recognised as providing an adequate level of protection.
- International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses — for transfers to countries without an adequacy decision (for example, the United States). The IDTA / SCCs oblige the recipient to protect the data to a standard equivalent to UK GDPR.
- UK–US Data Bridge — where the US recipient is certified under the UK–US Data Bridge scheme.
We have carried out a transfer risk assessment for each sub-processor that processes UK data outside the UK, considering the local laws of the recipient country and supplementary measures where appropriate. A summary is available on request.
9. How long we keep it
As a general framework:
- Account data — for the duration of your subscription plus 30 days grace on cancellation (during which you can reactivate), then deleted or anonymised. A minimal pseudonymised record may be retained where required by law (for example, to meet HMRC's six-year record-keeping requirement for financial transactions).
- Customer Data — for the duration of your subscription. On cancellation, we retain it for a grace period (typically 30 days) during which you can export it via the product's export features, then delete it. Product-specific retention periods may be longer where a product is designed to keep a statutory compliance record (for example, a product that keeps audit trails required by a specific regulation); those are set out in the relevant product's own Privacy Policy.
- Billing and financial records — six years from the end of the financial year they relate to, to meet HMRC record-keeping obligations.
- Support communications — typically two years from the date of last contact, longer if the matter is ongoing or a dispute has been raised.
- Security and audit logs — typically 12 months, longer for specific events that need preservation for incident investigation.
- Cookieless analytics — aggregated indefinitely; individual session-level events typically 12 months.
Each product's own Privacy Policy specifies retention periods for that product's specific data categories.
10. Your rights
Under UK GDPR you have the following rights in relation to your personal data. We respond to requests within one month of receipt (extendable by two further months where a request is complex or you have made several, with notice to you).
- Access — you can ask for a copy of the personal data we hold about you, and information about how we process it.
- Rectification — you can ask us to correct inaccurate or incomplete data. Most account information can be corrected directly in-product; for other corrections, email us.
- Erasure ("right to be forgotten") — you can ask us to delete your personal data. This right is not absolute; we may need to retain some data to meet legal obligations (for example, HMRC financial records). Where we can delete, we will; where we cannot, we will explain the specific reason.
- Restriction of processing — you can ask us to limit how we process your data in defined circumstances (for example, while we verify the accuracy of data you have challenged).
- Objection — you can object to processing we base on legitimate interests. We will stop unless we can show compelling legitimate grounds that override your interests, or the processing is needed for establishing, exercising, or defending legal claims.
- Portability — for data you have provided to us and that we process based on consent or contract, you can ask for a copy in a common, machine-readable format. Most products provide this via built-in export features.
- Withdraw consent — where we rely on your consent for a processing activity, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
- Complaint to the ICO — you have the right to lodge a complaint with the Information Commissioner's Office (see Contact and complaints below). We would prefer to resolve the matter with you first, but the ICO route is always available to you.
To exercise any of these rights, email privacy@crockerdigital.co.uk. We may ask for reasonable proof of identity before acting on a request.
11. Security
We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure, appropriate to the risk. These include:
- Encryption in transit (TLS 1.2 or higher) for all connections to our products;
- Encryption at rest for databases and file storage at our hosting sub-processors;
- Hashed passwords using industry-standard algorithms (bcrypt or equivalent), with password-compromise detection against the Have I Been Pwned database;
- Bot protection on authentication flows (Turnstile CAPTCHA);
- Role-based access controls and tenant isolation within our database (row-level security policies);
- Logging and monitoring for security-relevant events;
- Regular patching and dependency updates;
- Limited internal access on a need-to-know basis;
- Data-processing agreements with all sub-processors.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and notify you without undue delay where required by law.
12. Cookies and tracking
This website (crockerdigital.co.uk) uses only strictly necessary cookies — it does not set marketing, advertising, or analytics cookies. Our aggregate website analytics (GoatCounter) is cookieless by design and captures only anonymised traffic patterns.
Individual products in our portfolio may set additional cookies or local-storage items needed to run that product (for example, a session cookie after login, a preference cookie for display settings, a CAPTCHA cookie set by Cloudflare Turnstile). Each product's own site describes its cookie use and, where relevant, provides a cookie preference control.
13. Children
Our products are not directed at, or intended for use by, children under 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 13 without verified parental consent (the UK statutory threshold for children's data), we will delete it. If you believe a child has provided us with personal data, please contact us.
14. Automated decision-making
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. Some of our products include automated features that support your own decision-making (for example, suggesting likely answers to a questionnaire, or classifying a substance under a regulatory schema); in those cases the output is a tool for you to review, not an automated decision that we apply without human involvement. The relevant product's own Privacy Policy explains this for that product.
15. Changes to this Policy
We may update this Master Privacy Policy from time to time. When we do, we will change the "Last updated" date at the top of this page. Material changes that affect how we handle your personal data will be notified to you by email at least 30 days before taking effect, using the email address associated with your account. Non-material changes (for example, adding a new product to the portfolio, updating a sub-processor entry, clarifying wording) take effect when published.
16. Contact and complaints
For any privacy question, to exercise a right, or to make a complaint, contact us first:
- privacy@crockerdigital.co.uk
- Post
- Crocker Digital Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
You also have the right to complain to the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Telephone: 0303 123 1113
- Website: ico.org.uk/make-a-complaint
We would appreciate the chance to resolve any concern with you first, but complaining to the ICO is always your right.