Privacy Policy — Grabzies

We may collect date of birth solely for the purpose of verifying age eligibility. This data is not used for marketing and is retained only as necessary for compliance.

Important: This policy reflects processing under UK data protection law (including the UK GDPR and the Data Protection Act 2018). If you are outside the UK, your data may still be transferred to and processed in the United Kingdom.

1. What personal information we collect

We collect information you provide directly and data collected automatically when you use our Website or Services. Typical categories include:

• Contact details: name, email, telephone number, billing/shipping address.
• Account data: username, password hash (we never store plaintext passwords), account preferences.
• Transaction data: order history, invoices, payment method metadata (note: full card data is handled by our payment processor and not stored by us).
• Technical & usage data: IP address, device details, browser type, pages visited, referral URL, cookies and analytics data.
• Communications: support requests, emails, call notes, and chat transcripts related to your account or orders.
• Marketing preferences: opt-in status, subscription preferences.

2. How we use your information

We use personal information for the following purposes (not exhaustive):

• To provide and deliver products and services, process orders and administer accounts.
• To communicate about orders, updates, security, and support.
• To personalise and improve our Website and services, and to analyse usage for product development.
• To process payments, prevent fraud and comply with legal obligations.
• To send marketing where you have consented (we provide simple unsubscribe options).

3. Lawful bases for processing

Under the UK GDPR, we rely on one or more lawful bases to process your data:

• Performance of a contract: processing necessary to provide the service you requested (e.g. build, host, or maintain a site).
• Legal obligation: where we must comply with law (e.g. tax, accounting, court orders).
• Consent: for marketing emails and non-essential cookies when you opt in.
• Legitimate interests: for fraud prevention, platform security, and business analytics — we balance these interests against your rights and freedoms.

4. Cookies and similar technologies

We use cookies and similar technologies for essential site functionality, analytics and optional marketing. You can control cookie settings via the cookie banner (where shown) or through your browser.

Categories we use:

• Essential: required for shopping cart, login, security and accessibility.
• Analytics: to measure and improve site performance (e.g. Google Analytics—anonymised where possible).
• Marketing: for advertising and remarketing (only with your consent where required).

For a full list of cookies we use, see our Cookie Policy.

5. Sharing and recipients

Unless otherwise disclosed in a written agreement, all third-party vendors and subprocessors are treated as proprietary. Vendor names are intentionally represented as “Your Name Here”.

We may share your personal data with:

• Trusted service providers and processors (payment processors, hosting providers, email delivery, analytics).
• Professional advisers and auditors where required to comply with legal obligations.
• Law enforcement, tax authorities, or courts if required by law.

We require processors to maintain appropriate security and process data only under our documented instructions. A non-exhaustive list of categories of processors we use (replace placeholders with vendor names as applicable):

• Payment processing: Your Name Payment Processor — e.g. Stripe / PayPal
• Hosting & storage: [Hosting Provider — e.g. AWS / DigitalOcean]
• Analytics & email delivery: [Analytics Provider / Email Provider]

6. International transfers

Your data may be transferred to, stored in, or processed in the United Kingdom and (where our processors operate) other countries. When transfers occur outside the UK/EEA we apply appropriate safeguards (e.g. EU/UK standard contractual clauses, binding corporate rules, or reliance on an adequacy decision) to protect your rights.

7. Data retention

We retain personal data only as long as necessary to fulfil the purposes described above, to comply with legal obligations (for example, accounting records), resolve disputes, and enforce our agreements. Typical retention periods include:

• Account information: retained while account is active and for up to 6 years after (for tax and accounting purposes).
• Transactional records and invoices: retained for 6 years (UK tax requirements).
• Marketing data: retained until you withdraw consent or unsubscribe.

8. Security

We implement organisational, technical and administrative measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures include encryption in transit, access controls, regular vulnerability testing and staff data protection training.

Despite these measures, no method of transmission over the Internet is 100% secure; we cannot guarantee absolute security.

9. Your rights

Under UK data protection law you may have the right to:

• Request access to personal data we hold about you (subject access request).
• Rectify inaccuracies in your personal data.
• Request erasure (right to be forgotten) in limited circumstances.
• Request restriction of processing.
• Object to processing where we rely on legitimate interests (including profiling).
• Request data portability where processing is based on consent or contract and carried out by automated means.
• Withdraw consent to marketing communications at any time.

To exercise any right, contact help@grabzies.com. We will respond in accordance with statutory timeframes (usually within one month). We may request identity verification to process certain requests.

11. Automated decision-making

We do not carry out automated decision-making that produces legal or similarly significant effects for individuals. If we introduce such processing we will notify you and provide information about the logic involved and your rights.

12. Complaints

If you are unhappy with our handling of your personal data you can:

• Contact us first at help@grabzies.com so we can attempt to resolve the issue; and
• If unresolved, you may complain to the UK Information Commissioner's Office (ICO): ico.org.uk (telephone: 0303 123 1113).

13. Changes to this policy

We may update this Privacy Policy from time to time. Where changes are material we will provide a prominent notice on our Website or send notice to affected users. The “Last updated” date at the top indicates when the policy was last revised.

14. Contact

Data Controller: Grabzies (United Kingdom)

Email: help@grabzies.com

Postal address: [Insert company registered address — replace with official address]

DPA — Controller / Processor relationship

This Data Processing Addendum forms part of the Privacy Policy and sets out the responsibilities and obligations of Grabzies (the Controller) and its Processors with respect to processing of personal data on behalf of our customers.

1. Roles

Controller: Grabzies

Processors: third-party service providers engaged by Grabzies to perform specific services (e.g. payment, hosting, analytics). Examples: [Payment Processor], [Hosting Provider], [Email Provider]. Replace placeholders with names of actual processors used.

2. Processing instructions

Processors shall only process personal data in accordance with Grabzies’ documented instructions and for the purposes described in the Privacy Policy and any specific service agreement between the parties.

3. Security measures

Processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including but not limited to:

• Access controls and authentication
• Encryption of data in transit
• Regular patching and vulnerability management
• Secure backup and recovery procedures
• Employee training and confidentiality obligations

4. Sub-processing

Processors must not engage sub-processors without our prior written authorisation. Where sub-processors are authorised, the processor must flow down equivalent data protection obligations to the sub-processor.

5. Assistance to controller

Processors shall assist Grabzies with data subject requests, security incidents, and with obligations under applicable data protection legislation (e.g. breach notification).

6. Return or deletion

Upon termination or expiry of the contractual relationship, processors shall, at Grabzies’ choice, return or securely delete personal data in their possession unless required by law to retain it.

7. Audit rights

Grabzies reserves the right to audit processors for compliance with this DPA and may request evidence of controls, certifications (e.g. ISO 27001), and data processing records.

8. Contact point

For matters relating to this DPA and data protection, contact: help@grabzies.com