GDPR Policy

Last updated: 22 December 2025

1. Introduction

This GDPR Policy explains how Craftd ("we", "our", or "us") complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy applies to all personal data we process about individuals in the UK and EEA.

UK GDPR came into effect on 1 January 2021 and provides enhanced data protection rights for individuals. We are committed to protecting your personal data and respecting your privacy rights.

2. Legal Basis for Processing

We process your personal data under the following legal bases:

2.1 Contractual Necessity

We process your data to perform our contract with you, including:

  • Creating and managing your account
  • Processing your artwork generations
  • Processing purchases and payments
  • Fulfilling print orders
  • Processing artist commissions and payouts

2.2 Legitimate Interests

We process data for our legitimate business interests, including:

  • Improving and optimizing our platform
  • Preventing fraud and ensuring security
  • Analyzing usage patterns
  • Sending important service notifications

2.3 Consent

Where we rely on consent, you have the right to withdraw it at any time. This includes:

  • Marketing communications (if applicable)
  • Optional profile information
  • Cookie preferences

2.4 Legal Obligations

We may process data to comply with legal obligations, such as:

  • Tax and accounting requirements
  • Financial record keeping
  • Responding to legal requests

3. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

3.1 Right to Be Informed

You have the right to be informed about how we collect and use your personal data. This information is provided in our Privacy Policy and this GDPR Policy.

3.2 Right of Access

You have the right to request a copy of the personal data we hold about you (a "data subject access request"). This includes:

  • What personal data we hold
  • Why we are processing it
  • Who we share it with
  • How long we keep it

We will respond to your request within one month. If your request is complex, we may extend this by a further two months, and we will inform you of this.

3.3 Right to Rectification

You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most of your information directly through your account settings, or you can contact us to request corrections.

3.4 Right to Erasure ("Right to Be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, including when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

Note: We may not be able to delete all data if we have a legal obligation to retain it (e.g., financial records for tax purposes).

3.5 Right to Restrict Processing

You have the right to request that we restrict processing of your personal data in certain circumstances, such as:

  • You contest the accuracy of the data
  • Processing is unlawful and you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification

3.6 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. This applies to:

  • Data you provided to us
  • Data processed by automated means
  • Data processed based on consent or contract

3.7 Right to Object

You have the right to object to processing of your personal data when:

  • Processing is based on legitimate interests
  • Processing is for direct marketing purposes
  • Processing is for scientific/historical research or statistical purposes

If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

3.8 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Currently, we do not use automated decision-making that would fall under this category.

4. How to Exercise Your Rights

To exercise any of your rights, please contact us:

  • Email: [Your contact email]
  • Subject Line: "GDPR Request - [Your Request Type]"

Please include:

  • Your full name
  • Your account email address
  • A clear description of the right you wish to exercise
  • Any relevant details to help us locate your data

We may need to verify your identity before processing your request. We will respond within one month (or two months for complex requests).

5. Data Transfers

Some of our service providers are located outside the UK/EEA. When we transfer your data internationally, we ensure appropriate safeguards are in place.

All transfers are made in accordance with UK GDPR requirements and include appropriate safeguards such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).

6. Data Retention

We retain personal data only for as long as necessary:

6.1 Account Data

Retained while your account is active. Deleted or anonymized within 30 days of account deletion, except where legal obligations require longer retention.

6.2 Financial Records

Retained for 7 years as required by UK tax and accounting laws.

6.3 Generated Artwork

Retained while your account is active. You can request deletion of specific generations, subject to any purchase obligations.

6.4 Purchase Records

Retained for 7 years for accounting and legal purposes.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption of data in transit (HTTPS/TLS)
  • Secure database access controls
  • Regular security assessments
  • Limited access to personal data on a need-to-know basis
  • Secure authentication mechanisms

8. Data Breaches

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:

  • Notify the UK Information Commissioner's Office (ICO) within 72 hours
  • Notify affected individuals without undue delay
  • Provide clear information about the nature of the breach
  • Explain the likely consequences
  • Describe measures taken or proposed to address the breach

9. Your Right to Complain

If you are not satisfied with how we have handled your personal data or responded to your requests, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: https://ico.org.uk
Phone: 0303 123 1113

10. Updates to This Policy

We may update this GDPR Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by posting the updated policy on this page and updating the "Last updated" date.

11. Contact Us

For questions about this GDPR Policy or to exercise your rights, please contact us at charlie@bristol-apps.com.