Overview

This Privacy Policy explains how www.engicrafts.com (“we,” “our,” or “us”) collects, uses, and protects your personal information when you interact with our website and services (“Services”). By accessing or using our Services, you agree to the terms outlined in this Privacy Policy. If you disagree, please discontinue using our Services.

​

Table of Contents

   1. Information We Collect
   2. How We Use Your Information
   3. Legal Basis for Processing (By Region)
   4. Data Sharing/Transferring and Third-Party Processors
   5. Data Retention
   6. Security Measures
   7. Your Rights
   8. Minors
   9. Updates to This Privacy Policy
   10. Contact Information

1. Information We Collect

We collect and process personal data in accordance with applicable laws, including the UK General Data Protection Regulation (UK GDPR), EU GDPR, the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA - Canada), and the Australian Privacy Act 1988. The categories of personal data we collect are detailed below.

1.1 Information You Provide Directly

We collect personal information that you voluntarily provide when:

• Creating an account on our Website.

• Placing an order for products or services.

• Contacting customer support via email, phone, or web forms.

• Subscribing to our newsletter or promotional emails.

• Participating in surveys, promotions, or giveaways.

• Leaving product reviews or other user-generated content.

​

Examples of personal data collected directly from users:

• Identity & Contact Information: Full name, email address, phone number, shipping and billing addresses.  

• Account Information: Username, password, account preferences, and order history.

• Payment Information: Transaction details such as payment method and billing information. We do not store full credit card numbers. These are securely processed by Wix Payments, PayPal, or other third-party payment processors.

• Customer Support & Communication Data: Messages, inquiries, and feedback submitted to us.

​

1.2 Information We Collect Automatically

​

Technical Data:

• Internet Protocol (IP) address.

• Browser type and version.

• Operating system and device identifiers.

• Referring website or source (e.g., social media, search engines).

​

Usage Data:

• Pages visited and time spent on each page.

• Clickstream data (links clicked, navigation patterns).

• Interaction with advertisements and marketing campaigns.

    
Approximate Location Data:

• Country and city based on IP address.

1.3 Information from Third Parties

​

• Payment Processors (e.g., Wix Payments, PayPal): To confirm payments and prevent fraud.

• Shipping & Fulfilment Partners: To process and track deliveries.

• Advertising & Analytics Providers (e.g., Google Analytics, Meta Ads): For marketing insights and performance tracking.

• Social Media Platforms: If you interact with our brand via Facebook, Instagram, or Twitter, we may receive your public profile details and engagement data.

​

1.4 Cookies and Tracking Technologies

​

We use cookies, web beacons, and other tracking technologies to:

• Improve user experience and site functionality.

• Conduct analytics and measure engagement.

• Deliver personalised marketing and advertisements.

​

For more details, refer to our Cookie Policy.

2. How We Use Your Information

We process personal data for various purposes in compliance with applicable laws, including UK GDPR, EU GDPR, CCPA, PIPEDA, and Australia’s Privacy Act 1988. Below is a detailed breakdown of our data processing activities.

​

2.1 Service Delivery and Order Fulfilment

We collect and process personal data to:

• Process and fulfil orders, including payments, shipping, and returns.

• Verify transactions and prevent fraud by confirming payment details and delivery addresses.

• Manage customer accounts, including login authentication and profile management.

• Provide customer support by responding to inquiries, troubleshooting issues, and resolving disputes.

• Send transactional communications, such as order confirmations, shipping notifications, and service updates.

Legal Basis: Contractual necessity (to fulfil our agreement with you) and legal obligations (fraud prevention and record-keeping compliance).

​

2.2 Personalisation and User Experience

We use personal data to:

• Customise website content, showing personalised product recommendations based on browsing history and past purchases.

• Store user preferences, including saved items, default language settings, and personalised shopping carts.

• Improve website navigation and usability, ensuring a seamless shopping experience across devices.

Legal Basis: Legitimate interests (to improve our website and provide a better user experience).

2.3 Marketing, Promotions and Advertising

​

With your consent, we process data for:

• Sending promotional emails, newsletters, and special offers based on your purchase history and interests.  

• Running targeted advertising campaigns via third-party platforms (e.g. Google Ads, Facebook, Instagram) based on user preferences and engagement data.

• Conducting surveys and contests, enabling participation and prize distribution.

​

Opt-Out Mechanism: Users can opt out of marketing communications at any time by clicking the “unsubscribe” link in emails or adjusting account settings.

Legal Basis: Consent (for direct marketing) and legitimate interests (for general business marketing activities).

2.4 Security, Fraud Prevention and Compliance

​

We process personal data to:

• Monitor transactions and user activity to detect and prevent fraudulent or suspicious behaviour.

• Ensure network and information security, protecting against unauthorised access, cyber threats, and data breaches.

• Comply with legal obligations, including tax compliance, financial reporting, and regulatory requirements.

• Enforce our Terms and Conditions, investigating policy violations and taking necessary action.

Legal Basis: Legal obligation (fraud detection, regulatory compliance) and legitimate interests (security and risk mitigation).

2.5 Business Analytics and Service Improvements

We use aggregated and anonymised data to:

• Analyse website traffic, sales performance, and user engagement trends.

• Enhance product offerings and optimise customer experience based on purchasing behaviour and feedback.

• Test new features, services, and technologies to improve our platform.

Legal Basis: Legitimate interests (business operations and continuous improvement).

​

2.6 Legal Claims and Regulatory Compliance

​

We may process personal data when necessary to:

• Protect our business, employees, and users from legal disputes and claims.

• Cooperate with law enforcement or government authorities when legally required.

• Retain records for financial and tax reporting purposes.

​

Legal Basis: Legal obligation (for regulatory compliance) and legitimate interests (defending legal claims and ensuring business continuity).

3. Legal Basis for Processing (By Region)

We process personal data in compliance with relevant data protection laws based on the region of our users. Below, we outline the legal bases applicable to different regulatory frameworks.

​

3.1 United Kingdom & European Union (UK GDPR & EU GDPR)

Under the UK GDPR and EU GDPR, we process personal data based on the following legal grounds:

3.1.1 Consent

We obtain user consent before:

• Sending marketing communications (emails, SMS, newsletters, promotions).

•  Using cookies and tracking technologies for targeted advertising. 

• Collecting optional survey responses and customer feedback.

• Processing user-generated content such as reviews and testimonials.

Users can withdraw consent at any time by adjusting account settings or contacting us.

3.1.2 Contractual Necessity

​

Processing is required when necessary to fulfil a contract, such as:

• Processing orders, payments, and deliveries.

• Providing customer support and responding to service inquiries.  

• Managing user accounts and authentication.

• Ensuring website functionality and performance.

​

Failure to provide necessary data may result in service limitations.

3.1.3 Legal Obligations

​

We process personal data to comply with statutory and regulatory requirements, including:

• Tax compliance and financial record-keeping.

• Fraud detection and cybersecurity measures.

• Responding to law enforcement or regulatory authorities.

​

3.1.4 Legitimate Interests

​

We may process data under our legitimate business interests, provided user rights are not overridden. This includes:

• Improving website performance and usability.

• Enhancing customer experience through analytics.

• Preventing fraudulent transactions.

• Protecting our business from legal claims.

​

Users may object to processing based on legitimate interests by contacting us.

​

3.1.5 Vital Interests

​

Personal data may be processed to protect the life or safety of individuals in emergency situations.

​

3.2 United States (CCPA & CPRA - California Residents)

​

For California residents, we process personal data in accordance with the CCPA and CPRA.

​

3.2.1 Right to Know

​

Users have the right to request:

• What personal data we collect.

• Why we collect it.

• How it is used and shared.

​

3.2.2 Right to Delete

​

Users may request deletion of personal data, except where retention is legally required (e.g., tax compliance, fraud prevention).

​

3.2.3 Right to Opt-Out of Sale or Sharing

​

We do not sell personal data, but California users can opt out of data sharing for targeted advertising. Users can exercise these rights by contacting us.

3.2.4 Right to Non-Discrimination

We will not deny services or charge different prices based on privacy preferences.

3.3 Canada (PIPEDA)

​

Under PIPEDA, we process personal data based on:

• Consent (for marketing, surveys, optional data collection).

• Contractual Necessity (order fulfilment, account management).

• Legal Compliance (tax, security, fraud prevention).

• Legitimate Interests (business operations, analytics, security).

Canadian users have the right to access, correct, or withdraw consent for data processing.

3.4 Australia (Privacy Act 1988)

​

For users in Australia, we comply with the Privacy Act 1988, which governs:

• Fair and lawful data collection.

• Transparency in data processing.

• Right to access and correct personal information.

• Restrictions on direct marketing (users can opt-out).    

​

Users in Australia can lodge privacy complaints with the Office of the Australian Information Commissioner (OAIC).

​

3.5 International Compliance

​

If required, we apply Standard Contractual Clauses (SCCs) and data protection measures when transferring personal data outside the UK/EU to ensure regulatory compliance.

4. Data Sharing/Transferring and Third-Party Processors

We share personal data with third-parties only when necessary for the provision of our Services, legal compliance, security, and operational efficiency. The third parties with whom we share data fall into the following categories:

​

4.1 Service Providers and Data Processors

We engage trusted third-party service providers to help us operate our business efficiently. These providers process data strictly in accordance with this Privacy Policy and applicable laws. Categories of service providers include:

4.1.1 Website Hosting & Infrastructure

• Wix.com (website hosting, payment processing, data storage, and infrastructure management).

• Cloud storage providers for secure data backups and redundancy.

​

4.1.2 Payment Processing Partners

​

To facilitate secure transactions, we share payment details (not full credit card numbers) with:

• Wix Payments (primary payment gateway).

• PayPal and other alternative payment options supported by Wix.com. 

• Other financial institutions and fraud prevention services (where required by law).

​

4.1.3 Shipping & Order Fulfilment

​

To process and deliver customer orders, we share the necessary details with:

• Logistics and courier services (such as FedEx, UPS, or regional delivery services).

• Customs and regulatory authorities for international shipments (where applicable).

​

4.1.4 Analytics & Marketing Services

​

To enhance user experience and improve our marketing efforts, we work with:

• Google Analytics (for website traffic and user behaviour insights).

• Meta (Facebook & Instagram) Ads (for targeted advertising and remarketing campaigns).

• Other advertising platforms (only where consent has been obtained).

​

4.1.5 Customer Support & Communication Tools

​

We use third-party platforms to provide seamless communication and support:

• Email marketing providers (for newsletters and promotional content).

• Live chat or helpdesk tools (for customer support inquiries).

​

4.2 Legal Compliance and Law Enforcement Requests

We may disclose personal data when required by law or to comply with:

• Regulatory requests (such as tax authorities, financial regulators).

• Law enforcement agencies (in case of fraud investigations, subpoenas, court orders).

• Dispute resolution or legal claims (when defending against claims or enforcing rights).

We will not share personal data with law enforcement unless legally required or necessary to prevent harm.

4.3 Business Transfers and Mergers

​

If EngiCrafts undergoes a merger, acquisition, restructuring, or sale, personal data may be transferred to the new entity, provided that:

• The data remains protected under equivalent privacy terms.

• Users are notified of material changes affecting their rights. 

Users will have the right to delete their personal data if they disagree with a business transition involving their information.

4.4 International Data Transfers

​

Since we operate globally, personal data may be transferred, stored, and processed in jurisdictions outside of your country of residence. We take appropriate measures to ensure that such transfers comply with applicable data protection laws, including UK GDPR, EU GDPR, CCPA, PIPEDA, and Australia’s Privacy Act 1988.

​

4.4.1 Data Transfer Safeguards

​

To protect personal data transferred outside the UK, EU, or other regulated jurisdictions, we implement the following safeguards:

• Standard Contractual Clauses (SCCs): When transferring personal data to countries without an adequacy decision from the UK or EU, we rely on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO) and the European Commission.

• UK & EU Data Protection Mechanisms: For transfers outside the UK & EU, we ensure recipients implement data protection measures equivalent to those required under UK GDPR and EU GDPR.

• Data Processing Agreements (DPAs): We require all third-party service providers and business partners who process personal data on our behalf to sign Data Processing Agreements (DPAs) ensuring compliance with applicable laws.

• Privacy Shield & Equivalent Frameworks: If transferring data to the United States, we ensure the recipient participates in recognised privacy frameworks(such as the UK Extension to the EU-U.S. Data Privacy Framework where applicable) or adheres to SCCs.

• Localised Data Hosting: Where required by local laws, we store data within the jurisdiction of collection (e.g., in Canada or Australia for residents of those countries).

​

For details on specific data transfers, users may contact us.

​

4.4.2 Cross-Border Transfers & User Rights

​

Users have rights regarding international data transfers, including:

• The right to request details on cross-border data transfers.

• The right to object to transfers where local laws allow.

• The right to receive copies of relevant safeguards applied to transferred data.

​

Users can exercise these rights by contacting us.

​

4.4.3 Risks of International Transfers

​

While we implement robust safeguards, users should be aware that:

• Some countries may not provide the same level of data protection as their home country.

• Data transferred to certain jurisdictions may be subject to law enforcement requests or surveillance laws that differ from UK/EU privacy standards.

​

Users who have concerns about international data transfers can request data localisation options where feasible.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. If legal or regulatory obligations require a longer retention period, we will retain the data accordingly. Users will be notified if their data is retained longer than the standard periods due to legal or compliance requirements.

​

5.1 General Retention Periods

5.1.1 User Account Data

​

• Retained as long as the user maintains an active account.

• Deleted upon user request or automatically after 24 months of inactivity.

5.1.2 Order & Transaction Data

​

• Retained for six (6) years to comply with tax, accounting, and legal obligations (UK HMRC and EU regulatory requirements).

• Includes order details, billing information, and receipts.

​

5.1.3 Customer Support & Communication Records

​

• Retained for three (3) years from the date of last interaction.

• Includes emails, chat records, and support inquiries.

​

5.1.4 Marketing & Promotional Data

​

• Retained until the user opts out or withdraws consent.

• Includes email subscriptions, marketing preferences, and engagement analytics.

​

5.1.5 Analytics & Website Usage Data

​

• Retained for up to 26 months for performance analysis and service improvements.

• Data is anonymised where possible to reduce privacy risks.

​

5.1.6 Security, Fraud Prevention & Compliance Data

​

• Retained for as long as legally required to detect and prevent fraudulent transactions, ensure network security, and comply with legal investigations.

5.2 Data Deletion and Anonymisation

​

Upon expiration of retention periods, we will either:

• Permanently delete personal data from our systems.

• Anonymise data so it can no longer be associated with an individual (for statistical and research purposes).

​

Users may request deletion of their personal data at any time by contacting us. However, certain legal and regulatory requirements may prevent the immediate deletion of some data. Deleted data cannot be recovered. Users should ensure they back up any necessary information before requesting deletion.

​

5.3 Exceptions to Standard Retention Periods

​

We may retain personal data beyond the stated periods under the following circumstances:

• Legal Proceedings: If the data is required for ongoing or potential legal disputes.

• Regulatory Investigations: Where retention is necessary for government or regulatory requests.

• Contractual Obligations: If a user has an ongoing business relationship with EngiCrafts.

6. Security Measures

We take the security of personal data seriously and implement appropriate measures to protect it from unauthorised access, disclosure, alteration, or destruction. Our security practices align with industry standards and regulatory requirements, including UK GDPR, EU GDPR, CCPA, PIPEDA, and Australia’s Privacy Act 1988.

​

6.1 Data Protection Measures

We employ a combination of technical, organisational, and procedural safeguards to ensure data security:

6.1.1 Encryption & Secure Data Storage

​

• SSL (Secure Socket Layer) encryption is used to protect data transmissions between users and our servers.

• Sensitive data (such as payment details) is encrypted at rest and in transit.

• All payment transactions are processed through PCI-DSS-compliant third-party payment processors (e.g., Wix Payments, PayPal), ensuring no financial details are stored directly on our servers.

​

6.1.2 Access Controls & Authentication

​

• Role-based access controls (RBAC) ensure that only authorised personnel can access specific data.

• Multi-factor authentication (MFA) is implemented where applicable to protect user accounts and administrative systems.

• Employees handling personal data undergo security training to prevent unauthorised disclosure.

​

6.1.3 Network & Infrastructure Security

​

• Firewalls, intrusion detection, and monitoring tools protect against cyber threats.

• Regular security audits, penetration testing, and vulnerability assessments are conducted.

• DDoS (Distributed Denial of Service) protection is implemented to prevent malicious attacks.

​

6.1.4 Data Anonymisation & Minimisation

​

• Where possible, personal data is anonymised or pseudonymised to reduce privacy risks.

• We only collect and store the minimum amount of data necessary to provide our services.

​

6.2 Data Breach Prevention and Response

​

Despite our best efforts, no system is completely secure. In the event of a data breach, we follow a structured response plan:

​

6.2.1 Immediate Risk Assessment

​

• Identify the nature and scope of the breach.

• Assess potential impacts on users and regulatory compliance.

6.2.2 Containment & Mitigation

• Implement measures to contain the breach and prevent further unauthorised access.

• Restore affected systems and data from secure backups.

6.2.3 User & Regulatory Notification

​

• If required under GDPR, CCPA, or other laws, we will notify affected users and relevant Data Protection Authorities (DPAs) within the legally mandated timeframe.

• Users will receive guidance on protective actions they should take if their data is affected.

​

6.3 User Responsibilities for Security

​

While we take extensive measures to protect data, users also play a role in maintaining security:

• Use strong, unique passwords and change them periodically.

• Enable two-factor authentication (2FA) where available.

• Be cautious of phishing attempts and avoid sharing login credentials.

• Regularly update devices and software to minimise security vulnerabilities.

​

Users who suspect unauthorised access to their account should contact us immediately at engihandicrafts@gmail.com.

7. Your Rights

We respect your rights regarding the collection, use, and storage of your personal data. Depending on your location, you may have the following rights under UK GDPR, EU GDPR, CCPA, PIPEDA, and Australia's Privacy Act 1988.

​

7.1 Rights Under UK GDPR & EU GDPR

If you are located in the United Kingdom (UK) or the European Union (EU), you have the following rights regarding your personal data:

• Right to Access: You may request a copy of the personal data we hold about you and details on how it is used.

• Right to Rectification: You may request corrections to any inaccurate or incomplete personal data we store.

• Right to Erasure (Right to be Forgotten): You can request that we delete your personal data, except where we are legally required to retain it.

• Right to Restrict Processing: You may request to limit how your data is processed if you dispute its accuracy or object to processing.

• Right to Data Portability: You may request a copy of your data in a structured, commonly used format for transfer to another service provider.

• Right to Object: You can object to processing for direct marketing or based on legitimate interests.

• Right to Withdraw Consent: If processing is based on consent, you have the right to withdraw it at any time.

• Right to Lodge a Complaint: You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or the relevant EU Data Protection Authority. 

​

To exercise these rights, please contact us.

7.2 Rights Under CCPA (California Residents)

​

If you are a California resident, you are entitled to specific rights under the CCPA and CPRA:

• Right to Know: You may request details on what personal data we collect, use, and share.

• Right to Delete: You may request deletion of your personal data, subject to legal retention exceptions.

• Right to Opt-Out of Sale or Sharing: We do not sell personal data, but you may opt out of targeted advertising data sharing.

• Right to Non-Discrimination: We will not deny services, charge different prices, or provide a different level of service based on your privacy preferences.

​

California residents can submit requests by contacting us.

​

7.3 Rights Under PIPEDA (Canada)

​

If you are located in Canada, you have the following rights under the PIPEDA:

• The right to access and correct personal information.

• The right to challenge the accuracy of personal data and request corrections.

•  The right to withdraw consent for certain data uses.

• The right to file a complaint with the Office of the Privacy Commissioner of Canada.

​

To exercise these rights, please contact us.

​

7.4 Rights Under the Australian Privacy Act 1988

​

If you are an Australian resident, you have the right to:

• Request access to the personal information we hold about you.

• Request corrections to inaccurate or outdated data.

• Opt-out of direct marketing communications.

• File a complaint with the Office of the Australian Information

Commissioner (OAIC) if you believe your privacy rights have been breached.

To make a privacy request, please contact us.

8. Minors

We are committed to protecting the privacy of children and minors. Our Services are not intended for individuals under the age of 18, and we do not knowingly collect, store, or process personal data from children.

​

8.1 Age Restrictions

• Users must be at least 18 years old to create an account or make purchases through our Website.

• We do not knowingly solicit or collect personal data from children under 18 years of age.

• If we learn that we have collected personal data from a minor, we will take immediate steps to delete the information.

Parents or guardians who believe their child has provided personal data should contact us immediately at engihandicrafts@gmail.com.

8.2 Compliance with Child Privacy Laws

We comply with applicable child data protection laws, including:

• Children’s Online Privacy Protection Act (COPPA - USA): We do not knowingly collect information from children under 13. 

• UK GDPR & EU GDPR: We do not process personal data of children under 16 without verified parental consent.

• Australia’s Privacy Act 1988 & Canada’s PIPEDA: We do not knowingly collect data from minors under applicable national regulations.

​

If required, we will implement parental consent mechanisms before processing minor-related data in compliance with local laws.

​

8.3 Limited Exceptions for Educational or Legal Purposes

​

In rare cases where we must process personal data related to minors (e.g., educational programs, legal compliance), we will:

• Obtain explicit parental or guardian consent.

• Use the data strictly for the intended purpose and ensure appropriate safeguards.

• Delete the data once it is no longer necessary for the stated purpose.

​

We will always prioritise the safety and privacy of minors in any permitted data processing activities.

9. Updates to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our data processing practices, legal requirements, or business operations. We encourage users to review this page regularly to stay informed about how we protect personal data.

​

9.1 How We Notify Users of Changes

If we make significant changes to this Privacy Policy, we will notify users through:

• A prominent notice on our Website.

• An email notification sent to registered users (where applicable).

• An update to the "Last Updated" date at the top of this policy.

​

Continued use of our Services after an update constitutes acceptance of the revised Privacy Policy.

​

9.2 Material vs. Non-Material Changes

​

• Material Changes: If updates significantly impact user rights, require new consent, or involve changes to data collection methods, we will obtain explicit user consent where legally required.

• Non-Material Changes: Minor updates for clarity, legal compliance, or formatting do not require direct notification but will be reflected in the latest version of this policy.

​

9.3 User Responsibilities

​

• Users are responsible for reviewing this Privacy Policy periodically.

• If users disagree with any updates, they may stop using our Services and request data deletion by contacting us.
   

10. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us using the details below:

​

EngiCrafts
146 York Way, London N1 0AE, United Kingdom
engihandicrafts@gmail.com   

​

For any direct concerns, please contact us first so we can resolve the issue promptly. If you still believe your data protection rights have been violated after communicating with us, you may file a complaint with:

• UK Residents: ICO Complaint Page (https://ico.org.uk/make-a-complaint/)

• EU Residents: Your national Data Protection Authority (https://edpb.europa.eu/about-edpb/about-edpb/members_en)

• California Residents: California Attorney General’s Consumer Privacy Page

• Canada Residents: Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/)

• Australia Residents: Office of the Australian Information Commissioner (OAIC) (https://www.oaic.gov.au/)