Cafexpress Ltd is committed to protecting your privacy and maintaining the security of any personal information (personal data) received from you. We strictly adhere to the requirements of the EU General Data Protection Regulation 2016/679 (GDPR).
The purpose of this policy is to explain to you what personal data we collect, how we may use it, your rights over it, how we keep it secure, how we report on it, and how to complain about our use of it.
Your rights under the GDPR include:
- Right to access - you are entitled to a copy of your personal data, free of charge
- Right to restrict processing - under certain circumstances you can request the restriction of use
- Right to rectification - you are entitled to ensure any data held is accurate
- Right to erasure - under certain circumstances you can request your data is removed (known as the "right to be forgotten")
- Right to data portability - you are entitled to a copy of your data in a common electronic format
- Right to object to automated decision-making - under certain circumstances, you can request that your data is not used to make automated decisions about you that could have legal consequences
- Right to complain - you can lodge a complaint with the ICO
How we collect and use your personal information
When you place an initial order with us, we collect sufficient data to allow us to process and fulfil your order. This includes your:
- Name, Billing Address, Email Address, Telephone Number, Company Name and VAT Registration Number (where applicable)
We collect additional information (data) in order to comply with the GDPR and EU Rules governing the supply of Digital Services. This includes your:
- IP Address, Hostname, Country Location, Device Used, Date and Time
You have the right to withhold any personal data that is not required for the order process, but you must give your consent to our Terms and Conditions in order for us to provide you with our services.
We use the personal data collected to notify you of your purchase and to communicate with you in connection with all matters relating directly to our services, until termination of the services.
From time to time we may send you updates of our products and services. We will only contact you if we have acquired your specific consent.
We do not sell, rent, share, or exchange your personal data with any third party for commercial reasons. We will only share your personal data with any organisation, agency, or regulatory body if required to do so by law.
We do not collect sensitive data about you.
You can ask us what personal data we hold on you at any time, free of charge. In order to maintain the accuracy of the data, you can check, update, amend, or remove personal data by logging into your Bluepark Account. You can also contact us directly - please see below.
How we use third parties for storing and processing your information
We use third party agencies (known as Subprocessors) to process your personal data only as is necessary to provide you with our services, maintain appropriate records for regulatory and taxation purposes, and keep your personal data secure.
Any Subprocessor engaged in the processing of personal information is also required to be GDPR compliant.
Where your personal data is transferred outside of the EEA (European Economic Area), specific protections are required. Certain agencies require access to your personal data. For example, a bank or card processing agency may need to verify your personal information for authorisation outside the EEA.
Under the GDPR, transfers of personal data outside the EEA are restricted unless the receiving entity has obtained an "adequacy decision" from the EU Commission or there is a valid data transfer mechanism in place. For example, QuickBooks (Intuit) participates in the EU-US and Swiss-US Privacy Shield Frameworks.
How long we retain your personal information
Your personal data is retained for as long as is necessary in order to provide the services agreed with you. Other types of data, for example, order data, may be retained for differing periods of time, including following the termination of our services. Legal and Statutory requirements determine how long we are required to retain certain types of data. Broadly, these include:
- Taxation Laws
- Value Added Tax Laws (at least 6 years)
- Employment Law
- Administrative Law (the body of Law and legal work that deals with Government agencies)
In the absence of any legal requirements, personal data will only be retained as long as is necessary to provide you with the agreed services. Data will be erased if you withdraw consent to the data being processed or held and request it be erased, except where any data may be required to be held for Statutory, Historical or Statistical purposes.
From time to time during the retention period, the need to retain identified data will be reviewed. In particular, we will reconsider the type of data, its purpose for processing, and whether lawful grounds for its continued processing remain. Out of date information will be archived.
Following the expiration of the applicable retention period, personal data may not necessarily be completely erased, if it is considered sufficient to anonymise the data. This may, for example, be achieved by means of:
- Erasure of any unique identifier which enables the allocation of particular data to an individual person
- Erasure of single pieces of personal data that identify an individual person
- Separation of personal data from non-identifying information, for example, an order number from a Client's name and address
- Aggregation of personal data in a way that no allocation to any individual person is possible
If no fixed retention period has been determined, because of the limited amount of personal data retained, we will provide the criteria used to determine the rationale for retention of any particular data, upon request.
How we maintain the security of your personal information
We follow strict security procedures in the storage and disclosure of information you have given us, to prevent unauthorised access in accordance with the EU GDPR.
Passwords are encrypted and may be automatically generated by our system. We recommend that you use strong Passwords to access both your Bluepark Account and your Admin Console and change them regularly.
The data held by us is stored on servers located within the RapidSwitch facility in Maidenhead, Berkshire. RapidSwitch is one of the UK's leading server hosting providers and is recognised as one of the longest established in the UK. It is part of the AIM-listed Iomart Group PLC, with fully owned world class resilient infrastructure end to end. It is ISO 27001 and 9001 accredited. It has multiple levels of security and staff on-site 24x7x365.
You will be notified of any breach in the security of your personal data by either accidental or deliberate causes, without undue delay. Where required, in respect of certain types of breach identified, we will comply with the GDPR and report to the appropriate authority within the regulatory 72 hours.
A personal data security breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
How to complain
If you have a complaint about our use of your personal information, you can contact the Information Commissioner's Office (ICO) via their website:
How to contact us
If you have any questions about privacy or about any aspect in connection with your personal information, you can contact us by email at firstname.lastname@example.org, by telephone on 0845 703 123, or via our website: