Privacy Policy
Last updated: 16 April 2026
1. Who we are
CraftCert is a product of Crocker Digital Ltd, registered in England and Wales (Company No. 17008789). Crocker Digital Ltd is the data controller for any personal data collected through this website.
Registered with the UK Information Commissioner's Office under reference ZC128626.
Contact: support@craftcert.co.uk
2. What data we collect
- Account data: your email address, name (if provided), and account preferences — collected when you create an account.
- Product and formulation data: product names, ingredient lists, concentrations, hazard classifications, and generated labels that you enter into CraftCert.
- Payment data: billing details are collected and processed by Stripe. We store your Stripe customer ID but never see or store your card details.
- Analytics: we use GoatCounter, a privacy-focused analytics tool that does not use cookies and does not collect personal data. It provides aggregate page-view data only.
- Error tracking: we use Sentry to monitor application errors. Sentry may receive technical data such as browser type, error stack traces, and request metadata. It does not receive your formulation or ingredient data.
3. Why we collect it (lawful basis)
- Contract performance (Article 6(1)(b) UK GDPR): to provide the CraftCert service, including classification, label generation, and compliance evidence.
- Legitimate interest (Article 6(1)(f)): to send essential account notifications, improve the product, and monitor for errors and abuse.
- Consent (Article 6(1)(a)): for optional marketing emails. You can opt out at any time from your account settings or by contacting us.
4. How your data is stored and processed
Your data is processed by the following services (see our Subprocessors page for full details):
- Supabase — authentication and database hosting. Stores your account data, product data, formulations, labels, and evidence records. Supabase sets session cookies (prefixed `sb-`) for authentication.
- Stripe — payment processing. Processes billing data for paid subscriptions.
- Resend — transactional email delivery. Receives your email address to send account notifications.
- Netlify — website hosting and deployment.
- GoatCounter — privacy-focused analytics (no cookies, no personal data).
- Sentry — error monitoring and performance tracking.
- Upstash — rate limiting to protect the service from abuse. Processes IP addresses and user IDs temporarily.
5. International data transfers
CraftCert is operated from the United Kingdom, and the production database (Supabase, AWS London — `eu-west-2`) is located in the UK. Several of our processors are US-based or have US management operations. When personal data is transferred outside the UK, Crocker Digital Ltd relies on the lawful transfer mechanisms recognised by UK GDPR Chapter V: the UK's adequacy decisions (for the EEA and Gibraltar), the UK Extension to the EU-US Data Privacy Framework (“UK-US Data Bridge,” effective 12 October 2023) where a processor is self-certified, the UK International Data Transfer Agreement (“IDTA”), or the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2: controller-to-processor) supplemented by the UK International Data Transfer Addendum (“UK Addendum”).
The specific mechanism for each processor is set out below. A signed Data Processing Agreement (DPA) is in place with every processor that handles identifiable personal data on our behalf.
| Processor | Hosting location | Transfer mechanism for UK data |
|---|---|---|
| Supabase | UK (AWS eu-west-2, London) | EU/UK adequacy for storage. Management-plane access by Supabase Inc (US) is governed by the Supabase DPA, which incorporates the EU SCCs (2021, Module 2) and the UK Addendum. |
| Stripe | Stripe Payments UK Ltd (UK) and Stripe Payments Europe Ltd (Ireland), with onward transfer to Stripe Inc (US). | UK → Ireland: EU adequacy. Ireland → US: Stripe's Global DPA, which relies on the UK-US Data Bridge for certified Stripe entities and, as a fallback, the EU SCCs (2021, Module 3: processor-to-processor) with the UK Addendum. |
| Resend | US (Delaware), with an EU sending region optionally used for UK and EU recipients. | Resend Data Processing Addendum, incorporating the EU SCCs (2021, Module 2) and the UK Addendum for UK → US transfers. Where Resend is self-certified under the UK-US Data Bridge, that mechanism is relied on in parallel. |
| Sentry | Functional Software Inc, operating the Sentry US region (primary) and EU region (available). | Sentry DPA, which incorporates the EU SCCs (2021, Module 2) with the UK Addendum. Functional Software Inc is self-certified under the EU-US Data Privacy Framework and its UK Extension (Data Bridge), which serves as the primary transfer mechanism where applicable. |
| Netlify | Netlify Inc (US Delaware), with edge/CDN presence worldwide. | Netlify Data Processing Addendum, incorporating the EU SCCs (2021, Module 2) and the UK Addendum. Netlify is self-certified under the UK-US Data Bridge; that certification is the primary transfer mechanism where applicable. |
| Upstash | Upstash Inc (US Delaware). CraftCert's Upstash deployment uses an EU region. | Data at rest stays in the EU (EU adequacy applies). Management-plane access by Upstash Inc (US) is governed by the Upstash DPA, which incorporates the EU SCCs (2021, Module 2) and the UK Addendum. |
| GoatCounter | Ireland (EU) | No third-country transfer. Processing takes place within the EU and relies on the UK adequacy decision for the EEA. (GoatCounter also does not process personal data in the first place — it records aggregate page-view counts only.) |
If, for any reason, a particular transfer cannot be carried out under one of the mechanisms above, we will not make the transfer. The UK-US Data Bridge is an operational convenience; our binding fallback in every case is the EU SCCs supplemented by the UK Addendum (or, equivalently, the standalone UK IDTA).
Copies of the relevant DPAs and, where applicable, the executed Addenda are available to regulators and to you on request from support@craftcert.co.uk.
6. Sharing
We share personal data only with the subprocessors listed above, solely for the purposes described. We do not sell, rent, or trade your personal data. We do not share your formulation or product data with any third party.
7. Data retention
We retain your data while your account is active. When you delete your account, your data is held in a soft-deleted state for 90 days during which it can be restored on request, and is then permanently deleted. See our Retention & Deletion policy for the exact timer math and the restoration procedure.
8. Your rights (UK GDPR)
Under the UK General Data Protection Regulation, you have the right to:
- Access the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data (Article 17).
- Portability — request a copy of your data in a portable format (available via Settings > Export).
- Restriction — ask us to limit processing in certain circumstances.
- Object — object to processing based on legitimate interest.
- Lodge a complaint with the UK Information Commissioner's Office. You can contact the ICO at ico.org.uk/make-a-complaint/ or on 0303 123 1113.
To exercise any of these rights, email support@craftcert.co.uk. We aim to respond within 30 days.
9. Subject Access Requests (SAR / DSAR)
A SAR is a formal request for a copy of the personal data we hold about you. To make one:
- Email support@craftcert.co.uk from the email address on your account. If your account has been deleted, send us enough context (rough signup month, any product names) to verify.
- We'll verify your identity (usually by confirming details from your account — last subscription, product count, approximate signup month).
- We'll respond within 30 calendar days. Where a request is complex we may extend this by up to two further months, and we'll tell you why.
- SARs are free. We may charge a reasonable fee (or refuse the request) only where a request is manifestly unfounded or excessive — for example, a repeat request for the same data within a short period.
- If you want a machine-readable export of your own data (UK GDPR portability right, Article 20), use Settings > Export your data in the dashboard for the full JSON blob without needing a SAR.
10. Automated decision-making (UK GDPR Article 22)
CraftCert runs an automated CLP classification engine. When you add a formulation, the engine applies the UK CLP addition method to your declared ingredients, sums concentrations against hazard category generic-concentration limits, and produces a draft label specification (pictograms, signal word, H- and P-statements). That draft determines whether CraftCert will produce a finished-label PDF for you: if the engine flags unresolved hazards or missing ingredient data, we refuse to emit the PDF until the data is supplied.
This is automated processing that can have a significant practical effect on your business (you can't print a label CraftCert refuses to render). You have the right to:
- Obtain human review. Email support@craftcert.co.uk asking us to review a specific classification. Include the product name and the reason you disagree with the output. We'll respond within 30 days, either confirming the engine's result or explaining a manual override.
- Express your point of view and contest the decision.
- Understand the data used. Classification inputs are limited to: the ingredient names you typed, their CAS numbers (if supplied), their concentration percentages, and the product form you selected. The engine also reads published hazard data from the GB MCL (see the version stamped on your evidence-pack PDF).
The engine does not use profile data, billing history, or any behavioural signal in classification decisions. Results depend only on the chemistry you declare.
11. Service emails and the PECR soft opt-in basis
We send a small number of transactional and service-related emails: account confirmations, deletion confirmations, trial-expiry reminders, payment-issue notices, and occasional updates about changes to the service you use. We rely on PECR Regulation 22(3) (the “soft opt-in” basis): you gave us your email when you signed up for a directly-related service, and every service email carries a clear opt-out. We do not send marketing emails under this basis — marketing requires separate consent.
You can stop service emails by replying “unsubscribe” to any one, or by emailing support@craftcert.co.uk. We may still send strictly essential account messages (for example, a final deletion confirmation if you asked us to delete your account) because the service cannot operate without them.
12. Data breaches
If a personal-data breach is likely to result in a risk to your rights and freedoms, we notify the ICO within 72 hours of becoming aware, and where the risk is high we notify affected users directly. Our full breach-response process is published at /security/breach-process.
13. Cookies
CraftCert uses essential cookies only. See our Cookies Policy for full details. We do not use advertising or tracking cookies.
14. Changes to this policy
We may update this policy from time to time. We will notify account holders of material changes by email. The “last updated” date at the top of this page indicates the most recent revision.
15. Contact
If you have any questions about this privacy policy or how we handle your data, please contact us:
support@craftcert.co.uk
Crocker Digital Ltd, Company No. 17008789
Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
ICO registration: ZC128626