Who is responsible for your data
CANTON CORE COMPANY LTD, trading as Canton Core, is the data controller for the personal data described in this policy. We are a company registered in United Kingdom and we sell physical organization kits to customers worldwide from our United Kingdom operation.
- Postal address: 86 Alison Lea East Kilbride, G74 3HW, United Kingdom
- Email: support@cantcore.shop
- Phone: +44 7614912465
- Support hours: Monday to Friday, 09:00–17:00 UK time
We have not appointed a statutory Data Protection Officer because we are not required to. Privacy questions go to the address above and are handled by our support team.
What we collect
We collect only what an order, an enquiry or a membership actually requires.
- Order and delivery data: your name, email address, phone number, and the shipping address you give us — street address, town or city, postal code and country; the kits ordered, quantities and the USD order value. This is the data we need for order fulfilment: picking and packing your kit, handing the parcel to a carrier and proving delivery.
- Payment data: the payment status, the last four digits and card brand, and the Stripe identifiers for the session and payment. We never receive or store your full card number, expiry date or security code.
- Account and membership data: the email address on the membership, the plan and billing period, the renewal date, and subscription status changes.
- Support and enquiry data: the name, email, optional phone number, country, subject and message you send through the contact form; for wholesale enquiries, also your company name, kits of interest and indicative volume.
- Technical data: server logs containing IP address, user agent, requested page and timestamp, generated when your browser requests a page.
We do not collect identity documents, national insurance or social security numbers, or special category data such as health, biometric, political or religious information. Do not send these to us; if you do, we delete them.
Collection sources: where we collect it from
We use four collection sources, and no others. We do not buy personal data from data brokers, we do not scrape it from third-party sources, and we do not receive it from advertising networks.
- Directly from you: when you complete the checkout form, the contact form, the wholesale enquiry form, or start a membership.
- Automatically from your device: the technical data in our server logs, and the strictly necessary storage described under Cookies.
- From our payment processor: Stripe tells us whether a payment succeeded, failed, was refunded or disputed, along with the billing name and country you gave Stripe.
- From our delivery carriers: tracking status and delivery confirmation for your parcel.
Why we use it and our legal bases
Under the UK GDPR and EU GDPR we must have a legal basis for each use of your personal data. Ours are set out below.
- Order fulfilment — using your shipping address and phone number to pick, pack and dispatch your kit, to let the carrier deliver it and contact you about the delivery, and to handle returns, exchanges and refunds afterwards. Legal basis: performance of a contract with you.
- To take payment and prevent fraud — passing the order total and your billing details to Stripe, and acting on refunds and chargebacks. Legal basis: performance of a contract and our legitimate interests in preventing fraudulent transactions.
- To run memberships — activating, renewing, upgrading, downgrading and cancelling a membership, and dispatching the quarterly edition to Core Studio members. Legal basis: performance of a contract.
- To answer enquiries and provide support — replying to your contact or wholesale message. Legal basis: legitimate interests in responding to people who contact us, or steps prior to entering a contract.
- To retain an incomplete checkout — when you confirm the checkout form we record your details before you are sent to Stripe, so that we can help if the payment does not complete. Legal basis: consent, given by the checkbox on the checkout form, which you may withdraw at any time.
- To keep accounting and tax records — retaining transaction records as required of a company in United Kingdom. Legal basis: legal obligation.
- To keep the site secure and working — server logs used to diagnose faults and detect abuse. Legal basis: legitimate interests in operating a secure service.
We do not send marketing email unless you ask us to, and we do not sell or share your personal data for cross-context behavioural advertising.
International transfers
We are based in United Kingdom and ship worldwide, so your data may be processed outside the UK and the European Economic Area — in particular in the United States, where Stripe, Vercel and Supabase operate infrastructure.
Where data leaves the UK or EEA, we rely on the UK International Data Transfer Addendum and the European Commission's Standard Contractual Clauses, together with the technical safeguards our processors apply, such as encryption in transit and at rest. If you order from outside the UK, your delivery details are necessarily transferred to the carrier serving your country in order to perform our contract with you.
How long we keep it
- Order, payment and delivery records: seven years from the end of the financial year of the order, to meet United Kingdom accounting and tax record-keeping requirements.
- Membership records: for the life of the membership and then seven years, on the same accounting basis.
- Contact and wholesale enquiries: up to 24 months from your last message, then deleted.
- Incomplete checkout records: up to 24 months, then deleted; deleted sooner if you withdraw consent.
- Server logs: up to 30 days.
Your rights
If you are in the UK or the EEA, the UK GDPR and EU GDPR give you the right to: access a copy of your personal data; correct inaccurate data; erase data where we no longer need it; restrict or object to processing based on legitimate interests; receive your data in a portable format; and withdraw consent at any time where consent is the basis, without affecting processing before withdrawal.
If you are a California resident, the CCPA as amended gives you the right to know what personal information we collect and why, to request deletion or correction, to opt out of sale or sharing, and not to be discriminated against for exercising these rights.
Do Not Sell or Share My Personal Information. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. There is nothing to opt out of, and no financial incentive is offered for your data.
To exercise any right, email support@cantcore.shop or write to us at the postal address above. We reply within one month. We may ask you to confirm the email address used on the order so we do not disclose data to the wrong person; an authorised agent may act for you with written authority.
Security
The site is served over HTTPS and personal data is encrypted in transit and at rest by our hosting and database providers. Card data is handled entirely by Stripe, a PCI DSS Level 1 certified provider, so it never touches our systems. Access to order and enquiry data is limited to the staff who need it, protected by authentication and reviewed periodically.
No online service is completely secure. If a breach affects your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours where required, and tell you without undue delay when the risk to you is high.
Automated decisions and children
We do not make decisions about you by automated means that produce legal or similarly significant effects, and we do not profile you. The Core Kit Builder maps your four answers to a fixed rule set to suggest a kit; it does not analyse you or store your answers.
Our store is not intended for children. You must be at least 13 to use this site. If you are between 13 and 17 you may only use it and place an order with the consent and supervision of a parent or guardian, who takes responsibility for the order. We do not knowingly collect data from children under 13; if you believe a child has given us personal data, email support@cantcore.shop and we will delete it.
Complaints and contact
Please contact us first at support@cantcore.shop — most concerns are resolved quickly.
If you are not satisfied, you can complain to the UK Information Commissioner's Office at ico.org.uk, by calling 0303 123 1113, or in writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. If you are in the EEA you may instead complain to the supervisory authority in your country of residence.
We review this policy at least once a year and when our processing changes. Material changes are announced on this page, and the date below always shows the current version. This policy is governed by the laws of Scotland, United Kingdom.
Questions about this policy? Email support@cantcore.shop or use the contact form. We reply within one business day, Monday to Friday, 09:00–17:00 UK time.