This site is operated by The Cap Crafter ("we", "us", "our"). This policy explains how we collect, use, store, and protect personal information when you visit our website, place an order, or get in touch with us.

For the purposes of UK GDPR, we are the data controller of any personal information you provide.

We collect the following types of information:

• Order details: name, email address, delivery and billing address, phone number, items ordered
• Payment information: processed securely through our payment providers — we never see or store your full card details
• Account information: if you create an account, your login credentials and order history
• Communication: emails, contact form submissions, and any other messages you send us
• Device and usage data: IP address, browser type, device type, pages visited, time spent on the site, referring URL
• Marketing preferences: if you've opted in to our newsletter

We collect information directly from you when you:

• Place an order
• Create an account
• Sign up for our newsletter
• Send us a message or email
• Browse the site (via cookies and analytics tools — see section 08)

We use the information we collect for the following purposes:

• Processing and shipping your orders
• Communicating with you about your order, account, or enquiries
• Sending newsletters or promotional emails (only if you've opted in)
• Preventing fraud and protecting our site and customers
• Improving our products, website, and customer experience
• Complying with legal and regulatory obligations

We never sell your personal information to third parties. Ever.

Under UK GDPR, we process your data on one of the following legal grounds:

• Contract: when processing is necessary to fulfil your order or provide a service you've requested
• Legitimate interests: for fraud prevention, site security, and improving our services
• Consent: for marketing communications and non-essential cookies — you can withdraw consent at any time
• Legal obligation: when we're required to keep records for tax, accounting, or other regulatory reasons

We share your information only with trusted third parties who help us run the business. These include:

• Shopify: our e-commerce platform, which hosts the site and processes orders
• Payment providers: Stripe, PayPal, Klarna, Clearpay, Apple Pay, Google Pay — used to process your payment securely
• Shipping carriers: Royal Mail, DPD, and international couriers — to deliver your order
• Email providers: for transactional emails (order confirmations, shipping updates) and marketing emails (newsletters)
• Analytics providers: Google Analytics or similar, used in anonymised form to understand site traffic
• Authorities: if legally required to disclose information for tax, fraud, or legal proceedings

All of these providers are bound by their own data protection policies and are required to handle your information securely.

Some of our service providers (including Shopify) are based outside the UK and EU. When your data is transferred internationally, we ensure it's protected by appropriate safeguards, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).

Our site uses cookies — small text files stored on your device — to make the site work properly and improve your experience. We use:

• Essential cookies: required for the site to function (e.g. keeping items in your cart, remembering your login)
• Analytics cookies: help us understand how the site is used — anonymised and aggregated
• Marketing cookies: only set if you've opted in — used for retargeting and personalised ads

You can manage cookies through your browser settings or our cookie banner. Disabling essential cookies may affect how the site works.

We keep your information only as long as we need to:

• Order records: 7 years (required for UK tax and accounting purposes)
• Account information: until you ask us to delete it, or after extended inactivity
• Marketing data: until you unsubscribe or withdraw consent
• Analytics data: typically 14–26 months in anonymised form

After these periods, your information is deleted or fully anonymised.

Under UK GDPR, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate or incomplete information
• Request deletion of your data (the "right to be forgotten")
• Object to or restrict how we process your data
• Withdraw consent for marketing or non-essential cookies at any time
• Request a copy of your data in a portable format
• Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these rights, email us at privacy@thecapcrafter.com. We'll respond within 30 days.

We take reasonable steps to protect your information:

• SSL encryption across the entire site (the padlock in your browser)
• Payment processing via PCI-DSS compliant providers — we never store card details
• Restricted access to customer data within our team
• Regular software and security updates

No system is 100% secure, but we treat your data with the same care we'd want for our own.

Our site and products are not directed at children under 16. We don't knowingly collect personal data from anyone under that age. If you believe a child has provided us with their information, contact us and we'll delete it immediately.

We may update this policy from time to time to reflect changes in how we operate or in the law. The "effective" date at the top will always show the most recent version. For material changes, we'll notify you by email if you have an account or have subscribed to our newsletter.

For any privacy-related questions, requests, or complaints, email us at privacy@thecapcrafter.com. We'll respond personally, usually within a few business days.

If you're not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk.