Privacy Policy
This Privacy Policy explains how Care Franchising Limited ("we", "us", "our") collects, uses, stores, and protects personal data when you visit or buy from the Care Franchising Compliance store at carefranchisingcompliance.myshopify.com (the "Store").
We are the data controller of personal data collected through the Store.
1. Who we are
Care Franchising Limited
Companies House number: 16271445
Registered office: Kingscott Dix, Goodridge Court, Goodridge Avenue, Gloucester, GL2 5EN
General contact: hello@carefranchising.co.uk
Director / commercial contact: vierka.hiscock@carefranchising.co.uk
Data protection enquiries: hello@carefranchising.co.uk (subject line "Data Protection")
We are registered with the Information Commissioner's Office (ICO) under registration number ZB959091 (current registration valid to 17 August 2026; renewed annually).
We are not required to appoint a Data Protection Officer under UK GDPR Article 37 because we do not undertake large-scale or systematic monitoring of individuals, do not process special category data on a large scale, and are not a public authority. Data protection enquiries are handled by the company director, Vierka Hiscock.
2. The personal data we collect
When you browse the Store:
- IP address and approximate location
- Device type, browser type, and operating system
- Pages viewed, time on page, and click behaviour (analytics)
- Cookies — see section 8
When you contact us:
- Name, email address, phone number (if provided)
- The content of your message
- Any attachments you send
When you place an order:
- Name and (where provided) job role
- Billing email address
- Billing address
- Organisation name and (where applicable) Companies House / charity / CQC registration details
- Payment information — note that card details are processed and stored by our payment processor (Shopify Payments / Stripe / PayPal), not by us
- Order history
- Communications you exchange with us about the order
When you create an account:
- Email address and password (we store the password as a hashed value, not in readable form)
- Order history linked to your account
- Any preferences you save
When you subscribe to our email list:
- Email address
- Date of subscription
- Source of subscription (homepage popup, footer form, post-purchase, etc.)
- Whether you have opened or clicked any of our emails (campaign analytics)
3. Why we collect it (lawful basis under UK GDPR)
| What we use it for | Lawful basis |
| --- | --- |
| Processing your order and delivering your downloads | Performance of a contract |
| Sending order confirmation, download links, and post-purchase support | Performance of a contract |
| Responding to your enquiries | Legitimate interest (responding to your contact request) |
| Marketing emails (if you have subscribed) | Consent (you can withdraw at any time) |
| Marketing emails to existing customers about similar products | Legitimate interest under the "soft opt-in" rule (you can opt out at any time) |
| Detecting fraudulent orders and chargebacks | Legitimate interest (fraud prevention) |
| Analytics and improving the Store | Legitimate interest (improving our service) |
| Meeting legal obligations (tax records, accounting, regulatory) | Legal obligation |
4. How long we keep your personal data
| Type of data | Retention |
| --- | --- |
| Order records (as required by HMRC for tax purposes) | 6 years from the end of the relevant tax year |
| Customer account (while active) | Until you close the account |
| Customer account (inactive) | Closed and deleted after 3 years of no activity |
| Email subscribers (active) | Until you unsubscribe |
| Email subscribers (after unsubscribe) | Email address retained on suppression list to honour your unsubscribe request, no other data |
| Contact/enquiry records (no purchase made) | 2 years from last contact |
| Website analytics (anonymised) | 14 months (Google Analytics 4 default) |
| Cookie data | Per individual cookie expiry — see section 8 |
5. Who we share your personal data with
We do not sell your personal data. We share it only with the following categories of recipients, only as necessary, and only under appropriate data processing agreements:
- Shopify Inc. — provides the e-commerce platform that hosts our Store. Shopify is our processor.
- Payment processors (Shopify Payments / Stripe / PayPal, depending on the payment method you choose) — process your payment. Each is a separate data controller for the payment transaction.
- Email service provider — sends transactional and marketing emails on our behalf. Processor.
- Digital delivery app — delivers your purchased files. Processor.
- Analytics provider (Google Analytics 4 or equivalent) — provides aggregated, anonymised analytics. Processor.
- HMRC and other tax authorities — where required for tax compliance.
- Our accountant — Kingscott Dix Limited, an ICAEW-supervised firm based at Goodridge Court, Goodridge Avenue, Gloucester GL2 5EN — for the management of our financial records. Processor under a professional duty of confidentiality. Kingscott Dix is also our registered office provider and our Authorised Corporate Service Provider for Companies House identity verification.
- Our solicitors and advisers — only where required, for legal or regulatory advice.
- A successor entity — if we sell or transfer the business, your personal data will transfer to the new owner under equivalent protections.
We do not share your personal data with marketing partners or sell it to third parties.
6. International transfers
Some of our processors (notably Shopify and Google) host data in the United States and other locations outside the UK. Where this is the case, the transfer is protected by:
- The UK International Data Transfer Addendum (UK IDTA), or
- The EU Standard Contractual Clauses (where the recipient also serves the EEA), or
- An adequacy decision of the UK Government, where one is in place
We do not transfer your data internationally unless one of these protections applies.
7. Your rights
Under the UK GDPR, you have the following rights:
- Right of access — to obtain a copy of the personal data we hold about you
- Right to rectification — to correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — to ask us to delete your data, subject to legal retention obligations
- Right to restriction — to limit how we use your data while a query is resolved
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to processing based on legitimate interest, including direct marketing
- Right to withdraw consent — where we are processing based on consent
- Right to complain to the ICO — see section 11
To exercise any of these rights, email us at hello@carefranchising.co.uk with the subject line "Data Protection". We will respond within 30 calendar days (the UK GDPR statutory deadline). We will not charge a fee unless your request is manifestly unfounded or excessive.
8. Cookies
We use cookies to make the Store work and to improve your experience.
Strictly necessary cookies (no consent required) — these are essential for the Store to function:
- Shopify session cookies (cart, checkout, account log-in)
- The cookie consent record itself
Analytics cookies (consent required) — these help us understand how visitors use the Store:
- Google Analytics 4 (_ga, _ga_*, etc.) — aggregated, anonymised behaviour analytics
Marketing cookies (consent required) — only used if you have given specific consent:
- Email retargeting and abandoned-cart cookies
You can give, refuse, or change your cookie consent at any time using the cookie banner on the Store, or by clearing cookies in your browser.
9. Marketing communications
We will only send you marketing emails if:
- You have actively subscribed (popup, footer form, etc.) — consent basis, OR
- You are an existing customer who has bought a similar product, and we are emailing you about other similar products you may find useful — on a legitimate-interest "soft opt-in" basis.
In both cases, every marketing email contains an unsubscribe link. Clicking it immediately removes you from our marketing list.
We do not buy or rent marketing lists.
10. Security
We take the security of your data seriously. Our measures include:
- Shopify's PCI-DSS-compliant infrastructure
- HTTPS / TLS encryption on every page of the Store
- Two-factor authentication on our admin accounts
- Strict access controls — only staff who need access to your data have it
- Regular review of access logs
- Card payment data is never stored on our systems (handled by certified payment processors)
- Documented incident response procedures, including UK GDPR breach notification (to ICO within 72 hours where required)
No system is 100% secure. If a breach occurs affecting your personal data and posing a risk to your rights, we will notify you in line with our UK GDPR obligations.
11. Complaints
If you believe we have mishandled your personal data, please contact us at hello@carefranchising.co.uk (subject line "Data Protection") first — we take complaints seriously and will investigate.
If you remain unsatisfied, you have the right to complain directly to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practice or in the law. The most current version is always the version on the Store. We will notify subscribed customers by email if changes are material.
13. Contact
For all data protection enquiries, exercising your rights, or any other privacy questions:
Care Franchising Limited, Kingscott Dix, Goodridge Court, Goodridge Avenue, Gloucester, GL2 5EN
Email: hello@carefranchising.co.uk
Companies House number: 16271445
ICO registration number: ZB959091
This Privacy Policy was last updated on 26 April 2026.
Version 1.0.