Privacy policy

POLICY · PRIVACY · CASA CREW

Your data, our promise.

Last updated: May 2026

N° 00 · THE PLAIN-ENGLISH VERSION

We collect what we need to run the shop, ship your order, and reply to you. We don't sell your data. Ever. Full stop.

This privacy policy explains how Casa Crew ("we," "us," "our") collects, uses, and protects your personal information when you visit our website or buy from us. We're committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

N° 01 · WHO WE ARE

Who's behind this.

Casa Crew is the trading name of the business operating this website. If you have any questions about this policy or how we handle your data, contact us at hello@casacrew.com.

For the purposes of UK GDPR, we are the "data controller" of your personal information.

N° 02 · WHAT WE COLLECT

The information we hold.

— You give us

  • Contact details — name, email, phone, billing and delivery addresses
  • Account info — encrypted password and saved preferences (if you create one)
  • Order history — products purchased, dates, amounts, fulfilment status
  • Payment information — processed by our payment providers; we never see or store full card numbers
  • Communications — messages sent via contact form, email, social DMs
  • Marketing preferences — what you've subscribed to and what you've opted out of

— Auto-collected

  • Device & browser — IP address, browser type, OS, screen size, language
  • Site behaviour — pages visited, products viewed, time on site, navigation paths
  • Referral source — which website or ad sent you here
  • Cookies & identifiers — small files for cart, login, analytics (see Section 05)
  • Approximate location — derived from IP, used for shipping & currency
  • Crash & error data — to help us identify and fix technical issues

N° 03 · HOW WE USE IT

What it's for.

Every piece of data we hold serves one of these purposes. If it doesn't fit one, we don't have it.

01 — ORDER PROCESSING

Take payment, ship the cap, send order confirmations & tracking, handle returns & refunds.

02 — RUN THE WEBSITE

Keep cart working, remember your login, load pages quickly, prevent fraud, fix what breaks.

03 — TALK TO YOU

Reply to messages, send order updates, and (only if you've opted in) marketing about new drops.

04 — IMPROVE WHAT WE DO

Understand which products people like, where the site is confusing, what marketing actually works. Anonymised, aggregate data only.

05 — LEGAL OBLIGATIONS

Tax records, accounting, fraud prevention, responding to lawful requests. We keep what we're legally required to — no more.

N° 04 · LEGAL BASIS

Why we're allowed to.

Under UK GDPR, we rely on the following legal bases:

  • Contract — processing necessary to fulfil our agreement with you (delivering your order)
  • Legal obligation — keeping records required by tax, accounting, and fraud-prevention laws
  • Legitimate interests — running the business, improving the site, preventing fraud
  • Consent — for marketing communications and non-essential cookies (you can withdraw anytime)

N° 05 · COOKIES

The cookies, demystified.

Cookies are small text files saved by your browser. We use four categories — you can turn off the optional ones any time via the cookie banner or your browser settings.

Type                    Purpose                                                               Disable?
Essential (REQUIRED)    Cart, checkout, login session, fraud prevention                       No
Analytics (OPTIONAL)    Aggregated data via Shopify Analytics & Google Analytics 4            Yes
Marketing (OPTIONAL)    Personalised ads on Meta, TikTok, Google & effectiveness measurement  Yes
Preferences (OPTIONAL)  Language, currency, display choices                                   Yes

N° 06 · WHO WE SHARE WITH

Who else sees your data.

We only share data when we have to — and always with vendors that meet our security standards. Here's the full list.

  • Shopify — hosts our store, processes orders, manages inventory and accounts
  • Payment processors — Shopify Payments, Stripe, PayPal, Klarna, Apple Pay, Google Pay. They handle card details directly
  • Couriers — Royal Mail, DPD, Evri, FedEx and our chosen international carriers receive what's needed to deliver your order
  • Email service providers — Klaviyo or Mailchimp for transactional and marketing email
  • Analytics tools — Shopify Analytics and Google Analytics 4 for anonymised data
  • Advertising platforms — Meta, TikTok, Google Ads (only with your cookie consent)
  • Customer-service tools — any helpdesk software used to manage support enquiries
  • Authorities — only if served with a lawful court order, subpoena, or law-enforcement request

— What we never do

Sell your personal data, rent it out, share it with brokers, or use it for purposes you haven't agreed to.

N° 07 · YOUR RIGHTS

What you can ask us to do.

Under UK GDPR you have the following rights. Email hello@casacrew.com and we'll respond within 30 days.

A — RIGHT TO ACCESS

Request a copy of all personal data we hold about you, in a portable format.

B — RIGHT TO CORRECTION

If something we hold about you is wrong, tell us and we'll fix it.

C — RIGHT TO ERASURE

"Right to be forgotten." Ask us to delete your data, except where we're legally required to keep it (e.g. tax records).

D — RIGHT TO PORTABILITY

Get your data in a structured, machine-readable format (CSV or JSON).

E — RIGHT TO OBJECT

Object to processing for marketing or legitimate-interest purposes. Marketing opt-out is one click in any email.

F — RIGHT TO RESTRICT

Ask us to pause processing your data while a query is investigated.

G — RIGHT TO WITHDRAW CONSENT

Anywhere you've given consent (marketing emails, certain cookies), withdraw it at any time, no questions asked.

H — RIGHT TO COMPLAIN

Lodge a complaint with the UK Information Commissioner's Office: ico.org.uk.

N° 08 · DATA RETENTION

How long we keep it.

Order & transaction data    7 years (UK tax law)
Account data                Until deleted, or 3 years inactive
Marketing data              Until you unsubscribe
Customer-service messages   Up to 3 years
Analytics data              14–26 months (anonymised)

N° 09 · SECURITY

How we protect it.

  • Encryption in transit (SSL/TLS on every page)
  • Encryption at rest for sensitive data via Shopify's infrastructure
  • Restricted access — only authorised team members can access customer data
  • Regular security reviews of our vendors and processes
  • PCI-DSS compliance through our payment processors

While no system is perfectly secure, we work hard to protect your data and respond promptly to issues. If a breach affecting your rights occurs, we'll notify you and the ICO within 72 hours, as required by UK GDPR.

N° 10 · INTERNATIONAL TRANSFERS

Outside the UK.

Some of our service providers (such as Shopify, Google, Meta) may store data outside the UK. Where this happens, we rely on:

  • Standard Contractual Clauses approved by the UK government
  • Adequacy decisions for countries deemed to provide equivalent protection
  • Vendor compliance with UK GDPR through self-certified frameworks

N° 11 · CHILDREN'S DATA

For under-16s.

Our website and products are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we'll delete it.

N° 12 · CHANGES TO THIS POLICY

When this updates.

We may update this privacy policy from time to time. The "Last updated" date at the top will reflect any changes. Material changes will also be communicated by email if you have an account or are subscribed to our marketing list.

N° 13 · CONTACT

Get in touch.

For any questions about this policy, your data, or to exercise your rights:

— EMAIL

casa.crew25@outlook.com

Subject line "Privacy enquiry" helps us route it quickly. We reply within 24 hours on weekdays, 30 days at the latest for formal data-rights requests.

POLICY · CASA CREW · LAST UPDATED MAY 2026 · EDITION 001