Skip to content
Canton Core concentric square markCanton Core

Legal

Privacy Policy

How CANTON CORE COMPANY LTD handles personal data for orders, deliveries, returns, support and memberships — and the rights you have over it.

Last updated 15 July 2026

01

Who is responsible for your data

CANTON CORE COMPANY LTD, trading as Canton Core, is the data controller for the personal data described in this policy. We are a company registered in United Kingdom and we sell physical organization kits to customers worldwide from our United Kingdom operation.

We have not appointed a statutory Data Protection Officer because we are not required to. Privacy questions go to the address above and are handled by our support team.

02

What we collect

We collect only what an order, an enquiry or a membership actually requires.

  • Order and delivery data: your name, email address, phone number, and the shipping address you give us — street address, town or city, postal code and country; the kits ordered, quantities and the USD order value. This is the data we need for order fulfilment: picking and packing your kit, handing the parcel to a carrier and proving delivery.
  • Payment data: the payment status, the last four digits and card brand, and the Stripe identifiers for the session and payment. We never receive or store your full card number, expiry date or security code.
  • Account and membership data: the email address on the membership, the plan and billing period, the renewal date, and subscription status changes.
  • Support and enquiry data: the name, email, optional phone number, country, subject and message you send through the contact form; for wholesale enquiries, also your company name, kits of interest and indicative volume.
  • Technical data: server logs containing IP address, user agent, requested page and timestamp, generated when your browser requests a page.

We do not collect identity documents, national insurance or social security numbers, or special category data such as health, biometric, political or religious information. Do not send these to us; if you do, we delete them.

03

Collection sources: where we collect it from

We use four collection sources, and no others. We do not buy personal data from data brokers, we do not scrape it from third-party sources, and we do not receive it from advertising networks.

  • Directly from you: when you complete the checkout form, the contact form, the wholesale enquiry form, or start a membership.
  • Automatically from your device: the technical data in our server logs, and the strictly necessary storage described under Cookies.
  • From our payment processor: Stripe tells us whether a payment succeeded, failed, was refunded or disputed, along with the billing name and country you gave Stripe.
  • From our delivery carriers: tracking status and delivery confirmation for your parcel.
05

Who we share it with

We share personal data only with the processors we need to run the store. Each is bound by contract to use it only on our instructions.

  • Payments — Stripe. Processes your card payment and membership billing, and holds the card data we never see. Stripe acts as an independent controller for fraud prevention and regulatory purposes.
  • Hosting — Vercel. Serves this website and processes the technical data in server logs.
  • Database — Supabase. Stores order enquiries, contact and wholesale messages.
  • Delivery carriers. For order fulfilment we pass the recipient name, the shipping address, postal code, country and phone number needed to deliver the parcel and, for cross-border parcels, the customs description and declared value. Carriers may use these details only to deliver your parcel, never for their own marketing.
  • Professional advisers. Our accountants and, where necessary, legal advisers, under a duty of confidentiality.
  • Authorities. Where we are legally required to disclose data, or to establish, exercise or defend legal claims.

If our business is ever sold or reorganised, personal data may transfer to the buyer, who would remain bound by this policy until you are told otherwise.

06

International transfers

We are based in United Kingdom and ship worldwide, so your data may be processed outside the UK and the European Economic Area — in particular in the United States, where Stripe, Vercel and Supabase operate infrastructure.

Where data leaves the UK or EEA, we rely on the UK International Data Transfer Addendum and the European Commission's Standard Contractual Clauses, together with the technical safeguards our processors apply, such as encryption in transit and at rest. If you order from outside the UK, your delivery details are necessarily transferred to the carrier serving your country in order to perform our contract with you.

07

How long we keep it

  • Order, payment and delivery records: seven years from the end of the financial year of the order, to meet United Kingdom accounting and tax record-keeping requirements.
  • Membership records: for the life of the membership and then seven years, on the same accounting basis.
  • Contact and wholesale enquiries: up to 24 months from your last message, then deleted.
  • Incomplete checkout records: up to 24 months, then deleted; deleted sooner if you withdraw consent.
  • Server logs: up to 30 days.
08

Your rights

If you are in the UK or the EEA, the UK GDPR and EU GDPR give you the right to: access a copy of your personal data; correct inaccurate data; erase data where we no longer need it; restrict or object to processing based on legitimate interests; receive your data in a portable format; and withdraw consent at any time where consent is the basis, without affecting processing before withdrawal.

If you are a California resident, the CCPA as amended gives you the right to know what personal information we collect and why, to request deletion or correction, to opt out of sale or sharing, and not to be discriminated against for exercising these rights.

Do Not Sell or Share My Personal Information. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. There is nothing to opt out of, and no financial incentive is offered for your data.

To exercise any right, email support@cantcore.shop or write to us at the postal address above. We reply within one month. We may ask you to confirm the email address used on the order so we do not disclose data to the wrong person; an authorised agent may act for you with written authority.

09

Cookies and analytics

This site uses strictly necessary storage only. Your cart is held in your own browser's local storage so it survives a page reload, and a signed cookie is set only if a staff member signs in to the administration area. Neither is used to track you.

We run no advertising cookies, no third-party analytics and no tracking pixels. When you are sent to Stripe to pay, Stripe sets its own cookies for fraud prevention under its own privacy notice. Full detail is in our Cookie Policy.

10

Security

The site is served over HTTPS and personal data is encrypted in transit and at rest by our hosting and database providers. Card data is handled entirely by Stripe, a PCI DSS Level 1 certified provider, so it never touches our systems. Access to order and enquiry data is limited to the staff who need it, protected by authentication and reviewed periodically.

No online service is completely secure. If a breach affects your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours where required, and tell you without undue delay when the risk to you is high.

11

Automated decisions and children

We do not make decisions about you by automated means that produce legal or similarly significant effects, and we do not profile you. The Core Kit Builder maps your four answers to a fixed rule set to suggest a kit; it does not analyse you or store your answers.

Our store is not intended for children. You must be at least 13 to use this site. If you are between 13 and 17 you may only use it and place an order with the consent and supervision of a parent or guardian, who takes responsibility for the order. We do not knowingly collect data from children under 13; if you believe a child has given us personal data, email support@cantcore.shop and we will delete it.

12

Complaints and contact

Please contact us first at support@cantcore.shop — most concerns are resolved quickly.

If you are not satisfied, you can complain to the UK Information Commissioner's Office at ico.org.uk, by calling 0303 123 1113, or in writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. If you are in the EEA you may instead complain to the supervisory authority in your country of residence.

We review this policy at least once a year and when our processing changes. Material changes are announced on this page, and the date below always shows the current version. This policy is governed by the laws of Scotland, United Kingdom.

Questions about this policy? Email support@cantcore.shop or use the contact form. We reply within one business day, Monday to Friday, 09:00–17:00 UK time.