PRIVACY & DATA PROCESSING NOTICE
(UK GDPR – Business Customers)
1. Purpose of this Notice
This Privacy & Data Processing Notice explains how Crystalov Ltd (“we”, “us”, “our”) collects, uses, stores and shares personal and business data provided by our customers and their representatives in connection with the supply of alcoholic products and related compliance obligations. This Notice is provided in accordance with UK GDPR (Article 13) and the Data Protection Act 2018.
2. Data Controller
For the purposes of UK data protection law, Crystalov Ltd is the Data Controller of the personal data described in this Notice. All data protection enquiries should be directed to:
3. Categories of Data We Collect
We may collect and process the following categories of personal and business data:
3.1 Business Information
- Company name and trading name
- Company registration number
- VAT number
- Nature of business
3.2 Contact Information
- Names and job titles of directors, owners and authorised contacts
- Business email addresses
- Telephone numbers
3.3 Licensing & Compliance Information
- Premises Licence details
- Designated Premises Supervisor (DPS) details
- Personal Licence details
- Licensed premises addresses
Where documents are uploaded through controlled website forms, files may be validated, malware-scanned, and stored in private infrastructure before compliance review.
3.4 Operational Information
- Trading and delivery addresses
- Order, delivery and invoicing records
3.5 Financial Information (where applicable)
- Bank details (for credit terms or refunds)
- Credit application and assessment information
3.6 Website Compliance Records
Where required for lawful website operation and compliance, we may process consent identifiers, cookie preference selections, consent timestamps, policy versions, source pages, pseudonymised network metadata, browser metadata, and current-session age verification state.
3.7 First-Party Website Analytics
Where you explicitly enable analytics, we may process minimal first-party website analytics records such as page views, key navigation or call-to-action interactions, page titles, page paths, referrer host or same-site path context, campaign parameters, device class, pseudonymous visitor/session identifiers, and event timestamps. We do not use these records for advertising, cross-site profiling, session replay, or social media tracking.
4. Purposes of Processing
We process personal data only where necessary for the following purposes:
- Customer registration and account management
- Alcohol licensing due diligence and AWRS compliance
- Verification of licensing status with HMRC and local authorities
- Processing and fulfilment of orders
- Delivery coordination and logistics
- Invoicing, payment processing and debt recovery
- Credit assessment and credit management (where requested)
- Website consent recording, access control and compliance evidence where required by law
- First-party website measurement and service improvement where analytics consent has been given
- Legal, regulatory and audit compliance
This Privacy & Data Processing Notice applies in conjunction with Crystalov Ltd’s Terms & Conditions of Supply and Customer Registration, Licensing & Compliance procedures.
5. Lawful Bases for Processing
We process personal data on the following lawful bases under UK GDPR:
- Legal obligation – to comply with licensing law, HMRC and AWRS requirements and to keep records where consent is required by PECR or similar laws
- Contractual necessity – to perform or enter into a contract for the supply of goods
- Legitimate interests – to protect our business, prevent fraud and ensure lawful trading
- Consent – for optional first-party website analytics and similar technologies where required by PECR and UK GDPR. Optional analytics remains disabled by default until an explicit choice is made.
We do not rely on consent as the primary basis for processing business customer data.
6. Data Sharing
We may share personal data only where necessary with: HMRC and other regulatory or enforcement authorities; local licensing authorities; delivery and logistics providers; credit reference agencies (where credit terms are requested); professional advisers (legal, accounting, audit), subject to confidentiality obligations; and technical service providers supporting secure website delivery, storage, document handling, or communications where such services are used under appropriate contractual controls. We do not sell personal data, do not share data for marketing purposes, and do not disclose first-party website analytics records to advertising networks or social media platforms.
7. International Transfers
Website data is stored on controlled infrastructure selected for lawful business operation. We do not knowingly disclose or transfer website personal data outside the United Kingdom unless this is required for a specific service, legal obligation, or technical safeguard, in which case appropriate protections will be applied and this Notice will be updated accordingly.
8. Data Retention
Personal data will be retained:
- For the duration of the trading relationship;
- For up to six (6) years after the final transaction, in line with legal, accounting and regulatory requirements;
- For website consent evidence and website onboarding records where required for compliance; and
- For up to thirteen (13) months for first-party website analytics records unless a longer retention period is required for incident investigation or legal obligations.
Data is securely deleted or anonymised once retention periods expire.
9. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure. Access to personal data is restricted to authorised personnel only. Where files are submitted through controlled website forms, technical controls may include server-side validation, malware scanning, private storage segregation, and security logging. Where first-party analytics is enabled by consent, analytics events are stored on controlled infrastructure using pseudonymous identifiers and reviewed only by authorised personnel for service measurement, security, and compliance purposes.
10. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request erasure of data (where legally permissible)
- Request restriction of processing
- Object to processing based on legitimate interests
These rights are subject to statutory limitations, including where processing is required to comply with legal, regulatory, licensing, or accounting obligations. Requests may be made by contacting us at: info@crystalov.co.uk
11. Complaints
If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
12. Changes to this Notice
This Privacy Notice may be updated from time to time. The latest version will always apply to the processing of personal data.