Data Protection | Binder Beast

Data Protection

How we safeguard your data under UK GDPR and data protection laws.

Last Updated: May 19, 2026

01

Our Commitment to Data Protection

At Binder Beast, we take data protection seriously. We are fully committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable data protection laws. This Data Protection page outlines our principles, practices, and your rights regarding the personal data we process.

We act as the data controller for the personal information you provide to us. Our goal is to ensure your data is handled lawfully, fairly, transparently, and securely at all times.

02

Data Protection Principles

We adhere to the following core data protection principles as required by UK GDPR:

Lawfulness, Fairness & Transparency

We process your data lawfully, fairly, and in a transparent manner. You will always know what data we collect and why.

Purpose Limitation

We collect data for specified, explicit, and legitimate purposes only. We do not use it for incompatible purposes.

Data Minimisation

We only collect personal data that is adequate, relevant, and limited to what is necessary for our services.

Accuracy

We keep your personal data accurate and up-to-date. Inaccurate data is erased or rectified without delay.

Storage Limitation

We retain your data only for as long as necessary to fulfill the purposes for which it was collected.

Integrity & Confidentiality

We process your data securely using appropriate technical and organisational measures to prevent unauthorised access.

Accountability

We are responsible for demonstrating compliance with all data protection principles and maintaining records of processing.

03

Lawful Basis for Processing

Under UK GDPR, we must have a valid lawful basis to process your personal data. We rely on the following bases depending on the circumstances:

  • Contract: Processing is necessary to fulfill our contract with you (e.g., processing orders, delivering products)
  • Consent: You have given clear consent for us to process your data for specific purposes (e.g., marketing emails, cookies)
  • Legal Obligation: Processing is necessary for us to comply with the law (e.g., tax records, fraud prevention)
  • Legitimate Interests: Processing is necessary for our legitimate interests, provided your rights do not override them (e.g., website analytics, customer service improvement)
  • Vital Interests: Processing is necessary to protect someone's life (rarely applicable in our business context)

When we rely on consent as our lawful basis, you have the right to withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing before the withdrawal.

04

Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data. You can exercise these rights free of charge:

  • Right to Be Informed: You have the right to be informed about the collection and use of your personal data (this page and our Privacy Policy fulfill this right)
  • Right of Access: You can request a copy of all personal data we hold about you (Subject Access Request)
  • Right to Rectification: You can request that we correct inaccurate or incomplete personal data
  • Right to Erasure ("Right to Be Forgotten"): You can request deletion of your personal data in certain circumstances
  • Right to Restrict Processing: You can request that we limit the processing of your data in specific situations
  • Right to Data Portability: You can request your data in a structured, commonly used, machine-readable format
  • Right to Object: You can object to processing based on legitimate interests or direct marketing
  • Rights Related to Automated Decision-Making: You have the right not to be subject to solely automated decisions with significant effects (we do not use such systems)

To exercise any of these rights, please contact our Data Protection Officer using the contact details below. We will respond within one calendar month of receiving your request.

05

Data Security Measures

We implement a comprehensive range of technical and organisational security measures to protect your personal data:

  • SSL/TLS encryption for all data transmitted between your browser and our servers
  • PCI DSS compliant payment processing — we never store your full credit card details on our servers
  • Regular security audits, vulnerability assessments, and penetration testing
  • Role-based access controls restricting personal data access to authorised personnel only
  • Secure password hashing (bcrypt) and multi-factor authentication for staff accounts
  • Firewall protection, intrusion detection systems, and anti-malware solutions
  • Regular staff training on data protection and information security
  • Incident response plan and breach notification procedures

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform you without undue delay.

06

Data Transfers Outside the UK

Your personal data is primarily processed and stored within the United Kingdom. However, some of our service providers may be located outside the UK, including in countries within the European Economic Area (EEA) and occasionally in the United States.

When we transfer your data outside the UK, we ensure appropriate safeguards are in place:

  • Transfers to EEA countries are permitted under UK GDPR adequacy decisions
  • Transfers to the US and other non-adequate countries use Standard Contractual Clauses (SCCs) approved by the UK government
  • We conduct Transfer Risk Assessments (TRAs) for all international data transfers
  • All third-party providers must sign data processing agreements with adequate protection clauses

07

Cookies and Tracking

We use cookies and similar tracking technologies in accordance with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR requirements:

  • Strictly Necessary Cookies: Required for the website to function — these do not require consent
  • Analytics Cookies: Help us understand how visitors interact with our website — deployed only with your consent
  • Marketing Cookies: Used to deliver relevant advertisements — deployed only with your consent
  • Preference Cookies: Remember your settings and choices — deployed only with your consent

When you first visit our website, you will see a cookie banner allowing you to manage your preferences. You can change your cookie settings at any time by clicking the "Cookie Settings" link in the footer.

08

Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments (DPIAs) for any processing operations that are likely to result in a high risk to individuals' rights and freedoms. This includes:

  • Systematic and extensive evaluation of personal aspects relating to natural persons
  • Large-scale processing of special categories of data (we do not currently process such data)
  • Large-scale, systematic monitoring of a publicly accessible area

Our DPIAs identify and minimise the data protection risks of our processing activities. Where necessary, we consult the ICO before processing begins.

09

Records of Processing Activities

As required by UK GDPR Article 30, we maintain detailed records of our processing activities. These records include:

  • The purposes of processing
  • Categories of personal data and data subjects
  • Categories of recipients to whom data is disclosed
  • Information about international transfers and safeguards
  • Retention periods for different categories of data
  • Technical and organisational security measures

These records are available to the ICO upon request and help us demonstrate our compliance with data protection obligations.

10

Complaints and Supervisory Authority

If you believe we have not handled your personal data in accordance with data protection laws, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority set up to uphold information rights.

ICO Contact Details: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Helpline: 0303 123 1113. Website: www.ico.org.uk

We encourage you to contact us first so we can attempt to resolve any concerns directly. Our Data Protection Officer details are provided below.

11

Changes to This Data Protection Notice

We may update this Data Protection page from time to time to reflect changes in our practices, legal requirements, or business operations. When we make significant changes, we will:

  • Post the updated notice on this page with a revised "Last Updated" date
  • Notify registered users via email if the changes are substantial
  • Display a prominent notice on our website for 30 days following material updates

We encourage you to review this page periodically to stay informed about how we protect your data.

Contact Our Data Protection Team

For any data protection queries, Subject Access Requests, or to exercise your rights, our team is ready to assist you.

Contact DPO