Privacy Policy (EU & UK)

Effective date: 19 October 2025
Controller: GLOBAL SHIP AND SERVICE LTD (“we”, “our”, “us”)
Registered in: United Kingdom
Registered office: Ground Floor, Radley House, Richardshaw Road, Leeds, LS28 6LE
Company number: 16789042
Email: dmytro@modelcrate.shop

1) Who this policy applies to

This policy applies when you visit our website(s), place an order, create an account, contact customer support, sign up for marketing, participate in promotions, request warranty/repair services, or otherwise interact with us. It covers individuals in the United Kingdom and the European Economic Area (EEA).

2) What data we collect

a) Identity & contact data
Name, billing/shipping address, email, telephone, account credentials.

b) Order & support data
Cart contents, orders, invoices, delivery status, RMA/warranty/repair records (e.g., model, serial, fault description), communications with us.

c) Payment data
Payment method, transaction identifiers and status. We do not receive or store full card numbers; these are processed by our payment provider(s) [insert, e.g., Stripe/PayPal/Adyen].

d) Device & usage data
IP address, device/browser type, pages viewed, clicks, referring/exit pages, approximate location (city/country), session identifiers, error logs.

e) Marketing & cookie preferences
Your choices about newsletters, profiling for recommendations, and cookie consent settings.

f) User‑generated content
Product reviews, questions, images or videos you submit.

We do not intentionally collect special category data. Please do not provide it to us.

3) Why we use your data (legal bases)

Purpose	Examples	Legal basis (EU/UK GDPR)
Fulfilling orders & delivering products	Processing payments, arranging delivery, customer updates	Contract
Customer service & warranty/repairs	Diagnostics, replacements, returns, recalls	Contract; Legal obligation (product safety)
Account & site functionality	Authentication, preventing abuse, remembering preferences	Legitimate interests; Contract (for accounts)
Analytics & performance	Measuring pages that load slowly, improving UX	Legitimate interests; Consent where cookies are non‑essential
Marketing	Newsletters, offers for similar products, remarketing	Consent (EEA); Consent or soft opt‑in for existing UK customers under PECR (see Section 8)
Security & fraud prevention	IP reputation checks, chargeback investigations	Legitimate interests
Legal, tax & compliance	Accounting, record keeping, responding to authorities	Legal obligation

Where we rely on consent, you can withdraw it at any time (see Section 9).

4) Where we get your data

Directly from you (checkout, forms, support tickets, emails, phone).
Automatically from your device via cookies/SDKs (see Section 8).
From service providers (e.g., payment or delivery status updates).
Occasionally from partners—only where lawful and transparent.

5) Sharing your data

We share personal data only as needed with:

Payment processors (…) to process transactions.
E‑commerce/hosting & IT (OVH).
Delivery & logistics (e.g., Royal Mail, DPD, UPS).
Analytics & marketing tools (only where permitted by your consent/PECR).
Professional advisors (legal, accounting).
Authorities when required by law (e.g., tax, product safety recalls).

We require recipients to protect your data and only use it for our specified purposes.

6) International transfers

We are based in the UK and may transfer data:

Between the UK and EEA. The EU’s adequacy decisions for the UK remain in force and were extended until 27 December 2025, so personal data can continue to flow EEA→UK without extra safeguards during this period. (European Commission)
To the United States. Where we use US providers:
- For EU/EEA data, we may rely on the EU‑U.S. Data Privacy Framework (DPF) where the recipient is certified, alongside other GDPR safeguards as needed. (The DPF entered into force in July 2023 and was upheld by the EU General Court on 3 September 2025.) (Data Privacy Framework)
- For UK data, we may rely on the UK‑U.S. “Data Bridge” (UK Extension to the EU‑U.S. DPF) for certified US recipients, or other UK transfer tools where appropriate. (ICO)
Other countries. Where applicable, we use the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the SCCs, plus risk assessments and supplementary measures.

We can provide details of transfer safeguards on request.

7) How long we keep your data

We keep data only as long as needed for the purposes above, including legal/accounting requirements. Typical periods:

Orders, invoices & tax records: 6 years from the end of the financial year they relate to (statutory retention in the UK). (GOV.UK)
Warranty/repair files: duration of warranty plus up to 6 years (to handle claims).
Support tickets & chat: 2–3 years after last contact.
Marketing data: until you unsubscribe or your consent is withdrawn, then suppressed (kept only to respect your opt‑out).
Web analytics: per provider default or shorter where feasible.

8) Cookies & similar technologies

We use cookies and similar tech to run the site (e.g., cart, checkout, security) and—subject to your consent—for analytics and advertising.

Consent for non‑essential cookies. In the UK and EEA, we request opt‑in consent for non‑essential cookies via our cookie banner. You can change your choices at any time via “Cookie settings” in our footer. (ICO)
Soft opt‑in (UK email marketing). Separate from cookies, UK PECR allows a limited “soft opt‑in” to email existing customers about similar products if we gave you a clear chance to opt out when we collected your details and in every message. You can opt out at any time. (This rule does not apply to new prospects or bought lists.) (ICO)

See our Cookie Notice for a current list of cookies and partners.

9) Your rights (EU/UK)

Subject to conditions and exemptions, you have the right to:

Access your data;
Rectify inaccurate data;
Erase your data;
Restrict processing;
Object to processing (including direct marketing);
Data portability;
Withdraw consent (where we rely on consent);
Complain to a supervisory authority (see Section 11).

To exercise rights, email us at [insert privacy email]. We verify identity and respond within one month (extendable by two months for complex requests).

10) Children

Our site and products are intended for adults. We do not knowingly collect data from children under 13 (UK). In the EEA, we do not knowingly seek consent directly from children below the local digital‑consent age (typically 13–16 depending on the country). Parents/guardians who believe a child has provided data should contact us to delete it.

11) How to complain

If you are unhappy with how we handle your data, please contact us first. You also have the right to complain to a data protection authority:

United Kingdom (ICO): Submit a complaint via the ICO website or call 0303 123 1113. (ICO)
EEA: Contact your national supervisory authority (see the EDPB list of members for links to each authority). (European Data Protection Board)

12) Security

We use administrative, technical and physical safeguards appropriate to the risks (e.g., access controls, encryption in transit, hardened hosting, regular patching). No system is 100% secure; if we believe your data may be at risk, we will act promptly and, where required, notify you and/or authorities.

13) Automated decisions & profiling

We do not make decisions with legal or similarly significant effects based solely on automated processing. We may use limited profiling (e.g., purchase history, browsing) to tailor offers or product recommendations. You can object to direct marketing at any time (see Section 9).

14) Changes to this policy

We may update this policy to reflect changes in our services, laws or guidance. Material changes will be highlighted on this page and, where appropriate, emailed to account holders. Please review this page periodically.

15) Contact us

GLOBAL SHIP AND SERVICE LTD
Email: dmytro@modelcrate.shop
Postal: Ground Floor, Radley House, Richardshaw Road, Leeds, LS28 6LE