So we're all on the same page
Who are we?
We are HobbyBox.Club Limited (HobbyBox.Club/HBC/us/we) and trade under the name HobbyBox.Club.
We are registered with the UK data protection authority (the Information Commissioner’s Office), and our registration number is ZA872594.
This document explains how and why we use your personal information when you register with, or place orders via, our website. It also covers which third parties we share your information with, and how data is handled when you call us.
If you have any questions about this policy or wish to speak with our Data Protection Officer, you can contact us via firstname.lastname@example.org or write to us at HobbyBox.Club Limited, 4a Chesterton Place, Newquay, Cornwall, TR7 2RU.
Your data journey
When accessing our website
Whilst browsing our website, we track basic details such as the page you’re on, or the IP address you’re connecting from. This information is collected by Tawk.to - our live chat platform.
When registering via our website
We only ask for your name and email address. We require no other personal details to register an account. This information is immediately shared with our payment partner (Stripe), to create a customer record within our payments system.
When placing an order, or setting up a subscription
Once your basket has been completed, we will pass your information back to Stripe, to process the payment. They will directly collect your payment details, billing address, and shipping address for your order.
Stripe then shares your shipping address with us, and the results of the payment that was processed. We do not receive your full payment details - these are held securely by Stripe.
When confirming your order
We will send confirmation emails of your order. To do this we have partnered with Mailgun (an outbound email processing service). They will be provided with your name and email address in order to deliver this email.
When fulfilling your order
In order to provide our service, we are required to share your personal details with our carriers. We will provide your name, contact number, and delivery address. We may share your email address where this is requested.
All parties involved will validate your data automatically.
We may share your email address with Trustpilot in order to gather feedback on your experience(s).
When contacting us via Live Chat
Our live support partner - Tawk.to - will have access to your computer’s information (location, and IP address), along with your name and email address, which we provide them when you begin a new conversation.
When contacting us via Telephone
Our telephony partner (Dial9) will record details of the call - the phone number, and regional details where associated. These are stored for analysis.
If you choose to leave us a voicemail, the recording (and any details stored within) will be available for us to download and review, for 30 days.
We will tell you if your call is being recorded during a conversation.
Information generated during your journey
At various stages, data and outcomes are generated by some of our partners. For example, Stripe provides us with fraud analysis information. We will store any details that are relevant to us in the duty of providing a service. We will not keep this data longer than legally necessary.
Information we get from other external sources
We utilise social media advertising in order to raise business. We do not provide your contact details to the networks (or sell your data), but we may track internally how you arrived at our website.
We may attempt to verify your address using a third-party service, or the Royal Mail database. Where this occurs, your personal data is not directly shared with them, but we process it internally.
Information we might share when things go wrong
In the course of resolving a complaint, we may have to share your details with other third parties. This will always be discussed with you, where appropriate.
When we are bound to provide details (in the case of banking disputes, or claims of fraud) we may not be able to advise of the specific information being shared, as requested by the financial partner.
Why we use your data
The General Data Protection Regulation (GDPR) states that we must have a lawful basis for collecting, using, and sharing your personal data. The majority of your data is used for the legitimate interest of providing a service, as per our contractual obligations. We may have a legal duty to process your data in specific ways (as outlined in the data journey).
We do not rely on your consent for processing data related to subscriptions, as it is not possible to be a club member and receive shipments whilst not providing consent for data processing. We will, however, honor any rights to remove your data under the articles of the GDPR.
We will use your data under contractual obligations, in order to:
- Provide the service you have paid for
- Fulfill shipments associated with the order
- Provide support related to the service agreement
- Handle complaints raised by you
- Exercise our rights, as outlined in our terms and conditions
Your data will be used to comply with the law to:
- Verify your address for shipments
- Prevent fraudulent payments from being made
- Prevent illegal activities taking place within, or using our service
- Keep records of information we hold about you, in line with our legal obligations
- Complete any financial obligations and requirements (such as record-keeping, or supporting fraud investigations).
When we talk about legitimate interest, we reference the need to use your data for our interests, or those of a third party in the manner that you would expect us to. For example, you expect us to provide your delivery address to a courier in order to receive your shipments.
Who we share your data with
Some organisations that provide us with a service. This involves any company that provides us with services you use, and also services we use, to fulfill your orders. We share the smallest amount of data required, over secure connections.
- Payment Processors (like Stripe)
- Computing providers like Amazon Web Services, Krystal Hosting, and Katapult Cloud Computing
- Our support tools, such as Tawk.to or FreshDesk
- Any organisation that helps provide a communication service, such as Dial9, Twilio, or Mailgun
- Companies that support us with the fulfillment of your orders
- Organisations that print material containing personal data
Anyone you give us direct permission to share it with. When we are required to investigate issues on your behalf, we will ask you to confirm you’re happy for your details to be shared. We will advise why they require the information, and how they might use it.
Law enforcement and other external parties. Where we are compelled to share your details, we may:
- Provide authorities with information that allows us to prevent financial crime
- Share details with the police, courts, dispute resolution agencies, or debt recovery agencies where we have to
- Share details with banking and payment providers who are investigating complaints about a payment you made
Your data is stored as long as necessary
But never longer than needed. Whilst you continue to be a club member, we will retain your details in full. When you terminate your service with us (by leaving the club), or after a period of inactivity, we will begin to expunge your data once any regulatory or financial obligations have been met.
In some circumstances, your data may be present in backups for a longer period of time, but these remain encrypted and reach the end of life after 30 days.
Your rights ✅
You own your data, and you have the right to
- Access the personal data we hold about you, or receive a copy of it
- Ask us for your data in machine-readable and portable formats
- Make us send your data to someone else
- Tell us to correct inaccurate data
- Ask us to delete your data (although for financial or legal reasons we may not be able to do so straight away)
- Say no to us using your data for direct marketing
- Withdraw any consent you provided to us
If you wish to exercise these rights, you can find some options within our account dashboard, or you can contact us at email@example.com.
Where we store or send your data
Some of our third-party partners are based outside of the European Economic Area; however, we always request that your data is stored within the UK.
Where this is not possible and your data must be shared with their headquartered country, we always ensure this is a country that the Information Commission agrees has adequate data protection laws.
How to make a complaint
As with our standard terms, if you have a complaint about how we use your personal information, please write to us via firstname.lastname@example.org and we’ll do what we can to put things right.