Privacy Policy

This Privacy Policy describes how craigtodd.com ("we", "us", or "our") collects, uses, and shares your personal data when you use our website and related services. This policy complies with the UK GDPR, EU GDPR, and other applicable privacy laws.

1. Who We Are

We are the data controller responsible for your personal data under this policy:

Data Controller: Craig Todd
Email: privacy@craigtodd.com
Website: https://craigtodd.com

2. What Information We Collect

We may collect:

  • Contact information — name, email address, optional billing address, optional phone number
  • Account credentials — username, hashed password, two-factor authentication seed, trusted-device markers
  • Payment data — processed securely via Stripe. We never see, store, or transmit your full card number. We retain a tokenised reference (Stripe Customer ID + PaymentMethod ID), card brand, last 4 digits, and expiry month/year, in order to process refunds, send receipts, and (where you opt in) offer one-click repeat purchases
  • Order data — products purchased, amount, currency, optional add-ons, affiliate referral code where applicable
  • Technical data — IP address, browser type and version, device type, operating system, time of visit, referring URL
  • Geo-derived data — country, city, and broad network details derived locally from your IP. The lookup happens on our server using a downloaded database; your IP is not transmitted to a third party for this purpose
  • Security data — failed login attempts, lockout state, and breached-password checks (a partial hash prefix is sent to a public breach-corpus service to verify whether your chosen password has appeared in known breaches; your password itself never leaves our server)
  • Usage and analytics data — pages viewed, time on page, country, and broad region, processed in cookieless, IP-anonymised form by our own self-hosted analytics (no third-party processor, no cross-site tracking). The visitor identifier is regenerated every 24 hours, so we cannot track you across days. There is no cross-site tracking, no fingerprinting, and no third party ever receives this data.
  • Funnel and engagement data — when you start a checkout we record progression events (viewed, email entered, payment started, payment outcome, add-on accepted/declined). This lets us recover abandoned carts and improve conversion. Events include the product slug, source/campaign UTM parameters from your URL, device type, and timestamp
  • Live activity display — once you complete a purchase, your first name and city may be shown to other visitors in an anonymised form (e.g. "Sarah · Manchester · 4 minutes ago"). No surname, email, IP, order amount, or product price is shown publicly
  • Cookies — see Section 10

We do not knowingly collect data from children under 13. If you are under 16 and based in the EU, we recommend obtaining a parent or guardian's consent before submitting any personal data.

3. How We Collect It

  • When you fill in a form, register an account, or make a purchase
  • When you browse the site (automatically collected via standard server logs and CDN-edge headers)
  • Via cookies or similar tracking technologies (see Section 10)
  • Via webhooks from Stripe when a payment completes, fails, is refunded, or a subscription renews
  • From an in-house affiliate session identifier set when you arrive via a referral link, persistent for 90 days, used solely to credit the referring affiliate when you purchase
  • From magic links we email you for password-less account access (single-use, time-limited)

4. Legal Basis for Processing

We process your data under one or more of the following legal grounds:

Activity | Lawful basis
Processing your order and delivering products | Contractual necessity (Article 6(1)(b))
Sending receipts and order-related emails | Contractual necessity
Marketing emails to existing customers about similar products | Legitimate interests with opt-out (PECR soft opt-in)
Marketing emails to non-customers | Consent (Article 6(1)(a))
Affiliate referral tracking | Legitimate interests (paying our partners)
Brute-force protection, IP blocking, breach-password checks | Legitimate interests (account security)
Geo-derived analytics | Legitimate interests (fraud prevention, market understanding)
Cookie storage of session, CSRF, trusted-device | Strictly necessary (no consent required)
Cart-abandonment recovery emails | Legitimate interests with one-click unsubscribe
Tax records and accounting | Legal obligation (HMRC, EU VAT)
CDN-level DDoS / WAF protection | Legitimate interests (infrastructure security)

5. How We Use Your Data

  • To provide and manage your access to digital content and accounts
  • To process orders, deliver services, and issue receipts
  • To send transactional emails (purchase confirmations, login codes, password resets, license keys, webinar reminders, replay links)
  • To send marketing emails where you have consented or are an existing customer (with one-click unsubscribe in every email)
  • To recover abandoned checkouts where you provided your email but did not complete payment
  • To detect and prevent fraud, brute-force attacks, and abuse
  • To meet legal and tax obligations
  • To improve the website's performance, accessibility, and user experience
  • To display anonymised recent-purchase activity on checkout pages

6. Sharing Your Data

We do not sell your personal data.

We may share it with:

  • Stripe Payments Europe Ltd (Ireland, with US transfer under SCCs) — payment processing, fraud detection, saved-card management. Stripe is the processor of your card data; we are not
  • Cloudflare, Inc. (US, EU data via SCCs) — CDN, DDoS protection, bot challenges. May temporarily process your IP, request headers, and timing to mitigate attacks
  • Amazon SES (Amazon Web Services EMEA SARL, Luxembourg) — transactional and marketing email delivery
  • Bunny.net (BunnyWay d.o.o., Slovenia, EU) — video and large-file content delivery, where video is hosted on Bunny
  • A public breached-password service — only the first 5 characters of the hash of your password are sent. Your actual password never leaves our server
  • HMRC and other legal authorities if required by law or in response to a lawful request
  • Our affiliates — only the referral attribution event (purchase happened, commission owed); no buyer personal data is shared with affiliates

We do not share your data with advertising networks, ad-targeting platforms, or data brokers.

We may share anonymised or aggregated usage data (e.g., total orders by country) for performance tracking or marketing without identifying individuals.

All data processors act on our behalf under signed data processing agreements (where applicable) and are required to comply with applicable data protection laws.

7. International Transfers

Some services we use may process data outside the UK or EEA, primarily in the United States. When this happens, we rely on appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO
  • Adequacy decisions where they apply (e.g. EU↔UK)
  • Participation in the EU–US Data Privacy Framework where applicable (Stripe, Cloudflare, AWS)
  • EEA-hosted processing for video CDN (Bunny.net, Slovenia) so no cross-border transfer occurs for this service

You may request a copy of the relevant SCCs by contacting us at the address in Section 14.

8. How Long We Keep Data

Data type | Retention period
Customer account data | While account is active + 1 year after closure (then anonymised)
Purchase / order records | 7 years (UK accounting requirements)
Stripe payment metadata (last4, brand, exp) | While Stripe Customer is retained (deleted with account)
Marketing email subscriber lists | Until you unsubscribe + 30 days
Cart abandonment events | 180 days, then deleted
Login attempt logs | 90 days, then deleted
Geo / IP logs | 180 days, rolled up to country-level monthly summaries thereafter
Webinar recordings (where applicable) | 90 days unless retained explicitly
Affiliate referral session (server-side) | 90 days
Server access logs | 30 days

9. Your Data Rights (UK / EU GDPR)

You have the right to:

  • Access the personal data we hold about you (Subject Access Request)
  • Rectification of inaccurate or incomplete data
  • Erasure ("right to be forgotten") of your data, subject to legal retention obligations
  • Portability — receive your data in a structured, machine-readable format
  • Restriction of processing
  • Object to processing based on legitimate interests (including direct marketing — always honoured)
  • Withdraw consent at any time where consent is the lawful basis
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local EU supervisory authority

To exercise your rights, email privacy@craigtodd.com. We will respond within one calendar month, as required by UK / EU GDPR. Identity verification may be requested before fulfilling the request.

10. Cookies

We use the minimum cookies required to operate the site. All cookies set by this site are strictly necessary for the service you have requested, and we do not display a consent banner because no non-essential cookies are set.

Cookie | Purpose | Duration | Type
Session cookies | Account login session | Session | Strictly necessary
CSRF token cookie | Cross-site request forgery protection | Session | Strictly necessary
ctm_ref | Affiliate session identifier (opaque ID only; the actual referral data is stored on our server) | 90 days | Strictly necessary (functionality)
Trusted-device cookie | Skip two-factor on devices you trust | Configurable (default 30 days) | Strictly necessary
Cloudflare cookies (cf_bm, cf_clearance) | Bot management / challenge-clearance | Up to 30 days | Strictly necessary

We do not use third-party advertising or marketing cookies. Plausible Analytics does not use cookies.

You can disable cookies in your browser settings, but doing so will prevent you from logging in or completing purchases.

A full named-cookie reference (with detailed purpose and duration per cookie) is available in our Cookie Policy.

11. Security Measures

We implement strong technical and organisational measures including:

  • TLS 1.2+ encryption on all connections (HTTPS-only with HSTS preload)
  • Industry-standard adaptive password hashing
  • Two-factor authentication available on all accounts
  • Rate limiting and IP-level brute-force protection
  • A web application firewall blocking common injection and abuse patterns
  • Content Security Policy headers preventing script injection
  • Cryptographic webhook-signature verification on payment events
  • Time-limited, signed download links
  • File-system isolation for sensitive content

However, no system is 100% secure. In the event of a personal data breach likely to result in a high risk to your rights, we will notify the ICO within 72 hours and you without undue delay, as required by GDPR.

12. Updates to This Policy

We may update this policy from time to time to remain compliant with legal requirements and best practices. The "Last updated" date at the bottom of this page reflects the most recent change. Material changes will be notified to account holders by email.

13. Automated Decision-Making

We use automated systems for fraud and security decisions (for example, blocking IP addresses showing brute-force or injection patterns, and flagging unusual transaction velocity for human review). These do not produce legal effects on you and have human-review fallbacks. We do not use automated decision-making for credit, insurance, employment, or any decision producing legal or similarly significant effects.

You can request human review of any automated security decision (e.g. IP block) by contacting privacy@craigtodd.com.

14. Contact Us

If you have any questions or requests regarding this Privacy Policy or how your data is handled, contact:

Craig Todd
Email: privacy@craigtodd.com
Website: https://craigtodd.com

Last updated: 18 May 2026
