Privacy Policy

Privacy Policy

Effective date: 25 August 2025

1. Who we are (Controller)

Avatar Craft (the “Website”) is operated by NEWBRIDGE CAPITAL BATH LTD (Company No. 15793827), the data controller for personal data processed via http://profile-art.com/. Registered office: Dept 6101, 43 Owston Road, Carcroft, Doncaster, United Kingdom, DN6 8DA. Contact (privacy): info@profile-art.com.

2. Scope of this Policy

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you browse the Website, create an account, purchase digital content, or contact us. It applies to visitors and customers in the UK and EEA. We do not offer subscriptions; purchases are one‑off digital downloads (Pay‑In only).

3. Personal data we collect

We may collect the following categories of personal data:

• Identity & contact data: name, email address, country, billing details.
• Account data: username, password (hashed), order history, download/access logs.
• Order & payment meta: order ID, timestamps, amount/currency, masked card data and authorisation results (we do not store full card numbers).
• Device & usage data: IP address, device/OS/browser, language, referrer/attribution parameters, pages viewed, session identifiers.
• Support correspondence: messages, attachments, screenshots, and related metadata.
• Cookie/consent data: consent preferences and identifiers from our consent management platform (CMP).

4. Sources of data

• Directly from you when you browse, register, purchase, or contact support.
• Automatically via cookies, SDKs, and similar tech (see Cookie Policy).
• From payment processors, card schemes, and fraud‑prevention partners (authorisation responses, risk signals).

5. Purposes and legal bases

We process personal data for the purposes and on the legal bases below (UK GDPR Art. 6):

1. 1. Contract performance: to create and administer your account, process and deliver your order, provide access to downloads, and provide support.
2. 2. Legitimate interests: to protect our platform and users (fraud/risk/sanctions screening), prevent abuse and chargeback fraud, improve products, and maintain security. We balance these interests against your rights and freedoms.
3. 3. Legal obligations: to maintain records for tax and accounting, comply with consumer protection and e‑commerce laws, and respond to lawful requests.
4. 4. Consent: for non‑essential cookies/analytics/marketing (where used) and for email marketing where legally required. You may withdraw consent at any time.
5. Cookies & similar technologies

We use cookies and similar technologies for essential site functions (checkout, security), analytics/attribution, and user preferences. Non‑essential cookies are used only with your consent. For details, categories, and retention, see our Cookie Policy. Your consent choice is recorded by our CMP and can be changed at any time via the cookie preferences link.

7. How we share personal data

We share personal data with:

• Payment processors, acquiring banks, and card networks to authorise and settle your payments;
• Cloud hosting, content delivery networks (CDNs), and IT service providers that support our Website;
• Analytics and tag‑management providers (only if you consent to non‑essential cookies);
• Customer support tools (email/ticketing) to manage requests;
• Fraud‑prevention and security partners to protect our users and Services;
• Public authorities where required by law or to protect our legal rights.

8. International data transfers

Some recipients may be located outside the UK. Where we transfer data internationally, we rely on an adequacy decision (where available) or put in place appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) plus the UK Addendum. Copies of relevant safeguards can be requested via our contact address.

9. Retention

We retain personal data only as long as necessary for the purposes set out above, including to comply with legal, accounting, or reporting requirements. Indicative retention periods are provided in Annex A and may be adjusted to reflect legal obligations and operational needs.

10. Security

• TLS encryption in transit;
• Access controls and least‑privilege permissions;
• Hashing/salting of passwords;
• Logging and monitoring;
• Vendor due diligence and data‑processing agreements with service providers.

11. Your rights

Subject to conditions and exemptions under UK GDPR, you have the right to access, rectify, erase, restrict, port, and object to certain processing. Where processing is based on consent, you can withdraw consent at any time. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

• To exercise rights, contact: info@profile-art.com. We respond within one month.
• ICO: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, https://ico.org.uk/

12. Automated decision‑making

We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. We may use automated fraud/risk screening to protect the platform; you may request human review where applicable.

13. Children’s data

Our Services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will take appropriate steps to delete such data.

14. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date.

15. Contact us

For privacy questions or requests, email info@profile-art.com.

Annex A — Data Categories, Purposes, Legal Bases & Retention

Category	Examples	Purpose	Legal basis	Typical retention
Identity & contact	Name, email, country, billing address	Account setup, order management, support	Contract (Art.6(1)(b))	Account lifetime + 24 months; orders: up to 6 years for tax/audit
Account data	Login, hashed password, order history, download logs	Access control; delivery of digital content; anti‑abuse	Contract; Legitimate interests	Account lifetime + 24 months
Order & payment meta	Order ID, timestamps, amount/currency, masked PAN, auth result	Process payment; fraud/chargeback handling	Contract; Legitimate interests; Legal obligations	6–7 years (accounting/tax)
Device & usage	IP, device/OS/browser, referrer, pages viewed	Security, service delivery, analytics (if consented)	Legitimate interests; Consent (analytics)	Up to 24 months (analytics); security logs up to 12 months
Support records	Emails, attachments, screenshots	Customer service; dispute resolution	Legitimate interests; Contract	24 months after closure
Cookie/consent	CMP consent string, preferences	Manage cookie choices; prove consent	Consent; Legal obligations (PECR)	Up to 24 months or per cookie TTL

Annex B — Cookies & Similar Technologies (summary)

Exact cookies depend on your choices and device. Typical examples include:

• Strictly necessary (session/checkout): site session identifiers; cart/checkout state; security tokens.
• Attribution/analytics (non‑essential; by consent): source/medium parameters (e.g., sbjs_*), tag‑manager controlled analytics cookies.
• Preference/consent: cookie storing your CMP choices.

See the Cookie Policy for the current inventory, purposes, and lifetimes.

© 2025 NEWBRIDGE CAPITAL BATH LTD — Avatar Craft. All rights reserved.