Privacy Notice

We are committed to preserving the privacy of all our visitors to www.cardfactory.co.uk (“the website”). We take the privacy and security of your personal information very seriously and we are committed to complying with our legal obligations under Data Protection legislation (the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)) and any subsequent updated legislation.

This notice explains how your personal data is created, used, stored and protected (“processed”) through your use of and access to the website. This notice may be amended from time to time, so please check back regularly to review any changes to how we use your data.

Note that this privacy notice also covers our web application, that is available on iOS and Android mobile devices (“the App”). If there are any differences between the Website and the App, we will make that clear. Otherwise, references to “the Website” will cover all platforms.

Who we are

The Website is operated by Sportswift Limited t/a cardfactory (a company registered in England and Wales with company number 03493972 whose registered office is at Century House, Wakefield 41 Industrial Estate, Wakefield, WF2 0XG (“cardfactory”). If you are a customer from the UK, cardfactory is the data controller of the data you provide and we are registered with the Information Commissioner’s Office, reference Z2121812

If you are accessing the site, or our products and services from the Republic of Ireland, the website also operates on behalf of Card Factory Ireland Limited, whose registered office is 6th Floor, 2 Grand Canal Square, Dublin 2 D02 A342 (“cardfactory Ireland”). Cardfactory Ireland is the Data Controller for your personal data.

For further information about your data in the UK or the EU please contact our Data Protection Officer at dpo@cardfactory.co.uk.

Your personal data

Your personal data will be processed by cardfactory when you register or otherwise access the site, and your use of the site is also subject to the Website’s general terms and conditions, which we also advise that you read.

We collect and use different personal data, depending upon what activities you perform on our Website.

How we use your data

This table provides a broad overview of how we may use your personal data in connection with the Website, and where it comes from:

Activity Type of data Purpose and Lawful basis Obtained from
Registering with the website Name, contact details, preferences, password information So that we can manage your registration, purchase history and to allow you to keep your details up to date and secure.

Legitimate Interest and/or performance of a contract (i.e. at your request in anticipation of a future purchase) 		You
Purchasing products from the website Name, contact details, payment information (not retained), purchase history, order information, images (if using our personalisation option), recipient information (if applicable) To fulfil orders placed by you via the website.

Performance of a contract (i.e. fulfilment of your purchase) 		You

Payment services provider
Communicating with us (for example emailing us) Name, contact details, correspondence history To answer questions you may have, manage customer service matters and communicate with you

Legitimate interest and/or performance of a contract 		You

Records held by us
Receiving Service Messages Name, contact details, technical usage data where applicable (for example browser, operating system, etc.). To provide you with service messages about changes to our website or your account, separate from marketing activity.

Legitimate interest 		You

Technical information created as you use the website
Improving our services to you (customer journey and products) Name, contact details/customer reference, purchase history, site browsing history, personal reminders you have set To provide you with relevant information about our products and services, including personalised recommendations.

To improve and develop our products and services, including through data aggregation and analysis.

Legitimate interest / consent 		You

Records created by us in the course of our relationship with you.

Data provided by third parties, where you have consented to this (for example via cookies or similar technologies).
Event Reminders Name, contact details, event type and date To remind you of specific events/dates that you have selected

Performance of a contract (i.e. at your request in anticipation of a purchase) 		You
Marketing Name, contact details, purchase history, preferences, browsing history, other customer account details, contact preferences. To provide you with marketing information about our products and services, including special events, discounts, basket reminders,

Consent/ legitimate interest 		You

Records created by us in the course of our relationship with you.

Data provided by third parties, where you have consented to this (for example via cookies or similar technologies).
Surveys and feedback Name, contact details Consent Social media or other sites, where you have contacted us/reviewed our services via that platform
Analysis, targeting and segmentation First name Legitimate Interest We will make use of information you have given us and your interactions with our Services, to help us predict your interests and tailor and personalise our communications in the future.
Use of our website Relevant technical information Legitimate Interest Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; And information about your visit to the website, including the full Uniform Resource Locators (URL), clickstream to, through and from our website (including date and time), pages you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page

When we use your personal data for the purposes of our legitimate interests (as set out above), we will always consider if it is fair and balanced to do so and whether it would be within your reasonable expectations that we would use your data in this way.

We will not process any special category data.

Marketing

If you have opted into marketing, we will send you messages which are relevant to any preferences you have expressed, or which are related to products and services you have bought or which we feel may be of interest, including products and services, special offers, discounts or reminders.

Depending on preferences you may have expressed, we may send you information via any of the following methods:

  1. email;
  2. telephone;
  3. SMS text messages and other electronic messages such as picture messaging;
  4. Post; and/or
  5. social media.

Marketing emails and SMS messages will always include an ‘unsubscribe’ or ‘manage my preferences’ link.

Event Reminders

Where you have set personal event reminders, these are separate from Marketing, although you will be offered the opportunity to receive Marketing messages as part of this process.

If you opt out of marketing messages, you will continue to receive your personal event reminders, and service messages relating to this service, until you remove these from your account.

Who your data is shared with

Your data may be shared within the cardfactory group of companies, some of whom may be separate data controllers. Please also refer to your chosen platform’s privacy notice for more information.

We may also share your data where we are under a legal obligation to do so, or believe that there is a specific public interest in doing so (for example to report criminal activity or fraud).

We may also share your personal data with statutory and regulatory bodies (for example Companies House, Health and Safety Executive, Information Commissioner’s Office) where there is a legal requirement to do so. This might include, for example, for the purposes of registration and maintenance of statutory information.

We will share with new owners if we sell the business:
1.If the business is likely to be changing ownership, we may also share some information with potential new owners. You will be advised of this at the time;

2.Where appropriate we may also transfer your personal data to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, or to other interested third parties (and their agents and advisors) in the case of any reorganisation or other potential transfer of any part of our business, provided that we inform the buyer (or relevant third party) it must use your personal information only for the purposes disclosed in this notice.

If we wish to use your personal data differently to that you have already agreed to and that we are reliant upon your consent to do so, we will ask you in advance.

Your rights in respect of your personal data

Under data protection law, you have a variety of rights. These include:

  1. Your right of access - You have the right to ask us for a copy of your personal data.
  2. Your right to rectification - You have the right to ask us to correct personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  3. Your right to erasure - You have the right to ask us to erase your personal information in certain limited circumstances.
  4. Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  5. Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
  6. Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are ordinarily not required to pay any charge for exercising your rights. If you make a request, we will endeavour to respond to you within one month, although this may be extended in more complex cases.

If you would like to carry out your right to erasure, please contact the Data Team at datateam@cardfactory.co.uk.

For any of the other rights, or if you have any other questions about the data we hold about you, please contact our Data Protection Officer at dpo@cardfactory.co.uk.

Any request relating to customer services, products or services or delivery information should be referred to cfonline@cardfactory.co.uk.

Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our website. For further information about the cookies that we use and what to do if you don’t want to receive cookies, please see our cookie policy.

Security of your personal data

We employ security measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage, and we take all reasonable steps to keep your personal information confidential and secure while in our care. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to secure your data.

Data retention

We will retain your personal data for as long as it is needed to fulfil the purposes we collected it for, which will be further determined by relevant legal, regulatory, tax, accounting or reporting requirements. We may also retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Third parties

In order to provide you with the services, cardfactory does employ third parties. These third parties are grouped into broadly the following types:

  1. Infrastructure, which includes all aspects of the website, eg the building of, maintenance, hosting;
  2. Service fulfilment, which includes the selection, design and delivery of the goods you buy from our website;
  3. Communications and marketing, which includes goods emailing update and notification services, assistance with our email and marketing campaigns.

Regardless of type, all our suppliers are required to conform to the same data protection standards that you expect from us. We ensure that appropriate due diligence activities are carried out prior to engaging with prospective suppliers, we only use contracts that can be legally upheld by English courts and audits are carried out with them as we need to.

Additionally our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Data transfers

cardfactory is a UK company. However, we are part of a group of companies that also operate in other countries, and some of our service providers are located outside of the UK. Where we transfer personal data we ensure such transfers are done using either a transfer to a country with an adequacy ruling, or if a third country, using the relevant transfer mechanism such as the European Commission Standard Contractual Clauses or the UK International Data Transfer Agreement, or the UK Addendum to the Standard Contractual Clauses or the EU-US Data Privacy Framework; UK Extension to the EU-U.S. Data Privacy Framework and the relevant transfer impact/risk assessments.

Children

Our Website and App are not intended for children. While you may include children’s personal data on the personalised products you purchase, we do not knowingly collect data relating to children, nor is it needed to enable our Website or App to function.

Complaints

If you are unhappy about the way in which we store or process your personal data, we would prefer it if we could understand your concerns and have an opportunity to address these. Please contact our Data Protection Officer at dpo@cardfactory.co.uk regarding this.

You can also complain to the Information Commissioners’ Office (ICO) if you are unhappy with how we have used your data at www.ico.org.uk.

Changes to this Notice

We keep our privacy notice under regular review. We may amend and update this notice from time to time. Any changes in the future will be posted to the Website and where appropriate, through email.

All comments, queries and requests relating to our use of your information are welcomed and should be addressed to dpo@cardfactory.co.uk.

This policy was last updated in May 2025.