Privacy Policy - Evolve Custom Airsoft

Below is a UK GDPR–compliant privacy policy tailored to customairsoft.co.uk.

1) Who we are

Controller: Evolve Custom Airsoft (the “Company”, “we”, “us”, “our”), a Yorkshire‑based airsoft tech service specialising in AEG custom builds, upgrades and maintenance, plus a parts & gear shop.
Trading name: Evolve Custom Airsoft
Legal entity: Evolve Custom Airsoft by Mattias Beaumont and Bo Beaumont
Registered address: 2 Bywater Court, WF10 2JH
Website: https://customairsoft.co.uk
Contact: [email protected]
Representative/DPO: We have not appointed a Data Protection Officer; please contact us using the details above for privacy matters.
Audience and scope: Our services are intended for UK customers (players, squads, and game sites). This policy applies to personal data we collect via our website, forms, email/phone, and in the course of servicing/repairing replicas.

What we know from your site

Brand and activity: “Evolve Custom Airsoft is the shop front for airsoft tech team and brothers, Tias & Bo… specialising in AEG customisations, upgrades and maintenance… offer next‑generation tech support, with a unique Evolve Service History NFC tag on every RIF worked on” and “Parts & Gear Shop.”
Enquiry form fields: First name (Required), Email (Required), Phone (optional).

2) How we collect personal data

Directly from you: when you make enquiries, book services or repairs, request quotes, purchase products, subscribe to a service plan (e.g., “£18/mo – Subscribe”), or contact us by form, email, or phone.
From your use of our site: limited technical and usage information via cookies and similar technologies (see Cookies section).
From third parties: payment and billing providers (to confirm payments), delivery/courier partners (to fulfil deliveries), defence/eligibility verification providers (where applicable for RIF transactions), and fraud‑prevention partners.

3) Personal data we collect

Identity and contact: first name, last name, email address, phone number, billing/shipping address.
Order and service information: order details, service/repair instructions, RIF platform details, work performed, parts used, recommendations, photos/videos you share for troubleshooting, and status updates.
Account/subscription data (if accounts are used): Account username, subscription plan, renewal/cancellation status.
card numbers; these are processed by our payment providers.
Delivery: recipient name, address, preferred delivery options, and courier tracking numbers.
Defence/eligibility verification (if applicable): UKARA number or equivalent “defence” evidence (and verification outcome) to comply with UK law for RIF transactions.
Technical/usage data: IP address, device/browser type, pages visited, and interaction data collected via cookies/consent—only for the purposes you allow.
Marketing preferences: opt‑in status for email updates, your unsubscribe/opt‑out selections.

4) Special note on the Evolve Service History NFC tag

Purpose: We maintain a service history for each RIF we work on, including work done and recommendations, which may be associated with a unique identifier (e.g., an NFC tag linked to your item).
Data minimisation: We aim to link the service record to a unique item identifier. Any personal data in the service record is limited to what is necessary to maintain the service lifecycle and support you.
Access and security: We do not place personal data on the NFC tag itself except a unique reference (where feasible). The underlying record in our systems is access‑controlled. Contact us if you wish to restrict, access, or delete records, subject to legal retention obligations.

5) Purposes and legal bases

Responding to enquiries and providing quotes
- Data: identity/contact, details of your request, photos/videos you provide
- Legal basis: contract (pre‑contractual steps); legitimate interests (to respond efficiently)
Booking services, repairs, upgrades, and parts procurement
- Data: identity/contact, order/service details, delivery, transaction data
- Legal basis: contract; legal obligation (accounts/records)
E‑commerce orders and fulfilment (parts & gear)
- Data: identity/contact, delivery details, transaction data
- Legal basis: contract; legal obligation (tax/accounting)
Subscription/plan management (e.g., “£18/mo – Subscribe”)
- Data: identity/contact, plan details, billing status
- Legal basis: contract; legal obligation
Defence/eligibility verification for RIF supplies (if applicable)
- Data: defence IDs (e.g., UKARA number), verification result
- Legal basis: legal obligation; legitimate interests (prevent unlawful sales)
Service history and post‑service support (incl. NFC tag linkage)
- Data: service records, item identifier, communications
- Legal basis: contract; legitimate interests (quality assurance, warranty support)
Marketing communications (optional)
- Data: email, name, preferences and interaction with messages
- Legal basis: consent (and soft opt‑in under PECR for existing customers, where applicable); you can opt out anytime
Site safety, security, and fraud prevention
- Data: technical/usage data, transaction metadata
- Legal basis: legitimate interests; legal obligation (where applicable)
Analytics and performance (optional, non‑essential cookies)
- Data: technical/usage data
- Legal basis: consent (via cookie banner)

6) Who we share data with (recipients)

Hosting and IT: 20i, WordPress.
Payments and subscriptions: Stripe. We do not store full card details; payments are processed by these providers.
Email/CRM/Support: Google Workspace.
Delivery/couriers: Royal Mail, FedEx, Pacelforce to deliver orders and returns.
Defence verification (if applicable): UKARA or equivalent provider to validate your “defence.”
Analytics/consent management: Google Analytics
Professional advisers and authorities: accountants, insurers, legal advisers; regulators/law enforcement where required by law.
Some providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards under the UK GDPR, such as Adequacy Regulations, the UK International Data Transfer Agreement/Addendum (SCCs), and supplementary measures where required. Details are available on request.

7) International transfers 8) Retention periods

Enquiry correspondence (no purchase): 24 months from last contact.
Customer/service records and invoices: 6 years from the end of the financial year (for tax and accounting).
Subscription records: 6 years]after cancellation (billing/audit).
Service history records linked to an item: for the lifetime of your relationship with us and then up to 6 years for warranty, disputes, and audit.
Defence verification logs (if applicable): Up to 12 months after verification unless retained longer for compliance or dispute handling.
Marketing lists: until you unsubscribe; suppression records retained to respect your opt‑out.
Cookie data: as per the durations set in the cookie banner/cookie policy.

9) Cookies and tracking

We use necessary cookies for core site functionality. With your consent, we may use analytics and performance cookies to understand site usage, and marketing cookies to measure the effectiveness of advertising.
You can manage consent via our cookie banner and change your preferences anytime. Browser settings can also limit or block cookies.
Cookie types and examples:
- Strictly necessary: site security, basket/checkout
- Analytics (consent): e.g., Google Analytics.
- Marketing (consent): e.g., Meta Pixel].

10) Your rights (UK GDPR)

You have the right to: access your data; rectification; erasure; restrict processing; data portability; object to processing; and withdraw consent at any time (where processing is based on consent).
You can object to direct marketing at any time (including profiling for marketing).
To exercise your rights, contact us using the details above. We may request proof of identity. We respond within one month, extendable by two months for complex requests.

11) Children

We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us so we can delete it.
Our services and products are intended for responsible use and lawful purchase in the UK. Where legal restrictions apply to certain transactions (e.g., RIF supply), we may need to verify eligibility.
We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit where supported, least‑privilege access, and staff awareness. While no system is completely secure, we actively work to protect your information.
If you have concerns, please contact us first so we can help. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO): https://ico.org.uk. Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
We may update this policy from time to time to reflect changes in law or our processing activities. We will post updates on this page and update the effective date above.

12) Security 13) Complaints 14) Changes to this policy 15) Contact us

Email: [email protected]
Postal: 2 Bywater Court, WF10 2JH
Phone: 07808019625
Website: https://customairsoft.co.uk

Lawful‑basis matrix (summary)

Enquiries and quotes: Contract (pre‑contract) + Legitimate interests
Orders, repairs, upgrades, fulfilment: Contract + Legal obligation
Subscriptions/billing: Contract + Legal obligation
Defence/eligibility verification (if applicable): Legal obligation + Legitimate interests
Service history/NFC tag records: Contract + Legitimate interests
Marketing emails (optional): Consent (and PECR soft opt‑in where applicable)
Analytics/marketing cookies: Consent
Security/fraud prevention: Legitimate interests + Legal obligation (where applicable)

Summary