Effective Date: 19th April 2026
Last Updated: 19th April 2026
Crumple Receipts Ltd ("we," "our," "us") is committed to protecting the privacy of business dashboard users. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Crumple Business Dashboard ("the Dashboard"). By accessing or using the Dashboard, you agree to the practices described in this Privacy Policy. If you do not agree, please refrain from using the Dashboard.
This policy applies to business owners, administrators, editors, and viewers who access the Dashboard. For information about how we handle the personal data of Crumple app consumers, please refer to our consumer Privacy Policy.
1. Information We Collect
1.1 Account and Profile Data
When you create or are invited to a Dashboard account, we collect:
- Full name
- Email address
- Phone number (used for multi-factor authentication)
- Role and access level within your business team
1.2 Business and Store Data
When you create or manage a business through the Dashboard, we collect information that you provide, including:
- Trading name and registered business name
- Company registration number
- Tax registration numbers
- Business phone number and website URL
- Returns policy URL
- Registered address (building name/number, street, city, postcode, country)
- Business category
- Business logo and branding assets
- Store names, types, and addresses for each store you add
1.3 Technical and Usage Data
We automatically collect technical information when you use the Dashboard, including:
- IP address
- Browser type and version
- Device information and operating system
- Pages visited and features used within the Dashboard
- Login and logout timestamps
- Session duration and engagement metrics
1.4 Audit Log Data
The Dashboard records an audit log of certain actions taken by you and your team members, including:
- API key operations: generation, rotation, and revocation
- The user account that performed each action, the affected store, and the timestamp
Audit logs are retained to support security monitoring, incident investigation, and compliance obligations.
1.5 Team Invitation Data
When you invite a team member, we store the invitee's email address, the assigned role, the expiry date of the invitation, and a reference to the user who sent the invitation.
2. How We Use Your Information
We use the information collected for the following purposes:
- To provide the Dashboard service: Creating and managing your account, enabling team access, and facilitating the issuance of digital receipts to Crumple app consumers via your stores.
- To manage security and authentication: Verifying your identity, supporting multi-factor authentication, and detecting unauthorised access attempts.
- To send transactional communications: Sending email notifications relating to your account, such as team invitations, email address change confirmations, and multi-factor authentication change alerts.
- To improve the Dashboard: Using usage analytics to identify trends, diagnose issues, and enhance functionality.
- To comply with legal obligations: Fulfilling legal and regulatory requirements applicable to us as a UK business.
- To prevent abuse and fraud: Monitoring for suspicious activity and misuse of the Dashboard or Store API Keys.
3. Consumer Analytics Data Visible Through the Dashboard
As part of the Dashboard service, you can view analytics derived from receipts issued by your stores to Crumple app consumers. This analytics data is aggregated and summarised before being made available to you, and includes:
- Receipt counts and transaction value summaries
- Aggregated demographic breakdowns (age ranges and gender distributions) of consumers who have claimed receipts from your stores
- Postcode-based customer location heatmaps showing approximate geographic distribution of your customers
This data is derived from consumer personal data for which Crumple Receipts Ltd acts as an independent data controller. We apply aggregation and anonymisation techniques to minimise the exposure of individual consumer data. You must not use this analytics data to attempt to identify or re-identify individual consumers.
4. Data Sharing and Disclosure
4.1 Third-Party Service Providers
We use trusted third-party service providers to help us operate the Dashboard. These providers process your data on our behalf and are contractually obligated to do so securely and in compliance with applicable laws. These include:
- Google Firebase: Authentication, Firestore database, and Cloud Storage for business and user data.
- Google Analytics: Dashboard usage analytics and engagement tracking.
- Resend: Transactional email delivery (team invitations, security notifications).
4.2 Legal Compliance
We may disclose your information if required by law or in response to valid legal requests, such as subpoenas, court orders, or requests from regulatory authorities.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our business, your information may be transferred to the relevant third party. We will notify you of any such change via the Dashboard or by email.
5. Your Rights Under UK GDPR
As a data subject under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
5.1 Right of Access
You may request a copy of the personal information we hold about you and information about how we process it.
5.2 Right to Rectification
You may request that we correct any inaccurate or incomplete personal data we hold about you. You can update much of your account information directly through the Dashboard.
5.3 Right to Erasure
You may request deletion of your personal data, subject to applicable legal obligations. Note that certain data, such as audit logs and business records, may need to be retained for legal and compliance purposes even after you close your account.
5.4 Right to Restriction of Processing
You may request that we restrict the processing of your personal data in certain circumstances, such as while a dispute about accuracy is being resolved.
5.5 Right to Object
You may object to the processing of your personal data for purposes based on legitimate interests. We will stop processing unless we have compelling grounds to continue.
5.6 Right to Withdraw Consent
Where processing is based on your consent, you may withdraw that consent at any time. This will not affect the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please contact us using the details provided in Section 10.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk if you believe your data has been processed unlawfully.
6. Data Retention
We retain your personal data only for as long as necessary for the purposes outlined in this Privacy Policy or as required by law. Specific retention periods include:
- Account and profile data: Retained for the duration of your account and for a reasonable period after closure to handle any outstanding queries or legal obligations.
- Business and store data: Retained for as long as the business is active on the platform. Some business records may be retained after deletion for legal compliance.
- Audit logs: Retained for a minimum of 12 months for security and compliance purposes.
- Team invitation records: Retained for a short period following acceptance, expiry, or revocation.
When data is no longer needed, it is securely deleted or anonymised.
7. Data Security
We implement industry-standard security measures to protect your personal information, including:
- Encryption of data in transit using TLS
- Secure storage of data within Google Firebase infrastructure
- SHA-256 hashing of Store API Keys (full keys are never stored in plaintext)
- Role-based access controls limiting data access within your team
- Multi-factor authentication (MFA) support to protect your account
- Audit logging of sensitive operations
Despite these measures, no method of data transmission or storage is 100% secure. We cannot guarantee absolute security and encourage you to take appropriate steps to protect your own account credentials.
8. International Data Transfers
Your data may be processed and stored on servers located outside the United Kingdom, including within the European Economic Area and the United States, via our service providers (primarily Google Firebase). We ensure that all international data transfers comply with UK GDPR requirements, including relying on appropriate safeguards such as adequacy decisions or standard contractual clauses where applicable.
For more information about how Google handles data, please refer to:
- Google Firebase Terms
- Google Privacy Policy
9. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, services, or applicable laws. Where changes are significant, we will notify you through the Dashboard or via email. We encourage you to review this policy regularly. Your continued use of the Dashboard following notification of changes constitutes your acceptance of the updated policy.
10. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us through our website:
https://crumple.digital
You can also refer to our Business Terms and Conditions for further information about your obligations when using the Dashboard.
By using the Crumple Business Dashboard, you acknowledge that you have read, understood, and agree to this Privacy Policy.