Privacy Policy
Privacy Notice
This Notice is effective from 27 November 2025.
Cardstream Limited (the “Company”) is a private limited company registered in England and Wales, registered with the Information Commissioner’s Office (the ICO) under registration number Z1970884, and with registered office at Birches Corner, Heron Gate, Taunton, Somerset, TA1 2LP.
The Company acts as a data processor on behalf of our business clients, in the context of payment-processing and related services.
The Company is the operator of the website(s) at cardstream.com.
Website visitor data, however, is processed by us as data controller, because we determine the purpose and means of processing for website operation.
This policy concerns only the processing we carry out as data controller for our websites, that is, how the Company (“we”, “us”, “our”) collects and uses personal information when individuals visit our websites.
Because our websites are informational and not transactional, we only collect personal information that is necessary for website operation and responding to general enquiries. This Notice therefore does not cover any payment-processing activity or data processed on behalf of our clients.
Personal Data We Collect
When you visit our website, we automatically collect information, some of which is personal information, such as:
- IP address
- Cookie ID
- Browser type and version
- Device information
- Operating system
- Date/time of access
- Pages visited and navigation paths
- Referring website
- Error logs and diagnostic data
This information is collected to operate, secure, and improve the website. Please see our Cookie Notice for more information about cookies and similar technologies.
Data you voluntarily provide
If you contact us via:
- Contact forms
- Email links
- Support enquiries
- Partnership or business enquiry forms
we will process the information you provide, such as your:
- Name
- Email address
- Organisation
- Message content
We use this solely to respond to your enquiry.
How We Use Website Visitor Data
We use personal data collected through the website for:
- Operating and managing the website
- Ensuring network and information security
- Analysing website performance
- Responding to enquiries
- Complying with legal obligations
- Preventing misuse or attacks (e.g., DDoS mitigation, firewall logging)
We do not use website visitor data for profiling, automated decision-making or marketing without your consent.
Legal Bases for Processing
We process website visitor data on the following legal bases:
- Legitimate interests: For operating, maintaining, and securing the website.
- Consent: For optional cookies or analytics tools.
- Legal obligations: Where we must retain logs or provide data necessary for security or regulatory compliance.
How Long We Keep Data
We retain:
- Server logs: typically 30–180 days, unless needed for investigation
- Contact-form enquiries: up to 12 months
- Analytics data: as set by analytics providers, usually 12–26 months
Data may be retained longer if required for legal or security purposes.
Information Sharing
We may share website visitor data with:
- Hosting providers
- Security providers (e.g., CDN, WAF, DDoS protection)
- Analytics providers
- Professional advisers (if required for legal reasons)
International Transfers
If data is transferred outside the UK/EEA, we ensure appropriate safeguards such as UK and EU adequacy decisions, Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA).
Your Rights
Under UK GDPR/GDPR, individuals have rights over their personal data. However, because we collect only minimal technical data (such as IP addresses and security logs) and do not maintain information that directly identifies individuals, we may be unable to identify you in order to fulfil certain requests.
You may request:
- Access: To know whether minimal website data relating to you is processed. We may not be able to confirm this where we cannot link technical data (e.g., logs) to an identifiable individual.
- Deletion / Erasure: We may not be able to erase specific log entries because they are system-generated and not linked to an identifiable user.
- Restriction / Objection: Where processing is based on legitimate interests, you may object. However, essential security logging cannot be restricted.
- Withdraw consent: If you have consented to optional analytics cookies, you may withdraw this at any time.
Identification limitation. Because we do not collect names, email addresses, account details, or other identifiers through the website, we may be unable to verify your identity. If we cannot identify you, we cannot action certain rights.
Security Measures
We use appropriate technical and organisational measures, such as:
- Encryption (HTTPS/TLS)
- Firewalls and intrusion detection
- Access controls
- Malware prevention
- Network monitoring
- Secure hosting environments
Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date indicates the latest revision.
Contact Us
If you have a question or a complaint about this policy or the way your personal information is processed, please contact us at dpo@cardstream.com.
