Privacy policy
REDKEY USB LTD
PRIVACY AND DATA PROTECTION POLICY
Version: 9.0 (March 2026)
Effective Date: 11 March 2026
Previous Version: 8.0 (superseded in full)
Company Registration Number: 11257207 (England and Wales)
Registered Office: 128 City Road, London, EC1V 2NX, United Kingdom
Website: https://redkeyusb.com
Email: contact@redkeyusb.com
DATA CONTROLLER INFORMATION
For the purposes of applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:
Redkey USB Ltd
128 City Road
London EC1V 2NX
United Kingdom
Email: contact@redkeyusb.com
This Policy explains how we collect, use, disclose, and protect your personal data when you visit our website, purchase our products, use our software, or otherwise interact with us. It also covers our use of cookies and artificial intelligence technologies.
SECTION 1: SCOPE AND DEFINITIONS
1.1 Scope of This Policy
This Privacy and Data Protection Policy ("Policy") applies to:
(a) all personal data we collect, process, or hold;
(b) our use of cookies and similar tracking technologies;
(c) our use of artificial intelligence and automated processing; and
(d) all individuals whose personal data we process ("data subjects").
This Policy forms part of our Terms of Service. In case of conflict between this Policy and other documents regarding data protection, this Policy prevails.
1.2 Definitions
"Business Day" means any day other than Saturday, Sunday, or a public holiday in England and Wales.
"Cookie" means a small text file placed on your device when you visit our Website.
"Data Subject" means an identified or identifiable individual whose personal data we process.
"Personal Data" means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
"We", "us", "our" means Redkey USB Ltd.
"You", "your" means the data subject whose personal data we process.
SECTION 2: PERSONAL DATA WE COLLECT
2.1 Categories of Personal Data
We may collect and process the following categories of personal data:
Contact Data: Name, billing address, shipping address, email address, telephone number, and other contact information you provide.
Financial Data: Payment card details, bank account information, transaction history, billing records, and payment confirmation details. Full payment card details are processed by our payment processors and are not stored on our servers.
Account Data: Username, password (stored in encrypted form), account preferences, purchase history, and account activity logs.
Technical Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, device information, unique device identifiers, and other technology on the devices you use to access our Website.
Usage Data: Information about how you use our Website, products, and services including pages viewed, time spent on pages, page interaction information, navigation paths, search queries, and features used.
Communication Data: Records of correspondence with us including emails, support tickets, live chat transcripts, call recordings (where applicable), and feedback you provide.
Marketing and Preferences Data: Your preferences in receiving marketing communications, survey responses, participation in promotions, and communication preferences.
Software Activation Data: Device serial numbers, activation codes, hardware information, software version information, and geographic location data (derived from IP address) collected during software activation and update processes.
2.2 Data We Do Not Collect
We do not collect Special Category Data unless explicitly provided by you (for example, in a support request where you voluntarily disclose health information). Our software operates at a low level (sector/block) and does not read, interpret, or extract the content of your files or data in a usable form.
2.3 Anonymised and Aggregated Data
We may process anonymised or aggregated data that cannot reasonably be used to identify you. Such data is not personal data under applicable law and is not subject to this Policy.
SECTION 3: HOW WE COLLECT PERSONAL DATA
3.1 Direct Collection
We collect personal data directly from you when you:
(a) create an account on our Website;
(b) place an order or make a purchase;
(c) contact our customer support;
(d) subscribe to marketing communications;
(e) participate in surveys or promotions;
(f) use our software activation and update services;
(g) correspond with us by email, phone, or post; or
(h) provide feedback or reviews.
3.2 Automated Collection
We automatically collect certain data when you:
(a) visit our Website (via cookies, web beacons, and similar technologies);
(b) interact with our emails (we may use tracking pixels to measure open rates and click-throughs); or
(c) use our software (activation data, update checks, and usage analytics).
3.3 Third-Party Sources
We may receive personal data from:
(a) Shopify (our e-commerce platform provider);
(b) payment processors (for card verification and fraud prevention);
(c) delivery and logistics partners (for delivery confirmation and address verification); and
(d) fraud prevention and security services.
SECTION 4: LEGAL BASIS FOR PROCESSING
4.1 Lawful Bases for Processing
We process personal data only where we have a lawful basis under UK GDPR. The lawful bases we rely on are:
Contract Performance (Article 6(1)(b)): Processing necessary to perform our contract with you or to take steps at your request before entering into a contract. This includes processing for order fulfilment, payment processing, account management, and customer support.
Legal Obligation (Article 6(1)(c)): Processing necessary to comply with a legal obligation to which we are subject. This includes processing for tax records, regulatory compliance, and legal proceedings.
Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests or those of a third party, provided your interests and fundamental rights do not override those interests. Our legitimate interests include: operating and improving our business; developing new products and services; preventing fraud and ensuring security; understanding customer needs and preferences; and complying with legal obligations.
Consent (Article 6(1)(a)): Processing based on your specific consent. We rely on consent for: marketing communications; non-essential cookies; and certain types of data processing where required by law. You have the right to withdraw consent at any time.
Vital Interests (Article 6(1)(d)): Processing necessary to protect someone's vital interests. This is rarely applicable and typically only in emergency situations.
4.2 Legitimate Interests Assessment
Our legitimate interests in processing personal data include:
(a) selling and delivering products and services to customers;
(b) improving our products, services, and customer experience;
(c) preventing fraud, detecting security threats, and protecting our business and customers;
(d) understanding market trends and customer preferences;
(e) complying with legal and regulatory obligations; and
(f) defending our legal rights.
We have conducted a balancing test to ensure that our legitimate interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interests as set out in Section 11.
4.3 Special Category Data
We do not normally process Special Category Data. If we do process Special Category Data, we will rely on an appropriate lawful basis under Article 9 of UK GDPR such as explicit consent or processing being necessary for legal claims.
SECTION 5: HOW WE USE PERSONAL DATA
5.1 Primary Purposes of Processing
We use personal data for the following purposes:
Order Fulfilment: Processing orders, taking payment, arranging delivery, providing order confirmations, and dealing with returns and refunds.
Account Management: Creating and managing accounts, authenticating users, maintaining account security, and providing account-related services.
Customer Support: Responding to enquiries, troubleshooting issues, providing technical assistance, and improving our support services.
Software Licensing: Activating software, managing licences, delivering updates, verifying authenticity, and preventing unauthorised use.
Marketing and Communications: Sending promotional materials (with consent), service announcements, policy updates, and other communications.
Fraud Prevention: Detecting and preventing fraudulent transactions, unauthorised access, and security breaches.
Legal Compliance: Complying with applicable laws, responding to legal requests, enforcing our terms and policies, and defending legal claims.
Business Operations: Analytics, reporting, product development, improving user experience, and business planning.
5.2 Marketing Communications
We will only send you marketing communications if:
(a) you have given your explicit consent; or
(b) you have purchased similar products from us and have not opted out (soft opt-in under UK law).
Every marketing email we send includes an unsubscribe link. You can also opt out by contacting us at contact@redkeyusb.com or updating your account preferences.
5.3 Automated Decision-Making and Profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects concerning you, except for:
(a) fraud detection systems that may flag transactions for human review; and
(b) credit checking and payment verification.
Where such processing occurs, you have the right to:
(a) request human intervention;
(b) express your point of view; and
(c) contest the decision.
We do not engage in profiling that has legal or similarly significant effects.
SECTION 6: COOKIES AND TRACKING TECHNOLOGIES
6.1 What Are Cookies
Cookies are small text files placed on your device when you visit our Website. They help us recognise your device, remember your preferences, and provide essential functionality. Similar technologies include web beacons, pixels, and local storage.
6.2 Types of Cookies We Use
Essential Cookies: These cookies are strictly necessary for the Website to function and cannot be disabled. They enable core functionality such as account login, shopping cart, checkout process, and security features. These cookies do not require consent.
Analytics Cookies: These cookies help us understand how visitors interact with our Website by collecting and reporting information anonymously. They help us improve Website functionality and user experience. These cookies require your consent.
Marketing Cookies: These cookies are used to track visitors across websites to enable targeted advertising and measure campaign effectiveness. They may be set by us or by third-party advertising partners. These cookies require your consent.
Preference Cookies: These cookies remember your choices and settings such as language, region, and display preferences to enhance your experience. These cookies require your consent.
6.3 Information Collected by Cookies
Cookies may collect:
(a) IP address and general location;
(b) browser type, version, and settings;
(c) device type and operating system;
(d) pages visited and time spent;
(e) referring website and exit pages;
(f) clickstream data and interactions; and
(g) unique identifiers.
6.4 Cookie Duration
Session Cookies: These cookies are deleted when you close your browser.
Persistent Cookies: These cookies remain on your device for a specified period (up to 365 days) or until manually deleted.
6.5 Managing Cookies
You can manage cookies through:
Cookie Banner: Our Website displays a cookie banner when you first visit, allowing you to accept, reject, or customise cookie settings. You can change your preferences at any time by clicking the cookie settings link in the footer.
Browser Settings: You can configure your browser to block or delete cookies. Note that disabling essential cookies may prevent the Website from functioning.
Third-Party Tools: Various browser extensions and privacy tools can manage cookie preferences.
6.6 Withdrawing Cookie Consent
You can withdraw your consent to non-essential cookies at any time by:
(a) clicking the cookie settings link in the footer of our Website;
(b) adjusting your browser settings to block non-essential cookies; or
(c) contacting us at contact@redkeyusb.com.
Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.
6.7 Third-Party Cookies
Our Website uses cookies from trusted third parties including:
(a) Shopify (e-commerce platform);
(b) Google Analytics (usage analytics); and
(c) payment processors (secure payment processing).
These third parties may collect data about your online activities over time and across different websites. Please review their privacy policies for more information.
SECTION 7: ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING
7.1 Our Approach to AI
We use artificial intelligence technologies responsibly and transparently to improve our services, enhance security, and develop better products. All AI use is subject to human oversight and complies with applicable laws and ethical standards.
7.2 How We Use AI
Customer Support: AI assists in drafting responses to customer enquiries. All AI-generated responses are reviewed by human staff before sending. Personal data is anonymised where possible before processing by AI systems.
Fraud Prevention: AI helps identify unusual patterns and potential fraudulent activity. Flagged transactions are reviewed by human staff before any action is taken.
Content Creation: AI assists in drafting website content, user guides, FAQs, and support materials. All AI-generated content is reviewed and approved by our team for accuracy and clarity.
Product Development: AI tools assist with coding, design ideas, and innovation during internal development. Our shipped products do not contain AI components and operate independently.
7.3 AI Governance and Oversight
Human Review: All AI outputs that affect customers are reviewed by human staff before implementation.
Data Protection: We do not use AI to process Special Category Data. Where AI processes personal data, it is anonymised where possible.
Transparency: We clearly explain our AI use in this Policy.
Regular Review: We conduct periodic reviews to ensure AI use remains ethical, effective, and compliant with industry standards.
No Automated Decision-Making: We do not use AI to make decisions that produce legal or similarly significant effects without human intervention.
7.4 Your Rights Regarding AI Processing
You have the right to:
(a) be informed about AI processing of your personal data;
(b) request human intervention in AI-assisted decisions;
(c) object to certain types of AI processing (where applicable); and
(d) request information about the logic involved in AI processing.
SECTION 8: DATA SHARING AND DISCLOSURE
8.1 Categories of Recipients
We may share personal data with the following categories of recipients:
Service Providers: Companies that perform services on our behalf including payment processing, order fulfilment, shipping, IT services, data analytics, cloud storage, and customer support. These providers are contractually bound to process personal data only for specified purposes and in accordance with our instructions.
Shopify: Our e-commerce platform provider, which processes personal data to provide and improve platform services.
Business Partners: Marketing and advertising partners (with appropriate consent where required).
Professional Advisers: Legal, accounting, and insurance professionals who provide professional services to us.
Regulatory Authorities: Government bodies, law enforcement agencies, and courts where required by law or necessary to defend our legal rights.
Corporate Transactions: In connection with mergers, acquisitions, business transfers, or sales of assets, personal data may be transferred to the acquiring party.
8.2 International Transfers
Your personal data may be transferred outside the United Kingdom to countries that may not have the same level of data protection as the UK.
Shopify processes data in multiple jurisdictions including the United States and Canada.
Some service providers may be located outside the UK.
We ensure appropriate safeguards are in place for international transfers including:
(a) Standard Contractual Clauses approved by the UK Information Commissioner's Office;
(b) transfers to countries with adequacy decisions under UK GDPR; and
(c) appropriate technical and organisational measures.
8.3 Third-Party Websites
Our Website may contain links to third-party websites. We are not responsible for their privacy practices. Please review their policies before providing personal data.
SECTION 9: DATA SECURITY
9.1 Security Measures
We implement appropriate technical and organisational measures to protect personal data:
Encryption: SSL/TLS encryption for data in transit; AES-256 encryption for stored data.
Access Controls: Restricted access to personal data on a need-to-know basis; role-based access controls; multi-factor authentication for administrative access.
Firewalls and Security Systems: Protection against unauthorised access, malware, and cyber attacks.
Regular Security Assessments: Vulnerability scanning, penetration testing, and security audits.
Staff Training: Data protection training for employees with access to personal data.
Incident Response: Procedures for detecting, reporting, and responding to data breaches.
9.2 Security Limitations
No security measures are perfect or impenetrable. While we strive to protect your personal data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account.
9.3 Data Breach Response
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. We will also notify the Information Commissioner's Office within 72 hours where required by law.
Our breach notification will include:
(a) the nature of the breach;
(b) the categories and approximate number of data subjects affected;
(c) the likely consequences; and
(d) the measures taken or proposed to address the breach.
SECTION 10: DATA RETENTION
10.1 Retention Principles
We retain personal data only as long as necessary for the purposes for which it was collected, including:
(a) fulfilling the purposes outlined in this Policy;
(b) complying with legal obligations;
(c) resolving disputes; and
(d) enforcing our agreements.
10.2 Retention Periods
Account Data: Retained while your account is active, plus 6 years after closure (for legal and tax purposes).
Transaction Data: Retained for 6 years (UK tax law requirement).
Marketing Data: Retained until you withdraw consent or object to processing.
Support Data: Retained for 3 years after issue resolution.
Software Activation Data: Retained for the duration of the software support period (up to 10 years) for licence verification and fraud prevention.
10.3 Deletion and Anonymisation
When personal data is no longer required, we will:
(a) securely delete or destroy it; or
(b) anonymise it so it can no longer identify you.
10.4 Your Right to Erasure
You have the right to request deletion of your personal data in certain circumstances as set out in Section 11.3.
SECTION 11: YOUR DATA PROTECTION RIGHTS
11.1 Overview of Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right to Access (Article 15): Request copies of your personal data and information about how we process it.
Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
Right to Erasure ("Right to be Forgotten") (Article 17): Request deletion of your personal data in certain circumstances.
Right to Restrict Processing (Article 18): Request limitation of processing in certain circumstances.
Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent: Withdraw consent at any time (does not affect processing carried out before withdrawal).
Right to Complain: Lodge a complaint with the Information Commissioner's Office (ICO).
11.2 Exercising Your Rights
To exercise any of these rights, contact us at:
Email: contact@redkeyusb.com
Postal Address: Redkey USB Ltd, 128 City Road, London, EC1V 2NX, United Kingdom
We will respond within one month of receiving your request. Complex requests may take up to three months, in which case we will inform you of the extension within one month.
11.3 Right to Erasure - Circumstances
You have the right to request deletion of your personal data where:
(a) the data is no longer necessary for the purposes for which it was collected;
(b) you withdraw consent and there is no other legal basis for processing;
(c) you object to processing and there are no overriding legitimate grounds;
(d) the data has been unlawfully processed; or
(e) the data must be erased for compliance with a legal obligation.
The right to erasure is not absolute and does not apply where processing is necessary for:
(a) exercising the right of freedom of expression;
(b) compliance with a legal obligation;
(c) performance of a task carried out in the public interest;
(d) establishment, exercise, or defence of legal claims; or
(e) other exceptions under UK GDPR.
11.4 Verification
We may need to verify your identity before processing your request. This is to protect your personal data from unauthorised access. We may request:
(a) proof of identity (passport, driving licence);
(b) proof of address (utility bill, bank statement); and
(c) other information necessary to verify your identity.
11.5 Fees
We do not charge for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.
SECTION 12: CHILDREN'S PRIVACY
12.1 Age Restrictions
Our Website and services are not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.
12.2 Discovery of Children's Data
If we discover that we have collected personal data from a child under 16, we will delete that information as quickly as possible. If you believe a child has provided personal data, please contact us at contact@redkeyusb.com.
12.3 Parental Consent
If we learn that we have collected personal data from a child under 16 with verifiable parental consent, we will take steps to ensure that the parent's rights are respected including providing access to the child's data and allowing the parent to request deletion.
SECTION 13: MARKETING AND COMMUNICATIONS
13.1 Marketing Communications
We may send you marketing communications by email if:
(a) you have provided explicit consent; or
(b) you have purchased similar products from us and have not opted out (soft opt-in under UK law).
13.2 Opting Out
You can opt out of marketing communications at any time by:
(a) clicking the "unsubscribe" link in any marketing email;
(b) contacting us at contact@redkeyusb.com; or
(c) updating your account preferences.
13.3 Non-Marketing Communications
We may still send non-promotional communications related to:
(a) your account or orders;
(b) security updates;
(c) policy changes; and
(d) legal obligations.
These communications are necessary for the performance of our contract with you or for compliance with legal obligations.
SECTION 14: CHANGES TO THIS POLICY
14.1 Policy Updates
We may update this Policy from time to time to reflect:
(a) changes in applicable law;
(b) changes in our business practices;
(c) technological developments; and
(d) customer feedback.
14.2 Notice of Changes
Material changes will be notified by:
(a) posting the updated Policy on our Website with a revised effective date; and
(b) email notification to registered account holders for significant changes.
Minor changes may be made without prior notice but will be posted on our Website.
14.3 Continued Use
Your continued use of our Website and services after changes take effect constitutes acceptance of the updated Policy. If you do not agree to the updated Policy, you should stop using our services.
SECTION 15: COMPLAINTS AND SUPERVISORY AUTHORITY
15.1 Raising Concerns
If you have concerns about our data processing practices, please contact us first using the details in Section 16. We will respond promptly and work to resolve your concerns.
15.2 Information Commissioner's Office
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113
SECTION 16: CONTACT INFORMATION
For questions about this Policy, to exercise your rights, or to raise concerns:
Email: contact@redkeyusb.com
Website: https://redkeyusb.com/contact
Postal Address:
Redkey USB Ltd
128 City Road
London EC1V 2NX
United Kingdom
This Privacy and Data Protection Policy forms part of our Terms of Service.
Document Version: 9.0 (March 2026)
Last Updated: 11 March 2026
Next Review Date: March 2027
Copyright (c) Redkey USB Ltd. All rights reserved.