GDPR Compliant
Your Family's Privacy Comes First
We understand you're trusting us with sensitive family information. Here's exactly how we protect it.
Our Commitment
Our Privacy Promise
We never sell your data. Your trust is more valuable than any sale.
Your information, your family's information, and the data from your home monitoring system belong to you. We never sell it or rent it, and your home monitoring data is never shared with marketers or data brokers. The only data we share for advertising is limited website usage data, sent to Meta so our adverts reach the families who would genuinely benefit from a system like this.
“We built Croft because we understand the trust you're placing in us. Your parents' independence and dignity matter more than any sale.”
We only use your information to:
Transparency
What Data Do We Collect?
Account Information
When you sign up, we collect:
- Your name and contact information
- Your parent's name and address
- Emergency contact details
- Payment information (processed securely by a fully regulated, PCI-compliant payment processor)
Home Monitoring Data
Our sensors collect:
- Motion detection (not video)
- Temperature readings
- Door/window events
- Light levels
- Device status
We Do NOT Collect
Privacy protected:
- Video or audio recordings
- GPS location tracking
- Biometric data
- Medical information
Security
How Do We Protect Your Data?
Bank-Level Encryption
All data is encrypted using the same technology banks use to protect financial transactions. This means even if someone intercepted the data, they couldn't read it.
Secure UK & European Data Centers
We host all data with Cloudflare, a trusted provider used by major UK banks and healthcare providers. Their data centres have physical security, backup systems, and round-the-clock monitoring.
Limited Access
Only essential Croft staff can access your data, and only when necessary to provide support or resolve issues. All access is logged and audited.
Secure Login
Accessing the family dashboard from outside the home requires a strong password, to keep your account protected and private.
Access Control
Who Has Access to the Data?
You control who sees what.
- Your Parents: Can see their own home status and adjust settings. They control what family members can see and can disable monitoring at any time.
- Authorised Family Members: You choose who gets access to alerts and the family dashboard. Each person must be explicitly invited and can be removed at any time.
- Croft Support Team: Can access data only when troubleshooting issues or providing support, with your permission. All access is logged.
- Third Parties: We never sell your data, and your home monitoring data is never shared with anyone. We share limited website usage data with Meta purely so our adverts are shown to people who are likely to be interested in a system like this. Names, addresses and anything from inside the home are never included.
Your Rights
Your Rights (UK GDPR Compliance)
Under UK data protection law, you have the right to:
Access Your Data
Request a copy of all data we hold about you. We'll provide it within 30 days, free of charge.
Correct Your Data
Update incorrect or incomplete information at any time through your dashboard or by contacting us.
Delete Your Data
Request deletion of your account and all associated data. We'll permanently delete it within 30 days of your request.
Export Your Data
Download all your data in a standard format to take to another service provider.
Withdraw Consent
Object to how we use your data or withdraw consent at any time without affecting service quality.
Lodge a Complaint
If you're unhappy with how we handle your data, you can complain to the UK Information Commissioner's Office (ICO).
To exercise any of these rights, contact our Data Protection Officer:
Or email directly: privacy@croftsmarthomes.co.uk
We will respond within 30 days of receiving your request.
For Compliance Officers
Technical Details & Compliance
Technical Details
For security professionals and compliance officers
• Data in transit: TLS 1.3 (Transport Layer Security)
• Data at rest: AES-256 encryption
• End-to-end encryption for sensitive personal data
• Regular security audits and penetration testing
• Primary hosting: Cloudflare (UK & EU data centers)
• Certifications: ISO 27001, SOC 2 Type II
• GDPR-compliant data processing agreements in place
• Automatic daily backups with 30-day retention
• DDoS protection and WAF (Web Application Firewall)
• Legal basis: Contract performance and legitimate interest
• Data minimisation: Only collect necessary information
• Purpose limitation: Data used only for stated purposes
• Accuracy: Regular data quality checks
• Storage limitation: Automatic deletion after retention period
• Payment processing: Stripe (PCI DSS Level 1)
• Email service: Resend (GDPR-compliant)
• Newsletter subscriptions: Mailjet (GDPR-compliant, EU-based)
• Analytics: Google Analytics 4 and Microsoft Clarity (privacy-focused)
• Advertising: Meta Pixel and Conversions API via Cloudflare Zaraz (website events only, never home monitoring data)
• All processors have signed GDPR Data Processing Agreements
• Right to access (Article 15 GDPR)
• Right to rectification (Article 16 GDPR)
• Right to erasure / "Right to be forgotten" (Article 17 GDPR)
• Right to restriction of processing (Article 18 GDPR)
• Right to data portability (Article 20 GDPR)
• Right to object (Article 21 GDPR)
• Rights related to automated decision making (Article 22 GDPR)
• Notification to ICO within 72 hours of discovery
• Affected individuals notified without undue delay
• Documented breach response procedures
• 24/7 security monitoring and incident response
Data Management
How Long Do We Keep Your Data?
We only keep your data as long as necessary to provide the service and meet legal requirements.
- Active Account Data: Kept for the duration of your subscription plus 12 months for billing and support purposes.
- After Account Deletion: We permanently delete all personal data within 30 days of your deletion request. We can't recover it after that.
- Monitoring Data: Home sensor data is kept for 90 days, then automatically deleted. You can delete it sooner at any time.
- Legal Requirements: Some financial records may be retained for up to 7 years to comply with UK tax and accounting laws.
Questions About Privacy?
We know privacy is complicated. If you have any questions, we're here to help.
Contact Us
Last updated: November 6, 2025