Coffee.CRM

Privacy Policy

Last updated: 21 May 2026

1. Who we are

Coffee company is the data controller for the personal information described in this policy.

2. What personal data we collect

We collect and process the following categories of personal data:

  • Customer contact details — company name, contact name, email address, telephone number, site address and postcode.
  • Service and repair records — machine details, fault descriptions, work carried out, parts used, visit dates and engineer notes.
  • Financial records — quotes, invoices and pricing information linked to service visits.
  • Communications — email messages sent through the platform regarding repair requests.
  • Engineer data — name, contact details, home postcode (for routing), timesheet records, skills and training history.
  • Site photographs — photos taken during engineer visits, where relevant to the repair.
  • Usage data — log-in records and activity within the portal necessary for security and audit purposes.

What we do not collect or do

  • We do not collect special category data (health, ethnicity, religion, biometric data, etc.).
  • We do not collect data for marketing, advertising, or profiling purposes.
  • We do not sell, rent, or otherwise transfer personal data to third parties for commercial gain.
  • We do not use personal data to train artificial intelligence or machine-learning models.
  • We do not use third-party analytics or advertising trackers on this platform.
  • We collect only the data that is strictly necessary to provide the service described in section 3 below (data minimisation principle, UK GDPR Art. 5(1)(c)).

3. Why we process your data and our lawful basis

Purpose Lawful basis (UK GDPR Art. 6)
Managing and fulfilling repair and service requests Performance of a contract (Art. 6(1)(b))
Sending job confirmations, visit schedules and completion notifications Performance of a contract (Art. 6(1)(b))
Issuing quotes and invoices Legal obligation / contract (Art. 6(1)(b) & (c))
Maintaining service history and compliance records Legitimate interests (Art. 6(1)(f))
Engineer scheduling, routing and timesheet management Performance of a contract / legitimate interests (Art. 6(1)(b) & (f))
Retaining financial records for tax and legal purposes Legal obligation (Art. 6(1)(c))

4. Who we share your data with

We share personal data only where strictly necessary to deliver the service. The following recipients may process personal data on our behalf:

  • Assigned engineers — receive the customer address, contact details and machine information needed to carry out the repair. Access is limited to the specific job assigned to them.
  • Coffee Engineer CRM (platform provider) — the software platform used to operate this service is provided and maintained by a third-party software provider. They act as a data processor under a Data Processing Agreement and process data only on our documented instructions. They do not access customer data for their own purposes.
  • Akamai Technologies / Linode — our hosting infrastructure is provided by Linode (an Akamai company). All data is stored on servers located in the United Kingdom or European Economic Area. Linode acts as a sub-processor under a data processing agreement compliant with UK GDPR.
  • HERE Technologies — engineer home postcodes may be submitted to HERE's routing API for journey planning. HERE acts as a data processor under a data processing agreement. See HERE's privacy policy. No customer personal data is submitted to HERE.
  • Email provider (SMTP) — outbound notifications (job confirmations, engineer dispatch) are sent via our configured email service. Only the minimum data required to deliver the email is transmitted.

We do not sell, rent, or otherwise transfer personal data to any third party for their own commercial purposes. All recipients are bound by contractual obligations to process data only as instructed and to apply appropriate security measures.

5. International data transfers

We take steps to ensure that personal data is processed within the United Kingdom or the European Economic Area wherever possible. Where any transfer outside the UK/EEA is required (for example, by a sub-processor with global infrastructure), we ensure adequate safeguards are in place, such as:

  • UK International Data Transfer Agreements (IDTAs); or
  • Standard Contractual Clauses (SCCs) approved under UK GDPR; or
  • An adequacy decision made by the UK Secretary of State.

You may request details of the safeguards in place for any specific transfer by contacting us at the address in section 9.

7. How long we keep your data

  • Service and repair records — retained for 6 years from the date of the last job, as required for VAT and tax purposes.
  • Financial records (invoices, quotes) — retained for 6 years in line with HMRC requirements.
  • Engineer timesheet records — retained for 3 years.
  • Inactive customer accounts — reviewed after 6 years. Personal identifying information will be anonymised unless there is a legal reason to retain it.

8. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of all personal data we hold about you (Subject Access Request).
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your personal data where there is no legal reason to retain it.
  • Restriction — ask us to limit how we use your data while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, contact us at the email address on your service correspondence. We will respond within one calendar month.

9. Cookies

This site uses only strictly necessary cookies:

  • sessionid — keeps you logged in during your visit. Expires when you close your browser or log out.
  • csrftoken — prevents cross-site request forgery attacks. Required for any form submission.

No analytics, advertising or tracking cookies are used. No cookie consent banner is required under PECR for strictly necessary cookies.

10. Security

We use HTTPS encryption for all data in transit. Sensitive credentials (such as third-party API keys) are encrypted at rest using AES-128 symmetric encryption. Access to personal data is restricted by role — engineers see only their own assigned jobs; customers see only their own records.

In the event of a personal data breach, we will notify the relevant data controller without undue delay and, where required, within 72 hours of becoming aware of the breach, in accordance with UK GDPR Art. 33. Where the breach is likely to result in a high risk to individuals' rights and freedoms, affected data subjects will also be notified without undue delay.

11. Automated decision-making and profiling

We do not carry out any automated decision-making or profiling that produces legal or similarly significant effects on individuals. All decisions regarding service delivery, scheduling, and billing are made by human staff using the data in the system as a tool, not as an automated decision engine.

12. Data Protection Officer

For any data protection queries, please contact us at the email address on your service correspondence.

13. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
ico.org.uk/make-a-complaint  |  0303 123 1113

14. Changes to this policy

We may update this policy from time to time. The date at the top of the page reflects when it was last revised. Continued use of the portal following any update constitutes acceptance of the revised policy.

Coffee company