Privacy & Data Protection

Last updated: 2026-05-08

1. Who we are

Platform operator: Oktcom LTD

Contact: contact@combivend.co.uk

Business address: 67 crescent drive north, Brighton, United Kingdom, BN2 6SL

Company number: 14560946

Oktcom LTD operates the Combivend platform. For platform accounts, checkout records, stock-code delivery, security, and support administration, Oktcom LTD acts as the data controller. Each seller/client is responsible for their own products, fulfilment, refunds, and customer support, and may also act as an independent controller for the customer information they receive through their storefront.

2. Personal data we process

• Customer checkout information, including email address, product choices, quantities, order references, Stripe payment status, and assigned or reserved stock-code records.
• Client and admin account information, including name, email address, invited role, client/storefront association, Google sign-in identity, session records, and account status.
• Seller/storefront information, including seller contact email, storefront names, vendor codes, product details, prices, stock records, Stripe connected-account status, and platform-fee settings.
• Technical, security, and audit information, including IP address, browser user agent, CSRF/session data, login attempts, checkout rate-limit records, webhook references, system events, and error logs.
• Support information you send to us, such as emails, issue reports, refund/payment queries, and any information needed to investigate a problem.

We do not intentionally collect special category data, criminal offence data, or information from children. Please do not send us unnecessary sensitive information.

3. Where data comes from

• Customers provide checkout details through Stripe Checkout and may contact us or the seller for support.
• Clients and admins provide account, storefront, product, stock, and support details through Combivend.
• Stripe provides payment, checkout, webhook, and connected-account status information.
• Google provides sign-in identity information when invited admins or clients use Google login.
• Our hosting, email, and security systems create technical logs needed to operate and protect the service.

4. Why we use data and our lawful bases

• To process checkout, reserve stock, send access codes, and provide transactional order messages: contract, legitimate interests, and where applicable steps needed to provide the service requested by the customer or seller.
• To provide client/admin portals, Google sign-in, account permissions, and storefront management: contract and legitimate interests.
• To operate Stripe Connect, payment status reconciliation, platform fees, refunds/support, and accounting records: contract, legitimate interests, and legal obligation.
• To secure the platform, prevent fraud or abuse, rate-limit checkout/login activity, investigate incidents, and maintain audit logs: legitimate interests and legal obligation where applicable.
• To respond to support, legal, tax, regulatory, or dispute requests: legitimate interests and legal obligation.

Where we rely on legitimate interests, those interests include running a secure payment and stock-code platform, preventing misuse, resolving disputes, supporting sellers and customers, and keeping accurate operational records. We consider whether those interests are balanced against the rights and freedoms of the people whose data is used.

5. Who data is shared with

• Stripe, for payment processing, Stripe Checkout, connected-account onboarding, fraud checks, payment status updates, refunds, and payment records.
• Google, where an invited admin or client chooses Google sign-in.
• Postmark or another configured email provider, for transactional email delivery such as order codes, seller notices, and support messages.
• The seller/client responsible for the storefront, so they can handle product support, fulfilment, refunds, legal duties, and customer queries.
• Hosting, database, backup, monitoring, logging, security, and professional service providers where needed to operate, maintain, and protect the platform.
• Authorities, regulators, payment partners, courts, insurers, accountants, or legal advisers where required by law, regulation, dispute handling, fraud prevention, or to defend legal rights.

6. Payment details

Stripe handles payment card details. Combivend stores payment references, checkout references, connected-account references, amounts, currency, order status, and stock-code fulfilment records, but does not store full card numbers or card security codes. Stripe may run its own fraud, compliance, and payment checks under its own terms and privacy notices.

7. International transfers

Some providers may process data outside the UK or European Economic Area. Where this happens, we rely on appropriate safeguards such as provider data-processing terms, adequacy arrangements, standard contractual clauses, or equivalent safeguards required by data protection law.

8. How long data is kept

We keep personal data only for as long as needed for the purposes described in this notice, then delete, anonymise, or restrict it where appropriate. Our normal retention targets are:

• Order, payment, fulfilment, tax, accounting, and dispute records: normally up to 7 years after the relevant transaction or longer if required for a legal claim, tax, regulatory, or fraud-prevention reason.
• Client/admin account records: while the account or client relationship is active, then normally up to 24 months unless needed for legal, accounting, audit, or dispute reasons.
• Security, login, checkout rate-limit, webhook, and audit logs: normally up to 24 months unless needed to investigate abuse, fraud, payment issues, or legal claims.
• Email delivery records and support correspondence: normally kept for as long as needed to confirm delivery, resolve support issues, and maintain order or seller records.

9. Cookie Notice

Combivend uses only essential cookies and similar technologies needed to provide and protect the service.

• Session cookies keep invited admin and client users signed in securely and expire after the configured session period.
• CSRF security cookies help protect forms from unauthorised submissions and are needed for account and portal security.
• Server-side checkout abuse-prevention records help limit repeated checkout attempts that could reserve stock unfairly.
• Stripe may use cookies or similar technologies when customers continue to Stripe Checkout.
• Google may use cookies or similar technologies when admin or client users choose Google sign-in.

We do not currently set advertising, marketing, or non-essential analytics cookies. If we add non-essential cookies or similar tracking technologies later, we will explain them and ask for consent before they are used.

10. Marketing

Combivend transactional emails, such as access-code emails, seller sale notices, login/security messages, and support replies, are sent to provide the service. We do not currently send marketing emails through the platform. If we introduce marketing emails, we will only do so where permitted by law and will provide any required opt-out or consent controls.

11. Security

We use technical and organisational measures intended to protect personal data, including role-based access, secure session cookies in production, CSRF protection, rate limiting, audit logs, Stripe webhook signature checks, and restricted admin/client access. No online service can be guaranteed completely secure, so please contact us promptly if you believe your account, order, or data may be at risk.

12. Your rights

Depending on your location and the circumstances, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data. You may also have the right to complain to a data protection regulator. To exercise rights, contact us using the details above. We may need to verify your identity and may need to keep some records where required for tax, accounting, legal, security, fraud-prevention, or dispute reasons.

If you are in the UK, you can complain to the ICO at ico.org.uk/make-a-complaint. If you are in the EEA, you may also contact your local data protection authority.

13. Updates

We will update this notice when the platform, providers, lawful bases, retention approach, or data use changes. If a change is material, we will take reasonable steps to bring it to the attention of affected users before or when the change takes effect.