Legal

Privacy Policy

This page explains what personal data MultiGoal Ltd collects, how we use it, who we share it with, and the rights you have under UK GDPR.

Last updated 18 June 2026

1. Who is the data controller

MultiGoal Ltd is the data controller for personal data collected through multigoal.uk. We are a company registered in England & Wales. You can contact our data protection lead at privacy@multigoal.uk.

2. What personal data we collect

We only collect what we need to run the business and fulfil your order. Specifically:

  • Identity and contact data: name, email, phone number, organisation, billing and shipping addresses.
  • Account data: a hashed password, sign-in history and the IP address used at sign-up.
  • Order data: the items you bought, the price you paid, the courier and tracking reference, and any notes attached to the order.
  • Communications: emails, support tickets and enquiry-form submissions.
  • Technical data: cookies set by our Site (see the Cookies page) and a basic browser fingerprint where needed for fraud prevention.

3. How we use it

We use your personal data to:

  • Fulfil your order, manage delivery and process returns (lawful basis: performance of a contract).
  • Operate your account and authenticate sign-ins (lawful basis: performance of a contract).
  • Reply to your enquiries and provide customer support (lawful basis: legitimate interests).
  • Send you transactional emails such as order confirmations (lawful basis: performance of a contract).
  • Comply with UK accounting and VAT laws (lawful basis: legal obligation).
  • Detect and prevent fraud (lawful basis: legitimate interests).

4. Marketing

We only send marketing email where you have opted in. You can withdraw consent at any time from the link in the email or from Account → Settings.

5. Who we share data with

We never sell your personal data. We share it with a small number of trusted processors who help us run the business:

  • Payment processors (card schemes, PayPal and Apple Pay): to take and refund payments.
  • Couriers (DPD, Parcelforce and pallet networks): to deliver your order.
  • Cloud infrastructure providers (Neon for the database, our application host): to keep the Site running.
  • Email provider: for transactional and consented marketing email.
  • Professional advisors (accountants and lawyers) where required by law.

Each processor has a data processing agreement with us and is contractually required to handle your data in line with UK GDPR.

6. International transfers

Some of our processors are based outside the UK. Where personal data is transferred internationally, we rely on UK adequacy regulations or the UK International Data Transfer Addendum to ensure your data is protected to UK GDPR standards.

7. How long we keep data

  • Order records: 7 years from the end of the financial year, as required by UK tax law.
  • Account records: until you ask us to delete them or your account has been inactive for 5 years.
  • Marketing consent: until you withdraw it.
  • Support emails: 3 years from the last contact.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data, subject to our legal retention obligations.
  • Restrict how we use your data, or object to its use where we rely on legitimate interests.
  • Receive your data in a portable format.
  • Withdraw consent at any time for activities where we relied on consent.

To exercise any of these rights, email privacy@multigoal.uk. We aim to respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ico.org.uk) if you believe we have not handled your data lawfully.

9. Security

We use industry-standard measures to protect your data, including encryption in transit (TLS), encryption at rest for sensitive fields, hashed passwords, role-based access control inside our admin, and audit logging of every administrative action.

10. Changes to this policy

We will update this page if we change how we handle personal data. The “Last updated” date at the top of this page reflects the current version.

Questions about this policy?

Email legal@multigoal.uk or write to MultiGoal Ltd. Registered in England & Wales.