1. Who We Are (Data Controller)
Company number: 16658144
1 Bishops Green, St. Swithins Close, Derby, England, DE22 3FX
United Kingdom
Email: [email protected]
Director: Pavel Bovsa
VINIKIS LTD is the data controller responsible for your personal data collected through the BookWalker platform. As a UK-registered company, we are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we process data of EU residents, we also comply with Regulation (EU) 2016/679 (GDPR).
We have not designated a Data Protection Officer (DPO), as our core activities do not involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data (UK GDPR Article 37). For all data protection enquiries, please contact: [email protected].
2. Scope of This Policy
This Privacy Policy applies to all personal data collected by VINIKIS LTD through:
- The BookWalker website and platform;
- Account registration and management;
- Subscription and payment processing;
- Email communications;
- Customer support interactions.
It does not apply to third-party websites linked from our Platform. We encourage you to review the privacy policies of any third-party services you use.
3. Personal Data We Collect
3.1 Data You Provide Directly
| Category | Data Points | When Collected |
|---|---|---|
| Account data | Full name, email address, password (hashed) | Registration |
| Payment data | Card type, last 4 digits, expiry month/year, billing name (full card numbers processed by payment processor only) | Subscription checkout |
| Communications | Email content, support ticket content | When you contact us |
3.2 Data Collected Automatically
| Category | Data Points | Purpose |
|---|---|---|
| Log data | IP address, browser type, operating system, referring URL, pages visited, timestamps | Security, analytics, debugging |
| Usage data | Books accessed, reading progress, session duration, feature interactions | Service improvement, personalisation |
| Device data | Device type, screen resolution, language preference | Platform optimisation |
| Cookie data | Session tokens, preference cookies, analytics identifiers | Authentication, analytics (see Cookie Policy) |
3.3 Data We Do Not Collect
We do not collect: full payment card numbers (handled exclusively by our payment processor); government-issued identity documents; biometric data; health or medical data; racial or ethnic origin data; political opinions; religious beliefs; or precise real-time location data.
4. How We Use Your Personal Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and authentication | Name, email, password hash | Contract performance |
| Providing the Service (platform access) | Account data, usage data | Contract performance |
| Processing subscription payments | Payment data, email | Contract performance |
| Managing recurring billing | Payment token, subscription record | Contract performance / Legal obligation |
| Customer support | Account data, communications | Contract performance / Legitimate interests |
| Sending transactional emails (receipts, billing alerts) | Email address | Contract performance |
| Sending service update notifications | Email address | Legitimate interests |
| Marketing emails (if opted in) | Email address | Consent |
| Fraud detection and prevention | IP address, payment data, usage patterns | Legitimate interests / Legal obligation |
| Legal compliance | All applicable data | Legal obligation |
| Platform analytics and improvement | Usage data, log data (aggregated/pseudonymised) | Legitimate interests |
We do not use your personal data for automated decision-making that produces legal or similarly significant effects. The one exception is automated fraud screening, which may result in temporary account suspension pending manual review by our staff.
5. Legal Bases for Processing (GDPR / UK GDPR)
Under Article 6 of the GDPR and UK GDPR, we rely on the following legal bases:
- Article 6(1)(b) - Contract performance: Processing necessary for the performance of our contract with you (providing the Service, managing your Subscription, processing payments).
- Article 6(1)(c) - Legal obligation: Processing required by law (e.g., financial record-keeping, responding to lawful requests from authorities).
- Article 6(1)(f) - Legitimate interests: Processing for our legitimate business interests (fraud prevention, security, service improvement, sending service-related communications), provided our interests are not overridden by your interests or fundamental rights and freedoms.
- Article 6(1)(a) - Consent: Processing based on your freely given, specific, informed consent (e.g., marketing emails, non-essential cookies). You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
6. Data Sharing & Disclosure
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
6.1 Service Providers (Data Processors)
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Payment processors (e.g. Stripe, Mollie) | Payment processing, subscription management, fraud prevention | Name, email, payment card data (tokenised) | USA / EU (SCCs in place) |
| Hosting provider | Server infrastructure, data storage | All platform data | EU / UK |
| Email delivery service | Transactional and notification emails | Name, email address | EU / UK / USA (SCCs) |
| Analytics provider | Aggregated usage analytics (consent required) | Pseudonymised usage data | EU / UK (where possible) |
| Affiliate tracking partner | Performance marketing attribution (tracking conversions from advertising campaigns) | Click identifier (clickid) only; no personal data such as name, email, or payment data is transmitted | EU / EEA |
| Meta (Facebook) Pixel | Advertising campaign measurement on the checkout page โ only loaded with your consent | Pseudonymised browser event data (PageView, Purchase) if consent given | USA (SCCs in place) |
All data processors are bound by Data Processing Agreements (DPAs) and are required to implement appropriate technical and organisational security measures.
6.2 Affiliate tracking
Where you arrive at BookWalker via an affiliate or advertising partner, we may transmit a click identifier (a pseudonymous tracking code assigned by the advertising network) to our affiliate tracking system to attribute your subscription to the correct marketing campaign. This transmission occurs server-side and does not include your name, email address, or any payment data. The legal basis for this processing is our legitimate interest in measuring advertising effectiveness (GDPR Art. 6(1)(f)).
6.3 Advertising measurement (Meta Pixel)
We use the Meta (Facebook) Pixel on our checkout page for advertising measurement purposes. The Pixel is only loaded if you have given your consent via our cookie consent banner. If you select "Necessary only", the Pixel is not loaded and no data is sent to Meta. The legal basis for this processing is consent (GDPR Art. 6(1)(a)).
6.4 Legal Disclosures
We may disclose personal data to competent authorities, courts, or regulators where required by applicable law, a court order, or to protect the rights, property, or safety of VINIKIS LTD, our users, or others.
6.5 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections. We will notify affected users as required by law.
7. International Data Transfers
As a UK company serving EU and US users, personal data may be transferred outside the UK and European Economic Area. Where such transfers occur, we ensure adequate safeguards are in place:
- EU-UK adequacy decision: The European Commission has adopted an adequacy decision for the UK (Decision 2021/1772), permitting data flows from the EEA to the UK.
- Standard Contractual Clauses (SCCs): For transfers to third countries (e.g. the USA), we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, for transfers from the UK, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as appropriate.
- Adequacy decisions: Where applicable, transfers are made to countries with an EU or UK adequacy decision.
8. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (active) | Duration of account + 30 days after deletion request | Service provision |
| Account data (inactive) | 3 years from last login, then deletion | Reactivation, legal claims |
| Payment records | 7 years from transaction date | UK tax law / HMRC requirements |
| Subscription records | 7 years from end of subscription | Legal / financial compliance |
| Support communications | 3 years from resolution | Legal claims, quality assurance |
| Server log files | 90 days | Security monitoring |
| Analytics data (aggregated) | 2 years | Service improvement |
| Marketing consent records | Duration of consent + 3 years | Compliance evidence |
Upon expiry of retention periods, data is securely deleted or irreversibly anonymised.
9. Your Rights Under GDPR & UK GDPR
You have the following rights in relation to your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data where there is no longer a lawful basis for processing.
- Right to restriction: Request that we restrict processing in certain circumstances.
- Right to data portability: Receive the data you provided to us in a structured, commonly used, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: Withdraw consent at any time where processing is consent-based.
- Right to complain: Lodge a complaint with the ICO (UK) or your national supervisory authority (EU).
To exercise any of these rights, contact us at [email protected]. We will respond without undue delay and within one month of receipt (extendable by a further two months for complex or numerous requests; we will tell you within the first month if an extension is needed). We may need to verify your identity before acting on a request.
UK supervisory authority: Information Commissioner's Office (ICO), ico.org.uk, 0303 123 1113
EU supervisory authorities: Your national Data Protection Authority (full list at edpb.europa.eu)
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you.
- Right to Delete: Request deletion of personal information we have collected, subject to exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioural advertising. No opt-out is required.
- Right to Limit Use of Sensitive Personal Information: We do not process sensitive personal information as defined by the CPRA beyond what is necessary for service provision.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
California residents may submit rights requests to [email protected]. We will respond within 45 days. You may designate an authorised agent to submit requests on your behalf.
Categories of personal information collected (CCPA categories):
- Identifiers (name, email, IP address)
- Commercial information (subscription records, purchase history)
- Internet or network activity (browsing history on our site, reading activity)
- Inferences drawn from above to create a profile about service preferences
11. Cookies
We use cookies and similar tracking technologies to operate the Platform. For full details of the cookies we use, their purposes, and how to manage your preferences, please see our separate Cookie Policy.
In summary: we use strictly necessary cookies (required for authentication and security), functional cookies (for preferences), and, with your consent, analytics cookies and the Meta (Facebook) Pixel for advertising measurement on our checkout page. If you consent to all cookies, the Meta Pixel loads and sends pseudonymised event data to Meta for campaign attribution. If you select "Necessary only", no advertising-related cookies or pixels are loaded.
12. Children's Privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact [email protected] immediately. We will delete such data without undue delay.
13. Security
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption of data in transit using TLS 1.2 or higher;
- Password storage using bcrypt with a high cost factor;
- Access controls limiting data access to authorised personnel only;
- Regular security reviews of our infrastructure;
- Payment data handled exclusively by PCI-DSS compliant processors.
No method of electronic transmission or storage is 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by law.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email and/or by displaying a prominent notice on the Platform at least 30 days before the changes take effect. The updated Policy will display a revised "Last updated" date at the top.
Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not accept the changes, you should discontinue use and may request deletion of your data.
15. Contact & Data Protection Enquiries
Email: [email protected]
Post: 1 Bishops Green, St. Swithins Close, Derby, England, DE22 3FX
Response time: within one month
For complaints to the UK supervisory authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: ico.org.uk.