Privacy Policy
Version 1.0 — Effective date 17 July 2026
Simple Packaging is a trading name of OXBEAK LTD, a company registered in England and Wales under company number 15926865, with registered office at Unit 7–8 Silverlink Business Park, Wallsend, United Kingdom NE28 9NX. In this Privacy Policy, “Simple Packaging”, “we”, “us” and “our” refer to OXBEAK LTD.
This Privacy Policy explains how we process personal data when business customers use the Simple Packaging platform. The platform is provided on a business-to-business basis. It does not provide legal advice and does not guarantee legal or regulatory compliance.
1. Data controller
OXBEAK LTD is the data controller for personal data processed through the Simple Packaging platform, other than personal data that a customer organisation enters into its own workspace, for which the customer organisation is the controller and OXBEAK LTD acts as processor.
2. Information we process
Depending on how the platform is used, we may process:
- account and user information (name, email, authentication metadata);
- organisation information (organisation name, roles and permissions);
- Product, SKU and packaging-component records entered by the customer;
- packaging materials, weights and configuration data;
- Market and jurisdiction selections;
- Document and evidence metadata (file names, timestamps, uploader);
- supplier contact information and evidence-request records entered by the customer;
- Assessment, Action Plan and Report records;
- subscription state and billing metadata received from Stripe;
- technical, security and audit logs, including IP address, user-agent and event timestamps;
- support correspondence sent to us by email;
- essential cookies and equivalent identifiers used to operate the service.
Simple Packaging does not store raw payment card numbers, CVCs or bank-account details. Payments are handled through Stripe-hosted billing surfaces. Simple Packaging does not automatically interpret or legally verify the contents of files uploaded to the platform.
3. Purposes and lawful bases
We process personal data under UK GDPR on the following lawful bases:
- Contract — to provide the platform to the customer organisation, including account management, workspace access, packaging-readiness information, Reports and support.
- Legitimate interests — to operate, secure and improve the service, prevent fraud and abuse, maintain audit logs, and communicate with business users about their use of the service.
- Legal obligation — to comply with applicable tax, accounting, security and law-enforcement obligations.
- Consent — where required, for example for any non-essential cookies or marketing communications (only used if specifically enabled).
4. Service providers and processors
We use a limited number of trusted service providers to operate, secure and support the Simple Packaging platform. Where these providers process personal data on our behalf, they are required to do so under appropriate contractual and data-protection terms.
The categories of providers we use may include:
- payment processing and subscription-management providers;
- managed database, authentication and secure file-storage providers;
- cloud hosting, network-security and content-delivery providers;
- application infrastructure and technical-development providers; and
- transactional email-delivery providers used for account and service messages.
Stripe processes payments and subscription-management information through its hosted billing services. Simple Packaging does not store raw payment-card numbers, security codes or bank-account credentials.
We do not currently use third-party advertising trackers or marketing analytics on the customer-facing platform. If this changes, this Privacy Policy and any required cookie controls will be updated before that processing begins.
Further information about the categories of service providers used by Simple Packaging can be requested by contacting compliance@packaging-simple.com.
5. Cookies and similar technologies
The platform currently uses only essential cookies and equivalent browser storage required for authentication, session security, CSRF protection and core service operation. We do not currently deploy advertising, cross-site tracking or third-party analytics cookies on the customer-facing platform.
6. Payments and billing
Subscription payments are processed by Stripe on Stripe-hosted surfaces. Stripe acts as an independent controller for its own fraud-prevention and regulatory purposes. We receive from Stripe the subscription and billing metadata required to operate the customer’s subscription; we do not receive or store raw payment instrument details.
7. Uploaded content and evidence
Customer organisations are responsible for the accuracy and lawfulness of the Product, packaging, supplier, evidence and other information they enter into their workspace. We use structured data and recorded metadata to provide packaging-readiness information; we do not legally verify uploaded documents.
8. International transfers
Some of our service providers are established outside the United Kingdom or process data on infrastructure located outside the UK and EEA. Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or adequacy decisions, as applicable to each provider.
9. Retention
- active account and workspace data is retained while the customer subscription remains active;
- on account closure, workspace data is deleted or anonymised in line with our operational retention process, except where retention is required for legal, billing, security or dispute purposes;
- billing and accounting records are retained for up to six years where required by UK law;
- security and audit records are retained only for as long as reasonably required for security, fraud prevention, investigations and legal obligations;
- support correspondence is retained for as long as needed to resolve enquiries and disputes and to improve the service;
- encrypted backups are retained until normal secure backup expiry.
10. Security
We apply technical and organisational measures appropriate to the risk, including access controls, encryption in transit, network protections, audit logging and role-based permissions inside the application. No online service can guarantee absolute security.
11. Your rights
Individuals in the UK have rights under UK GDPR, including the rights of access, rectification, erasure, restriction, objection and data portability, and the right not to be subject to solely automated decisions with legal or similarly significant effects. To exercise a right, contact compliance@packaging-simple.com. Where the customer organisation is the controller of the personal data in question, we will support that organisation in responding to the request.
12. Complaints
You have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk. We would appreciate the opportunity to address your concerns before you approach the ICO.
13. Contact
Privacy questions and data-protection requests can be sent to compliance@packaging-simple.com. Postal enquiries can be addressed to OXBEAK LTD, Unit 7–8 Silverlink Business Park, Wallsend, United Kingdom NE28 9NX.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the version and effective date at the top of this page.