Last updated: 10 June 2025
If you have any questions or concerns about this Privacy Policy or how CaskID handles your Personal Information, please contact us at support@cask.id. We will be happy to assist you.
This privacy policy ("Policy") describes how the personally identifiable information ("Personal Information") you may provide on the CaskID website ("Website" or "Service") and any related products and services (collectively, the "Services") is collected, protected, and used. It also describes your choices regarding our use of your Personal Information and how you can access or update this information. This Policy is a legally binding agreement between you ("User", "you" or "your") and CaskID Ltd ("CaskID", "we", "us" or "our"). By accessing and using the Website and Services, you acknowledge that you have read, understood, and agree to be bound by the terms of this Policy. This Policy does not apply to the practices of companies that we do not own or control, or to individuals whom we do not employ or manage.
CaskID is committed to protecting your privacy and handling your Personal Information in an open and transparent manner, in accordance with applicable laws including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We will only use your Personal Information as described in this Policy and in compliance with our legal obligations.
Important Note: CaskID is a platform for trading tangible whisky casks and similar assets. It is not authorised or regulated by the UK Financial Conduct Authority (FCA), and nothing in this Policy (or on our Website) constitutes financial or investment advice. Whisky casks are not regulated investments, and their purchase does not offer the protections afforded to regulated financial products. Users should be aware of the risks (including potential loss in value and fraud) associated with such transactions, as further detailed at the end of this Policy (see Regulatory Status and Important Disclaimers).
We minimize the amount of data we collect automatically from all users. When you visit our Website, our servers may automatically log certain basic information about your visit. This information can include data such as your IP address, browser type,device information, operating system, referring website, pages you viewed, and the dates/times of access. We use this automatically collected information primarily for identifying potential abuse or unauthorized use of our Services and for obtaining statistical information regarding the overall usage and traffic on our Website.
Automatically-collected data is used in aggregate form. In other words, we analyze this data to understand trends and administer the site, but we do not use it to identify any individual user. For example, we might track how many users visit a particular page or how load times vary, but this information is not combined in a way that reveals your identity. These automated logs are kept secure and are only accessible to authorised personnel. We do not use automatic collection mechanisms for any purpose other than those stated, and we do not link this data to any Personal Information you may have provided elsewhere in our Services.
You can access and browse the CaskID Website without telling us who you are or revealing any information that would identify you as a specific individual. We do not require you to register or provide Personal Information just to view public areas of the site. However, if you wish to use certain features or services on the Website – for example, creating an account, making a purchase, listing a cask, orparticipating in an offering – you will be asked to provide certain Personal Information as part of those processes. We receive and store any Personal Information that you provide to us knowingly when you register on the Website, fill out forms, make transactions, or contact us for support.
Such as your full name, date of birth, nationality, and any government-issued identification numbers or documents you provide for verification (e.g. a passport or driver's licence scan for age/identity verification). For example, we may ask for proof of age since our services involve alcoholic assets.
Including your email address, telephone number, and physical mailing address. This allows us to communicate with you (for instance, to send confirmations, updates, or support responses).
If you create an account, we will collect details like your username, password, and a unique user ID associated with your account. We maintain this information securely, and passwords are stored in hashed or encrypted form for security.
If you engage in transactions (such as purchasing a whisky cask or other product through our platform), we may collect information related to your transactions. This can include payment method details (though payment card information is typically handled by third-party payment processors, as described below), wallet addresses or transaction IDs for blockchain-based assets, invoice and order details, and records of payments, transfers, or withdrawals. We collect transaction data to maintain an audit trail and comply with legal obligations (such as tax and accounting rules).
In some cases, we may require additional information to comply with legal obligations or platform policies. For example, we might ask for proof of address (like a utility bill), or conduct "Know Your Customer" (KYC) checks which could involve collecting a copy of your identification documents or asking additional questions to verify your identity and ensure you meet eligibility (such as age requirements or sanctions list screening).
We may also collect information you provide about your preferences, interests, and how you intend to use our Services. For example, if you opt to provide information in surveys, respond to questionnaires, or participate in promotions, we will collect whatever information you choose to provide. If you communicate with us (such as through customer support inquiries or feedback forms), we will collect and retain those communications.
Providing Personal Information is voluntary, but if you choose not to provide certain information, you may not be able to use or benefit from some of our Services. For instance, if you do not provide a required proof of identity or age when requested, we might not be able to allow you to buy or sell through the platform. If you are ever unsure which information is mandatory and which is optional, please feel free to contact us for clarification.
In addition to information collected directly from you, we may also obtain some Personal Information from third-party sources to the extent permitted by law. For example, we might collect data from public databases, verification services, or marketing partners in order to confirm your identity, assist with compliance checks, or enhance our user base information. If we combine or associate information from other sources with Personal Information that you provide to us, we will treat the combined information as Personal Information under this Policy.
We collect and use your Personal Information for various purposes in order to operate our business, provide the Services to you, and meet certain legal requirements. In general, we will only process your Personal Information where we have a lawful basis to do so and for purposes that you would expect from a platform like CaskID. If you do not provide the Personal Information we need, we may not be able to deliver the products or services you have requested.
We use your information to create and manage your user account, to allow you to list, buy, or sell assets, and to otherwise deliver the features of our Website and Services that you request. This includes using Personal Information to facilitate transactions (e.g., transferring ownership of a cask), to display relevant content, and to customize your experience. We may also use the data to improve our products and services, for example by analyzing usage patterns or feedback to make enhancements or fix issues.
We process contact details to send administrative information such as confirmations of your transactions, invoices, security alerts, and support messages. We may also send you marketing and promotional communications about new listings, promotions, or news about CaskID, but only in accordance with your preferences and applicable law (see Email Marketing below). If you contact us with a question or request, we will use your contact information to respond to inquiries and provide support.
We use relevant Personal Information to deliver products or services you have requested, such as coordinating with storage facilities or shipping providers for physical goods, and to ensure you receive the correct items or documents. Payment and financial details are used to process your billing and payments (as described in the next section) and to keep proper records of those transactions.
We may use your information to request user feedback or invite you to participate in surveys or reviews. This helps us understand user satisfaction and improve the user experience. Similarly, we may analyze data on how you use our Website to improve user experience, such as by making the interface more user-friendly or ensuring important information is easy to find.
Where permitted, we use data (like your browsing behavior or past purchases) to deliver targeted advertising or content that may be more relevant to you. For example, we might highlight cask offerings that match your indicated preferences or show you promotions that we think could interest you. Any marketing is subject to your consent or opt-out choices. We do not engage in invasive profiling, but we do attempt to align our communications with your interests.
Personal Information is used to enforce our terms and conditions and policies, ensuring that all users comply with our rules. We also use it to prevent, detect, and address fraud or illegal activities on our platform. For example, we might use identity verification information to deter fake accounts, or use usage data to detect patterns of fraudulent behavior. We also process data as needed to respond to legal requests and prevent harm, such as investigating suspicious transactions or addressing violations of law.
Some of our processing is necessary for compliance with legal obligations. This can include verifying age for alcohol-related transactions (to comply with minimum age laws), maintaining transaction records for tax and accounting purposes, conducting anti-money laundering (AML) and fraud screening as required by law, and fulfilling our responsibilities in response to lawful requests by public authorities.
Finally, we use data to run and operate the Website and Services on a day-to-day basis. This encompasses all the background processes that make the platform function correctly, securely, and efficiently, such as backing up data, ensuring network security, and enabling account management features.
Our processing of your Personal Information is supported by one or more valid legal bases under data protection laws. The legal bases we rely on include:
In certain cases, we rely on your consent to process your Personal Information for one or more specific purposes. For example, if you opt-in to receive our newsletter, we rely on your consent to use your email for that purpose. You have the right to withdraw your consent at any time (see Your Rights below). (Please note: we generally do not base processing on consent if an alternative legal basis applies, especially where the UK GDPR or similar laws provide other grounds).
We process Personal Information when it is necessary for the performance of a contract with you, or to take pre-contractual steps at your request. This includes processing needed to provide the Services you sign up for – for example, using your details to set up your account, or processing payment information to complete a sale. If you have agreed to our Terms of Service, much of our data use is to fulfill our obligations under that agreement.
We process Personal Information when needed to comply with a legal obligation to which we are subject. For instance, we may be required by law to keep certain transaction records for tax, to verify identity documents under anti-fraud regulations, or to disclose information in response to valid requests by law enforcement or regulatory authorities.
In very limited circumstances, we might process Personal Information if it is necessary for a task carried out in the public interest or in the exercise of official authority vested in us. This basis is generally not applicable to CaskID's typical activities (as we are a private company, not a public authority), but it could apply if, for example, we participated in an official investigation or public safety initiative.
We may process Personal Information as necessary for our legitimate interests (or those of a third party), provided that those interests are not overridden by your fundamental rights and freedoms. For example, it is in our legitimate interest to ensure the security of our platform, to prevent fraud, to market our services to interested customers, and to improve our services. When we rely on legitimate interests, we carefully consider and balance any potential impact on your rights.
We will make sure to clearly identify the legal basis of our processing where required. In cases where multiple bases could apply, we rely on the one most appropriate for the specific purpose. If you ever have questions about the legal basis for any specific processing of your Personal Information, please contact us – we will gladly provide clarification on how your data is handled and the justification for its use. Note that in certain jurisdictions, we may be permitted to process Personal Information without consent or another specific legal basis until you object (opt-out), as long as such processing is not prohibited by law. In all cases, we adhere to applicable law and, where required, we will inform you whether providing Personal Information is a statutory or contractual requirement, or necessary to enter into a contract (and the consequences of not providing the information).
When you make a purchase or sale through CaskID that involves a monetary transaction, we use third-party payment processors or financial institutions to handle the processing of payments securely. Examples may include credit card payment gateways or cryptocurrency payment services, depending on what payment methods we support. CaskID does not store or collect your full payment card details on our own servers; such sensitive financial information is provided directly to the third-party payment processor during the transaction. These payment processors are PCI-DSS compliant or adhere to equivalent security standards to ensure the protection of your payment data.
The use of your Personal Information by these third-party payment processors is governed by their own privacy policies. This means that if you provide payment data (like a credit card number or bank account) during a transaction, that data is collected and processed by the payment processor under its privacy terms. For example, if we use a payment gateway like Stripe or PayPal, your financial details are handled by those services. We only share information with payment processors to the extent necessary for processing payments you initiate (such as the purchase amount and your identification to tie the payment to your account). We do not control the privacy practices of these third parties, though we choose reputable providers. We recommend that you review the privacy policy of any payment processor you use via our Services to understand how they will handle your Personal Information.
CaskID itself maintains records of transactions (e.g. that a payment was made, the date, the amount, and the parties involved) for our own accounting, dispute resolution, and customer service purposes. This information is kept secure and only used for legitimate business needs, such as handling refunds, addressing transaction disputes, or meeting financial reporting obligations. If you have questions about payment security or the handling of payment information, feel free to reach out to us.
We want you to have control over your Personal Information. Our Website and Services provide features that allow you to view, update, or delete certain Personal Information associated with your account at your convenience. For example, by logging into your account, you can typically access and update your profile details, such as your contact information or password. In some cases, you may also adjust preferences (like opting in or out of certain communications) through account settings.
If at any time you wish to edit or remove information, you can do so by accessing the relevant section of your account (if available) or by contacting us for assistance. The scope of information you can directly modify might evolve as our Website and Services change. We strive to make as much of your data as possible editable by you, to ensure accuracy and transparency.
Please note that when you delete Personal Information via your account, it may not be immediately removed from all our systems. For instance, deleting a piece of information in your profile will remove it from active view, but our system may retain an archived copy for legal or compliance reasons. CaskID maintains backups and archival records of our database to ensure continuity of service and to comply with laws and agreements. Thus, even if you delete or change information in your account, we might retain the original data in secure archives for a certain period as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. For example, if you delete a mailing address from your profile, we might still keep a record of that address in an order invoice for accounting and audit purposes.
We do not overwrite or remove your Personal Information without good reason. The data that remains in our archives is restricted and not used for any new purposes; it is kept only as long as needed for the reasons it was retained (such as fulfilling legal retention periods). After that period, it will be securely deleted.
If you would like to permanently delete your account (and associated Personal Information), you may typically do so via an account deletion option on the Website, or you can contact us with a deletion request. Upon verifying your identity, we will initiate the process of removing your Personal Information from our active systems and will inform you when the process is complete. Keep in mind that, as noted, certain information may be retained in backups or logs for a time, but will be purged in accordance with our retention policies (see Retention of Information below).
In summary, you have the ability to control your Personal Information in the following ways:
You can review and update the Personal Information in your account profile at any time. It's your responsibility to keep your details accurate and up-to-date, and we encourage you to promptly update your information if it changes.
You can delete specific pieces of information (where allowed by the interface) or request full account deletion. We will honor such requests and delete your Personal Information, except for information we are required or permitted to retain by law or for legitimate business purposes.
You can manage your preferences for marketing emails or newsletters as described in the Email Marketing section of this Policy. Additionally, if we ever use your information for any new purpose that is not covered in this Policy, we will seek your consent or provide an opt-out option as appropriate.
If you have any difficulty managing your information or have a request that the Website's interface doesn't accommodate, please reach out to us. We will be glad to help you make the changes or deletions you need, in line with our legal obligations.
We treat your Personal Information with care and confidentiality. We do not sell or rent your Personal Information to third parties for their own marketing purposes, and we only share your information in the ways described in this Policy. Below are the scenarios in which we may disclose Personal Information and the types of third parties with whom we may share it:
We may share your Personal Information with trusted third-party service providers who perform services on our behalf to help us operate the Website and deliver our Services to you. This includes companies and individuals we contract with to provide certain functions, such as:
These service providers only receive the information necessary to perform their specific functions, and they are contractually prohibited from using your information for any purpose other than providing services to us. They must follow our instructions and comply with appropriate confidentiality and security measures.
CaskID Ltd is currently a single entity, but if in the future we have any affiliate companies or subsidiaries (for example, a parent company or other companies under common ownership), we may share your information within our corporate family. Any such affiliate would be required to honor the commitments in this Privacy Policy.
If CaskID undergoes a business transition such as a merger with another company, acquisition, reorganization, or sale of all or a portion of its assets, your user account and Personal Information will likely be among the assets transferred to the new owner. In such events, we will ensure that the successor entity is bound by terms similar to this Privacy Policy in how it handles your data, or we will notify you and obtain any required consents.
We may disclose your Personal Information when required to do so by law or when we have a good-faith belief that disclosure is necessary to comply with a legal obligation or valid legal process. This includes responding to court orders, subpoenas, or requests by government or regulatory authorities. Additionally, we may share information if we believe it is necessary to protect our rights and property, protect your safety or the safety of others, or investigate fraud or other wrongdoing.
In cases where you have given us explicit consent to share your information, we will share it as instructed. For instance, if you opt-in to a feature that involves sharing your information with a third party (like participating in a joint marketing event with a partner company where you ask us to share your contact details), we will do so under the terms of that consent. You remain in control – if you've agreed to such sharing, you can also contact us to revoke consent for future sharing.
Other than the scenarios above, CaskID will not disclose your Personal Information to any third party. We do not divulge user data to other users or the general public, except in ways that are necessary for normal operation of the Service (for example, if you are a seller, certain information might be visible to buyers as part of a listing – but this would be clear from context and often under your control, such as a username displayed on your listings).
Importantly, we do not share Personal Information with unaffiliated third parties for their own marketing purposes. We also never engage in selling personal data. All third parties who might receive Personal Information are either service providers acting on our behalf, or parties in a transaction you are part of (e.g., a buyer or seller counterpart, or a shipping company delivering your cask), or official entities as required by law.
We ensure that any third-party disclosures are done securely. When Personal Information is shared, we transmit it using secure methods and we only share what is necessary for the purpose. If you have questions about whom we share your data with, or need more detail about third parties in a certain category, please contact us and we can provide additional information.
We will retain your Personal Information for only as long as necessary to fulfill the purposes we collected it for, including for the purpose of satisfying any legal, accounting, or reporting requirements. How long we keep specific Personal Information varies depending on the nature of the data and the reasons we need it. We take into account various factors when determining retention periods, such as the sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes of processing, and whether we can achieve those purposes through other means.
In practice:
We keep the Personal Information associated with your account for as long as your account is active. If you decide to close your account, we will initiate deletion of your Personal Information as described above in Managing Your Information. However, we may retain some data from closed accounts to comply with law, prevent fraud, collect fees owed (if any), resolve disputes, or enforce our agreements. Generally, basic account info and transaction history might be archived for a period after account deletion for legal or tax purposes.
Given the nature of our business, we may be required by law to retain certain financial and transaction records for a minimum period (for example, UK tax laws or anti-fraud regulations might require keeping records for 6 years or more). Even if you delete your account, records of transactions you were involved in (which may include your Personal Information like name or contact on an invoice/bill of sale) might be kept until the retention period expires.
If we are involved in litigation or government investigation, or if we reasonably believe we might need to defend our legal rights or the rights of others, we will retain relevant information for as long as the legal issue is active. Similarly, if you exercise certain rights (like objecting to processing or requesting restriction), we may retain information necessary to demonstrate compliance with your requests.
Our system may maintain encrypted backup copies of data, which are cycled and deleted after a certain period. There may be a slight lag between deletion of data in our primary systems and deletion from backups, but we ensure that backups are also eventually purged according to a schedule.
In all cases, when we no longer have a legitimate need or legal obligation to keep your Personal Information, we will securely delete, destroy, or anonymise it. We may, for example, anonymise data (so it can no longer be associated with you) and retain it for historical analysis or statistical purposes without further notice to you.
Once the retention period for a particular piece of data expires, we will permanently erase it from our systems. After this point, you will not be able to exercise certain rights such as access or deletion on that data because it no longer exists in identifiable form. For instance, if we delete records of a completed transaction after the legally required retention time has passed, we can no longer retrieve or provide that data to you.
To summarize, CaskID retains Personal Information as long as it is necessary and relevant for our operations and to comply with the law. We do not keep data indefinitely by default. If you have specific questions about our data retention practices (for example, how long we keep data for a certain type of transaction), you can contact us and we will provide more details.
CaskID is a UK-based service, but the nature of online platforms and global asset trading means that your Personal Information may be transferred to, stored in, or processed in a country other than your own. In particular, data that we collect from users in the United Kingdom or the European Economic Area (EEA) might be transferred outside of the UK/EEA, including to countries that may have different data protection standards than those in your jurisdiction.
For example, we may use cloud servers or service providers located in the United States or elsewhere to host our website and data. Also, if you are a user located outside the UK and you transact with a buyer or seller in the UK (or vice versa), personal details might be shared across borders as part of that transaction.
Whenever we transfer Personal Information out of the UK or EEA, we take steps to ensure that adequate safeguards are in place to protect your data in accordance with UK GDPR/EU GDPR requirements. These safeguards may include:
We may transfer data to countries that have been officially deemed to provide an adequate level of data protection by the UK government or European Commission (as applicable). For instance, the UK has recognised certain countries as adequate for personal data transfers. If we transfer data to such a country, it is treated as if it were still in the UK in terms of legal protection.
In the absence of an adequacy decision, we often rely on standard contractual clauses (also known as model clauses) approved by regulators. These are contractual commitments between parties transferring data, which bind the recipient to protect the data to the standard required by UK/EU data protection law. For example, if we use a US-based service provider, we would sign SCCs with them to ensure your Personal Information remains protected.
Depending on the situation, we might implement additional measures such as International Data Transfer Agreements (IDTAs) for UK transfers, Binding Corporate Rules if data moves within our future corporate group, or explicit consent from data subjects for certain transfers (though we try to avoid relying on consent for transfers).
As an added layer, we use encryption for data in transit and at rest, which means that even if data is stored or passing through another country, it remains encrypted and protected. Access to Personal Information is limited to authorized personnel, regardless of location.
You have the right to learn about the legal basis on which we transfer your personal data internationally and the safeguards we have put in place. We strive to be transparent about this. If you would like more information about international data transfers, such as obtaining a copy of the relevant contractual safeguards (e.g., SCCs) in place, you can contact us using the information provided in this Policy. We may request a signed non-disclosure agreement before sharing certain documents, but we will provide as much information as we can.
By using our Website and Services, or by interacting with us in the ways described, you acknowledge that your Personal Information may be transferred to and processed in countries other than your own. We will, however, always protect your data in line with this Privacy Policy wherever it is processed, and we will comply with all applicable laws to ensure your data remains secure and protected.
If international transfer of Personal Information is a concern to you, please let us know. In some cases, we may be able to accommodate requests such as hosting data in a specific region, but this may not always be possible given how global networks operate. Rest assured, our goal is to ensure your privacy is safeguarded universally.
We respect your rights to control your Personal Information. Under applicable data protection laws, and subject to certain conditions, you have specific rights regarding the Personal Information we hold about you. In particular, you have the right to do the following:
If we are processing your Personal Information based on your consent, you have the right to withdraw consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal. For example, if you consented to receive marketing emails, you can opt out later and we will stop sending them.
You have the right to object to the processing of your Personal Information if the processing is carried out on a legal basis other than consent. This means that if we are processing your data under legitimate interests or public interest, you can object to that processing (as explained more below). In practice, you can always object to, for instance, data used for direct marketing or profiling for marketing purposes, and we will honor that objection.
You have the right to learn whether your Personal Information is being processed by us, and if so, to obtain disclosure of certain information about the processing and to access the Personal Information we hold about you. This is commonly known as a Subject Access Request. You can request a copy of your data and additional details such as the purposes of processing, the categories of data, the categories of recipients, etc.
You have the right to verify the accuracy of your Personal Information and ask for it to be updated or corrected. If you find that any Personal Information we have is inaccurate or incomplete, please let us know. We will correct erroneous data or complete incomplete data (taking into account the purposes of processing) without undue delay.
Under certain circumstances, you have the right to restrict the processing of your Personal Information. This means we would store your data but temporarily halt any other processing. You might exercise this right if, for example, you contest the accuracy of the data (and we are verifying it), or if you object to our processing and we are considering that objection, or if processing is unlawful but you prefer restriction over deletion. When processing is restricted, we will mark the data as restricted and ensure it is only processed for limited reasons (such as with your consent or for legal claims) as per applicable law.
Under certain circumstances, you have the right to obtain the erasure of your Personal Information. We will delete your Personal Information upon request if, for example, the data is no longer needed for its original purpose, you have withdrawn consent and no other legal basis for processing exists, you have objected to processing and we have no overriding legitimate grounds to continue, or your Personal Information was processed unlawfully. Please note that this right is not absolute – sometimes we must retain certain data to comply with legal obligations or to establish or defend legal claims. We will inform you if that is the case.
You have the right to receive your Personal Information in a structured, commonly used and machine-readable format, and, where technically feasible, to have it transmitted directly to another controller. This right applies when your Personal Information is processed by automated means and the processing is based on your consent or on a contract you have with us. For example, if you provided us data and it's processed automatically for performing our contract with you, you can ask us to export it in a CSV or similar format for your reuse, or to send it to another service provider. We will comply as long as it is feasible to do so and does not affect the rights of others (e.g., we will not include other individuals' personal data in the export without their consent).
Please note that the right to data portability applies only under certain conditions – specifically, only to data you provided, processed by automated means, and processed on the basis of consent or contract. It does not apply to data we process on other legal bases (like legitimate interests).
Additionally, if your Personal Information is processed for direct marketing purposes, you have the unconditional right to object at any time to such processing, including profiling related to direct marketing, and we will stop processing your data for that purpose.
Each of the above rights can be exercised by contacting us (see How to Exercise These Rights below). We will handle your request in accordance with applicable law. Typically, we will respond within one month of receiving a request, but we may extend that period by an additional two months if the request is complex or we have received numerous requests (we will inform you of any extension and the reasons for delay).
There are circumstances where we might be unable to fulfill a request in full, usually because a legal exemption applies. For example, we might not release information that includes personal data about another individual, or we might refuse a deletion request if the data must be retained to comply with a legal obligation. If we have to refuse any part of your request, we will explain the reasoning to you (unless we are legally prevented from doing so).
Where we process your Personal Information based on legitimate interests or for a task in the public interest / exercise of official authority, you have the right to object to that processing on grounds relating to your particular situation. If you object, we will cease processing your information for those purposes unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless we need to continue processing for the establishment, exercise, or defense of legal claims. For example, if we process your data for our legitimate interest in preventing fraud and you object, we will consider your reasons and whether there is an overriding need to continue that processing.
Importantly, if your Personal Information is being processed for direct marketing purposes, you have the right to object at any time and we will stop processing your data for those purposes immediately. This is an absolute right under data protection law – when you say "no" to marketing, we will honor that with no exceptions. You can exercise this by using any opt-out mechanisms provided (such as an unsubscribe link in emails) or by contacting us directly to request we cease marketing communications to you.
If you object to processing, please specify the particular processing activity you are concerned about, and the reasons for your objection (if it's not related to direct marketing, where no reason is needed). This will help us properly evaluate your request. We will respond to your objection as outlined in the How to Exercise These Rights section.
If you are a resident of the United Kingdom, or of a country in the European Union (EU) or European Economic Area (EEA), you are entitled to certain additional data protection rights under the UK GDPR and EU GDPR. CaskID is committed to upholding these rights and ensuring that you can exercise them. Below is a summary of your rights and what they mean:
You have the right to request access to the Personal Information we store about you and to receive information about how it is processed. This allows you to confirm whether we are processing your Personal Information and to verify the lawfulness of the processing. Upon request, we will provide a copy of your Personal Information undergoing processing, usually free of charge (except as permitted by law for repetitive or excessive requests).
You have the right to request that we correct any Personal Information that you believe is inaccurate, and you also have the right to request that we complete information that you believe is incomplete. We encourage you to keep your Personal Information up to date and will promptly make corrections when notified, provided we can verify the accuracy of the new information you provide.
You have the right to request that we erase your Personal Information under certain conditions. This right (also known as the "right to be forgotten") applies, for instance, if the Personal Information is no longer necessary for the purpose it was collected, if you withdraw consent and no other legal basis exists, or if you object to processing and we have no overriding legitimate grounds to continue. We will also erase your data if we processed it unlawfully or if erasure is required to comply with a legal obligation. Keep in mind that this right is not absolute; sometimes we may refuse erasure, for example, where we need to comply with a legal obligation or in case of establishing or defending legal claims.
You have the right to object to our processing of your Personal Information at any time, on grounds relating to your particular situation, when the processing is based on legitimate interests or public interest. As mentioned, if you object to direct marketing, we will comply immediately. For other objections, we will stop processing unless we have compelling legitimate grounds to continue.
You have the right to request the restriction of processing of your Personal Information under certain circumstances. When processing is restricted, we can still store your data but will not process it further without your consent (except for certain exempt purposes like legal claims or protecting others' rights). You can request restriction if: you contest the accuracy of the data (for a period enabling us to verify it); or the processing is unlawful and you oppose erasure and prefer restriction; or we no longer need the data but you need it for a legal claim; or you have objected to processing (pending verification of our legitimate grounds).
You have the right to be provided with a copy of certain Personal Information in a structured, machine-readable and commonly used format, and you have the right to transmit that data to another controller (or have us transfer it, where technically feasible). This right only applies to information you have given us, which we process by automated means, and which we process based on your consent or a contract. For example, you might request a CSV file of all data you provided when signing up and transacting on our platform.
Where we rely on your consent to process Personal Information, you have the right to withdraw your consent at any time. If you withdraw consent, we will stop the processing that was based on consent. However, please note that withdrawal does not affect the lawfulness of prior processing. For instance, if you consented to our use of cookies and later withdraw it, we will stop placing new cookies but the data collected before withdrawal may still be processed if there's another lawful basis to do so.
(GDPR-specific) You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, unless it is necessary for entering into or performing a contract, based on your explicit consent, or otherwise authorized by law with appropriate safeguards. At this time, CaskID does not make any decisions about you that are purely automated and have a significant impact. If that changes, we will inform you and ensure the law's requirements (like providing a way to obtain human intervention) are met.
You have the right to lodge a complaint with a supervisory Data Protection Authority if you believe that our processing of your Personal Information violates the GDPR or other applicable data protection law. In the UK, the supervisory authority is the Information Commissioner's Office (ICO). In the EU, you can contact the authority in the country of your residence, place of work, or where an alleged infringement occurred. We would, however, appreciate the chance to address your concerns directly before you approach a regulator – so please consider reaching out to us first, and we will do our best to resolve any issue.
We handle all requests to exercise GDPR rights in accordance with the GDPR itself. Typically, we will respond to requests within one month. If needed, this may be extended by another two months for complex requests, but we will inform you of any delay and the reasons.
There is generally no fee for exercising your rights. However, the law permits us to charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, particularly if they are repetitive. Rest assured, we aim to fulfill all legitimate requests.
If you wish to exercise any of these rights, please refer to the next section on How to Exercise These Rights for instructions.
If you are a resident of California, you are granted specific rights regarding your Personal Information under California law. These rights are in addition to those already explained in this Policy. We summarize some key California privacy rights below:
Under California Civil Code Section 1798.83 (known as the "Shine the Light" law), California residents who provide Personal Information in the course of obtaining products or services for personal, family, or household use have the right to request, once per calendar year, information about any customer information that we have shared (if any) with other businesses for their own direct marketing uses in the previous calendar year. If applicable, this information would include the categories of Personal Information shared and the names and addresses of those third-party businesses with which we shared such information for their direct marketing purposes.
To make a "Shine the Light" request, you can contact us using the contact details provided in this Policy. Please specify in your request that you are making a "California Shine the Light" inquiry. Note that we currently do not disclose Personal Information to third parties for their direct marketing purposes without your consent, so in most cases our response will be that we have not shared such information. Still, you are entitled to make this request and we will respond as required.
The California Consumer Privacy Act (as amended by the California Privacy Rights Act, collectively "CCPA") provides California residents with certain rights regarding Personal Information (referred to as "personal information" in the CCPA) collected by businesses. If the CCPA is applicable to our operations (this depends on certain thresholds and business criteria), your rights would include:
You can request that we disclose what personal information we collect, use, disclose, and sell. This includes the categories of personal information, the sources from which it was collected, the business or commercial purposes for collecting or selling it, the categories of third parties we share it with, and the specific pieces of personal information we hold about you.
You can request that we delete any personal information about you that we have collected from you, subject to certain exceptions (for example, we may retain information needed to complete a transaction, to detect security incidents, for legal compliance, etc., as permitted by the CCPA).
The CCPA gives you the right to opt out of the sale of your personal information. "Sale" is broadly defined in CCPA and can include certain data sharing. We want to clarify that CaskID does not sell your Personal Information in the traditional sense (for money). We also do not share personal data for targeted advertising in a way that is defined as a "sale" under CCPA. If that ever changes, we will implement a "Do Not Sell or Share My Personal Information" link or similar mechanism on our Website to allow you to opt out.
We will not discriminate against you for exercising any of your California privacy rights. This means, for example, we will not deny you services, charge you a different price, or provide a different quality of service just because you exercised your rights under the CCPA. However, please note that if deletion of data or opt-out of sale limits our ability to provide certain features, we will inform you of the consequences (for instance, if you ask us to delete your account data, you will no longer be able to use the Service).
If we fall under the scope of CCPA, we will provide a dedicated notice outlining our CCPA-related practices (including the categories of personal information collected and the purposes) and methods for California residents to submit requests (such as a toll-free phone number or online request form).
To exercise your CCPA rights, you (or your authorized agent) can contact us through the methods listed in How to Exercise These Rights. We will need to verify your identity (and that of any agent) to a reasonable degree of certainty before responding to requests, as required by law, which might involve matching information you provide with our records.
We aim to respond to verifiable California consumer requests within 45 days of receipt, or notify you if we need more time (up to 90 days in total).
For minors under 16 years of age, we do not sell their personal information without affirmative authorization as required by CCPA (often called "opt-in").
In summary, California residents have the above rights, and this Policy provides for transparency in how we handle personal data relevant to those rights. Because CaskID's core operations are in the UK, some aspects of CCPA may not directly apply, but we strive to honor the spirit of such laws and provide robust privacy protections universally.
If you have any questions about your California privacy rights, or how to exercise them, please contact us. We are committed to respecting your rights and will do our best to address any concerns.
You are welcome to reach out to us at any time to exercise your privacy rights or to ask any questions about your Personal Information. To make a request, please contact us by email at privacy@cask.id (or support@cask.id) with the subject line "Privacy Rights Request" and let us know what specific right you wish to exercise and the scope of your request.
For example, you can write: "I am requesting access to my personal data," or "Please delete the personal information associated with my account," or "I object to processing of my data for marketing." The more specific you can be, the better we can respond. If you have multiple requests, you can include them all in one correspondence.
In order to protect your security and prevent unauthorized access to data, we will need to verify your identity before fulfilling your request. For most account-related requests, we will verify by matching information you provide with information on file (for instance, we may ask you to write to us from the email address associated with your CaskID account or answer a few questions to confirm your identity). In some cases, we might ask for additional verification, especially for sensitive requests. If an authorized representative is making the request on your behalf, we will require proof of that authorization (e.g., a signed permission letter from you or a power of attorney, and we will still verify your identity directly as well).
Please provide sufficient information in your request so that we can understand and respond to it properly. For instance, if you are requesting specific data, clarify exactly what data you want. If you are requesting rectification, tell us what information is incorrect and what it should be replaced with. If you simply state "delete everything," we might come back to confirm, since deleting your data may mean you lose access to the Services.
Once we receive your request and verify your identity, we will do our best to answer or act on your request without undue delay. As noted earlier, we will reply within one month for GDPR-related requests, and within 45 days for CCPA-related requests, unless an extension is necessary (in which case we will inform you within the original timeframe).
If for some reason we cannot fulfill your request, we will provide an explanation (unless legally restricted from doing so). For example, if you request deletion of data that we are required by law to keep, we will explain that and describe the data and reasons.
We do not charge a fee for handling a reasonable request. However, if someone makes repetitive, excessive, or manifestly unfounded requests, we reserve the right (where permitted by law) to either charge a reasonable fee reflecting the administrative cost or refuse the request. We will of course explain our decision in such cases.
Email: privacy@cask.id (or support@cask.id if no dedicated privacy email).
Address: You may also send written requests to our business mailing address (if you prefer postal mail). [Insert CaskID's physical address here].
Please note that for certain requests (like data access or portability), we will deliver the information in a secure manner. Typically, we respond via email to the verified email on file, unless you request an alternate method.
Your privacy is very important to us. We have dedicated personnel and procedures in place to handle rights requests. If you have any trouble exercising your rights, or if you feel your request was not satisfactorily handled, please let us know so we can improve.
Finally, as mentioned above, you have the right to contact your local data protection authority if you have concerns about how we've handled your Personal Information. We sincerely hope to resolve any issues directly, and we greatly value the opportunity to do so.
Our Services are not intended for children or minors under the age of 18, nor for anyone below the legal age for purchasing or handling alcohol in their jurisdiction (if that age is higher than 18). We do not knowingly collect any Personal Information from individuals under 18 years old. If you are under 18 (or under the applicable legal age for alcohol-related activities in your country), please do not register an account, make purchases, or otherwise use our Website and Services.
CaskID deals with whisky casks and similar products, which are alcoholic assets. As such, we take age restrictions seriously. During the account registration or purchase process, you may be required to confirm that you are of legal age. We may also implement age verification measures (such as requesting a copy of an ID) to ensure compliance with laws that prohibit minors from engaging in alcohol-related transactions.
If we learn that we have inadvertently collected Personal Information from someone under 18 (or under the relevant legal age), we will take steps to delete that information promptly. This might come to our attention, for example, if a parent or guardian contacts us or if our systems detect inconsistencies suggesting a user is underage. In such cases, we will also terminate the minor's account (if one exists) and restrict access to the Services.
Parents or guardians who believe that CaskID might have any information about a child under 18 should contact us immediately. We will investigate and, if applicable, remove the information in accordance with applicable law. We encourage parents and guardians to supervise their children's online activities and consider using parental control tools available from online services and software providers to help provide a child-friendly online environment.
In summary, we do not intentionally target or serve anyone under the legal age. Our website's content and offerings are all geared toward adults (particularly given the nature of whisky casks as an asset). By using our Service, you represent that you are at least 18 years old and of legal age to form a binding contract in your jurisdiction, and if relevant, of legal age to engage in alcohol-related activities.
Like most websites, CaskID uses cookies and similar tracking technologies to enhance user experience and ensure our Services function effectively. Cookies are small text files that are placed on your computer or device when you visit a website. They are widely used to make websites work, or work more efficiently, as well as to provide reporting information to the owners of the site.
These cookies are necessary for the operation of our Website and cannot be switched off in our systems. They include, for example, cookies that enable you to log into secure areas of our site, use verification features, or maintain security. Without these cookies, certain services or features cannot be provided, and the site might not perform as smoothly as intended.
Legal Basis: These cookies are strictly necessary for the legitimate operation of our website.
We utilize analytics tools (like Google Analytics) that set cookies to collect information about how visitors use our site. These cookies help us understand things like which pages are visited most often, how users navigate through the site, and if they encounter error messages on certain pages. The data collected is aggregated and anonymized, meaning it does not directly identify individuals. We use this information to improve our Website's functionality and performance.
Third Parties: Google Analytics (with IP anonymization enabled)
We use these to remember your preferences and various settings. For instance, if you select your currency or language, a cookie might store that preference so that next time you return, those settings are already applied.
Certain cookies help us maintain security by authenticating users and preventing fraudulent use of user accounts. For example, when you log in, a cookie may help keep you logged in as you browse different pages, and also help detect malicious activity.
Legal Basis: These cookies are necessary for security and fraud prevention.
When you first visit our website, you will see a cookie banner asking for your consent to use non-essential cookies. You can:
You also have control through your browser settings: Most web browsers automatically accept cookies by default, but you can modify your browser setting to decline cookies or to alert you when a cookie is being placed. Check your browser's help section for instructions on how to change your cookie settings. You can delete cookies that have already been set through your browser's privacy settings.
If you choose to decline non-essential cookies:
You can change your cookie preferences at any time by:
For more information about cookies and how to manage them:
This policy was last updated: January 2025
"Do Not Track" (DNT) is a privacy preference that users can set in some web browsers, which is intended to inform websites that the user does not want certain information about their webpage visits collected across websites. However, there is currently no consistent industry standard for how to recognize or honor DNT signals, and many websites (including ours) may not respond to these signals in a uniform way.
At this time, our Website does not respond to Do Not Track signals sent by your browser. This means that if you enable the DNT setting in your browser, our data collection practices on our Website will remain the same (as described in this Privacy Policy). Tracking in this context generally refers to the collection of Personal Information about users' online activities over time and across different websites. As we have outlined, we do not engage in tracking users across third-party sites in a way that would violate DNT; our use of cookies and analytics is largely confined to our own domain and for our internal purposes.
It's important to understand that "tracking" is not the same as using or collecting information during a single website visit. All websites collect some information about visitors (as described in Automatic Collection of Information and Cookies sections). DNT is more about preventing the sharing of identifiable browsing activity between sites. We do not track your browsing beyond our own sites and services. For instance, we do not participate in networks that would track you on other websites to target ads to you on our behalf.
However, be aware that some third-party services we use may track your browsing activity across other sites. For example, if we embed a YouTube video or a social media widget, those third parties might set cookies and track usage in line with their own policies. Similarly, analytics providers might observe if you also visit other sites that use the same analytics service, although they generally provide us only aggregated data. These third parties may not honor DNT signals if your browser sends them. We do not control third-party tracking technologies, and their use is governed by the third parties' own privacy policies.
If you are concerned about online tracking, here are a few steps you can take:
We will continue to monitor the industry developments around Do Not Track. If a uniform standard for DNT is established in the future, we will update our practices and this Privacy Policy accordingly. In the meantime, we remain committed to only using your Personal Information as described herein and not sharing it with third parties for purposes that we haven't disclosed to you.
We may from time to time offer electronic newsletters or promotional communications to users who are interested in our products and services. If you subscribe to our newsletter or otherwise opt in to receive marketing communications from us, we will use your Personal Information (primarily your name and email address) to send you such communications. Examples of marketing content include news about new cask listings, special offers, industry insights, or events related to whisky and collectibles.
We will only send you marketing emails if you have given us consent to do so (for instance, by ticking a sign-up box or selecting a preference in your account settings). If you are an existing customer, we might send occasional updates about similar products or services, but you will always have a clear opportunity to opt out. We are committed to keeping your email address confidential and will not disclose your email address to any third parties for their direct marketing uses without your consent. We may share your email with service providers that help us send out emails (like an email marketing platform), but those providers are not allowed to use your email for their own purposes, only to assist us in sending our communications (as covered under Disclosure of Information).
All marketing emails we send will clearly state that they are from CaskID (or an associated brand of CaskID) and will not mislead you about the sender or subject matter. Our emails will typically include our company name and contact information, so you know it's an official communication. We might include content like:
We promise that we will not inundate your inbox. We aim to send communications at a reasonable frequency and only when we believe we have something genuinely valuable to share.
You have the right to opt out of our marketing emails at any time. Every marketing email we send will include an "Unsubscribe" link (usually at the bottom of the email). By clicking that link and following any simple instructions, you can remove yourself from the mailing list. You may also adjust your email preferences in your account settings on our Website, if such an option exists (for example, toggling off newsletters or promo emails). Additionally, you can always contact us at support@cask.id to request removal from marketing lists. We will process your opt-out request as soon as possible, and certainly within the timeframes required by applicable law.
After you unsubscribe from marketing communications, you will no longer receive promotional emails from us, but we may still send you transactional or service-related emails that are necessary for our relationship. For instance, if you continue to use our Services, you will still receive emails about transactions you perform (confirmations, receipts), updates about your account (like password changes or security alerts), or notices about changes to our terms or policies. These are not marketing messages but essential communications.
We comply with applicable laws regulating email communications. In the UK/EU, this includes the Privacy and Electronic Communications Regulations (PECR) and in the US, compliance with the CAN-SPAM Act. Our emails will provide clear information on how to contact the sender (us) and will not have deceptive subject lines or content. If you feel that you've received an email from us that is not compliant with your local regulations, please notify us immediately so we can address the issue.
We maintain the information sent via email (such as your email address and any other info like name used in the email) in accordance with applicable laws and regulations. We take measures to secure email lists and to ensure that only authorized personnel or service providers have access for the purposes of sending emails. We also avoid sending sensitive personal information via email. If we ever needed to communicate something sensitive, we'd likely direct you to our secure website rather than include it in an email.
In summary, we respect your choices when it comes to email marketing. We strive to provide value through our communications and to make opting out easy and honored. If you have any issues such as continuing to receive emails after unsubscribing, please let us know, and we will investigate and resolve the situation.
Our Website and Services may contain links to websites, content, or resources that are provided by third parties and are not owned or controlled by CaskID. For example, our site might include:
If you click on a third-party link, you will be directed to that third party's site. We provide these links for your convenience and reference only. It does not imply that we endorse the content, products, or services on those external sites.
It's important to note that this Privacy Policy does not apply to third-party websites or services. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. Those sites have their own privacy policies and terms of use, which could be very different from ours.
For instance:
We strongly encourage you to review the privacy policy (and terms of service) of every external site you visit, especially before providing any Personal Information to them. Many sites will have a link to their privacy notice readily available (often at the bottom of their homepage). Make sure you understand how they'll handle your data.
CaskID is not responsible for the privacy practices or content of such other sites. This disclaimer extends to anything you might encounter on those sites: how they collect data, what they do with it, their security practices, etc. If you find any linked third-party content to be inappropriate, unsafe, or in violation of any laws, we would appreciate if you notify us so we can consider removing the link, but ultimately we aren't liable for third-party actions.
Be aware also that when you leave our Website, our Terms of Service and Privacy Policy no longer govern. If you download an app or software from a site we link to, that download is at your discretion and risk; we don't warrant the safety or functionality of third-party software.
In summary, browsing and interaction on any other websites, including those linked on our platform, are subject to that website's own rules and policies. We advise you to exercise caution and to look at the privacy statement of those websites for more information. If you have questions about what data a third-party site collects, please review their privacy policy and/or contact the site's operators.
CaskID takes information security very seriously. We have implemented a variety of administrative, technical, and physical safeguards to protect your Personal Information against loss, theft, and unauthorized access, use, or disclosure. However, it is important to understand that no method of transmitting data over the Internet or storing data is 100% secure, and therefore we cannot guarantee absolute security.
Information you provide to us is stored on computer servers located in controlled facilities. We limit access to these servers to authorized personnel only. We employ measures like firewalls, intrusion detection systems, and network monitoring to guard against external attacks.
Our Website uses encryption protocols such as SSL/TLS to secure data in transit. You can verify that by looking for "https://" and a padlock icon in your browser's address bar on our site. This means that when you send information (like entering your password or payment details), that data is encrypted while it travels between your browser and our servers, reducing the risk of interception.
Internally, we restrict access to Personal Information strictly to employees, contractors, and agents who need to know that information in order to process it for us, and who are subject to confidentiality obligations. Every person with access to Personal Information is trained on confidentiality and data protection. We also segment data so that no one person can access all critical systems without proper clearance.
User accounts are protected by passwords. We encourage you to choose a strong, unique password and to keep it confidential. Our system stores passwords in a hashed form (not plaintext) for security. If you use the same password on other sites, a breach elsewhere could affect you here, so please practice good password hygiene (use unique passwords or a password manager).
If available, we highly encourage you to enable 2FA on your CaskID account. This adds an extra layer of security by requiring a second form of verification when logging in, such as a code from your phone. (If we offer 2FA, it will be in your account settings).
We maintain logs and routinely monitor our systems for possible vulnerabilities and attacks. We also keep our software, website platform, and dependencies up-to-date with security patches to minimize risks.
The data centers and offices we use have physical security measures (like access badges, surveillance, and security personnel) to prevent unauthorized access to servers and hard copies of data.
Where feasible, especially in development and testing environments, we use anonymized data (with personal identifiers removed or replaced) to limit exposure of real Personal Information.
Despite all these precautions, no Internet or email transmission is ever fully secure or error-free. For example, emails or messages you send us may not be encrypted on their way to us, so avoid including sensitive information (like full credit card numbers or passwords) in any correspondence with us. Additionally, we cannot control what happens to data during transmission outside of our systems. Therefore:
It's also important that you play a role in keeping your information secure. Choose strong passwords, guard your login credentials, log out after using shared devices, and notify us immediately if you suspect any unauthorized access to or use of your account. Be cautious of phishing attempts – CaskID will never ask you for your password via email, and you should verify emails claiming to be from us (check the sender's address carefully, etc.).
If you have reason to believe that your interaction with us is no longer secure (for example, if you feel your account has been compromised or you notice a vulnerability on our site), please contact us immediately. We appreciate and encourage security feedback; if you're a security researcher and you've discovered a potential issue, we have a procedure to handle that responsibly (often called "Responsible Disclosure" or a bug bounty program if applicable).
In conclusion, we employ robust measures to protect your Personal Information and regularly review and update our security practices in light of new risks and advancements. However, since absolute security can't be guaranteed, we want to ensure you are informed of the residual risks and the steps we have taken to mitigate them as much as possible.
Despite all precautions, data breaches can potentially occur due to cyber attacks, human error, or other unforeseen events. A data breach means a security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. In simpler terms, it could be any situation where your Personal Information may have been compromised.
CaskID has a procedure and response plan in place in the event we become aware of a data breach involving Personal Information. If such an incident is suspected or confirmed, we will take prompt action to contain and investigate the breach. This includes:
If a data breach occurs that is likely to result in a real risk of harm or could significantly affect you, we will notify you as soon as feasible. Specifically, we will do so if we believe that the breach is likely to result in a high risk to your rights and freedoms (this wording comes from GDPR, meaning things like risk of identity theft, fraud, or financial loss, discrimination, damage to reputation, etc.). Our notification to you will include:
We will deliver such notice via the most appropriate channels: we may post a notice on our Website, send you an email, or even call you or send snail mail if necessary. The method will depend on the contact information we have and what's most likely to reach you quickly. We may also put a banner or alert in your user account dashboard (if applicable) as an additional measure.
We are also committed to complying with data breach notification laws. For instance, under the UK GDPR, we would report certain breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, if it meets the threshold for reporting (which generally, many breaches involving Personal Data would). Similarly, if users in other countries are affected, we might notify other relevant regulators as required. In some jurisdictions, if a breach involves certain types of Personal Information (like financial info or login credentials), consumer protection laws might also require specific notifications. Rest assured, we will follow all legal requirements in this regard.
If a breach involves criminal activity (like hacking), we will cooperate with law enforcement authorities. This could include preserving evidence, sharing relevant logs or information (as allowed by law), and assisting in any investigation or prosecution of those responsible. Protecting our users is paramount, and that includes working with authorities to deter and punish malicious actors.
After a breach, beyond just stopping it, we will evaluate and implement measures to prevent a similar incident in the future. That could mean reinforcing our security infrastructure, retraining staff, updating policies, or perhaps offering support to affected users (like credit monitoring in some cases of identity info leaks, if it were ever relevant).
While we have a robust security program, it's important to reiterate that no system is immune to breaches. Companies far larger and more resourced than ours have experienced them. We want you to know we will do everything in our power to protect your data and, if an incident occurs, to handle it responsibly, transparently, and swiftly.
If you suspect that your account or information has been subject to a possible breach (for example, if you notice unusual activity on your account), please contact us immediately. Early reports from users can help us identify issues quickly.
In summary, CaskID has a plan to deal with data breaches, will let you know if your data is affected (in line with legal requirements and our commitment to transparency), and will take all appropriate steps to mitigate any potential harm to you.
We reserve the right to modify or update this Privacy Policy from time to time as needed. Changes may be necessary for a variety of reasons, such as to reflect updates in our Services, changes in technology, changes in legal or regulatory requirements, or to clarify our practices. Whenever we make changes, we will update the "Last updated" date at the top of this Policy to indicate when the changes were made.
If we make any material changes to this Policy – meaning changes that substantively affect how your Personal Information is collected, used, or shared – we will notify you in an appropriate manner. Notification methods may include:
We will describe the changes in the notice or direct you to a page that highlights what's different. For example, we might summarize: "We've updated our Privacy Policy to include information about new features like XYZ and how we use your data for ABC."
In some cases, if the changes are very significant or as required by law, we might ask for your consent again. For instance, if we were to seek to use your Personal Information for a new purpose not covered by the original Policy (and that purpose relies on consent), we would either obtain your consent or give you a clear opportunity to opt out.
Any updated version of this Privacy Policy will be effective immediately upon posting on the Website, unless otherwise specified. This means that once the new Policy is live, it will govern how we can treat your information from that point forward. However, as a courtesy and good practice, we will usually provide advance notice of material changes (e.g., a few days' or weeks' notice) before they become effective, especially if the change is something you might need time to review. The notice will tell you the date the changes will become effective.
If you continue to use the Website and Services after a Privacy Policy update takes effect, it constitutes your acceptance of the changes. We understand that sometimes users might not see the notice right away, so if you have any concerns about changes, we encourage you to review this page periodically. We will not use your Personal Information in a materially different manner than stated at the time of collection without obtaining your consent, unless otherwise required or permitted by law.
For minor changes that don't significantly affect privacy (for example, rewording for clarity, reorganizing content, or other changes that do not alter the core commitments), we may not provide an explicit notification, and the changes may be effective immediately upon posting. Therefore, it's a good idea to check this Policy every now and then. We may also keep prior versions of this Privacy Policy accessible for your review (for transparency and historical reference).
If you do not agree with the changes to the Policy, you have the choice to discontinue use of our Website and Services, and you may also contact us to delete your account and/or Personal Information (exercising your rights as described above).
We appreciate our users' trust, and we aim not to make changes lightly. Any changes are intended to better protect you or to align with evolving laws and best practices.
By accessing or using the CaskID Website and Services, you signify that you have read, understood, and agreed to the terms of this Privacy Policy. If you do not agree with any aspect of this Policy, your choice is to not use the Website or Services. Continuing to use our Services indicates your acceptance of this Policy and any updates we make to it as described above.
When you register an account or use any of our services, we may also prompt you to affirm your acceptance (for example, by clicking "I agree" to this Privacy Policy and our Terms of Service). Even if we don't prompt you, your use of the site after having been presented with this Policy (via link or otherwise) constitutes acceptance.
It's important to us that you actually feel comfortable with and understand our privacy practices. If there's anything you're unsure about in this Policy, please reach out to us and we'll do our best to explain or clarify.
If you do not agree to this Privacy Policy or any future updated version of it, please stop using our Website and Services. You have the right to withdraw from any further data collection by us by discontinuing use (and, if you have an account, you can request deletion of your account data as described above). We don't want to lose you as a user, but your privacy and peace of mind are paramount.
Remember, by using CaskID, you are bound by the terms of this Privacy Policy, as well as our Terms of Service. This is a legal agreement. We strive to make these terms fair and transparent.
Finally, we'd like to reiterate that your trust is important to us. We are committed to handling your Personal Information responsibly and in accordance with this Policy. Thank you for taking the time to read our Privacy Policy.
CaskID Ltd is not authorised or regulated by the Financial Conduct Authority (FCA) in the UK. The services we provide involve facilitating the sale and purchase of tangible assets (such as whisky casks) which are generally considered collectibles or commodities, not financial instruments. As such, trading in whisky casks falls outside the scope of regulated investment activities in the UK. In plain terms, this means that whisky casks are not an investment of a specified kind under the Financial Services and Markets Act 2000 (FSMA), nor a controlled investment under Section 21 of FSMA. Consequently, CaskID's platform and services are not governed by financial services regulations that apply to stock exchanges, securities, or collective investment schemes. Any information provided by CaskID about cask values, market trends, or potential returns is for informational purposes only and should not be construed as financial or investment advice. We do not employ regulated financial advisors, and we do not offer investment advice or recommendations regarding the purchase or sale of any assets. If you require financial advice, you should consult a qualified professional who is regulated to provide such advice.
Engaging in the purchase of whisky casks (or similar assets) is done at your discretion and risk. CaskID does not provide advice on whether such an acquisition is suitable for your personal financial situation or investment objectives. We encourage you to perform your own due diligence. Any historical pricing information or ancillary materials we might provide are for educational/reference purposes; they are not guarantees of future performance. No information provided by CaskID should be deemed to constitute financial, investment, or tax advice. If you are unsure about the implications of buying or selling whisky casks, you should seek independent advice from professionals (e.g., financial advisors, tax consultants, legal counsel) who have expertise in this area.
Transactions in unregulated tangible assets like whisky casks carry inherent risks that you should understand. Because these products are unregulated, you do not have the same protections that you would have with regulated financial products (such as shares, bonds, or regulated funds). For example, there is no coverage by the UK Financial Services Compensation Scheme (FSCS) if something goes wrong, and no recourse to the Financial Ombudsman Service for disputes related to these asset trades. Investing in whisky or other collectible assets is speculative. The market for such items can be illiquid – meaning you might not be able to sell quickly or at a price you desire. The value of whisky casks can go down as well as up. You may not get back the original amount you spent; in fact, there's a possibility of losing a substantial portion or even all of your investment in these assets. Prices can be volatile and are influenced by factors like supply and demand, rarity, storage conditions, and broader economic conditions. There is also no official, regulated index for the value of whisky casks; any valuations are inherently subjective and based on industry knowledge or private sales data. We urge you to carefully consider your own financial position, risk tolerance, and investment goals before allocating money to such purchases. Only invest funds that you can afford to tie up for a long period or potentially lose without affecting your financial well-being. If in doubt about the suitability of purchasing whisky casks, you should seek your own professional advice prior to entering into any transaction.
While whisky casks are a legitimate commodity, the cask trading market has seen instances of fraud and scams by rogue operators in recent years. Because this space isn't regulated by the FCA, some unscrupulous entities have taken advantage of investors' lack of knowledge, sometimes misrepresenting cask values or even selling casks that don't exist. CaskID is committed to combating fraud – we perform certain checks on sellers and listings, and we have measures in place intended to detect and prevent fraudulent activity on our platform. However, we cannot guarantee absolute protection against fraud or misrepresentation. There is always a risk that a buyer or seller on any marketplace could attempt deceit. Users should exercise due diligence and caution when engaging in transactions. This includes verifying the details of a cask (age, distillery, cask number, location in bonded warehouse, etc.), perhaps seeking independent verification or inspection where feasible. If something sounds too good to be true (for example, guaranteed high returns or pressure to act quickly), please approach it skeptically. CaskID provides a platform for connecting buyers and sellers, but we do not independently verify every claim made by sellers about their casks. Information related to each cask listing is generally provided by the seller (or the broker/brand digitizing the product), and while we set guidelines and expect honesty, the responsibility for the accuracy of that information lies with the seller. We do not physically inspect every cask, nor do we appraise them; we rely on documentation provided. CaskID disclaims any liability for the accuracy of information provided by sellers or any third party on our platform.
CaskID is not a custodian of physical assets or funds. If your transaction involves transferring funds, those typically go through our payment partners (or between you and the seller directly, depending on how the platform is structured). Similarly, casks themselves remain in bonded warehouses; CaskID does not take physical possession of casks. Therefore, we cannot be held responsible for loss, theft, or damage of the casks themselves in storage – that is typically covered by warehouse arrangements and insurance (we encourage you to ensure that any cask you purchase is adequately insured).
By using our marketplace, you acknowledge that any purchase or sale of whisky casks (or similar collectibles) is conducted at your own risk. CaskID makes no warranties or representations about potential financial gains. Past performance is not indicative of future results. The onus is on you as a user to evaluate the merits and risks of each transaction. We provide a venue and tools, but ultimately the decision and responsibility rest with you. We expect users to abide by all applicable laws (for example, ensuring taxes and duties are paid when a cask is moved or bottled, etc.) and to conduct themselves honestly. If you suspect any fraudulent activity – whether it's a suspicious seller, a counterfeit document, or any other scam – please report it to us immediately. We will investigate and take appropriate action, which may include suspending or banning users, reporting to law enforcement, or alerting others on the platform.
To the maximum extent permitted by law, CaskID and its officers, directors, and employees shall not be liable for any loss or damage arising out of or in connection with the use of our platform or the purchase/sale of any assets listed on it, including but not limited to any financial losses, loss of opportunity, or damages resulting from fraud or misrepresentation by third parties. This includes scenarios like a seller failing to deliver a cask after payment, or a cask not being as described. While we will do our best to mediate disputes and help, we cannot guarantee outcomes. Any legal claims arising from a transaction may ultimately be between buyer and seller. We highly recommend using escrow services or secure payment methods for high-value transactions if our platform does not automatically handle escrow, as an added layer of safety.
In summary, CaskID is an unregulated marketplace for a niche asset class. We aim to provide transparency, security features, and a fair trading environment, but we operate outside the financial regulatory perimeter. By participating, you acknowledge the unique risks involved and agree that CaskID is not accountable for the same guarantees or protections that a regulated entity would provide. Always exercise common sense and caution in all dealings. If you are ever unsure or uncomfortable with a transaction, you have the right to walk away or seek independent advice.
By using our Website and Services, you confirm that you understand and accept these disclaimers regarding regulatory status, absence of financial advice, and limits of fraud protection. These disclaimers are meant to ensure you proceed with full awareness and continue to use CaskID in an informed manner.
Thank you for reading these important notes – we believe that transparency about these issues is crucial for building trust with our users. We remain at your service for any further clarifications or questions. Enjoy the CaskID platform, and may your experiences trading whisky casks be rewarding and secure!