Privacy Policy

CRAC Solutions / Waterfall Innovations Limited

Last updated: 25 June 2026

1. Who we are

This Privacy Policy explains how Waterfall Innovations Limited, trading as or operating the CRAC Solutions website at https://crac.solutions/, collects, uses, stores and protects personal data.

Company name: Waterfall Innovations Limited
Company number: 16416548
Registered office: 2 Valley View, Pudsey, England, LS28 9PB
Email: contact@crac.solutions

For the purpose of UK data protection law, including the UK GDPR and the Data Protection Act 2018, Waterfall Innovations Limited is the data controller for personal data collected through this website and in connection with our consultancy services.

2. What personal data we collect

We may collect and process the following categories of personal data:

2.1 Information you provide to us

This may include:

  • your name; 
  • business name; 
  • job title; 
  • email address; 
  • telephone number; 
  • website address; 
  • information submitted through contact forms; 
  • information provided when booking a consultation; 
  • details of your business, payment needs, compliance requirements or operational challenges; 
  • documents or information you voluntarily provide to us for assessment or advisory purposes. 

2.2 Business and advisory information

Where you ask us to review your business, payment arrangements, onboarding challenges, regulatory needs or operational processes, we may process information relating to:

  • your business model; 
  • payment service providers, banks or financial partners you use or wish to approach; 
  • transaction volumes or estimated volumes; 
  • risk, compliance, AML, fraud or underwriting matters; 
  • commercial contracts or proposals; 
  • onboarding or rejection correspondence; 
  • business policies, procedures or operational documents. 

You should not send us unnecessary personal data, sensitive personal data, customer files or confidential third-party information unless we have agreed a secure method and purpose for receiving it.

2.3 Website and technical information

When you visit our website, we may collect technical information such as:

  • IP address; 
  • browser type and version; 
  • device type; 
  • pages visited; 
  • time and date of visit; 
  • referring website; 
  • cookie and analytics data, where applicable. 

3. How we collect personal data

We collect personal data when:

  • you contact us by email; 
  • you submit a website form; 
  • you book or request a consultation; 
  • you provide information during calls, meetings or correspondence; 
  • you send us documents for review; 
  • you use our website; 
  • third parties, such as introducers, partners or service providers, provide your details with a lawful reason to do so. 

4. Why we use your personal data

We may use your personal data for the following purposes:

  • responding to enquiries; 
  • arranging consultations; 
  • assessing whether we can assist you; 
  • providing consultancy, advisory, compliance, payment operations or business support services; 
  • preparing proposals, commercial terms, reports, policies, procedures or recommendations; 
  • managing client relationships; 
  • communicating with you about services you requested; 
  • maintaining internal records; 
  • improving our website and services; 
  • protecting our business, website and systems; 
  • complying with legal, regulatory, tax, accounting and contractual obligations; 
  • handling disputes, complaints or legal claims. 

5. Our lawful basis for using your data

Under the UK GDPR, we must have a lawful basis to process personal data. The ICO explains that organisations must identify a lawful basis when handling personal information, including contract, consent, legal obligation and legitimate interests. 

We may rely on the following lawful bases:

5.1 Contract

Where processing is necessary to take steps before entering into a contract with you, or to perform a contract we have with you.

5.2 Legitimate interests

Where processing is necessary for our legitimate business interests, provided your rights and interests do not override those interests. This may include responding to business enquiries, managing client relationships, improving our services, protecting our business and maintaining commercial records.

5.3 Legal obligation

Where we need to process data to comply with legal, tax, accounting, regulatory or court obligations.

5.4 Consent

Where we ask for your consent, for example for certain types of marketing or optional cookies, you may withdraw that consent at any time.

6. Marketing communications

We may send you business-related updates or service information where you have requested it, where you are an existing business contact, or where we have another lawful basis to do so.

You can opt out of marketing communications at any time by contacting us at contact@crac.solutions.

We will not sell your personal data to third parties.

7. Cookies and analytics

Our website may use cookies or similar technologies to:

  • make the website function properly; 
  • understand how visitors use the website; 
  • improve content and user experience; 
  • support security and performance. 

Where required by law, non-essential cookies will only be used with your consent.

You can control cookies through your browser settings. If we use analytics, advertising or tracking cookies in the future, we should publish a separate Cookie Policy or cookie banner explaining which cookies are used and why.

8. Who we share personal data with

We may share personal data with:

  • IT, hosting, email, website and cloud service providers; 
  • professional advisers, including lawyers, accountants and consultants; 
  • business partners or providers where you ask us to make an introduction or support an application; 
  • payment service providers, banks, financial institutions or compliance vendors where relevant to your instructions; 
  • regulators, authorities, courts or law enforcement where legally required; 
  • prospective buyers or successors if our business is sold, merged or reorganised. 

We only share personal data where there is a lawful reason to do so.

9. International transfers

Some service providers or business partners may process personal data outside the United Kingdom.

Where personal data is transferred outside the UK, we will take appropriate steps to protect it, such as using adequacy decisions, approved contractual safeguards or other lawful transfer mechanisms.

10. How long we keep personal data

The ICO states that privacy notices should explain retention periods or the criteria used to decide how long information is kept. 

We will keep personal data only for as long as necessary for the purposes for which it was collected, including:

  • responding to enquiries; 
  • providing services; 
  • maintaining business records; 
  • complying with legal, tax or accounting requirements; 
  • resolving disputes; 
  • protecting our legal position. 

As a general guide:

  • enquiry data may be kept for up to 24 months; 
  • client and contract records may be kept for up to 6 years after the end of the relationship; 
  • financial and accounting records may be kept for at least 6 years; 
  • website analytics data may be kept for a shorter period depending on the analytics tool used. 

We may keep information for longer where required by law or where there is a legitimate reason, such as an ongoing dispute or regulatory matter.

11. Security

We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.

However, no website, email or online transmission is completely secure. You should avoid sending highly sensitive or confidential information by unsecured email unless we have agreed an appropriate method.

12. Your rights

Under UK data protection law, you may have the following rights:

  • the right to be informed about how your data is used; 
  • the right of access to your personal data; 
  • the right to rectification of inaccurate data; 
  • the right to erasure; 
  • the right to restrict processing; 
  • the right to object to processing; 
  • the right to data portability; 
  • the right to withdraw consent where processing is based on consent; 
  • the right to complain to the Information Commissioner’s Office. 

The ICO states that privacy notices should tell individuals about their information rights, including access, rectification, erasure, restriction, objection and data portability. 

To exercise your rights, contact us at:

contact@crac.solutions

13. Complaints

Please contact us first if you have concerns about how we use your personal data.

You also have the right to complain to the UK Information Commissioner’s Office.

14. Third-party links

Our website may contain links to third-party websites, platforms or service providers. We are not responsible for the privacy practices, content or security of those third-party websites.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be published on this website with a revised “Last updated” date.