Privacy Policy
Last Updated: 24 May 2026
01 / Introduction & Controller
This policy explains how Dram X handles personal data under the UK GDPR and the Data Protection Act 2018. The data controller is DX Wealth Ltd. (Company number SC888263), registered office 5 South Charlotte Street, Edinburgh, Scotland, EH2 4AN. Data protection enquiries can be sent to sales@dramxwhisky.com.
02 / Our Role: Marketplace & Disclosed Agent
Dram X operates a marketplace. For each transaction the vendor (a third-party seller listed on the platform) is the legal seller of the goods to you, and Dram X acts as the vendor's disclosed commercial agent - we collect payment, issue invoices on the vendor's behalf, and provide customer service. As a result, Dram X and each vendor are independent data controllers in respect of the personal data needed to perform a sale; we share the minimum data necessary with the vendor (such as your delivery name, address, and order contents) so they can fulfil your order. Where Dram X engages third parties to perform tasks on our behalf, those parties act as our processors and are listed in §06.
03 / Information We Collect
- Identity & contact details (name, email, postal address, phone, date of birth)
- Identity-verification information (government ID, proof of address, selfie / liveness check)
- KYB information (for vendors: company registration documents, beneficial ownership, director ID, VAT number, alcohol-licence evidence)
- Transaction data (orders, payments, payment-method metadata, refund records, crypto wallet addresses, on-chain transaction hashes)
- Vendor payout data (bank account details held by Stripe Connect or Revolut Business, payout schedules, commission records)
- Device & usage data (IP address, browser type, pages visited, referrers)
- Communications you send us (support messages, emails, call notes)
- Cookie and similar identifiers
04 / Sources of Data
We collect data directly from you when you register, transact, or contact us; from Stripe - via Stripe Identity for customer KYC and Stripe Connect for vendor onboarding and KYB; from our payment processors Stripe (card payments and high-value GBP bank-transfer invoicing) and BCB Group Limited (cryptoasset receipts, conversion, and provenance screening); from Revolut Business in respect of our own bank account and vendor payouts; from vendors in respect of order fulfilment; and through cookies and analytics tools when you use the site.
05 / How We Use Your Data & Lawful Bases
- Performance of our contract with you: account creation, processing orders as agent for the vendor, arranging delivery, customer support, refunds.
- Compliance with legal obligations: customer KYC and vendor KYB under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), tax and accounting records, and self-billed VAT invoicing on the vendor's behalf.
- Our legitimate interests: fraud prevention, securing the platform, defending legal claims, analysing and improving our services (balanced against your rights).
- Your consent: marketing communications and non-essential cookies, which you can withdraw at any time.
06 / Processors & Recipients
We use the following third parties to operate the service. Each is contracted under UK GDPR Article 28 where they act as our processor, or operates as an independent controller for its own regulated activity where indicated.
- Stripe (Stripe Payments UK Ltd. and Stripe group companies) - Stripe Identity customer identity verification (government-ID document and selfie/liveness) and Stripe Connect Express vendor onboarding, including the KYB and sanctions/adverse-media screening Stripe performs on connected accounts (independent controller for its regulated activity)
- Stripe Payments UK Ltd. - card payment processing and high-value GBP bank-transfer invoicing (independent controller in respect of Stripe's regulated activity)
- BCB Group Limited (UK) - receipt of cryptoasset payments, conversion to GBP, and provenance / illicit-finance screening of incoming cryptoassets, under its FCA cryptoasset firm registration (independent controller for its regulated activity)
- Mangopay S.A. - safeguarded escrow and settlement for high-value (£20,000 and over) transactions [planned] (independent controller / e-money institution for its regulated activity)
- Revolut Business (Revolut Ltd., UK) - our operating bank account and the rail for crypto-derived GBP vendor payouts (independent controller for its banking activity)
- HMRC bonded warehouses - where applicable, for goods storage and title records
- Google / Firebase (cloud hosting, authentication, database)
- Resend / similar transactional email provider - order confirmations and invoices
- Google Analytics - usage analytics (only with your cookie consent)
- Professional advisers (lawyers, auditors, accountants) under duties of confidentiality
- Vendors listed on the marketplace - they receive the minimum personal data required to fulfil your order
- Regulators, law enforcement, and courts where required by law
- A successor entity in connection with a merger, acquisition, or asset sale
07 / International Transfers
Our identity-verification and payment provider Stripe processes personal data in the United Kingdom, the EEA, and the United States. Certain other cloud and analytics providers may also transfer data to the United States. Where we transfer personal data outside the UK, we rely on UK adequacy regulations or, where these do not apply, on the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with appropriate technical and organisational safeguards.
08 / Retention
We retain personal data only for as long as necessary for the purposes set out in this policy. KYC, KYB and anti-money-laundering records are retained for five years after the end of the business relationship as required by MLR 2017. Transaction and accounting records (including self-billed VAT invoices) are retained for six years under UK tax law. Wallet-screening results are retained for the same period as the related transaction. Marketing data is retained until you withdraw consent. Where data is no longer required, it is securely deleted or anonymised.
09 / Security
We use encryption in transit and at rest, role-based access controls, and vendor due diligence to protect personal data. Payment card data is handled within Stripe's PCI-DSS environment and is not stored on our systems. No system is perfectly secure; in the event of a personal data breach that meets the relevant threshold, we will notify the Information Commissioner's Office (ICO) and, where required, affected individuals.
10 / Cookies
We use strictly necessary cookies to operate the site, preference cookies to remember your settings, and analytics cookies (including Google Analytics) to understand how the site is used. Non-essential cookies are only set with your consent, which you can manage through the cookie banner or your browser settings.
11 / Your Rights
- Access a copy of the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request erasure of your data where applicable (note: we are required to retain KYC/AML and tax records for the statutory periods in §08)
- Request restriction of processing in certain circumstances
- Receive your data in a portable format and have it transmitted to another controller
- Object to processing based on our legitimate interests, including direct marketing
- Withdraw consent at any time where processing is based on consent
- Not be subject to decisions producing legal effects based solely on automated processing - note that customer KYC tier decisions and vendor KYB outcomes have a human-review path, and you may request human review of any adverse outcome
12 / Complaints
If you have a concern, please contact us first at sales@dramxwhisky.com and we will do our best to resolve it. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
13 / Children
Dram X is intended for users aged 18 or over. We do not knowingly collect or process personal data of children. If you believe a child has provided personal data to us, please contact sales@dramxwhisky.com and we will delete it.
14 / Changes to This Policy
We may update this policy from time to time. Updates will be posted here with a new "Last Updated" date. Material changes will be notified by email or via the platform before they take effect.
15 / Contact
Questions about this policy or how we handle your data can be sent to sales@dramxwhisky.com or by post to DX Wealth Ltd., 5 South Charlotte Street, Edinburgh, Scotland, EH2 4AN.
