1. Who we are
This privacy policy applies to CAS Finder ("we", "us", "our"), a chemical discovery platform operated from the United Kingdom. We act as the data controller for personal data collected through the site at https://chemicals.rfsdev.co.uk/.
For any question about this policy, how we handle your data, or to exercise any of the rights listed below, email .
2. Scope
This policy covers personal data we process about:
- Buyers and visitors who search the site and may submit quote requests;
- Supplier account holders who list their company and manage chemical listings;
- Anyone who contacts us through the contact form, email, or newsletter sign-up.
3. What personal data we collect
The categories of personal data we may process are as follows.
3.1 Quote requests
When you submit a quote request we collect: your name, email address, optional phone number, optional company name, optional location, the chemical or chemicals requested, quantity, and any free-text message you include.
3.2 Supplier accounts
When you register a supplier account we collect: company name, contact name, email address, optional phone number, country, website, a free-text company profile, optional logo, and the chemicals you list. We also create a WordPress user account linked to the supplier profile.
3.3 Newsletter sign-ups
If you subscribe to the newsletter we collect your email address and the page or form it was entered on. We do not collect any other data through this form.
3.4 Contact form
When you use the contact form we collect your name, email address, optional company name, chosen subject, and the message body.
3.5 Technical data
Our server logs record the IP address, user agent, and requested URL for every page load, as standard for any web server. This data is used to diagnose errors, prevent abuse, and generate anonymous aggregate statistics. Raw server logs are retained for a maximum of 14 days.
We also use strictly-necessary cookies to maintain your session when you are logged in as a supplier. See our cookie policy for details.
4. Why we process this data (lawful bases)
Under the UK GDPR we need a lawful basis for every processing activity. Ours are:
- Contract — to provide the service you asked for: routing a quote request to a supplier, creating a supplier account, managing a subscription.
- Legitimate interests — to run the platform, prevent abuse, keep the site secure, and maintain anonymous analytics of search behaviour.
- Consent — for non-essential cookies and the newsletter, where we rely on your explicit opt-in. You can withdraw consent at any time.
- Legal obligation — where we are required by UK law to retain certain records (for example, billing records for tax purposes).
5. Who we share data with
We only share your personal data with the following categories of third parties, and only where necessary:
- Suppliers matching your quote request. If you submit a quote request for a specific chemical, the details you provide are shared with the verified suppliers who stock it, so they can respond to you. We do not share buyer data with any other supplier.
- Email delivery providers. Transactional email (account confirmations, password resets, quote notifications) is sent via our configured SMTP provider.
- Payment processor. Subscription payments for supplier plans are processed by Stripe, Inc. We never see or store full card details — Stripe handles the card data on their PCI-compliant infrastructure.
- Hosting provider. The site is hosted on servers operated by our hosting provider in the United Kingdom.
- Legal or regulatory bodies. We will disclose personal data if we are required to by law or a court order.
We do not sell your personal data. We do not share buyer quote enquiries with anyone other than the matching suppliers you're asking for a quote from.
6. International transfers
Our servers and databases are located in the United Kingdom. Some of our subprocessors (for example, Stripe) may transfer data outside the UK and EEA. Where this happens, we rely on standard contractual clauses or equivalent safeguards approved under UK GDPR.
7. How long we keep it
- Quote requests: retained for 24 months from submission, then deleted. Supplier responses to quotes are retained on their own systems and are outside our control after they reply to you.
- Supplier account data: retained for as long as the account is active. Accounts that are inactive for 24 months are archived; accounts that remain inactive for a further 12 months are deleted.
- Newsletter: retained until you unsubscribe, after which your email is hard-deleted within 30 days.
- Contact form messages: retained in our email system according to our internal retention policy, typically no longer than 36 months.
- Server logs: 14 days maximum.
- Billing records: retained for the period required by HMRC (currently 6 years).
8. Your rights
Under the UK GDPR, you have the right to:
- Access — ask for a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete data where we no longer have a lawful basis to keep it.
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — ask for a copy of your data in a machine-readable format.
- Object — object to processing that is based on legitimate interests.
- Withdraw consent — where processing is based on your consent, withdraw it at any time.
- Complain — lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.
To exercise any of these rights, email . We respond to requests within 30 days and will verify your identity before releasing any data.
9. Security
We protect your data using industry-standard measures: TLS encryption for all data in transit, access controls on the admin interface, salted password hashing, and regular security updates. Payment data is handled exclusively by Stripe — we never see or store card numbers. Staff access to personal data is limited to employees who need it to perform their role, and is audited.
No system is perfectly secure. If we ever detect a breach that is likely to result in a risk to your rights, we will notify you and the ICO in line with UK GDPR requirements.
10. Children
The platform is designed for business use and is not directed at children under 16. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this policy to reflect changes in the service or in the law. Any material change will be communicated via a banner on the homepage and via email to supplier account holders. The "last updated" date at the top of this page always reflects the most recent revision.