PRIVACY AND COOKIES POLICY.
The Data Controller is Rosie O’Neill.
Principal place of business: Highfields, Pollards Lane, Southwell, Nottinghamshire, NG250TL.
Transparency and data protection is very important to us, and we strive to make things as accurate and easy to understand as possible.
Please contact email@example.com if you have any questions, or concerns and we'll get back to you promptly.
It is very important that the information we hold is accurate and up to date, please let us know at firstname.lastname@example.org if your personal information changes.
This Policy was last updated 08/19.
2. Personal Information We Collect, What We Use It For, And On What Lawful Grounds
Personal information means any data capable of identifying an individual (this does not include anonymised data).
We may process the following categories of data:
· Contact Data. This includes your name, email address, billing address. We collect this on the lawful grounds of performing a contract with you. This is so that we can fulfil your orders and complete your purchases.
· Transaction Data. This includes your bank or payment details and other information about your purchase. We collect this on the lawful grounds of performing a contract with you. This is so that we can fulfil your orders and complete your purchases.
· Technical Data. This includes your IP address(es), your device and browser type, the web page you visited before coming to our sites, what pages on our sites you visit and for how long and identifiers associated with your devices. It also includes pages views and navigation paths and time zone settings. If you’ve given us permission through your device settings, we may collect your location information. We collect this on the lawful grounds of necessary for our legitimate interests. This is so that we can administer our website properly and with the best service possible. It also allows us to analyse and learn about how the website is used – including which content is most popular – and therefore evaluate and improve our services in order to grow our business.
· User Data. This includes how you use our website and any online services, together with any data that you post for publication on our website (such as blog comments) or through other online services (such as reviews after making a purchase). We collect this on the lawful grounds of necessary for our legitimate interests. This is so that we can administer our website properly and with the best possible service. It also allows us to evaluate the popularity and success of services and products, so that we can improve our services and grow our business.
· Marketing Data. This includes your name, email address, IP address, timestamp at point of subscription, and chosen marketing preferences. We collect this on the lawful grounds of consent. This is so that we can grow our business through the use of email marketing and send you useful and interesting content which you agreed to before signing up. You have to opt in specifically for us to use this data, and you can opt out at any time – for more information see Section 4 ‘Marketing Communications’.
· Communications Data. This includes communication you send to us through our website contact form, over email, social media or any other communications. We collect this on the lawful grounds of necessary for our legitimate interests. This is so that we can maintain good customer service in our interactions with you (therefore helping us to grow our business), and also to keep records in the event of establishing, pursuing or defending a legal claim.
We do not process sensitive data about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data, information about criminal convictions and offences.
If we need to collect your data under the terms of a contract between us (such as, when you make a purchase or want to use a service), and you don’t provide the data when requested, we may not be able to perform the contract (such as, delivering a product to you). As such, we may have to cancel your order – we will notify you at the time if this is the case.
The reasons above detail why we may process your data, if you need more information please email us at email@example.com. If the purposes for processing change significantly, we’ll let you know and explain the new legal grounds.
When required by law, we may process your personal data without your knowledge or consent.
Automated Decision Making
We do not use your information for automated decision making or any type of automated profiling.
3. How We Collect Your Personal Information
We collect your data in three main ways:
· When you provide it directly. For example, if you choose to submit your name and email address when you sign up to receive marketing emails. Or, if you choose to purchase an item over Instagram or social media, you might give us your name and PayPal linked email address in order for us to invoice you and fulfil your order.
· We receive some of your data when you use third party processors or services that are required to share this information with us in order for us to provide you with a product or service as requested. This includes when you make a purchase using one of our online marketplace providers (either Etsy or Not On The High Street), who will then share details about your purchase – items and quantity ordered, name and postal address, username/email address – in order for us to fulfil your order successfully. Or, when you use a payment processor (such as PayPal) to complete a financial transaction (who, for example will then give us your address in order for us to ship and therefore fulfil your order).
4. Marketing Communications
We will send you marketing communications via email if you have subscribed to our newsletter list.
In this case, you will have provided us with your personal information (name, email address, IP address, timestamp at point of subscription and explicit marketing preferences) at the time of subscription.
We rely on the lawful grounds of consent to process your data for this purpose. You will be required to complete a double opt-in, with a positive/active tick box in order to subscribe and offer your consent successfully.
You will also be provided with details about the content you can expect to receive in our marketing emails, along with privacy information from the third party processor (in this case, Mailchimp) who facilitates our processing of your data for this purpose.
You can opt out or withdraw your consent to receive these emails at any time, either by following the link provided at the end of every marketing communication, or by emailing us at firstname.lastname@example.org. If you withdraw your consent, we’ll stop sending you marketing emails.
If you opt out of receiving our marketing communications, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.
Third Party Marketing
We have no control over the marketing practises of the third party services we use (in this case, online marketplaces – Etsy and Not On The High Street). If you have purchased one of our products from a third party, you may have opted to receive marketing communications from them at the time. You are encouraged to refer to their individual policies and instructions if you wish to opt out of receiving these emails.
5. How We Share Your Personal Information
We may share your personal data with the following parties:
· Service providers who provide IT and system administration services.
· Service providers or third party processors who facilitate our completion of a transaction or purchase by you (such as the payment provider PayPal, or the postal provider Royal Mail).
· Professional advisers including lawyers, bankers, auditors and insurers
· Government bodies (such as HMRC, regulators and other bodies in the UK) who require us to report/record processing activities in some circumstances.
· Virtual assistants who provide administration services (such as updating online marketplace listings).
· Third parties to whom we sell, transfer, or merge parts of our business or our assets.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We only allow third parties to process your personal data for specified purposes and in accordance with our instructions.
Where possible, we have sought written contracts with these third parties, such as ‘Data Processing Addendums’, which further clarify our relationships with them.
This sharing or disclosure of your personal information is done in the interests of completing a transaction or fulfilling a service to you, or if we believe that it is necessary in order to comply with the law, to enforce our terms and conditions or to protect our rights, property or safety.
6. Your Rights And Choices Regarding Your Personal Information
Under Data Protection Laws, you have a number of rights in relation to your personal information. These include the rights to: request access to your data; correct inaccurate or out of date data; erase or delete your data; restrict the processing of your data; transfer your data; object to your data being processed; and (where applicable) the right to withdraw consent.
While I have given a brief description below, you can see more detailed information about these rights at:
While some of these rights apply generally, certain rights apply only in certain limited cases.
We describe these rights below:
· Access. You have the right to obtain: confirmation that we are processing your personal data; a copy of the personal data we hold; and other supplementary information – such as (but not limited to) why, how and under what lawful basis we process your data.
· Correction or Rectification. You have the right to have inaccurate personal data rectified. You may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. We may restrict the processing of your data while verifying or rectifying as necessary.
· Erasure. (This right may not apply if the data is needed to: exercise the right of freedom of expression and information; to comply with a legal obligation; for the performance of a task carried out in the public interest or in the exercise of official authority; for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or for the establishment, exercise or defence of legal claims.)
· Restriction. This means that your data is still allowed to be stored, but not processed by us. In most cases, your data will not be restricted indefinitely, but temporarily restricted (for example, if it needs to be updated or completed). We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
· Transfer. This right only applies when the lawful basis for processing your personal information is consent or for the performance of a contract; and the processing is carried out by automated means (ie excluding paper files).
· Object. This right effectively allows you to stop the processing of your personal data. However, it only applies in certain circumstances. You have the absolute right to object to the processing of your personal data if it is processed for direct marketing purposes. The right can also apply if the processing is for: a task carried out in the public interest; the exercise of official authority; or legitimate interests (or those of a third party). In these circumstances the right to object is not absolute.
If you wish to exercise any of the rights above, you can email email@example.com at any time, or contact us using any of the means described in Section 15 (‘Contact’).
You will not usually be charged a fee to access your personal data (or to exercise any of the other rights). However, a reasonable fee may be charged if your request is clearly unfounded, repetitive or excessive (or we may refuse to comply with your request in these circumstances.)
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you.
The Right To Withdraw Consent
We rely on consent for the processing of your personal information with regards to our email marketing communications. You have the right to withdraw your consent at any time and free of charge. However, this will not affect the lawfulness of the processing before your consent withdrawal.
To withdraw consent, you can email firstname.lastname@example.org , or follow the unsubscribe link provided at the bottom of each marketing communication.
The Right To Object
You have the absolute right to object to the processing of your personal data if it is processed for direct marketing purposes.
Please contact us at email@example.com if you wish to exercise this right.
The Right To Complain
If you are not happy with any aspect of how we collect, process or use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).
If you do have a complaint, we would be grateful to have the chance to resolve this for you in the first instance. Please feel free to contact us at firstname.lastname@example.org for assistance.
7. Security And How We Protect Your Personal Information
We have put in place appropriate security measures to protect your personal information (this includes: from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed).
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions.
We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8. How We Retain Your Personal Information
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for (for example, to fulfil an order for you as requested).
However, we may also retain your information for the purposes of satisfying any legal, accounting, or reporting requirements.
When deciding what the correct time is to keep the data for we look at its amount, nature and sensitivity, potential risk of harm from unauthorised use or disclosure, the processing purposes, if these can be achieved by other means and legal requirements.
For tax purposes the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers.
You have a right to request that your personal data be erased in some cases. Please see Section 6 (‘Your Rights’) for more information.
In some circumstances we may anonymise your personal data for research or statistical purposes (in which case we may use this information indefinitely without further notice to you).
9. International Data Transfers
Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.
Some of our third parties service providers are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or
Where we use certain service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe; or
Where we use providers based in the United States, we may transfer data to them if they are part of the EU-US Privacy Shield, which requires them to provide similar protection to personal data shared between the Europe and the US.
If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
Please email email@example.com if you would like more specific information on the nature of information transfers.
10. Third Parties Service Providers And Processors
We use some third party service providers and processors in order to reasonably run and grow our business, and to allow us to offer our customers the best possible service:
· These third parties may share your personal information with us, for example – the online marketplaces Etsy and Not On The Highstreet will share your order information and contact details with us when you purchase one of our products. This allows us to fulfil your order.
· We may share your personal information (as described in Section 5 ‘How We Share Your Information’) with service providers in the interests of fulfilling our business requirements, for example – we share your name and postal address with the delivery provider Royal Mail. This allows us to send you your purchase as requested.
As mentioned in Section 5 (‘How We Share Your Information’), we endeavour to ensure high levels of data protection and transparency with every third party we interact with.
However, because these third parties are not owned or controlled by us, you are encouraged to reference the parties individual privacy policies for more information regarding your data.
We have listed below each of the third parties we use, and linked to their Privacy Policies for your convenience:
· Not On The High Street. https://www.notonthehighstreet.com/about/privacy
· Mailchimp. https://mailchimp.com/legal/privacy/
· Stripe. https://stripe.com/gb/privacy
· Royal Mail. https://www.royalmail.com/privacy-notice
· Squarespace. https://www.squarespace.com/privacy/
When you purchase an item from us, we do not have access to your financial information. All financial transactions are processed through third parties – this includes directly through PayPal, Stripe, Etsy or Not On The High Street. Although no method of transmission over the Internet or electronic storage is 100% secure, we ensure the processors we use follow all PCI-DSS requirements. We encourage you to read their individual policies for more details.
11. Third Party Links
What Are Cookies?
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
· Functional and Required Cookies. Allow visitors to navigate and use key features on our site. This includes customer accounts, shopping cart and checkout, and URL redirects.
· Squarespace (our website service provider) uses the following Functional and Required Cookies:
· Analytics and Performance Cookies. Allow us to collect information about how visitors interact with our site. Storing these cookies means we can analyse things such as traffic sources, unique visitors and cart abandonment. This helps us to evaluate and improve our business in order for it to grow.
· Squarespace (our website service provider) uses the following Analytics and Performance Cookies:
What Are Your Choices Regarding Cookies?
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
(a) https://support.google.com/chrome/answer/95647?hl=en (Chrome);
(b) https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);
(c) http://www.opera.com/help/tutorials/security/cookies/ (Opera);
(d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
(e) https://support.apple.com/kb/PH21411 (Safari); and
(f) https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).
However, blocking all cookies will have a negative impact upon the usability of many websites. In addition to this, if you block cookies, you may not be able to use all the features on our website, and certain features may not display or function correctly.
13. Age Of Consent
Our website and services are targeted at persons over the age of 18.
If we have reason to believe that we hold personal data of a person under that age, we will delete that personal data.
We may update this policy from time to time by publishing a new version on our website.
You should check this page occasionally to ensure you are happy with any changes to this policy.
We may notify you of significant changes to this policy by email, if that is possible.
15. Contact Details
Address: Rosie O’Neill, Highfields, Pollards Lane, Southwell, Nottinghamshire, NG250TL