Nature of Data Held by Grace & Oliver
Legal Basis for Holding Data
Data Protection Policy
Cookies Policy for this Site
Our Privacy Policy
Data Access Policy
Your Right to be Forgotten
Our Complaints Procedure
Data Retention Term
Automated Data Processing
Data Protection Officer
In order to ensure customer satisfaction, fulfil our contractual obligations to customers and satisfy our legal obligation to HMRC, we hold the following information:
Data held relating to customers
Contact information is held for the purposes of:
In practical terms, this will involve no more than 12 emails in any year.
Consent.
Site visitors may opt in to our mailing list at any time by checking the appropriate box on our contact form or order form. This implies consent to receive a limited number of promotional emails only from Grace & Oliver.
Fulfillment of contract.
For customers, to complete delivery or exchange of products.
Invoice and other commercial details, whether or not they contain personally identifiable data, will be retained for long enough to fulfil any legal obligations upon us for tax record purposes. This is currently seven years, but this may change owing to factors outside our control.
Scope
This document defines the policy for managing data for the Grace & Oliver web site, not taking into account the data holdings at their fixed office or mobile facilities.
Online Shop
The online shop is operated through and managed by Big Commerce. Please follow this link to view their security and privacy policies. We do not authorise Big Commerce, or any other organisation, to share or process any data other than for the purpose of receiving and satisfying orders.
Online Payments
All our online payments are handled by SagePay, using their fully hosted solution. This gives us the benefit of using the security arrangements put in place by Sage. We do not handle or process any personal payment data ourselves. Please see the SagePay site for their own data protection and privacy policies.
Newsletters and Promotional Mailing
Our opted-in mailing list is managed by MailChimp. No personal data are stored other than name and email address for the purpose of occasional information broadcasts. Please see the MailChimp site for details of their security and data protection arrangements.
Grace & Oliver Cookies Policy
The Grace & Oliver site uses only one cookie. It is a session cookie, which is deleted at the end of your browser session. It holds no personally identifiable data relating to our site visitors, other than the broad geographical location. This serves to ensure the site delivers the correct information in terms of local contacts, currency and taxes.
No personal data is ever held in a cookie on our web site.
However, a number of social media sites and search engines use practically every web site for tracking cookies and so-called Interest Based Advertising. They do this without our consent or co-operation. While we make strenuous efforts to prevent them from doing this, their evolution is such that they can generate new ones faster than we can block the old ones.
We strongly recommend that if you do not want every moment of your web browsing catalogued and analysed, you should use the controls available in your browser to prevent tracking and to block third party cookies.
To get more information and help on how to use these blocking tools, here are some links:
privacy.net
Privacy Badger
Disconnect
AdBlock Plus
Firefox Tracking Blocker Instructions
Firefox Cookie Manager
Ghostery Tracking Blocker for Chrome
Managing Cookies in Chrome
Tracking Blocker Advice for Vivaldi
The only cookies that our site will place are for strictly functional purposes like identifying your broad geographical area to ensure accurate local information, and to retain the contents of a shopping basket if one is used.
We will collect personal data about you. This includes data collected when you contact us, register to use our site, search for a product, create a design through our bespoke service, place an order on our site and when you report a problem with our site. This may include your name, address, e-mail address and phone number, financial and credit card data. We will use this data:
When you visit our site, we may automatically collect technical data, including where available your IP address and your login data. We may also collect data about your visits to our site, for example traffic data, location data and products you viewed or searched for. This is statistical data and does not identify you personally. We will use this data:
We will work with third parties (including for example sub-contractors in payment and delivery services) and may receive data about you from them. We may use this data for any of the purposes already set out above.
If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this.
You have the right to ask us not to process your personal data for marketing purposes. If you do not want us to use your data in this way, or to pass your details on to third parties for marketing purposes, please opt-out by ticking the relevant box when you register to use the site/when you place an order.
You will at all times be able to unsubscribe, by clicking here [LINK] or by using the link in any e-mail we send you.
Cookies
Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our site. By using our site you agree that we can place these types of cookies on your device and access them when you visit the site in the future.
For detailed information on the cookies we use and the purposes for which we use them see our Cookie Policy.
We may share your personal data with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may share your data with selected third parties including:
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.
All data you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of data via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your data, we will use strict procedures and security features to try to prevent unauthorised access.
There are no admin fees associated with any of your rights, and everything can be achieved by contacting us.
Good practice dictates that in order to review, modify or remove data, we ascertain that your identity is as stated. Assuming your email address to be a unique identifier of you as an individual, the first stage in the process is to send a secure link to your email address, which will bring you back to this page, with the relevant options enabled. This is in the interests of keeping your data private and preventing malicious deletions or modifications.
Data Access Policy
Under the provision of the General Data Protection Regulation, you have the right to access any data held by any organisation relating to you as a natural person.
By following the relevant link, our policy is to make your information freely available to you to view or amend as necessary.
Naturally, we have to ensure that the identity of the person requesting the information is valid, so when you make a request, an email will be generated to the address held on file for yourself. This will contain a secure link to this page, which will then display your information in editable fields.
Once you have finished amending any information that you want to update, click on the submit button to apply changes. The new information will then be presented for you to review.
Your Right to be Forgotten
Under the provisions of the General Data Protection Regulation, you have the right for all data held relating to yourself to be completely and permanently erased.
In pursuance of this policy, Grace & Oliver provides a link that will completely delete all information relating to an individual, identified by their email address, from the current database. That request sends an email to the responsible individual, informing them that the records relating to a record, identified by sequential number, have been removed.
To ensure that only you can remove your records, your RTBF request will generate an email to the address held on file for you, with a secure link back to this page, with the RTBF confirmation button showing. Confirming removal will delete all information held in association with your email address from the Grace & Oliver database. If you have made enquiries on more than one occasion, using different email addresses, you will need to repeat the process for each address used.
The Regulation also provides for this information being removed from all backup copies and other repositories in the organisation. To ensure that this requirement is followed, Grace & Oliver adopts the following practices:
Please note that the server is backed up weekly, so there will be a latency of seven days between removal from the active database and removal from the backup copy.
For instant removal from the backup copy as well as the active database, contact the responsible individual who will manually destroy your record in the backup copy on the day of request.
Complaints Procedure
Complaints about the management, security or handling of personal data should be addressed to the responsible individual using the link on this page. In the event of receiving a complaint, the responsible individual will:
In the unlikely event of the outcome being unsuccessful or unsatisfactory, your rights as an individual allow for complaints to be escalated to the Office of the Information Commissioner, who may proceed on your behalf if a serious data breach is suspected. Their contact details are:
Web site: ico.org.uk
Phone: 0303 123 1113
Through the web site or phone line, you can express concerns to the ICO relating to:
Customers
Until contract expiry or termination
Other Contacts
3 Years or data removal by subject, whichever is the sooner.
Invoice details will be retained in accordance with our legal obligation in relation to tax regulations.
The only automated process carried out on data from this site is the transmission of orders to our fulfilment house in order to ensure correct delivery. The recipients of such data are bound by our own policies of non-disclosure and non-sharing.
For the purposes of this policy, the Data Processor is Grace & Oliver, Devonshire Place, London W1
Contact number: 01923 210111