What we do with your data
We will never sell your personal data for any reason, though sometimes it will be necessary to transfer your data to a third party to be processed. Your data is processed for certain specific reasons:
To create an online account so you can manage and download your orders, we generate a unique identifier and use your email address as a username.
So that we can get in touch with you about your order, we need to know your name, email address, phone number and any messages you have sent through your online account.
On the order form, we require every information we ask for. If we ask for your country, This is because we are required to know the country in which you are downloading your order for VAT purposes.
We will only ever call you about an existing service you have asked us to provide or to talk about something important related to your account.
After we have completed your order, we pass your name, email address, order number and localisation data, to any company in partnership with us for review purposes, which will provide an independent product review service. They will then email you, asking for feedback on your order.
Sometimes, we offer coupons to individual customers for use with future orders. To ensure only the intended recipient of the coupon can use it, we store their email address alongside the coupon details. These addresses are not used for anything other than the administration of coupons.
When you place an order, our system stores your IP address. This address is used to work out your time zone so that we can call you during hours that are convenient for you. It is also used to identify when a customer is using multiple accounts to place their orders.
For payments over a certain amount, we ask for documents to prove you are the registered account holder. This is so that we can prevent fraudulent transactions, such as people paying with stolen card details.
In order to establish the facts in case of a legal dispute, we archive anything that might be relevant to the negotiation or performance of a contract (for example, messages or order instructions). Access to this archived data is strictly controlled so that only a few privileged employees can see it, and it is only ever used for the specific purpose of supporting a legal case.
By law, you have a number of rights available to you when you give us your personal data. You can ask for access to any of your personal data that we hold; you can ask us to correct any inaccuracies in your personal data; you can ask us to delete your personal data where there is no longer any good reason for us to have it; you can object to the processing of your data in some cases; and, where you have given consent, you are able to withdraw that consent at any time. Under certain circumstances, such as if the data is material to legal proceedings, you can also ask us to temporarily stop processing your personal data. Where your data is automatically processed, you can also ask for a copy of your data in a machine-readable format.
If you would like to exercise any of your rights listed above, please send your request to our data protection officer at email@example.com. After we have received proof of your identity, we will respond to your request within one calendar month.
How we keep your data safe
We use a variety of technical and organizational measures to make sure your personal data is stored and transmitted securely. For example, we make diligent use of encryption whenever personal data is being transmitted to a third party and we make regular backups in case the original copy of your data is lost, so you can rest assured that your personal data is secure and protected.
If you communicate with us by email over the Internet, you should be aware that the nature of the Internet is such that unencrypted communication may not be secure and may pass through several different countries en route to us. Please do not email us with confidential or sensitive information such as your credit card details. We cannot accept responsibility for unauthorised access to your information that is outside our control.
Data retention policy
We only hold on to your data for as long as we need it to fulfil one of the purposes it was originally collected for, such as to provide a service, to gather feedback or to comply with a legal obligation. This means that retention policies for your data can differ considerably depending on the context and the way it is used. When deciding on a retention policy for any type of data, we use the following criteria:
- How long is the data needed for? – For example, if you have not logged in to your account for several years, we will try to remove you from our mailing lists.
- What did we say we would do with the data when we collected it? – If the purposes for which we originally collected the data are no longer relevant, there is no need to keep it.
- Do we have a legal obligation to keep the data? – For example, financial information needs to be kept for a minimum amount of time for tax reasons.
- Does holding the data carry an inherent risk? – In the unlikely event of a data breach, we want to ensure that nothing sensitive is stolen. We will therefore have reduced retention periods for data we consider to be sensitive.
However, in general, we securely archive most of your account data after five years of inactivity (see ‘Other purposes’ above) and then permanently delete all of your personal data after six years of inactivity.
Transfers to countries outside the EEA
Some of the third parties we use to process your data are based in countries which do not have the same standard of data protection laws that EU citizens enjoy. In these cases, we have made sure there are safeguards in place to protect your rights and interests. For example, Survey Monkey and Mailchimp are both located in the United States, but we have made sure that they both comply with the EU-U.S. Privacy Shield Framework, which guarantees the same level of protection.
If you are 13 or under, you must have permission from a parent or guardian before you give us your personal information. If we find that we have received information from you without the appropriate consent, we reserve the right to cancel all transactions and services and remove all personal data that you have supplied. You will be able to re-submit the information when you have the required permission.
Links to other websites