Last updated 25th May 2018
This policy outlines how we collect and process your data, who we share it with, and what safeguards we have in place to ensure your privacy is protected. We collect data in a variety of ways: through your use of our website, communications you have with us, agreements with suppliers and so on.
We strongly value your privacy and take our obligations seriously; we undertake all reasonable measures to ensure that your data is stored safely, and you can rest assured that it will only ever be used for its intended purpose. We are committed to being open and transparent about how we use your personal information, so if you do have any queries about this policy, or how we collect and store your data, please don’t hesitate to get in touch with us.
Personal data, sometimes referred to as personal information, is considered to be any information which can be used to identify an individual.
Design a Ribbon is a trading name of Delightful Decor, who are defined as the data controller and hold responsibility for the storage and use of your personal data. Design a Ribbon may also be referred to as “we”, “us” or “our” in this policy.
You are defined as the owner of your personal data. You may also be referred to as “customer” or “supplier” in this policy document.
Legitimate business process is defined as the circumstance under which we have the right to store and process your data. For example, if you place an order with us, we will store a record of your order either on our website or on receipts. We may also print your invoice for inclusion in your order, and we will keep a copy of your order and payment notification for our accounts. These are legitimate business processes as we must carry them out to fulfil your order and meet our accounting obligations.
Data Protection Contact
Name: Alison Swift
Telephone: 01246 767428
Postal Address: 7 Falcon Yard, Low Pavements, Chesterfield, Derbyshire, S40 1PF
Data We Collect About You
We collect personal data through your use of our website including orders you place and communications you may have with us. We also collect personal data when purchases are made in our shop, or when you enter into a supplier agreement with us. This is used for a variety of purposes including fulfilment of orders and development of the business.
Data which we store on a day-to-day basis include:
– Identity and communication-based information including your name, address, E-Mail address, and telephone number
– Limited financial data including billing name and address, E-Mail addresses associated with payment services and anonymised card data. Note: all payments are made with third-party providers; we do not hold full credit card details.
– Quotes provided for bespoke orders such as frames
– Receipts for orders placed with us
– Transaction details for accounting purposes
We do not store or process any special category data such as race, ethnic origin, religious beliefs and so on.
Your data is obtained by us when you:
– Visit our website;
– Make a purchase in our shop;
– Call, E-Mail or submit an enquiry through the contact form on our website;
– Request us to provide a quote.
How We Use Your Data
We will only ever use your data for legitimate business interests, or to comply with any legal or regulatory obligations that we may have. Examples of this include:
– Fulfilling an order placed with us;
– Contacting you if we have a query with your order;
– Responding to an enquiry you have placed via phone, E-Mail or contact form;
– Providing information to legal or regulatory bodies such as HMRC or the ICO to comply with legal obligations.
You own your data, and you have certain rights under GDPR which we have outlined under the ‘Your Legal Rights & Our Responsibilities’ section. These have been enhanced to further your right to privacy and control over your personal data, as well as clarifying our rights to use it under fair processing.
The purposes for which we typically use your data are outlined in the table below:
| Activity | Data Stored/Processed | Legitimate basis for processing |
| --- | --- | --- |
| Order Placement | Name, telephone number, E-Mail address, billing and delivery address | Required for the fulfilment of your order with us, including contact details should we need to clarify anything about your order or provide details to a courier |
| Register a Supplier | Name, telephone number, E-Mail address, address | Creation of a record of a supplier for the purposes of placing orders for stock, recording commission due and invoicing |
| Administration | Name, telephone number, E-Mail address, address | Creation of quotes and invoices, debt-recovery, fulfilment of legal and accounting purposes |
Security of Data
We have a range of mechanisms in place to safeguard your data and ensure that your privacy is maintained.
Strong passwords are required for all services used within the business which store or are used to process your data including our website, E-Mail accounts and backup facilities. Any machines or devices used to access any of these services are password protected and are stored in a secure location when not in use. All PCs used within the business have up-to-date antivirus software and are regularly checked for malware to ensure they remain secure.
Where personal data exists in paper form, it is either stored in a secure location should it be required for accounting purposes, or securely shredded once it is no longer required. Orders through our website are paid for via 3rd-party gateways; we do not handle your payment details. Orders placed over the phone are entered directly into our payment terminal – at no point are your payment details written down.
We take every precaution to keep your data safe, but in the unlikely event of a data breach or loss of data, we will inform you as soon as it has been identified, or as soon as is practicable. In addition, we may also inform regulatory bodies of the data breach, as well as legal professionals or insurers as required to protect the business.
Your personal data is stored only for as long as is required to fulfil its intended purpose. The length of time will vary depending on the nature of the data stored, and the purpose for which it was collected. Typical examples from our day-to-day business include:
– Order details will be retained for the purposes of fulfilment; we will also retain records of the orders for accounting purposes
– Financial records/transaction details will be kept for six years after the end of the previous financial year in line with HMRC reporting requirements
You have the right to request the deletion of your personal data; please see the section titled ‘Your Legal Rights & Our Responsibilities’ for more information about the data you can request to be deleted and how you would go about doing so.
Consent & Contract
We have a legal basis for processing your data if it is for the purposes of fulfilling a contract between us and you. For example, if you place an order with us, then we may use your data for the purposes of fulfilling that order. Likewise, if you get in touch with us to request a quote, then we can use the data you have provided to us for the purposes of providing that quote.
You can disable cookies through your web browser; however, we would not recommend doing this as many sites, including ours, rely on these to function.
If you have accepted cookies but later change your mind, you can clear the stored cookies through your browser settings and preferences.
International Data Transfers
We may share your personal data with selected third-parties as outlined below purely for business purposes and service provision. In some cases, this data is transferred outside of the European Economic Area (EEA) – however, we ensure that your data remains subject to the same high level of protection afforded here by only using trusted services which provide their own rigorous data protection policies.
Your Legal Rights & Our Responsibilities
The GDPR identifies key aspects of how you can access and control the personal data that companies such as us store and use. Specifically, you can:
– Make a data subject access request to know what data we store about you
– Request that we amend incorrect data stored about you
– Request that we delete your personal data*
– Make an objection to us processing your data, requiring us to cease the use of your data*
– Request the transfer of data which we store about you to a nominated third-party
– Withdraw or amend the consent you have given us previously for us to use your personal data at any time
If you make a data subject access request, we will aim to respond within one month of receiving the request in writing. In unusual circumstances, or if the data requested proves difficult to collate or obtain, this time may be extended. We will advise you if this is the case. We may also require further information from you to identify the data that you are requesting, and to verify that the data subject access request is genuine.
There is usually no fee for a data subject access request. However, we may opt to exercise our right to charge a reasonable fee if your request is unfounded, repetitive or excessive. In these circumstances, we may instead exercise our right to refuse to comply with your request.
* If you request us to delete or cease processing your personal data, please note that there are circumstances under which we may not be able to comply with your request. Specific examples may include, but are not limited to, the cancellation and deletion of an order where production has been started, or the deletion of financial transaction records which we are required by law to retain for six years by HMRC.
In some circumstances, we may share your data with third parties. These may include:
– External IT service providers we use for conducting day-to-day business
– Courier services who require contact information of the recipient for delivery
– Professionals including solicitors, book-keepers, accountants or insurers for the seeking of legal advice, finance and accounting purposes or claim handling
– Regulatory bodies such as HM Revenue & Customs or the ICO to meet our legal reporting obligations
We regularly share data with the following:
| Service Provider | Service | Data Processed & Purpose | Safeguards in Place |
| --- | --- | --- | --- |
| | | All E-Mails are stored within a Gmail account which may include orders, enquiries, updates for suppliers etc. | Strong passwords are required for the accessing of any Google Accounts. E-Mails which are no longer relevant are deleted. |
| PayPal | Payment Processing, Accounting | Customer details including name, address, E-Mail address and details of an order for the process of taking payment. | Access to PayPal is strictly limited to the owner. Payments are handled through PayPal; at no point do we have contact with credit card information for PayPal payments. |
| XLN Telecoms | Payment Processing | Customer details including card number, CVC number, house number and billing post code for payments taken over the phone. | Card payments taken over the phone are entered straight into the terminal; at no point are any of these details written down or stored. |
| HMRC | Accounting | Customer details including name, address, E-Mail address, payment method and order details for auditing or investigative purposes. | Customer data is not routinely shared with HMRC; however, in the event of an investigation or court order, we may be obliged to provide full access to our accounts which include sales data. |
| Webhosting UK | Hosting | Our website is hosted with Webhosting UK. Subsequently, any orders placed through the website and online enquiries are stored on our secure hosting account. | Access to our hosting account is protected with a strong password, and strictly limited to the owner. Backups are stored in secure remote locations to protect against deletion or loss of data. |