REMEDY ROOTS PRIVACY STATEMENT
Primary reason/s for updates when creating this version: GDPR compliance checks. Includes additional section explicitly outlining the data rights of an individual (see section 3)
SECTION 1 – WHAT DO WE DO WITH YOUR INFORMATION?
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, telephone, address and email address.
When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.
As a customer, we will endeavour to learn relevant information about you in order to better tailor our services to you. This information may include your previous purchase history or product interests, or your social handles.
Email marketing: With your expressed consent, we may send you emails about our store, new products and other updates about us. These are marketing emails.
You can choose to amend or delete any of the data that we collect and store about you at any time. You can contact us to request this by any of the means provided at the end of this page.
We will hold your data for different periods of time depending on the reason we collected your data for processing:
Data collected for transactional purposes – we will hold your data for a reasonable period to service your orders and to help expedite any future repeat orders.
Data collected for marketing purposes – we will hold your data for as long as we feel it is relevant to market our services to you and for as long as you are happy for us to do so. We will monitor the engagement of our marketing communications every 12 months. If we feel you are not engaging with our communications, we may delete the data that we store about you for these purposes.
SECTION 2 – CONSENT
What is consent?
Your ‘consent’ is your explicit permission to us to process your data for a specific reason. This mainly applies to us using your data for transactional (in order to complete a sale or fulfil an order) or marketing purposes.
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only, as it is necessary to carry out the transaction.
If we process your personal information for another reason, like marketing, we will ask you directly for your expressed consent, wherever possible, before doing so. This can take a few different forms on our site:
- A tick box as part of the checkout process asking you to ‘subscribe to our newsletter’ or similar
- A short form or pop-up box that asks for your email address, asking you to ‘Join the Remedy Roots Community’ or similar
- A short form that asks for your email address as part of a content download, where we will make it clear that you are also signing up for marketing communications
If you’ve given your consent by providing your email address, we will, wherever possible, also ask you to confirm your email address, which represents a double confirmation, or ‘double opt-in’ of your consent.
How do I withdraw my consent?
If, after you opt-in, you change your mind, you may withdraw your consent for us to contact you, or for the continued collection, use or disclosure of your information, at any time. The easiest way to do this is to click on the ‘manage preferences’ or ‘unsubscribe’ links at the bottom of our marketing emails. You can also achieve this by contacting our data controller, Stuart Harrison at email@example.com or mailing him at: Remedy Roots, Faraday Wharf, Innovation Birmingham Campus, Birmingham, ENG, B7 4BB, United Kingdom.
SECTION 3 – YOUR RIGHTS AROUND DATA
Data that we process about you belongs to you alone, and you have rights surrounding that data that we will (and are required by law to) respect. Here is a list of your individual rights around your data and what they mean:
Right to be informed
Right of access
You have the right to obtain a copy of the personal data that we store about you. We are required to provide this to you in a commonly accessible format, free of charge, within 30 days of your request. Which we are happy to do!
Right to rectification
You have the right to have any inaccurate data that we store about you rectified, or completed if it is incomplete. We are required to complete this within 30 days of your request.
Right to erasure
You have the right to ‘be forgotten’. This means you can ask for us to delete some or all of the data that we store about you. We are required to complete this within 30 days of your request.
Right to restrict processing
You have the right to restrict how we process your data in certain circumstances. For example, if you asked us to correct data stored about you, you could also ask us to restrict how we process that data whilst we go about correcting it.
Right to data portability
You have the right to receive personal data stored by us about you in a commonly used machine-readable format. You also have the right to request that we transmit this data directly to another controller.
Right to object
You have the right to object to your data being processed. This is not necessarily the same as the right to erasure, as it focuses more on the data being processed, as opposed to being stored. For example, if you objected to us using your data for marketing purposes, we would stop processing it for marketing purposes. However, we would retain enough data to put you on a ‘suppression list’, which makes sure we don’t send you marketing emails. We’d also be allowed to keep your data for transactional purposes (like speeding up repeat orders) unless you requested that we delete it.
Rights related to automated decision making including profiling
You have a right to be protected from automated individual decision making that would have legal or significant implications on you. For example, if you were applying online for a loan or credit card. We use automated processes to help run our business, but these don’t have a significant or legal impact on you as an individual.
SECTION 4 – DISCLOSURE
We will not disclose your personal information to third parties for their purposes and benefit unless we are required by law to do so, or you have given your specific consent in advance.
SECTION 5 – PAYMENT
We do not store any of your payment information. We use a third party payment processing gateway to take your order, and they use their own security measures to protect your information at the point of purchase or if it is stored with your consent (for example, for the next time you use the site to make an order). Otherwise, your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
The third-party service we use to collect payments is called Stripe. You can find information about their security standards here.
SECTION 6 – THIRD-PARTY SERVICES
In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us. An example of a third-party provider used by us would be MailChimp, an email service provider, which we use to contact you via email.
For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
Here is a list of the third-parties we use that may collect or handle your data when providing their services to us. Here ‘hold’ means they store your data for a period of time and ‘process’ means they pass your data from one system to another within our environment. Next to each is a brief description of why we use them and what data they interact with. Their name is a link to their privacy policies:
Mailchimp – email service provider and email gathering on-site. They will hold and process your name and email address, plus additional relevant information about you such as where you signed up to our services, your order history, your engagement with our marketing emails, your IP address and an estimate of your location.
Sumo Group – email gathering on-site. They may process your name and email address.
Stripe – payments gateway for processing your orders. They will hold and process your name, email address and payment information, as well as additional information such as your order history and the status of your payments to us.
Woocommerce – provides the ecommerce functionality for our site. Holds and processes information about orders, including your name, email address, physical address and telephone number, plus additional information such as your order history and activity on our site. It holds these data on our servers. It does not hold any payments data.
Royal Mail – creates postage labels to help us quickly fulfil our orders. Holds and processes your name, email address, telephone number and physical address, plus additional information such as your order history.
SECTION 7 – LINKS
When you click on links on our site, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements. We are also not able to control the content that they display on their site.
SECTION 8 – SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
In the unlikely event of such an incident, we would endeavour to contact all affected individuals as soon as the details of the event had been established, so that they could take any appropriate actions. We would also endeavour to contact the Information Commissioner’s Office (ICO) within 24 hours to notify them of the data breach.
SECTION 9 – COOKIES
If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to communicate with you effectively and sell products to you.
QUESTIONS AND CONTACT INFORMATION
If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information, contact Stuart Harrison at firstname.lastname@example.org or by mail at the address below: Remedy Roots, Faraday Wharf, Innovation Birmingham Campus, Birmingham, ENG, B7 4BB, United Kingdom