SECTION 1 – FAIR PROCESSING NOTICE
WHAT PERSONAL DATA DO WE RECORD AND WHAT DO WE DO WITH YOUR INFORMATION?
Minimum Data Set Required
In order to comply with new General Data Protection Regulation (GDPR) rules, we have taken steps to ensure that all personal data that we record and store from you is the minimum amount of data needed to fulfil the purposes it is required for, and that we do not ask for more personal data than we need.
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us, including your name, address, email address, telephone number, order number, products purchased, IP address and card data. This data is used to process your transaction and fulfil your items. Some of your personal data may also be shared with our suppliers in order to fulfil your purchase. We may also share your information with our Order Printer app (developed by Shopify) to print invoices or packing notes for you. Under the GDPR, we have a lawful basis of the contract of the sale in order to collect, store and process your data in this way.
For the processing of your order, your data may be sent to or used by software from Google, Microsoft and Apple in order for us to undertake the administration of processing your order. Under the GDPR, we have a lawful basis of the contract of the sale in order to collect, store and process your data in this way.
For the fulfilment and delivery of your order, some of your personal data such as name, address and email address, may be used by Royal Mail and My Hermes to track and send your parcel. Under the GDPR, we have a lawful basis of the contract of the sale in order to collect, store and process your data in this way.
For all orders, personal data will be held and processed by Shopify in order to store your account/customer details, track your purchase history, save your address details and track any updates in the order/delivery process. Shopify may also use your data to process your transaction if you choose to pay via Shopify Payments.
No financial data (eg. Card number etc) is stored by us, but is processed during the course of the transaction, either by Shopify Payments, Paypal or Stripe.
All personal data gathered from the website/Shopify through transactions is gathered directly from the user and processed and held by Shopify and/or Paypal (if customers choose to pay via Paypal). This data is used to process and fulfil orders, refunds and queries. Under the GDPR, our lawful basis for sharing and processing this personal data is the contract of sale.
Personal data gathered from Shopify on transactions for subscription boxes are shared with Bold Commercewho provide the recurring subscription software, and also Stripe, who process the payment information on a monthly basis. Stripe will save payment information for further transactions to enable the recurring element of the subscriptions. Under the GDPR, our lawful basis for sharing and processing this personal data is the contract of sale.
If you purchase a digital product, such as a downloadable pattern, from our site, we will share your information with our Digital Downloads app from Shopify in order to allow us to deliver your digital product to you. Under the GDPR, our lawful basis for sharing and processing this personal data is the contract of sale.
Some basic data such as name, email address and order information may also be processed by Web 1-2-3 Regin order to fulfil order queries and in the process of fulfilling the contract of sale. Under the GDPR, our lawful basis for sharing and processing this personal data is the contract of sale.
Transaction amount and order number is also shared with and stored with Xeroand our accountants Paget & Reidfor accounting purposes. Under the GDPR, our lawful basis for sharing and processing this personal data is our legal obligation to provide statutory accounts to HMRC.
If you choose to create an account on our site, we will collect and store the following personal data on you: name, email address. We may also store your address if you wish to add this to your account for quicker checkout. This personal data is collected and stored by Shopify, and we will only use it to contact you about your account, or to process your order if you use this information at checkout. The information in the account is password protected by you, so please ensure you choose a strong password to avoid putting your data at risk. Under the GDPR, we have a lawful basis of the contract of providing a service (of an account on our site) to collect, store and process your data in this way.
Email marketing (if applicable)
The personal data you supply on this form will be stored and processed by our email provider, Mailer Lite, in order to fulfil our marketing. Under the GDPR, we are allowed to use your personal data in this way due to the lawful basis of your consent, by ticking the consent box when you sign up and the opt-in double confirmation email.
You will also be able to give permission for us to send you more targeted and personalised emails through customer profiling/segmentation and customised online advertising. You can opt-out of these at any time.
Sometimes we will share your personal data with apps in order to improve the website service and experience. As such, your information may be shared with our Product Review app (developed by Shopify) in order to allow you to let us know what you think of our products and service. Under the GDPR, our lawful basis for using your data in this way is our legitimate business interest.
From time to time we may also use Survey Monkey to help us gain insight into our customers and how they use our site. As such, we may ask for your personal data (name and email address) through Survey Monkey in order to identify responses. In such cases, this personal data will be processed and stored by Survey Monkey.
You will need to give consent for us to use this data in this way, if you choose to participate. Under the GDPR, our lawful basis for using your data in this way would be consent. In each case, you will be required to consent upon initiating participation of a survey, and not before. Your consent will be required for each individual survey.
HOW LONG WE HOLD YOUR PERSONAL DATA
For personal data collected, used and stored from purchases on the site, we will hold your personal data for 2 years from your last order date. After this time, it will be deleted as we presume you will not buy from us again.
For personal data collected, used and stored from your consent to email marketing purposes, we will hold your personal data for 1 year from the date of your last opened email, before removing it from our records. After this time, it will be deleted as we presume you are no longer interested in receiving further marketing information about our goods and services.
For personal data collected, used and stored from cookies on the site, we will hold this personal data for 26 months, in order to help us analyse site performance, site issues and potential development areas to help improve the site.
For personal data stored in Xero and our accounts, we will hold this personal data for 7 years, in order to allow us to supply statutory accounts for HMRC.
For personal data collected, used and stored from Survey Monkey, we will hold your personal data for 2 years from the end of the survey, in order for us to analyse business performance and product development.
For personal data collected, used and stored in 123 Webmail (our email provider), we will hold your personal data for up to 1 year from the date of your email. After this time, it will be deleted as we presume your request will have been completed and any issues fully dealt with.
YOUR PERSONAL DATA RIGHTS
In the EU, you should know that your personal data rights are protected under law. These include rights as specified in the General Data Protection Regulation, which are the right for your personal data to be accessed, corrected or changed, and erased.
To learn more about your rights under GDPR, visit the Information Commissioners Office website.
CHANGING YOUR PERSONAL DATA
Under the GDPR, you have the right to correct or change the personal data we hold on you at any time. If you would like to do so, please send us an email at firstname.lastname@example.org write to us at My Sewing Box, Office 3 & 4, Mulberry Court, Stour Road, Christchurch, BH23 1PS.
RIGHT TO BE FORGOTTEN
Under the GDPR, you also have the right for your personal data to be removed or ‘forgotten’. If you would like the personal data we hold on you to be erased, please send us an email at email@example.com write to us at My Sewing Box, Office 3 & 4, Mulberry Court, Stour Road, Christchurch, BH23 1PS.
SECTION 2 - CONSENT
How do you get my consent?
To consent to our email marketing, you must fill in the form, tick the box to say you give permission, and click submit to make it clear that we have your explicit consent to be contacted by the email address and name you provide. This may be done on either through our email pop-up, the form on our newsletter page or during check out.
When signing up to our email marketing, you can also choose whether to give your consent for us to use your data for customised advertising and customer profiling – by consenting to these, you allow us to give you more personalised content that we think you will like.
If we want to use, share or collect any of your personal data for any other reason, we will contact you first to explicitly ask for it, and wait for your permission or rejection of consent before doing so.
How do I withdraw my consent?
If you change your mind, you may withdraw your consent for us to use, share or contact you for the continued collection, use or disclosure of your information, at any time, by contacting us at firstname.lastname@example.org or mailing us at:
My Sewing Box
Office 3 & 4, Mulberry Court, Stour Road, Christchurch, BH23 1PS.
You can also use the unsubscribe link at the bottom of every email we have sent you.
Please allow up to 28 days for this change to take effect.
To opt-out of cookies, simply use decline button in the banner on site to switch them off.
SECTION 3 - DISCLOSURE
We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service. Under the GDPR, our lawful basis for doing so would be a legitimate interest for security or criminal concerns, and we may disclose your personal data to the authorities (such as the police), in order for them to investigate further and ensure no crime is committed.
Subject Access Requests
You may ask to access the personal data we hold on you at any time. To do so, simply email us at email@example.com write to us at My Sewing Box
Office 3 & 4, Mulberry Court, Stour Road, Christchurch, BH23 1PS.
Please allow one month for us to complete your request.
Upon receiving your request, we will supply you with the data you have requested to access in an easily readable format, such as a Word document or physical letter.
SECTION 4 - SHOPIFY
Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read Shopify’s Terms of Service here or Privacy Statement here.
SECTION 5 - THIRD-PARTY SERVICES
In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.
For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
As an example, if you are located in Canada and your transaction is processed by a payment gateway located in the United States, then your personal information used in completing that transaction may be subject to disclosure under United States legislation, including the Patriot Act.
When you click on links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
SECTION 6 - SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with a AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry standards.
Additionally, personal data sent collected and stored by Shopify through us, may be sent to networks in Canada/the USA. We have ensured that the relevant Privacy Shield or Binding Corporate Rules documentation is attained by any company we send your data to outside of the EEA, to ensure the highest standards of data security and to comply with GDPR rules on data security.
If a breach of data is discovered, you will be notified immediately of any data breach and risk to your personal data. This is also the case for any supplier that we may share your personal data with.
SECTION 7 – COOKIES
What are cookies?
A cookie is a small amount of information that’s downloaded to your computer or device when you visit certain websites. We use a number of different cookies on the website, including strictly necessary, performance, advertising, and social media or content cookies. Cookies make your browsing experience better by allowing the website to remember your actions and preferences (such as login and region selection). This means you don’t have to re-enter this information each time you return to the site or browse from one page to another. Cookies also provide information on how people use the website, for instance whether it’s their first time visiting or if they are a frequent visitor.
Here is a list of cookies that we use. We’ve listed them here so you that you can choose if you want to opt-in to cookies or not.
Shopify – Essential cookies
Some cookies are essential for our site to run properly, such as remembering what is in your basket and performing checkout. These are as follows, with a description of their function:
_ab Used in connection with access to adminshop has a password, this is used to determine if the current visitor has access.
_orig_referrer Used in connection with shopping cart.
_secure_session_id Used in connection with navigation through a storefront.
Cart Used in connection with shopping cart.
cart_sig Used in connection with checkout.
cart_ts Used in connection with checkout.
checkout_token Used in connection with checkout.
Secret Used in connection with checkout.
Secure_customer_sig Used in connection with customer login.
storefront_digest Used in connection with customer login.
Shopify Non-Essential Cookies
We use non-essential cookies for things like analytics and reporting, to help us analyse the site usage and make improvements to help better your experience of the site. These are as follows, with a description of their function:
_landing_page Track landing pages.
_orig_referrer Track landing pages.
_s Shopify analytics.
_shopify_fs Shopify analytics.
_shopify_s Shopify analytics.
_shopify_sa_p Shopify analytics relating to marketing & referrals.
_shopify_sa_t Shopify analytics relating to marketing & referrals.
_shopify_uniq Shopify analytics.
_shopify_visit Shopify analytics.
_shopify_y Shopify analytics.
_y Shopify analytics.
tracked_start_checkout Shopify analytics relating to checkout.
Additionally, we use pixels and tags from the following third parties, which may in turn place cookies:
Third party non-essential cookies
We also use third party cookies for a range of different purposes – please see below to find out more about what cookies we use and what they do.
Reporting & Analytics
Google Analytics We use Google Analytics to help measure how users interact with our websites.
Facebook Pixel We use the Facebook pixel, and any cookies it places for this, to help us deliver and measure targeted advertising
Social media & content
Facebook Connect We use Facebook Connect to allow visitors to our website to interact with and share content via Facebook’s social media platform.
Pinterest We use Pinterest to allow visitors to our website to interact with and share content via Pinterest’s social media platform.
Twitter We use Twitter to allow visitors to our website to interact with and share content via Twitter’s social media platform.
Youtube We use Youtube to allow visitors to our website to interact with and share content via Youtube’s social media platform.
The length of time that a cookie remains on your computer or mobile device
depends on whether it is a “persistent” or “session” cookie. Session cookies last until
you stop browsing and persistent cookies last until they expire or are deleted. Most
of the cookies we use are persistent and will expire between 30 minutes and two
years from the date they are downloaded to your device.
Opting in and out of cookies
You can opt in, and opt out, of non-essential cookies at any time during your visit on our website – simply use the cookies banner to adjust your preference settings.
You can control and manage cookies in various ways. Please keep in mind that removing or blocking cookies can negatively impact your user experience and parts of our website may no longer be fully accessible.
Most browsers automatically accept cookies, but you can choose whether or not to accept cookies through your browser controls, often found in your browser’s “Tools” or “Preferences” menu. For more information on how to modify your browser settings or how to block, manage or filter cookies can be found in your browser’s help file or through such sites as: www.allaboutcookies.org.
SECTION 8 - AGE OF CONSENT
By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site.
If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.
QUESTIONS AND CONTACT INFORMATION
If you would like to: access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information contact our Data Protection Officer Amy Gilbert at firstname.lastname@example.org or by mail at
My Sewing Box
[Re: Data Protection Officer]
Office 3 & 4, Mulberry Court, Stour Road, Christchurch, BH23 1PS