PRIVACY STATEMENT

 

----

 

UPDATE MAY 2024 – our privacy policy has recently been updated. Please re-read the whole privacy policy to understand what changes have been made.

 

----

 

SECTION 1 – FAIR PROCESSING NOTICE

 

WHAT PERSONAL DATA DO WE RECORD AND WHAT DO WE DO WITH YOUR INFORMATION?

 

Minimum Data Set Required

 

In order to comply with new General Data Protection Regulation (GDPR) rules, we have taken steps to ensure that all personal data that we record and store from you is the minimum amount of data needed to fulfil the purposes it is required for, and that we do not ask for more personal data than we need.

 

Purchasing

 

When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us, including your name, address, email address, telephone number, order number, products purchased, IP address and card data. This data is used to process your transaction and fulfil your items. Some of your personal data may also be shared with our suppliers in order to fulfil your purchase. We may also share your information with our Order Printer app (developed by Shopify) to print invoices or packing notes for you. Under the GDPR, we have a lawful basis of the contract of the sale in order to collect, store and process your data in this way.

 

For the processing of your order, your data may be sent to or used by software from Google, Microsoft and Apple in order for us to undertake the administration of processing your order. Under the GDPR, we have a lawful basis of the contract of the sale in order to collect, store and process your data in this way.

 

For the fulfilment and delivery of your order, some of your personal data such as name, address and email address, may be used by Royal Mail and My Hermes to track and send your parcel. Under the GDPR, we have a lawful basis of the contract of the sale in order to collect, store and process your data in this way.

 

For all orders, personal data will be held and processed by Shopify in order to store your account/customer details, track your purchase history, save your address details and track any updates in the order/delivery process. Shopify may also use your data to process your transaction if you choose to pay via Shopify Payments.

 

No financial data (eg. Card number etc) is stored by us, but is processed during the course of the transaction, either by Shopify Payments, Paypal or Stripe.

All personal data gathered from the website/Shopify through transactions is gathered directly from the user and processed and held by Shopify and/or Paypal (if customers choose to pay via Paypal). This data is used to process and fulfil orders, refunds and queries. Under the GDPR, our lawful basis for sharing and processing this personal data is the contract of sale.

 

Personal data gathered from Shopify on transactions for subscription boxes are shared with Bold Commerce who provide the recurring subscription software, and also Stripe, who process the payment information on a monthly basis. Stripe will save payment information for further transactions to enable the recurring element of the subscriptions. Under the GDPR, our lawful basis for sharing and processing this personal data is the contract of sale.

 

If you purchase a digital product, such as a downloadable pattern, from our site, we will share your information with our Digital Downloads app from Shopify in order to allow us to deliver your digital product to you. Under the GDPR, our lawful basis for sharing and processing this personal data is the contract of sale.

 

When you purchase from our site, you will have the option to sign up for our newsletter to send you more information about further products and services. To sign up, you will need to give us your consent by reading our privacy policy and ticking the box. You will be given the option to opt-out of receiving our marketing emails in your first email, and can also opt out at any time by using the unsubscribe link at the bottom of every email.  We are using the lawful basis of consent under the GDPR to collect, store and process your data in this way.

 

Some basic data such as name, email address and order information may also be processed by Web 1-2-3 Reg in order to fulfil order queries and in the process of fulfilling the contract of sale. Under the GDPR, our lawful basis for sharing and processing this personal data is the contract of sale.

 

Transaction amount and order number is also shared with and stored with Xero and our accountants Paget & Reid for accounting purposes. Under the GDPR, our lawful basis for sharing and processing this personal data is our legal obligation to provide statutory accounts to HMRC.

 

 

Website accounts

 

If you choose to create an account on our site, we will collect and store the following personal data on you: name, email address. We may also store your address if you wish to add this to your account for quicker checkout. This personal data is collected and stored by Shopify, and we will only use it to contact you about your account, or to process your order if you use this information at checkout. The information in the account is password protected by you, so please ensure you choose a strong password to avoid putting your data at risk. Under the GDPR, we have a lawful basis of the contract of providing a service (of an account on our site) to collect, store and process your data in this way.

 

 

Email marketing (if applicable)

 

With your explicit consent, we may send you emails about our store, new products and other updates, when you supply us with your name and email address on our pop-up form, on the form on our newsletter page, or if you consent at checkout when making a purchase. In each case, we ask for your explicit consent to do so by asking you to tick the box to give your consent, and encouraging you to read our privacy policy to understand how this data will be used, as well as your personal data rights.

 

The personal data you supply on this form will be stored and processed by our email provider, Mailer Lite, in order to fulfil our marketing. Under the GDPR, we are allowed to use your personal data in this way due to the lawful basis of your consent, by ticking the consent box when you sign up and the opt-in double confirmation email.

 

You will also be able to give permission for us to send you more targeted and personalised emails through customer profiling/segmentation and customised online advertising. You can opt-out of these at any time.

 

Other

 

Sometimes we will share your personal data with apps in order to improve the website service and experience. As such, your information may be shared with our Judge Me app (developed by Shopify) in order to allow you to let us know what you think of our products and service. Under the GDPR, our lawful basis for using your data in this way is our legitimate business interest.

 

From time to time we may also use Survey Monkey to help us gain insight into our customers and how they use our site. As such, we may ask for your personal data (name and email address) through Survey Monkey in order to identify responses. In such cases, this personal data will be processed and stored by Survey Monkey.

 

You will need to give consent for us to use this data in this way, if you choose to participate. Under the GDPR, our lawful basis for using your data in this way would be consent. In each case, you will be required to consent upon initiating participation of a survey, and not before. Your consent will be required for each individual survey.

 

HOW LONG WE HOLD YOUR PERSONAL DATA

 

For personal data collected, used and stored from purchases on the site, we will hold your personal data for 2 years from your last order date. After this time, it will be deleted as we presume you will not buy from us again.

 

For personal data collected, used and stored from your consent to email marketing purposes, we will hold your personal data for 1 year from the date of your last opened email, before removing it from our records. After this time, it will be deleted as we presume you are no longer interested in receiving further marketing information about our goods and services.

 

For personal data collected, used and stored from cookies on the site, we will hold this personal data for 26 months, in order to help us analyse site performance, site issues and potential development areas to help improve the site.

 

For personal data stored in Xero and our accounts, we will hold this personal data for 7 years, in order to allow us to supply statutory accounts for HMRC.

 

For personal data collected, used and stored from Survey Monkey, we will hold your personal data for 2 years from the end of the survey, in order for us to analyse business performance and product development.

 

For personal data collected, used and stored in 123 Webmail (our email provider), we will hold your personal data for up to 1 year from the date of your email. After this time, it will be deleted as we presume your request will have been completed and any issues fully dealt with.

 

 

YOUR PERSONAL DATA RIGHTS

 

In the EU, you should know that your personal data rights are protected under law. These include rights as specified in the General Data Protection Regulation, which are the right for your personal data to be accessed, corrected or changed, and erased.

 

To learn more about your rights under GDPR, visit the Information Commissioners Office website.

 

CHANGING YOUR PERSONAL DATA

 

Under the GDPR, you have the right to correct or change the personal data we hold on you at any time. If you would like to do so, please send us an email at info@mysewingbox.co.ukor write to us at My Sewing Box, Unit 9 Silver Business Park, Airfield Way, Christchurch, BH23 3TA.

 

RIGHT TO BE FORGOTTEN

 

Under the GDPR, you also have the right for your personal data to be removed or ‘forgotten’. If you would like the personal data we hold on you to be erased, please send us an email at info@mysewingbox.co.ukor write to us at My Sewing Box, Unit 9 Silver Business Park, Airfield Way, Christchurch, BH23 3TA.

 

 

SECTION 2 - CONSENT

 

How do you get my consent?

 

To consent to our email marketing, you must fill in the form, tick the box to say you give permission, and click submit to make it clear that we have your explicit consent to be contacted by the email address and name you provide. This may be done on either through our email pop-up, the form on our newsletter page or during check out.

 

When signing up to our email marketing, you can also choose whether to give your consent for us to use your data for customised advertising and customer profiling – by consenting to these, you allow us to give you more personalised content that we think you will like.

 

If we want to use, share or collect any of your personal data for any other reason, we will contact you first to explicitly ask for it, and wait for your permission or rejection of consent before doing so.

 

We also require your consent to use cookies on our site – to give your consent, please accept the banner when you land on the site and your preference will be remembered. You can opt-out at any time.

 

How do I withdraw my consent?

If you change your mind, you may withdraw your consent for us to use, share or contact you for the continued collection, use or disclosure of your information, at any time, by contacting us at info@mysewingbox.co.uk or mailing us at:

My Sewing Box

Unit 9 Silver Business Park, Airfield Way, Christchurch, BH23 3TA

 

You can also use the unsubscribe link at the bottom of every email we have sent you.

Please allow up to 28 days for this change to take effect.

 

To opt-out of cookies, simply use decline button in the banner on site to switch them off.

 

SECTION 3 - DISCLOSURE

 

We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service.  Under the GDPR, our lawful basis for doing so would be a legitimate interest for security or criminal concerns, and we may disclose your personal data to the authorities (such as the police), in order for them to investigate further and ensure no crime is committed.

 

Subject Access Requests

You may ask to access the personal data we hold on you at any time. To do so, simply email us at info@mysewingbox.co.ukor write to us at My Sewing Box

Unit 9 Silver Business Park, Airfield Way, Christchurch, BH23 3TA.

 

Please allow one month for us to complete your request.

 

Data Portability

Upon receiving your request, we will supply you with the data you have requested to access in an easily readable format, such as a Word document or physical letter.

 

SECTION 4 - SHOPIFY

 

Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.

Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.

 

Payment:

If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.

All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.

PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.

For more insight, you may also want to read Shopify’s Terms of Service here or Privacy Statement here.

 

SECTION 5 - THIRD-PARTY SERVICES

 

In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us. 

However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.

For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers. 

In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.

As an example, if you are located in Canada and your transaction is processed by a payment gateway located in the United States, then your personal information used in completing that transaction may be subject to disclosure under United States legislation, including the Patriot Act.

Once you leave our store’s website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service.

 

All of our suppliers and service providers agree to terms set out in this Privacy Policy and are GDPR compliant.

 

Links

When you click on links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.

 

SECTION 6 - SECURITY

 

To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.

 

If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with a AES-256 encryption.  Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry standards.

 

Additionally, personal data sent collected and stored by Shopify through us, may be sent to networks in Canada/the USA. We have ensured that the relevant Privacy Shield or Binding Corporate Rules documentation is attained by any company we send your data to outside of the EEA, to ensure the highest standards of data security and to comply with GDPR rules on data security.

 

If a breach of data is discovered, you will be notified immediately of any data breach and risk to your personal data. This is also the case for any supplier that we may share your personal data with.

 

SECTION 7 – COOKIES

 

What are cookies?

 

A cookie is a small amount of information that’s downloaded to your computer or device when you visit certain websites. We use a number of different cookies on the website, including strictly necessary, performance, advertising, and social media or content cookies. Cookies make your browsing experience better by allowing the website to remember your actions and preferences (such as login and region selection). This means you don’t have to re-enter this information each time you return to the site or browse from one page to another. Cookies also provide information on how people use the website, for instance whether it’s their first time visiting or if they are a frequent visitor.

 

Here is a list of cookies that we use. We’ve listed them here so you that you can choose if you want to opt-in to cookies or not.

 

Shopify – Essential cookies

Some cookies are essential for our site to run properly, such as remembering what is in your basket and performing checkout. These are as follows, with a description of their function:

 

_ab                             Used in connection with access to adminshop has a password, this is used to determine if the current visitor has access.

 

_orig_referrer                       Used in connection with shopping cart.

 

_secure_session_id            Used in connection with navigation through a storefront.

 

Cart                             Used in connection with shopping cart.

 

cart_sig                      Used in connection with checkout.

 

cart_ts                                    Used in connection with checkout.

 

checkout_token        Used in connection with checkout.

 

Secret                        Used in connection with checkout.

 

Secure_customer_sig          Used in connection with customer login.

 

storefront_digest     Used in connection with customer login.

 

Shopify Non-Essential Cookies

We use non-essential cookies for things like analytics and reporting, to help us analyse the site usage and make improvements to help better your experience of the site. These are as follows, with a description of their function:

 

_landing_page                                 Track landing pages.

 

_orig_referrer                                   Track landing pages.

 

_s                                            Shopify analytics.

 

_shopify_fs                           Shopify analytics.

 

_shopify_s                             Shopify analytics.

 

_shopify_sa_p                                  Shopify analytics relating to marketing & referrals.

 

_shopify_sa_t                                   Shopify analytics relating to marketing & referrals.

 

_shopify_uniq                                  Shopify analytics.

 

_shopify_visit                                   Shopify analytics.

 

_shopify_y                             Shopify analytics.

 

_y                                            Shopify analytics.

 

tracked_start_checkout      Shopify analytics relating to checkout.

 

Additionally, we use pixels and tags from the following third parties, which may in turn place cookies:

 

 

Third party non-essential cookies

We also use third party cookies for a range of different purposes – please see below to find out more about what cookies we use and what they do.

 

Reporting & Analytics

 

Google Analytics                  We use Google Analytics to help measure how users interact with our websites.

 

Advertising

 

Facebook Pixel                     We use the Facebook pixel, and any cookies it places for this, to help us deliver and measure targeted advertising   

 

Social media & content

 

Facebook Connect               We use Facebook Connect to allow visitors to our website to interact with and share content via Facebook’s social media platform.

 

Pinterest                                We use Pinterest to allow visitors to our website to interact with and share content via Pinterest’s social media platform.

 

Youtube                                 We use Youtube to allow visitors to our website to interact with and share content via Youtube’s social media platform.

 

Cookie Duration

 

The length of time that a cookie remains on your computer or mobile device

depends on whether it is a “persistent” or “session” cookie. Session cookies last until

you stop browsing and persistent cookies last until they expire or are deleted. Most

of the cookies we use are persistent and will expire between 30 minutes and two

years from the date they are downloaded to your device.

 

Opting in and out of cookies

 

You can opt in, and opt out, of non-essential cookies at any time during your visit on our website – simply use the cookies banner to adjust your preference settings.

 

You can control and manage cookies in various ways. Please keep in mind that removing or blocking cookies can negatively impact your user experience and parts of our website may no longer be fully accessible.

 

Most browsers automatically accept cookies, but you can choose whether or not to accept cookies through your browser controls, often found in your browser’s “Tools” or “Preferences” menu. For more information on how to modify your browser settings or how to block, manage or filter cookies can be found in your browser’s help file or through such sites as: www.allaboutcookies.org.

 

Many of the third party advertising and other tracking services listed above offer you the opportunity to opt out of their tracking systems. You can read more about the information they collect and how to opt out through their privacy policy.

 

SECTION 8 - AGE OF CONSENT

 

 By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site.

 

SECTION 9 - CHANGES TO THIS PRIVACY POLICY

 

We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.

If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.

 

 

QUESTIONS AND CONTACT INFORMATION

 

If you would like to: access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information contact our Data Protection Officer Amy Gilbert at info@mysewingbox.co.uk or by mail at

My Sewing Box

[Re: Data Protection Officer] 

Unit 9, Silver Business Park, Airfield Way, Christchurch, BH23 3TA.

----