Privacy & Cookies Policy


Privacy Statement:

This privacy policy sets out how Red17 uses and protects any information that you provide when you use this website.

Red17 is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement. We may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes.

For our full General Data Protection Regulation (GDPR) Policy click here: Red17 GDPR Policy.



Secure Shopping

At Red17, the security of your personal details when ordering with us is paramount. Our website shopping cart ordering system is hosted on a secure server which uses industry-approved SSL (Secure Sockets Layer) encryption security, which encompasses the highest level of data protection available. You might also want to read our Privacy Statement below.



Secure Checkout with WorldPay

We work with the UK's leading payment gateway provider, WorldPay, to process your credit and debit card transactions. No card information is held on our site. All payment is handled and processed by WorldPay. To learn more about WorldPay's procedures and security protocols visit our WorldPay Information Page.



Secure Checkout with PayPal

We want to make the payment process as simple and secure as possible. That is why we have teamed up with PayPal, one of the safest and fastest ways to pay for your goods in the UK. PayPal offers you an extra payment option, ensuring you have access to your preferred payment method.





General Data Protection Policy (GDPR)



What is GDPR?

The General Data Protection Regulation (GDPR) will come into effect on 25th May 2018. This new regulation, imposed by the European Union, aims to enforce new rules relating to data privacy. European individuals will benefit from stricter guidelines on how their data is collected and managed by organisations. As a result, any organisation wishing to deal with European users must comply with the GDPR.



More Information:
For full guidelines to General Data Protection Regulation (GDPR) visit: Information Commissioner's Office



Data Protection law will change on 25 May 2018

This Privacy Notice sets out your rights under the new laws.



Who are we?

Red17 manufacture and retail sign, print and display products and are based in the UK. Red17 have a registered office at: Red17 Limited, Building 31-32, BKS, High Street, Wellingborough, Northamptonshire, NN8 4HL and company number 06036613.



How the law protects you

Data protection laws state that we are only able to process personal data if we have valid reasons to do so. The basis for processing your personal data includes, but is not limited to, your consent, performance of a contract, to enable billing and remittance, and to contact you for customer service purposes.



How do we collect personal data from you?

We receive information about you when you use our website, complete forms on our website, or contact us by phone, email, live-chat or otherwise in respect of any of our products and services or during the purchasing of any such product. We also collect information from you when you sign up, enter a competition, promotion or survey or when you inform us of any other matter.

If you provide us with personal data about a third party (for example when registering a domain on their behalf), you warrant that you have obtained the express consent from the third party for the disclosure and use of their personal data.

Your personal data may be automatically collected when you use our services, including but not limited to, your IP address, device-specific information, server logs, device event information, location information and unique application numbers.



Personal data and security statement

  1. We are committed to engendering a culture of accountability, integrity and confidentiality in all aspects of the organisation in regard to personal data and security. Our ultimate aim is to align every member of staff to these values such that they may be ambassadors of best practice data processing.  We seek to achieve this by inducting new starters into our security practices and to maintain engagement and commitment to these values through transparent communication, providing regular training to staff and embedding privacy into our practices.
  2. As an employer we process a significant amount of personal data about our staff. The type of information we require includes: nationality, date of birth, contact details and medical information. The grounds upon which this information is required will include legal and contractual obligations such as: demonstrating right to work checks, meeting statutory payment conditions and corresponding with individuals in respect of their employment.
  3. Please refer to the section ‘Roles and responsibilities’ for the details of the Controller. For a list of your rights as a data subject, please refer to the section ‘The rights of data subjects’.


Principles

  1. All persons who process personal data with our permission must endorse and adhere to these principles at all times and especially when they obtain, handle, process, transfer, store or erase personal data.
  2. The six fundamental principles of personal data processing are as follows:
    Fairness, lawfulness and transparency
    All personal data must be processed fairly, lawfully and transparently.
    Purpose limitation
    All personal data must be collected for specified, explicit and legitimate purposes and shall not be further processed in any manner that is incompatible with those purposes.
    Minimisation
    All personal data must be adequate, relevant and limited to what is necessary for the purpose for which they are processed.
    Accuracy
    All personal data must be accurate and where necessary, kept up to date with regards to the purposes. Every reasonable step to rectify or erase inaccurate personal data must be taken without delay.
    Storage limitation
    No personal data should ever be kept in a form which permits identification of a data subject for longer than is necessary to achieve the purpose.
    Integrity and confidentiality
    All personal data must be processed in a manner that ensures appropriate security of the personal data. At the very least, it must always be protected against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical and organisational measures.
  3. The data controller is ultimately accountable for each of these principles and is obliged by law to be able to demonstrate compliance at all times. It is for this reason that everyone in the organisation is required to take responsibility for their own strict adherence to these principles.
  4. This policy is not contractual as it may be subject to change. However, it does indicate how we intend to meet our legal responsibilities for data protection. Therefore, any actionable points within it must be regarded as a legitimate management instruction. Explicit permission must always be sought and evidenced from a line manager before conducting yourself in a manner that varies from this policy. Failure to do so may result in disciplinary action.
  5. Any additions or revisions to this policy will be communicated to staff where appropriate. We will notify data subjects of any changes that apply to them where appropriate, personally and in writing.


Extent

  1. As a UK established organisation, this policy applies to all processing of personal data regardless of where in the world that processing, or any processing outsourced by us may take place.
  2. This is an internal policy and it applies to all employees, workers and any other internal persons who may have responsibility for or a vested interest in the operations of the organisation.
  3. The document may be shared with third parties, contractors and other self-employed persons who will be asked to comply with the policy. Where the organisation does undertake the services of a third party, that party will be required to make adequate assurances to the data controller and/or processor that their own processing is compliant with current applicable data protection laws.
  4. The policy applies to all data processes in general but particularly to all activities relating to the acquisition, recording, processing, sharing, storing and removal of personal data. In respect of carrying out general business activities and for illustrative purposes only, such processes include but are not limited to: the collection of marketing data, recruitment activities, collection of client information.


Collecting data

  1. Transparency principle
    Anyone acting on behalf of the company is expressly required to make sure that any information they provide to a data subject or supervisory authority is done so in a manner that is: concise, transparent, intelligible, uses clear and plain language and is provided in an easily accessible form.
  2. Collecting personal data from the subject
    If during the course of your employment you are required to collect personal data, you must ensure that the data subject is advised or made aware of each of the following:
    – The identity and contact details of the controller
    – The purposes and legal basis of the processing
    – If the legal basis is the Company’s legitimate interest, the interest must be detailed
    – The recipients or categories of recipients of the personal data, if any
    – Whether there is an intention to transfer personal data outside the European Economic Area and if so, whether an adequacy decision by the European Commission exists in relation to the transfer, or alternatively reference to the appropriate or suitable safeguards relied upon by the Company and how these can be obtained
    To ensure fair and transparent processing, the following information must also be provided to the data subject:
    – The length of time the personal data will be stored for or the criteria used to determine the length of time it will be stored for.
    – Details of their rights (see section 16).
  3. Collecting personal data from a source other than the subject
    When information of this nature is collected, the subject must be provided with all the information in the above clause as well as the information below. This should be provided at the time it is obtained, in concise and plain language:
    – The categories of the personal data collected
    – The source of the data (and whether it was publicly available)
    In these circumstances, the information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month. However, if the data shall be used to communicate with the subject, then the information must have been provided by the first communication. If it shall be disclosed to another party, then the information must have been provided by the first disclosure.
  4. Privacy and fair processing notices
    The Company uses privacy notices to convey the information listed in the sections above at the point of data collection.
  5. The purpose changes
    If the original purpose for which the data was collected changes, then the data subject must be informed of the new purpose. They must also be informed of any changes to the information already provided under the points in this section.
  6. Multiple controllers
    In a situation where the Company should act jointly with other organisations as a controller, then respective responsibilities will be clearly laid out between the parties.


Collecting data; purpose

  1. We collect, store and process information relating to individuals (personal data) whilst carrying out our business activities. This document is necessary to help ensure compliance with our legal obligations in respect of data processing.
  2. It is also intended to be a key tool toward demonstrating compliance measures to regulators and may be regarded by them as a top layer document and therefore comprises part of our layered approach to documenting practices in this area.
  3. Through this policy and other practices, the organisation aims to create and operate a culture of openness in respect of data processing.


What type of data do we collect from you?

The personal data that we may collect from you includes your name, address, email address, phone numbers, payment information and IP addresses. We may also keep details of your visits to our site including, but not limited to traffic data, location data, weblogs and other communication data. We also retain records of your queries and correspondence, in the event you contact us.



How do we use your data?

We use information about you in the following ways:

  • To process orders that you have submitted to us;
  • To provide you with products and services;
  • To comply with our contractual obligations we have with you;
  • To help us identify you and any accounts you hold with us;
  • To enable us to review, develop and improve the website and services;
  • To provide customer care, including responding to your requests if you contact us with a query;
  • To administer accounts, process payments and keep track of billing and payments;
  • To detect fraud and to make sure what you have told us is correct;
  • To carry out marketing and statistical analysis;
  • To review job applications;
  • To notify you about changes to our website and services;
  • To provide you with information about products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes; and
  • To inform you of service and price changes.


Data processing conditions

  1. Under data protection legislation the processing of personal data is prohibited unless there is a legitimate legal basis upon which the data is being processed. There are six potential legal bases for processing.
    All persons authorising the processing of personal data must be assured that at least one of the following bases applies:

  2. Legal bases for personal data processing
  3. Consent
    The data subject must have given consent for specific purposes and be given the option to withdraw consent at any time. Lawful consent may only be obtained if prescribed conditions set out by data protection laws have been met. Consent must always be explicit and may not be implied.
  4. Contract
    The processing must be necessary to enter in to or adhere to a contract which the data subject is party to. For example, to enter into a contract of employment or when a product or service is purchased by the data subject and personal data is required to provide or perform it.
  5. Legal obligation
    The processing must be necessary to comply with a legal obligation that you are bound to. For example, tax obligations, evidencing the right to work or to ensure compliance with the Working Time Directive etc. Legal obligations imposed by a country outside of the EU may not be justified under this legal basis.
  6. Vital interests
    The processing is necessary to protect vital interests of the data subject. For example, subjects who are unable to make decisions in the best interests of their health.
  7. Public interest
    The processing is necessary to perform a task either in the public interest or under instruction from an official authority or regulatory body. This must be sufficient to reasonably override the interests and rights of the data subjects concerned. It may be used for the defence of a legal claim.
  8. Legitimate interest
    The processing must be necessary to pursue a legitimate interest, except where it is overridden by fundamental rights and freedoms of the data subject. (This is not applicable to public authorities.) It is likely to be appropriate where people’s data is used in a way in which they may reasonably expect, with minimum impact to their privacy, or where there is a compelling justification for the processing.

  9. Special category data
  10. The processing of special category or ‘sensitive data’ is strictly prohibited under UK and EU data protection laws. There are limited circumstances in which it is permissible to process special category data. If any of the conditions are met, then all other conditions and protections afforded to regular personal data will also apply. Some provisions, including security, should be imposed more strictly. Conditions under which special category data may be processed are:
  11. The data subject has given explicit consent to the processing of personal data for one or more specified purposes, and there is no overriding legal prohibition.
  12. Processing is necessary to carry out obligations and specific rights of the controller or of the data subject in the field of employment, social security and social protection law. Appropriate safeguards are imperative.
  13. Processing is necessary to protect the vital interests of the data subject or of another person who is physically or legally incapable of giving consent. For example, in a medical emergency.
  14. Processing relates to personal data which are obviously made public by the data subject.
  15. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts make instructions to the Company when acting in their judicial capacity.
  16. Processing is necessary for reasons of substantial public interest, on the basis of data protection legislation. Advice from the relevant supervisory authority may need to be sought in advance to agree the appropriateness of this condition.
  17. Processing is necessary for the purposes of the assessment of the working capacity of the employee.

  18. Criminal convictions and offences
  19. Personal data of this nature shall be handled with a greater level of protection than that which may be adequate for the processing of standard personal data.
  20. The Company shall only process data of this nature where there is a legitimate requirement to do so, namely in respect of its duties as an employer. Where there is a legal obligation for the Company to review or record data of this nature an appropriate member of staff may seek to establish the required information from the employee, worker, self-employed person, contractor or any other third party. Examples of when this may be necessary include when the performance of a duty requires a criminal record check.

  21. Processing which does not require identification
  22. When processing information, if you can remove all personal data which identifies the data subject, then you will no longer be required to adhere to the conditions for processing detailed in this policy.
  23. If a data subject becomes identifiable then the conditions for processing will apply.


Policy definitions

  1. Data
    Information which is processed or is intended to form part of a filing system. This applies to electronic or hard copy formats.
  2. Data subject
    An identified or identifiable, natural, legal person.
  3. Data Protection Impact Assessments
    A Data Protection Impact Assessment (DPIA) is also known as a Privacy Impact Assessment (PIA). It is a method which may be used to ensure privacy by design by conducting a prescribed risk assessment on data processes and making necessary adaptations, thereby implementing appropriate safeguarding measures. A DPIA is made mandatory by law in certain circumstances.
  4. Data protection legislation
    All privacy laws applicable to any Personal Data processed under or in connection with this Agreement, including, without limitation, the UK Data Protection Act 1998, the Data Protection Directive 95/46/EC (as the same may be superseded by the General Data Protection Regulation 2016/679 (known as “GDPR”)), the Privacy and Electronic Communication Directive 2002/58/EC and all national legislation implementing or supplementing the foregoing and all associated codes of practice and other guidance issued by any applicable Data Protection Authority, all as amended, re-enacted and/or replaced and in force from time to time.
  5. Personal data (personal information)
    Any ‘data’ relating to a ‘data subject’ who can be directly or indirectly identified by reference to a piece of data. This includes a name, identification number, location data or online identifier.  It may be an identifier that relates to physical, physiological, genetic, mental, economic, cultural or social identity. It may also apply to data that has been pseudonymised. The nature of the definition of data and personal data means that the expression of opinion or view about a data subject may also be regarded as personal data.
  6. Special category data (sensitive data)
    This is also more commonly referred to as ‘sensitive data’. In essence this is any data that has the potential to be used to discriminate against a natural person. It includes: racial, ethnic, political opinion, religious or philosophical belief, trade union membership, genetic, biometric data, sex life or sexual orientation data. It does not include information pertaining to criminal convictions however, such information must be treated with a higher level of security than generic personal data.
  7. Privacy by design
    Privacy by design is the concept of ensuring that security, confidentiality and integrity of personal data is prioritised within the heart of the methods used for processing the data.
  8. Processing
    Any activity which is performed on personal data whether or not this is manual or automated, such as: recording, organising, structuring, storing, updating, retrieving, disclosing or erasing. Examples may include; sorting e-mail addresses into categories for marketing campaigns, recording absences from work, monitoring vehicle tracking etc.
  9. Pseudonymise
    To adapt how personal data is processed and presented such that the data cannot be attributed to a specific data subject, without additional personal data. The additional personal information must be kept separately and securely using appropriate technical and organisational measures.
  10. Recipient
    A natural person or organisation to whom personal data is disclosed or made available. A recipient is not necessarily a third party with whom the Company has professional dealings.


Roles and responsibilities

    Data Controller
  1. The Company’s Data Controller is the Digital Director. Their direct contact details may be provided on request.
  2. The role
    The Data Controller is the key decision maker in respect of why and how personal data is used and handled. The Data Controller will ensure that, both in the planning and implementation phases of processing activities, data protection principles and appropriate safeguards are addressed and implemented and that records of processing activity are kept.
  3. Overview of responsibilities
    – To be ultimately accountable for the Company’s compliance with the six principles (see section ‘Principles’).
    – To be able to demonstrate compliance with the six principles and therefore the proper handling and processing of all personal data. This will include information about the various data protection management resources that have been put into place and take the primary responsibility for the internal data protection framework.
    – To implement appropriate technical and organisational measures to ensure processing is performed in accordance with data protection laws. These measures will take into account the nature, scope, context and purposes of the data processing and the risks to the rights and freedoms of individuals.
    – To adopt measures to protect against any high levels of risk identified by a Privacy Impact Assessment, such as; discrimination, identity theft or significant legal, social or economic disadvantage.
    – To implement internal data protection policies; assign protection responsibilities and to ensure adequate training on data protection is provided and carried out by all staff.
    – To determine how data subjects may exercise their rights.

  4. Data Processor
  5. The role
    This role processes personal data on behalf of and further to documented instruction given by the Controller.
  6. Overview of responsibilities:
    – To take all measures required to ensure their own compliance with data protection legislation regarding security.
    – To make available all information necessary to demonstrate compliance with data protection legislation and to permit an audit should the Controller wish to further ensure compliance.
    – To assist the controller in compliance with its obligations under data protection legislation regarding: security of processing, assisting in meeting any rights exercised by a data subject (e.g. subject access request), notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, any necessary Data Protection Impact Assessments, and consultation with the supervisory authority about any processing that should be identified as being ‘high risk’.
    – To ensure that on instruction from the Controller, any personal data held on behalf of a client for whom we act as a processor, is deleted and returned to that client, unless we are prohibited by data protection legislation.
    – To immediately inform the Controller if it believes any instruction given by the Controller would be in breach of data protection legislation.
  7. Any processors are not permitted to appoint another processor without prior written agreement from the Company. Equally when we act as a processor we will not appoint another processor without written agreement of the Controller we act on behalf of.


Security of information

As a company we regularly review our approach to information security and stay up to date with developments in the field and emerging threats.  To secure the information we hold we are committed to allocating sufficient resources (including time and budget) to ensure that robust and high-quality tools and processes are implemented.

The Company takes all reasonable steps to protect and maintain the integrity, confidentiality and availability of personal data. For the purposes of this policy, organisational and technological security measures are in place to protect and secure against: accidental loss, damage, destruction, theft or unsanctioned disclosure, publication or transfer of personal data.

  1. Protection: All members of staff and any associated third parties are made aware of their responsibilities and are required to exercise and uphold every applicable security measure.
    Integrity: All members of staff and any associated third parties are made aware of their responsibilities and are required to securely update and maintain completeness of personal data.
  2. Confidentiality: All members of staff and any associated third parties are made aware of their responsibilities and are required to only access personal data which they are authorised to process. Those with authority to process personal data will only make personal data available to recipients (other colleagues, third parties etc) if those recipients are authorised to access or process the data.
  3. Availability: The Company has taken measures to prevent accidental and deliberate unauthorised access. This includes disaster recovery and business continuity arrangements. All members of staff, agency workers and any associated third parties are made aware of their responsibilities and are required to maintain the measures put in place by the Company to physically and virtually secure information. If they detect any threats to the continued availability of access to assets, systems and information they must report this to a line manager so that it may be escalated appropriately. Threats may include: damage to a computer or filing system, faulty locks, viruses or malware.
  4. This section is applicable to self-employed persons and contractors in so far as they will be asked to ensure compliance with these points and our security measures. In any event, they will be required to uphold obligations under applicable data protection laws at all times and without exception. Failure to do so will enable the Company to terminate the service agreement without notice and the incident may be reported to the relevant supervisory authority.


Data retention

We will keep your personal data for the duration of the period you are a customer of Red17. We shall retain your data only for as long as necessary in accordance with applicable laws.

On the closure of your account, we may keep your data for up to 7 years after you have cancelled your services with us. We may not be able to delete your data before this time due to our legal and/or accountancy obligations. We may also keep it for research or statistical purposes. We assure you that your personal data shall only be used for these purposes stated herein.



Default privacy

  1. The Company embeds data protection into the design of every system that uses personal data, so that it is protected throughout its entire lifecycle. To maintain this principle, all members of staff are required to:
  2. Ensure personal data is mapped, classified into either personal or special category data, labelled, stored and accessible so that it is easily found if need be (eg in the event of a subject access request, the need to remove the data or the need to update the data).
  3. Ensure our systems continue to function so that any personal data that is added may be deleted automatically (where appropriate).
  4. Ensure that any new documentation which collects personal data is drafted in such a way that no personal data is requested in excess of what is necessary to achieve the purpose.
  5. Ensure that a data subject is only identified for as long as necessary. This may include removing an identifier such as a name or date of birth.
  6. Ensure that any new system will process data in a format that is commonly used.


Reporting an incident or breach

  1. Serious breaches must be reported to the relevant supervisory authority within 72 hours of becoming aware of the breach. Therefore, all employees and workers must immediately report an incident that may potentially or actually put personal data at risk of a data breach. This is never more imperative than when it is suspected that there may be actual loss, theft, unauthorised disclosure or inappropriate use of personal data, either wholly or partly. In this event you must immediately refer to and follow the Company’s Breach and Incident Reporting Procedure.
  2. Where a third-party service provider notifies you of an incident that may affect the Company and its responsibilities, you must immediately report the incident. In this event you must immediately refer to and follow the Company’s Breach and Incident Reporting Procedure.


Data subject; rights

  1. The Company shall be diligent in providing data subjects information about their rights and in complying with any appropriate assertions of their rights.
  2. All reasonable efforts will be made to verify the identity of the data subject before carrying out any requests or disclosures of information made by them. These efforts may include the request for additional personal information if necessary.
  3. The following rights apply to all data subjects:
    – Right of transparent communication
    – Right of access
    – Right to rectification
    – Right to erasure (right to be forgotten)
    – Right to restriction of processing
    – Obligation to notify recipients
    – Right to data portability
    – Right to object
    – Right to not be subject to automatic decision making


Your rights

Preventing the use or processing of your personal data may delay or prevent us from fulfilling our contractual obligations to you. It may also mean that we shall be unable to provide our services or process the cancellation of your order.

You have the right to object to our use of your personal data, or ask us to delete, remove or stop using it if there is no need for us to keep it. This is known as your right to be forgotten. There are legal and accountancy reasons why we will need to keep your data, but please do inform us if you think we are retaining or using your personal data incorrectly.

You have the right to ask us not to process your personal data for marketing purposes. If you choose not to receive marketing communications from us about our products and services, you can opt out by ticking the relevant boxes situated on the pages either at checkout or in your account settings.

We will not contact you for marketing purposes unless you have given us your prior consent.



Access requests

    Making a request
  1. If you wish to make a subject access request to verify the lawfulness and accuracy of the personal data we hold about you, then you are encouraged to put your request in writing (letter or e-mail) and submit it to a member of the senior management team.
  2. Your request should be specific about the nature and the type of data you require.
  3. Every attempt will be made to comply with your request in a timely manner and without undue delay.
  4. Upon receipt of the information you are encouraged to check the accuracy of the information and to advise the Company of any updates that may need to be made.
  5. A fee will not be charged for an access request, except where a request is deemed to be ‘manifestly excessive’ or you have already been provided with the information.

    Receiving a request
  1. If you receive a request, you should pass it to a member of the senior management team immediately.
  2. Requests must be acknowledged upon receipt.
  3. Requests must be complied with in a timely manner and without undue delay. If it is anticipated that compliance with a request is not going to be immediate then the Controller should be notified and informed of the legitimate reasons for this. The information requested must be provided within one month of receipt of the request.
  4. If an extension to the timeline is absolutely necessary under exceptional circumstances, then any extension must be agreed by the data subject and signed off by the Controller within one month of the request. If an extension is agreed, then the information must be provided within a maximum of three months from the receipt of the request.
  5. If a request is received electronically (e.g. via e-mail) then the request must be responded to electronically.
  6. The data must be provided in a common format (e.g. a paper file, a PDF document etc.).
  7. Only personal data pertaining to the individual who made the request should be released.
  8. If there is any doubt over the identity of the individual making the access request, then reasonable steps must be taken to verify their identity, before complying with the request.
  9. When the personal data is provided, the individual must be informed of the right to lodge a complaint with the relevant supervisory authority and the existence of the right to objection, rectification, erasure and restriction of the data.
  10. The data subject may be directed to the relevant privacy/fair processing notice which will provide advice on the conditions for processing.


Management: general responsibilities

  1. All members of the senior management are responsible for championing and enforcing this policy to all other staff within the Company, whenever appropriate.
  2. Particular roles within senior management are responsible for assessing the business risk arising as a result of processing personal data. These roles include: Managing Director, Digital Director.
  3. Those members of senior management identified above are required to work with the Company to develop procedures and controls to identify and address risks appropriately.
  4. Responsibility will be allocated to individual roles for determining risk-based technical, physical and administrative safeguards including safeguards for equipment, facilities and locations where personal data is stored; establishing procedures and requirements for collecting, transporting, processing, storing, transferring (where appropriate) and destroying personal data. These considerations must also be given when dealing with any third parties who may be authorised or obligated to process personal data on behalf of the Company.


Employees guidance

We recognise that there are different areas in the organisation where members of staff may be responsible for processing personal data in different ways. We also recognise that responsibilities and nuances in processing are likely to vary across specialisms and levels of seniority.
The Company will provide guidance to staff when processing personal data specific to their job. This information shall include:

  • A description of the limitations which surround how personal data can be used.
  • The steps that must be followed to ensure that personal data is maintained accurately.
  • A comprehensive discussion of security obligations, including all reasonable steps that should be taken as a minimum to prevent unauthorised access or loss.
  • Confirmation of whether the transfer of personal data shall be permitted. Transfer of personal data is prohibited unless specific legitimate grounds have been established.
  • Specific information regarding the way in which personal data should be handled when it is destroyed or deleted.



Non-compliance

  1. This policy, along with associated documents, seeks to guide and instruct all members of staff on how to ensure compliance with data protection laws to which the Company is subject.
  2. If a member of staff should fail to comply with applicable data protection laws, they may subject the Company and themselves as individuals to civil and criminal penalties. This is likely to jeopardise the reputation of the Company and as a result may impact on the operational and performance capabilities of the business.
  3. As the ramifications of non-compliance are potentially severe, any failure to comply with this policy or reasonable instruction given in connection with the protection and security of personal data, may result in disciplinary action. Serious, deliberate or negligent transgressions may be regarded as gross misconduct and if substantiated, may result in summary dismissal (without notice).

    Third parties, contractors and self-employed persons
  1. If any self-employed person, contractor or third party is found to be failing to meet obligations under applicable data protection laws then notice may be served on the contract for service.
  2. Serious, deliberate or negligent transgressions may permit the Company to terminate the contract for service with immediate effect. In this event, all reasonable steps will be taken to recover and protect the personal data concerned and the relevant supervisory authority will be notified. Where the rights and freedoms of data subjects are likely to be at risk, the data subjects will be notified without delay.


Documents and policies:

The above list is not exhaustive.



Additional information

Any queries or comments about this policy, or any concerns that the policy has not been followed, should be addressed to the Digital Director.



Policy review date

Date last reviewed: 08/06/2022



Policy owner

This policy is owned and maintained by the Digital Director.



Your right to make a complaint

You have the right to make a complaint about how we process your personal data to the Information Commissioner:



https://ico.org.uk/concerns/
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF





Cookies Policy

Enable Cookies

What Are Cookies?

Cookies are short pieces of data that are sent to your computer when you visit a website. On later visits, this data is then returned to that website. Cookies allow us to recognize you automatically whenever you visit our site so that we can personalize your experience and provide you with better service.



Why Are They Required?

We use cookies for fraud prevention and website functionality. If your web browser is set to refuse cookies, you will not be able to complete a purchase, or take advantage of certain features such as adding items to your shopping cart or receiving personalized recommendations.

We strongly encourage you to configure your web browser to accept cookies.



Use of cookies

Our cookie policy is applicable to all our digital correspondence and throughout our website as well as informational documentation provided by ourselves or provided on our behalf.

We use cookies and similar services to track customers’ use of our website, analyse customer trends and obtain customer information.

You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of our site and you will not be able to carry out a transaction with us. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to our website.

We use cookies to collect specific types of information including:

  • the Internet domain and IP address from which you access the web site;
  • the type of browser (Internet Explorer or Netscape) and operating system (Windows, UNIX) you use;
  • the date and time of your visit;
  • the pages you visit; and
  • the address of the web site from which you linked to us (if applicable).

This is solely statistical data that enables us to analyse customer trends and does not identify personally identifiable information.

We work closely with third parties who may also supply us with analytical services. These third parties may provide us with analytical cookies for us to review.

For further information about cookies, you may like to visit what are cookies.

What we collect

We may collect the following information:

  • name
  • contact information including email address
  • demographic information such as postcode, preferences and interests
  • other information relevant to customer surveys and/or offers

For the exhaustive list of cookies we collect see the List of cookies we collect section.

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • Internal record keeping.
  • We may use the information to improve our products and services.
  • We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
  • From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests.

Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

You may choose to restrict the collection or use of your personal information in the following ways:

  • whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes
  • if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by letting us know using our Contact Us information

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.

You may request details of personal information which we hold about you under the Data Protection Act 1998. A small fee will be payable. If you would like a copy of the information held on you please email us this request using our Contact Us information.

If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.

List of cookies we collect

The table below lists the cookies we collect and what information they store.

| Cookie Name | Cookie Description |
|---|---|
| FORM_KEY | Stores randomly generated key used to prevent forged requests. |
| PHPSESSID | Your session ID on the server. |
| GUEST-VIEW | Allows guests to view and edit their orders. |
| PERSISTENT_SHOPPING_CART | A link to information about your cart and viewing history, if you have asked for this. |
| STF | Information on products you have emailed to friends. |
| STORE | The store view or language you have selected. |
| USER_ALLOWED_SAVE_COOKIE | Indicates whether a customer has allowed the use of cookies. |
| MAGE-CACHE-SESSID | Facilitates caching of content on the browser to make pages load faster. |
| MAGE-CACHE-STORAGE | Facilitates caching of content on the browser to make pages load faster. |
| MAGE-CACHE-STORAGE-SECTION-INVALIDATION | Facilitates caching of content on the browser to make pages load faster. |
| MAGE-CACHE-TIMEOUT | Facilitates caching of content on the browser to make pages load faster. |
| SECTION-DATA-IDS | Facilitates caching of content on the browser to make pages load faster. |
| PRIVATE_CONTENT_VERSION | Facilitates caching of content on the browser to make pages load faster. |
| X-MAGENTO-VARY | Facilitates caching of content on the server to make pages load faster. |
| MAGE-TRANSLATION-FILE-VERSION | Facilitates translation of content to other languages. |
| MAGE-TRANSLATION-STORAGE | Facilitates translation of content to other languages. |
| _fbp | Used by Facebook to deliver advertisement products. |
| SRCHUID | Used by Microsoft (Bing) to serve relevant advertisements to visitors across the Microsoft Bing network. |
| _ga | Used by Google Analytics to anonymously track the use of our website. |
| __gads | Used by Google Ads and Google Ad Manager for purposes of advertising. |

To find out more about how Google will use your personal data/cookies when you give consent on our site, click this link: Google’s Privacy & Terms.