Concerning Digital Records

This privacy Policy is a legal requirement detailing how I collect, store and share information when you purchase, contact, or use my services on Etsy.com :

- But since I do not currently maintain ANY separate digital records that contain personal identifiable data on my clients, or download records from my sales channels to be stored anywhere separately, the bulk of GDPR regulatory concerns do not apply to my business.

The Policy also does not apply to the practices of third Parties that I do not own or control, including Etsy and any third party services you access through Etsy.

Etsy has their own Privacy Policy governing the use of this data.

1) Information I collect and why: Personal information supplied at point of sale is only shared with:

- Postal Services, for purposes of fulfilling your order.

- Etsy - as necessary to comply with Etsy's Terms of Use and Seller Policy requirements.

- The legal requirement to complete International Customs Declarations and Import forms correctly.

- Tracked mail requirements to additionally include the customer's contact email address and/or a phone number in case of delivery issues

- Compliance with Tax, Legal and Fraud prevention purposes - if asked to supply this info by government bodies, or for credit checks, police investigation, or fraud prevention enquiries.

2) I do not currently download, store, or transcribe personally identifiable customer data in any digital form, so the legal requirement to decribe how and where and for how long it is stored is a moot point.

a) I do not use shipping labels (as currently not available in my country), and so transcribe relevant address and order info from the sales screen by hand.

It is not downloaded, uploaded, stored anywhere except on the servers of Etsy, or passed on to third parties by myself.

b) As an Auto-Entrepreneur microbusiness, with TURNOVER below the 83,000 eur threshold of VAT, I am obliged to submit gross sales figures quarterly.

- for which I only record the item(s) sold, gross price, any deductions, postage, and the destination country for tax purposes.

- No address, email, or personal info is contained in my digital records, which are hand transcribed and not downloaded or stored by myself in any digital format.

(since I run a number of shops on various platforms, and all have wildly different formats - this method is easier for book-keeping and I have no plans to change this in the future)

c) The only places customer info is stored is on the 3rd party infrastructure of the website where the sale occurred (Etsy), for the purposes of fulfilling your order. Etsy has their own Privacy Policies governing their use of this data since is is stored on their servers and handled by their Payment Processors

- I have no access to, or records of, sensitive customer payment information beyond sales figures, payment type, order delivery address and necessary client contact details to fulfil orders.

I do not run any adware, trackers, or 3rd party applications on my website apart from Google Analytics for the purposes of business insight.

Google Analytics is currently being altered to align with GDPR privacy requirements - currently I have it set up to wipe all collected data after a year.

3) Based on GDPR Law, customers have a number of rights pertaining to their personal information and it's use.

- ACCESS: You may have the right to access and receive a copy of the info I hold about you, by contacting me at the address below.

- CHANGE, RESTRICT, DELETE - You may also have rights to change, restrict my use of, or delete your personal information (Absent exceptional circumstances such as where I am required to keep data for legal reasons)

I will generally delete your personal info on request (although as stated above, I DO NOT actually record it anywhere seperately, and have no control over what third parties like Etsy and their associates keep in their records, or for how long, as this is governed by their own Privacy Policies)

- OBJECT. You can object to:

i) my processing some of your info based on my legitimate interests, and

ii) receiving marketing messages from me after providing your express consent to receive them.

(In plain English: Marketing Lists. I don't run one from Etsy, and folks that do now need your explicit consent to be added to one, and to be sent marketing emails.

It also means that you can ask to be removed from a Mailing list you already agreed to be on at any time - and on receiving such a request, the manager of the list legally has to delete your contact info and stop sending you marketing emails.

iii) In such cases, I will delete your personal info unless I have compelling and legitimate grounds to continue using that information (see above - fulfilling the order, taxes etc), or if it is needed for legal reasons.

- COMPLAIN. If you reside in the EU and wish to raise a concern about my use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local Data Protection Authority.

How to Contact Me:

For the Purposes of EU data Protection Law, I Carina H, am the data Controller of your Personal Information provided to me. If you have any questions or concerns, please contact me via the "Contact" button, or herissonrosedesign [at!] gmail [ dot!] com 

Interesting read: EU GDPR site

- The Law

-Your rights

(Either as an EU citizen, or doing business with companies/customers based in the EU)