Short version: In compliance with EU GDPR law and citizens' right to privacy, I do not collect, hold or process any personal data except in the following cases:
* To communicate with you about your order
* To make and send out your order (shipping and billing address)
* For legal requirements, such as tax records (country of sale, sale amount, taxes)
The only personal info I maintain digital records of is my Mailing List - for the sole purposes of newsletters, product information and news.
I do not pass on, sell or share this data with any other party except the site that runs the infrastructure.
(My mailing list is run by a third party company called MailChimp).
This is an entirely opt-in choice, i.e. with the consent of the customer explicitly signing up for it via a form.
I do not auto-add people who buy from me, or without their express permission in writing.
You can ask to be removed from it at any time (withdrawing consent to be contacted).
Please let me know via my Contact form.
Security - it may occasionally be necessary to use personal data provided with your order to fulfill necessary anti-fraud checks. This information may be disclosed to a credit reference or fraud prevention agency, which may keep a record of that information. This is done only to confirm identity for security purposes.
Third party websites - This site contains links to and from other websites. If you follow a link to any of these websites, please note that they have their own privacy policies and we do not accept any liability for these policies.
+ + +
Concerning Digital Records (the long, legal bit)
- But since I do not currently maintain ANY separate digital records that contain personally identifiable data on my clients, or download records from my sales channels to be stored anywhere separately, the bulk of GDPR regulatory concerns do not apply to my business.
The only places this info is stored are on the 3rd party infrastructure of whichever website the sale occurred on - Etsy, Amazon, eBay etc - for the purposes of fulfilling your order. These sites all have their own Privacy Policies governing this data.
My own website herissonrose.com is hosted by a British company, and so falls within the jurisdiction of GDPR.
My WEBSITE is protected by an SSL certificate, and the credit card processing information is handled by a large global Payment Processor also based in Europe and therefore subject to GDPR regulations.
- I have no access to, or records of sensitive payment information beyond sales figures, payment type, delivery address and client contact details.
The Policy also does not apply to the practices of third parties and other websites accessible via external links from this site.
1) Information I collect and why:
Personal information supplied at point of sale is only shared with:
- Postal Services, for purposes of fulfilling your order.
- The legal requirement to complete International Customs Declarations and Import forms correctly.
- Tracked mail requirements to additionally include the customer's contact email address and/or a phone number in case of delivery issues
- Compliance with Tax, Legal and Fraud prevention purposes - if asked to supply this info by government bodies, or for credit checks, police investigation, or fraud prevention enquiries.
- Mailchimp - my Mailing list is explicitly OPT IN by the choice and affirmative action of the customer (via sign up form), and can be opted out of at any time as per your rights under GDPR - please get in contact if you wish to unsubscribe or have your info deleted.
2) I do not currently download, store, or transcribe personally identifiable customer data in any digital form, so the legal requirement to describe how and where and for how long it is stored is a moot point.
a) I do not use shipping labels (as currently not available in my country), and so transcribe relevant address and order info direct to envelope from the sales screen by hand.
It is not downloaded, uploaded, or stored anywhere except in the sales records on the servers of my webhost, nor passed on to any third parties digitally by myself, apart from the exceptions noted in paragraph (1) above.
b) As an auto-Entrepreneur microbusiness, with TURNOVER below the 83,000 eur threshold of VAT, I am obliged to submit gross sales figures quarterly.
- for which I only record the item(s) sold, gross price, any deductions, postage, and the destination country for tax purposes.
- No address, email, or personal info is contained in my digital records, which are hand transcribed and not downloaded or stored by myself in any digital format.
(Since I run a number of shops on various platforms, and all have wildly different and not always compatible formats - this method is easier for book-keeping and I have no plans to change this in the future)
c) The only places customer info is stored are on the 3rd party infrastructure of the website where the sale occurred, for the purposes of fulfilling your order.
I do not run any adware, trackers, or 3rd party applications on my website apart from Google Analytics for the purposes of business insight (which items are popular? which are not? so I can figure out why, and improve them).
Google Analytics is currently being altered to align with GDPR privacy requirements - currently I have it set up to wipe all collected data after a year.
3) Based on GDPR law, customers have a number of rights pertaining to their personal information and its use.
- ACCESS - You may have the right to access and receive a copy of the info I hold about you, by contacting me at the address below.
- CHANGE, RESTRICT, DELETE - You may also have rights to change, restrict my use of, or delete your personal information (Absent exceptional circumstances such as where I am required to keep data for legal reasons)
I will delete your personal info on request (although as stated above, I DO NOT actually record it anywhere separately, and have no control over what third parties like Payment Processors, legal bodies, or external websites like Amazon and their associates keep in their records - if for example you choose to buy my product from one of those sites instead), as this is governed by their own Privacy Policies.
- OBJECT - You can object to:
i) my processing some of your info based on my legitimate interests, and:
ii) receiving marketing messages from me after providing your express consent to receive them.
(In plain English: Marketing Lists. Companies now need your explicit consent to be added to one, and to be sent marketing emails.
It also means that you can ask to be removed from a Mailing list you already agreed to be on at any time - and on receiving such a request, the manager of the list legally has to delete your contact info and stop sending you marketing emails.)
iii) In such cases, I will delete your personal info unless I have compelling and legitimate grounds to continue using that information (see above - fulfilling the order, taxes etc), or if it is needed for legal reasons.
- COMPLAIN - If you reside in the EU and wish to raise a concern about my use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local Data Protection Authority.
4) How to Contact Me:
For the purposes of EU Data Protection Law, I, Carina H, am the data controller of your personal information provided to me.
If you have any questions or concerns, please contact me via the "Contact" button, or herissonrosedesign [at!] gmail [ dot!] com
Interesting read: EU GDPR site
- The Law
(Either as an EU citizen, or doing business with companies/customers based in the EU)