Last updated 4th November 2018
This policy outlines how we collect and process your data, who we share it with, and what safeguards we have in place to ensure your privacy is protected. We collect data in a variety of ways: through your use of our website, communications you have with us, orders you place and so on. These interactions all result in data which we use exclusively to provide the best customer experience possible.
We strongly value your privacy and take our obligations seriously; we undertake all reasonable measures to ensure that your data is stored safely, and you can rest assured that it will only ever be used for its intended purpose. We are committed to being open and transparent about how we use your personal information, so if you do have any queries about this policy, or how we collect and store data, please don’t hesitate to get in touch with us.
Personal data, sometimes referred to as personal information, is considered to be any information which can be used to identify an individual.
Shop Indie is a trading name of Altered Chic, who are defined as the data controller and hold responsibility for the storage and use of your personal data. Shop Indie may also be referred to as “Altered Chic”, “we”, “us” or “our” in this policy document.
You are defined as the owner of your personal data. You may also be referred to as “customer” in this policy document.
Legitimate business process is defined as the circumstance under which we have the right to store and process your data. For example, if you place an order with us, we will store a record of your order on our website, we will print your invoice for inclusion in your order, and we will keep a copy of your order and payment notification for our accounts. These are legitimate business processes as we must carry them out to fulfil your order and meet our accounting obligations.
Data Protection Contact
Name: John O’Nions
Telephone: 01246 769941
Postal Address: 48 St Johns Road, Staveley, Chesterfield, Derbyshire, S43 3QW
Data We Collect About You
We collect personal data through your use of our website including orders you place and communications you may have with us. This is used for a variety of purposes including fulfilment of orders, development of the business, or marketing where you have given explicit consent.
Data which we store on a day-to-day basis include:
- Identity and communication-based information including your name, address, E-Mail address, and telephone number
- Limited financial data including billing name and address and E-Mail addresses associated with payment services. Note: all payments are made with third-party providers; we do not store or process information such as credit card details
- Invoices and quotes provided for bespoke orders
- Transaction details for accounting purposes
- Aggregated analytics data including your rough location, browser, time zone and so on. Note: we anonymise the IP address collected with Google Analytics, meaning that we cannot identify an individual’s browsing session
- Marketing and communications data including your contact details and details of when you opted in
We do not store or process any special category data such as race, ethnic origin, religious beliefs and so on.
Your data is obtained by us when you:
- Visit our website;
- Call, E-Mail or submit an enquiry through the contact or business logo enquiry form on our website;
- Subscribe to marketing, such as a newsletter;
- Request us to provide an estimate and/or design proof;
- Provide us with feedback;
How We Use Your Data
We will only ever use your data for legitimate business interests, or to comply with any legal or regulatory obligations that we may have. Examples of this include:
- Fulfilling an order placed with us;
- Contacting you if we have a query with your order;
- Responding to an enquiry you have placed via phone, E-Mail or contact form;
- Sending you marketing materials which you have explicitly consented to;
- Providing information to legal or regulatory bodies such as the HMRC or the ICO to comply with legal obligations;
You own your data, and you have certain rights under GDPR which we have outlined under the ‘Your Legal Rights & Our Responsibilities’ section. These have been enhanced to further your right to privacy and control over your personal data, as well as clarifying our rights to use it under fair processing.
The purposes for which we typically use your data are outlined in the table below:
|Activity||Data Stored/Processed||Legitimate basis for processing|
|Customer Registration||Name, telephone number, E-Mail and address||Creation of an account on our website to allow you to log in and see the status of orders placed, and to make future purchases easier|
|Order Placement||Name, telephone number, E-Mail address, billing and delivery address||Required for the fulfilment of your order with us, including contact details should we need to clarify anything about your order or provide details to a courier|
|Business development||Analytics and website usage statistics||Analysis of our website usage to determine how it can be improved to better-serve visitors based on their browsing and behaviours. Note: We use aggregated data with anonymised IP addresses for our analysis, but our hosting company’s raw access logs may store your IP address when you visit our website|
|Administration||Name, telephone number, E-Mail address, billing and delivery address, E-Mail associated with payment services such as PayPal||Creation of estimates and invoices, debt-recovery, fulfilment of legal and accounting purposes|
|Marketing||Name and E-Mail address||Newsletters and/or promotional materials sent to subscribers who have given explicit consent to receive marketing communications from us|
Security of Data
We have a range of mechanisms in place to safeguard your data and ensure that your privacy is maintained.
Strong passwords are required for all services used within the business which store or are used to process your data including our website, E-Mail accounts and backup facilities. Any machines or devices used to access any of these services are password protected and are stored in a secure location when not in use. All PCs used within the business have up-to-date antivirus software and are regularly checked for malware to ensure they remain secure.
Staff have only limited access to personal data for the purposes of responding to enquiries and fulfilling orders.
Secure backup services are used routinely to ensure that your data remains protected and to safeguard against loss or accidental deletion.
Where personal data exists in paper form, it is either stored in a secure location should it be required for accounting purposes, or securely shredded once it is no longer required. Orders through our website are paid for via 3rd-party gateways; we do not handle your payment details. Orders placed over the phone are entered directly into our virtual terminal – at no point are your payment details written down.
We take every precaution to keep your data safe, but in the unlikely event of a data breach or loss of data, we will inform you as soon as it has been identified, or as soon as is practicable. In addition, we may also inform regulatory bodies of the data breach, as well as legal professionals or insurers as required to protect the business.
Your personal data is stored only for as long as is required to fulfil its intended purpose. The length of time will vary depending on the nature of the data stored, and the purpose for which it was collected. Typical examples from our day-to-day business include:
- Order details will be retained for the purposes of fulfilment; we will also retain records of the orders for accounting purposes, and may also use these at your request, such as to provide a repeat of a previous order
- Contact details for marketing will be kept until such time as you opt out of receiving communication
- Financial records/transaction details will be kept for six years after the end of the previous financial year end in line with HMRC reporting requirements
You have the right to request the deletion of your personal data; please see the section titled ‘Your Legal Rights & Our Responsibilities’ for more information about the data you can request to be deleted and how you would go about doing so.
Consent & Contract
We have a legal basis for processing your data if it is for the purposes of fulfilling a contract between us and you. For example, if you place an order with us, then we may use your data for the purposes of fulfilling that order. Likewise, if you get in touch with us to request a quote, then we can use the data you have provided to us for the purposes of providing that quote.
Other uses of your data, such as for marketing purposes, require your explicit consent; you will not receive any marketing or promotional material from us unless you have granted us explicit consent. If consent has been provided, you are free to withdraw it at any point. All marketing E-Mails that you will receive from us will contain a clear ‘Unsubscribe’ link which will remove you from our mailing list immediately, or you can get in touch with us directly to request your removal from any mailing lists.
You can disable cookies through your web browser; however, we would not recommend doing this as many sites, including ours, rely on these to function.
If you have accepted cookies but later change your mind, you can clear the stored cookies through your browser settings and preferences.
International Data Transfers
We may share your personal data with selected third-parties as outlined below purely for business purposes and service provision. In some cases, this data is transferred outside of the European Economic Area (EEA) – however, we ensure that your data remains subject to the same high level of protection afforded here by only using trusted services which provide their own rigorous data protection policies.
Your Legal Rights & Our Responsibilities
The GDPR identifies key aspects of how you can access and control the personal data that companies such as us store and use. Specifically, you can:
- Make a data subject access request to know what data we store about you
- Request that we amend incorrect data stored about you
- Request that we delete your personal data*
- Make an objection to us processing your data, requiring us to cease the use of your data*
- Request the transfer of data which we store about you to a nominated third-party
- Withdraw or amend the consent you have given us previously for us to use your personal data at any time
If you make a data subject access request, we will aim to respond within one month of receiving the request in writing. In unusual circumstances, or if the data requested proves difficult to collate or obtain, this time may be extended. We will advise you if this is the case. We may also require further information from you to identify the data that you are requesting, and to verify that the data subject access request is genuine.
There is usually no fee for a data subject access request. However, we may opt to exercise our right to charge a reasonable fee if your request is unfounded, repetitive or excessive. In these circumstances, we may instead exercise our right to refuse to comply with your request.
* If you request us to delete or cease processing your personal data, please note that there are circumstances under which we may not be able to comply with your request. Specific examples may include, but are not limited to, the cancellation and deletion of an order where production has been started, or the deletion of financial transaction records which we are required by law to retain for six years by HMRC.
In some circumstances, we may share your data with third parties. These may include:
- External IT service providers we use for conducting day-to-day business
- Courier services who require contact information of the recipient for delivery
- Professionals including solicitors, book-keepers, accountants or insurers for the seeking of legal advice, finance and accounting purposes or claim handling
- Regulatory bodies such as HM Revenue & Customs or the ICO to meet our legal reporting obligations
We regularly share data with the following:
|Service Provider||Service||Data Processed & Purpose||Safeguards in Place|
|Google||Website Analytics||Visitor information including browser, country of origin, pages visited, duration of visit and so on may be tracked via Google Analytics. This may be used for business development purposes to improve our website to meet identified needs of visitors.||Strong passwords are required for the accessing of any Google Accounts. Individuals’ data is not identifiable through anonymising of the IP address attributed to browsing sessions.|
|Dropbox||Cloud storage & Backup||Customer-provided content such as business logos, backups of our website files/databases for backup, archive or transfer purposes, order information.||Access is limited to only those who require it for the purposes of fulfilling orders or day-to-day running of the business such as accounting. Data is only synced to machines which are password-protected and stored in secure locations.|
|PayPal||Payment Processing, Accounting||Customer details including name, address, E-Mail address and details of an order for the process of taking payment.||Access to PayPal is strictly limited to the owners and feeds to our accounting software. Payments are handled through PayPal; at no point do we have contact with credit card information for PayPal payments.|
|Stripe||Payment Processing, Accounting||Customer details including name, address, E-Mail address and details of an order for the process of taking payment.||Access to Stripe is strictly limited to the owners and feeds to our accounting software. Payments are handled through Stripe; at no point do we have contact with credit card information for Stripe payments.|
|Square||Payment Processing, Accounting||Customer details including name, E-Mail address, credit card number and billing postcode for the process of taking payment over the phone.||Access to Square is strictly limited to staff and feeds to our accounting software. Staff are strictly supervised by the owners; staff may take payments over the phone. Payment details are entered straight into the Virtual Terminal; at no point are credit card details written down or stored.|
|Xero||Accounting||Customer details including name, address, E-Mail address, payment method and order details for accounting purposes.||Access is limited to only the owners and bookkeeper/accountant via strong passwords. Data is stored for the minimum time required by law.|
|Silver Siphon||Accounting||Customer details including name, address, E-Mail address, payment method and order details for accounting purposes. Silver Siphon provide an interface between our transactional website platform and Xero for Stripe payments.||Access is limited to the site owners, with data transferred securely into Xero, our accounting software. At no point are credit card details transferred; Silver Siphon simply provides a readable format for orders paid for via Stripe to Xero.|
|Bookkeeper and Accountant||Accounting||Customer details including name, address, E-Mail address, payment method and order details for accounting purposes.||Documents are shared via Dropbox or handed over in-person. All data is stored in a secure location which is inaccessible to the public. Data which is no longer required by law is permanently deleted or shredded.|
|HMRC||Accounting||Customer details including name, address, E-Mail address, payment method and order details for auditing or investigative purposes.||Personnel data is stored with HMRC for the purposes of running payroll. Customer data is not routinely shared with HMRC; however, in the event of an investigation or court order, we may be obliged to provide full access to our accounts which include sales data.|
|MailChimp||Contact Management & Marketing||Client contact details including name and E-Mail are stored, alongside other details which may include where they signed up from and a consent statement where express consent was granted to send E-Mail communication. Aggregated data may also be stored alongside E-Mail campaign data for business development purposes, such as seeing the proportion of E-Mails opened or the number of clicks on a link within an E-Mail.||Access is limited to only those who need it for the day-to-day running of the business. E-Mail communication is only sent to users who have provided explicit consent for us to contact them.|
|Siteground Ltd||E-Mail & Hosting||Our website and E-Mail are hosted with Siteground. Subsequently any orders placed through the website, online enquiries and E-Mails are stored on our secure hosting account.||Access to our hosting account is protected with a strong password, and strictly limited to the owners. Backups are stored by both Siteground and in secure remote locations to protect against deletion or loss of data.|