Date of last revision: 28 August 2018
We take the privacy of our Website users and Store visitors very seriously. We ask that you read this Policy carefully as it contains important information about how we will process your personal data.
We may change this Policy from time to time. You should check this Policy regularly to ensure you are aware of the most recent version that will apply each time you access the Website.
1 Information about us
The Website and Store are operated by Sanne Limited incorporated in England and Wales under company number 10026906 and having its registered office address at 38 Haycroft Gardens, London NW10 3BN (“we”/“our”).
For the purposes of data protection law, we are the “controller” (i.e. the company who is responsible for, and controls the processing of, your personal data).
If you would like to contact us in relation to this Policy, please send an email to firstname.lastname@example.org.
2 The information we collect about you
We may collect the following personal data about you for the purposes described in this Policy:
· your contact details, such as your name, residential address, email address and phone number;
· payment details; and
· demographic information such as your date of birth and gender.
We collect this information in a number of circumstances including but not limited to:
· when you register an account with the Website;
· when you make a purchase using the Website;
· if you contact us in relation to a query; or
· when you visit us in Store.
Occasionally we may receive information about you from other sources, which we will add to the information we already hold about you for the purposes listed in this Policy.
3 Information we obtain from other sources
We may also obtain personal data about you from other sources, for example:
The types of personal data about you that we may collect from other sources include:
· Your name and email address.
4 How we use your personal information
We may use your personal information for the purposes of:
· processing any orders you may make;
· billing and order fulfilment;
· notifying you of any changes to the Website or to our products or services that may affect you;
· personalising our service to you;
· customer profiling and analysing your purchasing preferences;
· marketing (see ‘Marketing’ below);
· security, fraud prevention and detection;
· improving our products and services; and
· complying with our legal obligations.
5 Lawful bases of processing
In order to process personal data, we must have a lawful reason (sometimes called a lawful basis). We always ensure that this is the case, and we set out our lawful bases below.
If you are our customer, we will process your personal data for the following purposes, on the legal basis that it is necessary for us to provide our products and services to you:
· to identify you;
· to respond to your enquiries;
· to allow you to register an account;
· to provide our products and services;
· to carry out billing and administration activities.
We process your personal information for our legitimate business purposes, which include the following:
· to conduct and manage our business;
· to enable us to carry out our services;
· to ensure our Website and systems are secure (for example, by conducting security penetration tests on our Website to ensure our security tools are effective);
· to personalise your web experience – for example, by tailoring our products, offers and services to you;
· to analyse, improve and update our services for the benefit of our customers;
· to deal with complaints;
· to detect and prevent fraud;
· to let you know about our products, services, promotions or events that we consider may be of interest to you: we carry out this processing on the legal basis that we have a legitimate interest in marketing our products and services, and only to the extent that we are permitted to do so by applicable direct marketing laws. Please see clause 10 below for further information about our marketing activities and regarding your right to opt out.
Whenever we process your personal data for these purposes, we ensure that your interests, rights and freedoms are carefully considered.
Compliance with laws
We may process your personal data in order to comply with applicable laws (for example, if we are required to co-operate with an investigation pursuant to a court order).
We generally do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email where we are not otherwise entitled to do so. You have the right to withdraw consent to marketing at any time. This will not affect the lawfulness of processing that took place prior to the withdrawal of consent.
We will always be clear whenever we intend to process on the basis of consent, and we will process lawfully and only for the purpose for which consent was given.
6 Sharing your personal information
We may provide your personal information to the following recipients for the purposes set out in this Policy:
• other companies within our group;
• our employees, consultants, agents and service providers, in each case where it is relevant to do so;
• law enforcement agencies in connection with any investigation to help prevent unlawful activity.
In addition, you may choose to post information about, or interact with, us on social media platforms, for example Facebook, Twitter and Instagram.
We may monitor and record communications with you (such as telephone conversations and emails) for the purposes of quality, training and improving our customer services.
8 How long your personal information will be kept
We carefully consider the personal data that we store, and we will not keep your information in a form which identifies you for longer than is necessary for the purposes set out in this Policy.
We use the following criteria to determine data retention periods for your personal data:
· Retention for providing our products and services. We will retain your personal data as long as necessary for us to provide our products and services to you.
· Retention in case of queries. We will retain your personal data as long as necessary to deal with your queries.
· Retention in accordance with legal and regulatory requirements. We will retain your personal data after we have provided products and services based on our legal and regulatory requirements.
9 Transferring your information outside the EEA
While we are based in England, we may transfer your personal information to a location (for example to a secure server) outside the European Economic Area, if we consider it necessary or desirable for the purposes set out in this Policy. In such cases, to safeguard your privacy rights, transfers will be made to recipients to which a European Commission adequacy decision applies (this is a decision from the Commission confirming that adequate safeguards are in place for the protection of personal data), or will be carried out under standard contractual clauses that have been approved by the European Commission as providing appropriate safeguards for international personal data transfers, copies of which are available to view on the Commission’s website.
We may store your contact details, and carry out marketing profiling activities, for direct marketing purposes. If you have given your consent, or if we are otherwise permitted to do so, we may contact you about our products or services that may be of interest to you. If you prefer not to receive any direct marketing communications from us, you can opt out at any time by sending an email to email@example.com. We will also give you the option to opt out each time we send a marketing communication by electronic means.
11 How we protect your information
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. For example:
· access to your account is controlled by a unique password that you have created;
· we store your personal data on secure servers; and
· payment details are encrypted using SSL technology.
12 Your information rights
We draw your attention to your following rights under data protection law:
• the right to be informed about the collection and use of your personal data;
• the right of access to your personal data, and to request a copy of the information that we hold about you and supplementary details about that information;
• the right to have inaccurate personal data that we process about you rectified;
• the right (in certain circumstances) to have personal data that we process about you blocked, erased or destroyed;
• the right to object:
o to processing of personal information concerning you for direct marketing;
o to decisions being taken by automated means which produce legal effects concerning you or that similarly significantly affect you;
o in certain other situations, to our continued processing of your personal information;
• the right of portability of your data in certain circumstances;
• rights in relation to automated decision-making.
These rights are subject to certain limitations that exist in law. Further information about your information rights is available on the ICO’s website: https://ico.org.uk/. If you wish to know more detail as to how we observe the rights above, please contact us.
13 Changes to this Policy
We may change this Policy from time to time. Please check this Policy on our Website regularly to ensure you are aware of the most recent version.
14 How to complain
If you have a complaint about the way we handle your personal data, please contact us at the address in clause 1 of this Policy. In addition, should you find it necessary, you have a right to raise a concern with the information regulator, the Information Commissioner’s Office: https://ico.org.uk/