Compiled 13 May 2021, reviewed 27 August 2023.
SECTION 1: THE TYPE OF PERSONAL INFORMATION WE KEEP AND WHAT WE DO WITH IT
We collect and process the following information when you use our store:
- Personal identifiers, contacts and characteristics (for example, name and contact details)
- Financial information (credit cards, debit cards)
When you purchase something from our store A Nickel And A Nail, as part of the buying and selling process, we collect the personal information you give us such as your name, address, email address and credit or debit card information. We use this information to arrange for shipping, providing you with invoices and/or order confirmations and other directly related communication. Your information may be shared with our payment provider company or the UK banking system for the purpose of processing your payment. Your information may also be shared with HM Revenue and Customs (HMRC) or similar authorities, only if and when specifically requested or required by law.
When you browse our on-line store, we also automatically receive your computer’s internet protocol (IP) address, web browser, time zone and some of the cookies that are installed on your device, in order to provide us with information that helps us learn about your browser and operating system. This information gives us an overview of how people use our website and helps us to assess risk and fraud.
With your permission, we may use your personal information to send you emails about our store, new products and other updates. We use Mailchimp to facilitate the email marketing process. We do not use your information for automated decision making such as profiling, credit scoring or other purposes.
SECTION 2: HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?
We will only store your personal information for as long as we need it for the purposes for which it was collected. Where we provide you with any service, we will retain any information you provide to us at least for as long as we continue to provide that service to you. Additionally, the HM Revenue and Customs service requires us to keep records of purchase receipts for 6 years.
SECTION 3 – COLLECTING YOUR PERSONAL INFORMATION FROM THIRD PARTIES
We will only collect personal information provided directly by you. We will not approach any third parties for your personal data.
SECTION 4: HOW WE GET YOUR INFORMATION, AND LAWFUL BASES
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- Purchasing items from this retail website
- Marketing purposes, where you choose to “opt in” to this
We use the information that you have given us in order to process your order, to contact you with information about your shipment, or to communicate in the event of a query or complaint.
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
(a) For email marketing: Our lawful basis for using and holding your data is ‘consent’. You are given the choice to opt into marketing: you are not automatically opted in. You are also able to remove your consent at any time. You can do this by contacting the data controller at the email address or mailing address above. An option is also given in the body of our marketing emails for you to opt out at any time.
(b) For processing sales transactions and related communications: Our lawful basis is ‘legitimate interests’. By purchasing a product from this site we assume you reasonably expect us to process your payments via third parties such as Paypal, or Shopify related payment gateways for card payments; and to send you transactional emails, such as receipt of your order, notification of delivery schedules or other communications specifically related to your purchase or enquiry. These emails are a necessary and proportionate means of communicating important information with you, our customer, and so it is in our legitimate interests to send these emails.
SECTION 5: HOW WE STORE YOUR INFORMATION
Your information is securely stored on electronic databases. Physical records are stored in a secure, locked location. We keep sales transaction related data for a maximum of 6 years, in line with HMRC requirements. We will then dispose of physical records once we are no longer required to keep them.
SECTION 6 - YOUR RIGHTS AS A DATA SUBJECT
We have a legal obligation to provide you with concise, transparent, intelligible and easily accessible information about your personal information and our use of it, and your rights. We have written this policy to do just that, but if you have any questions or require more specific information, you can get in touch using the Contact Us section of the website.
- RIGHT TO ACCESS: You have the right to access your personal data. You have the right to ask us to confirm whether or not we hold any of your personal information. If we do, you have the right to have a copy of your information and to be informed of the following: why we have been using your information; what categories of information we were using, who we have shared the information with, and how long we envisage holding your information. In order to maintain the security of your information, we will have to verify your identity before we provide you with a copy of the information we hold. We will provide your information which we hold, free of charge.
- RIGHT TO RECTIFY: You have the right to correct any inaccurate or incomplete personal data. Where you have requested a copy of the information we hold about you, you may notice that there are inaccuracies in the records, or that certain parts are incomplete. If this is the case, you can contact us so that we can correct our records.
- RIGHT TO ERASURE: You have the right to be forgotten. There may be times where it is no longer necessary for us to hold personal information about you. This could be if: the information is no longer needed for the original purpose that we collected it for; you withdraw your consent for us to use the information (and we have no other legal reason to keep using it); you object to us using your information and we have no overriding reason to keep using it; we have used your information unlawfully or we are subject to a legal requirement to delete your information. In those situations, you have the right to have your personal data deleted. If you believe one of these situations applies to you, please get in touch using our website.
- RIGHT TO REQUEST PORTABLE DATA: You have the right to have a copy of your data transferred to you or a third party in a compatible format. Also known as data portability, you have the right to obtain a copy of your personal data for your own purposes. This right allows you to move, copy or transfer your personal data more easily from one IT system to another, in a safe and secure way. If you would like us to transfer a copy of your data to you or another organisation in a structured, commonly used and machine-readable format, please contact us. There is no charge for you exercising this right.
- THE RIGHT TO OBJECT TO DATA USE: For example, you have the right to object to direct marketing. You can tell us at any time that you would prefer that we do not use your information for direct marketing purposes. If you would not like to receive any direct marketing from us, please contact us or use the links provided in any of our marketing communications, and we will stop sending direct marketing immediately. Sometimes, we use your personal information to achieve goals that will help us as well as you. This includes: when we tell you about products or services that are like ones that you have already bought; when we use your information to help us make our business better, and when we contact you to interact, communicate or let you know about changes we are making. We aim to always ensure that your rights and information are properly protected. If you believe that the way we are using your data is not justified due to its impact on you or your rights, you have the right to object. Unless we have a compelling reason to continue, we must stop using your personal data for these purposes. In order to exercise your right to object to our use of your data for the purposes above, please contact us.
- RIGHT TO RESTRICT DATA USE: You have the right to restrict or stop how we use your personal data.
SECTION 7 - DISCLOSURE
We may disclose your personal information if we are required by law to do so.
SECTION 8 - SHOPIFY
Our on-line store website is hosted by Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you. Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted in line with the Payment Card Industry Data Security Standard. Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also wish to read Shopify’s Terms of Service at https://www.shopify.com/legal/terms or Privacy Statement at https://www.shopify.com/legal/privacy.
SECTION 9 - THIRD-PARTY SERVICES
We share your personal information with third parties to help us use your personal information, in the ways described above. For example, as mentioned we use Shopify to power our online store--you can read more about how Shopify uses your personal information in section 7 of this policy statement.
In general the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us. However, certain third-party service providers, such as the payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions. For these providers, we recommend that you read their privacy policies, so you can understand the manner in which your personal information will be handled by these providers.
We use Google Analytics to help us understand how our customers use the Site -- you can read more about how Google uses your personal information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
We use Mailchimp services for promotional and marketing communications, but only if you have actively opted into this service. You can read more about how Mailchimp uses personal information here: https://mailchimp.com/legal/privacy/
We use Shopify Payments services to process payments made by Visa, Mastercard and American Express cards. You can read more about how Shopify Payments use your information at https://www.shopify.com/legal/privacy
We use Paypal services to process payments made by this method. You can read more about how Paypal use your information at https://www.paypal.com/re/webapps/mpp/ua/privacy-prev
Please note that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us, including the U.S. and Canada. So if you proceed with a card transaction that involves the services of a third-party service provider, your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located. Mailchimp and Shopify are certified as companies operating within EU-US and Swiss-US Privacy Security Shield Framework for data protection.
SECTION 10 - SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
If you provide us with your credit card information, the information is encrypted in the transaction automatically by the secure Shopify payment gateway using accepted industry standards. We do not have direct access to your full card details.
SECTION 11 – COOKIES AND DEVICE INFORMATION
Additionally, as you browse our website, we collect information about the individual web pages or products that you view, what websites or search terms referred you to our website, and information about how you interact with the website. We refer to this automatically collected information as “Device Information”.
We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
- “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site.
As Shopify host our website, they have provided information regarding the types and names of cookies used if you access a Shopify-hosted website, as well as how to control these. This can be found at https://www.shopify.co.uk/legal/cookies
SECTION 12 - AGE OF CONSENT
This site is not intended to be used by children. If using this site, you represent that you are at least the age of majority in your state or province of residence. We do not knowingly collect information, including personal data, from children. If we obtain actual knowledge that we have collected personal data from a child under the age of majority, we will promptly delete it, unless we are legally obligated to retain such data.
SECTION 13: COMPLAINTS
If you have any concerns about our use of your personal information, please contact A Nickel And A Nail via firstname.lastname@example.org or Edward Windle, 29 Woodhill Rise, Leeds, West Yorkshire LS16 7DB.
You can also contact the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk