A NICKEL AND A NAIL (Website hosted by Shopify Inc.) Effective from 23 May 2018.
SECTION 1 - WHAT INFORMATION DO WE COLLECT FROM YOU AND WHAT DO WE DO WITH IT?
When you purchase something from our store A Nickel And A Nail, as part of the buying and selling process, we collect the personal information you give us such as your name, address, email address and credit or debit card information. We use this information to arrange for shipping, providing you with invoices and/or order confirmations and other directly related communication. Your information may be shared with our payment provider company or the UK banking system for the purpose of processing your payment. Your information may also be shared with HM Revenue and Customs (HMRC) or similar authorities if and when specifically requested or required by law.
When you browse our on-line store, we also automatically receive your computer’s internet protocol (IP) address, web browser, time zone and some of the cookies that are installed on your device, in order to provide us with information that helps us learn about your browser and operating system. This information gives us an overview of how people use our website and helps us to assess risk and fraud.
With your permission, we may use your personal information to send you emails about our store, new products and other updates. We use Mailchimp to facilitate the email marketing process.
We do not use your information for automated decision making such as profiling, credit scoring or other purposes.
SECTION 2 – HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?
We will only store your personal information for as long as we need it for the purposes for which it was collected. Where we provide you with any service, we will retain any information you provide to us at least for as long as we continue to provide that service to you. The HM Revenue and Customs service requires us to keep records of receipts for 6 years.
SECTION 3 – COLLECTING YOUR PERSONAL INFORMATION FROM THIRD PARTIES
We will only collect personal information provided directly by you. We will not approach any third parties for your personal data.
SECTION 4 – CONSENT
We use consent as our lawful basis for processing your personal information for marketing. We use legitimate interests as the lawful basis when processing your personal information for the purposes of payment transactions.
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only.
If we ask for your personal information for a secondary reason, like marketing, we will ask you directly for your expressed consent. You will not be automatically opted in. The provision of personal data does not form part of a statutory or contractual obligation. There are no detrimental consequences of failing to provide personal data.
How do I withdraw my consent?
If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time.
SECTION 5 - YOUR RIGHTS AS A DATA SUBJECT
We have a legal obligation to provide you with concise, transparent, intelligible and easily accessible information about your personal information and our use of it. We have written this policy to do just that, but if you have any questions or require more specific information, you can get in touch using the Contact Us section of the website.
- You have the right to access your personal data.
- You have the right to ask us to confirm whether or not we hold any of your personal information. If we do, you have the right to have a copy of your information and to be informed of the following: why we have been using your information; what categories of information we were using, who we have shared the information with, and how long we envisage holding your information. In order to maintain the security of your information, we will have to verify your identity before we provide you with a copy of the information we hold. We will provide your information which we hold, free of charge.
- You have the right to correct any inaccurate or incomplete personal data. Where you have requested a copy of the information we hold about you, you may notice that there are inaccuracies in the records, or that certain parts are incomplete. If this is the case, you can contact us so that we can correct our records.
- You have the right to be forgotten. There may be times where it is no longer necessary for us to hold personal information about you. This could be if: the information is no longer needed for the original purpose that we collected it for; you withdraw your consent for us to use the information (and we have no other legal reason to keep using it); you object to us using your information and we have no overriding reason to keep using it; we have used your information unlawfully or we are subject to a legal requirement to delete your information. In those situations, you have the right to have your personal data deleted. If you believe one of these situations applies to you, please get in touch using our website.
- You have the right to have a copy of your data transferred to you or a third party in a compatible format. Also known as data portability, you have the right to obtain a copy of your personal data for your own purposes. This right allows you to move, copy or transfer your personal data more easily from one IT system to another, in a safe and secure way. If you would like us to transfer a copy of your data to you or another organisation in a structured, commonly used and machine-readable format, please contact us. There is no charge for you exercising this right.
- You have the right to object to direct marketing. You can tell us at any time that you would prefer that we do not use your information for direct marketing purposes. If you would not like to receive any direct marketing from us, please contact us or use the links provided in any of our marketing communications, and we will stop sending direct marketing immediately.
- You have the right to object to us using your information for our own legitimate interests. Sometimes, we use your personal information to achieve goals that will help us as well as you. This includes: when we tell you about products or services that are like ones that you have already bought; when we use your information to help us make our business better, and when we contact you to interact, communicate or let you know about changes we are making. We aim to always ensure that your rights and information are properly protected. If you believe that the way we are using your data is not justified due to its impact on you or your rights, you have the right to object. Unless we have a compelling reason to continue, we must stop using your personal data for these purposes. In order to exercise your right to object to our use of your data for the purposes above, please contact us.
- You have the right to restrict how we use your personal data.
- You have the right to ask us to stop using your personal data in any way other than simply keeping a copy of it. This right is available where you have informed us that the information we hold about you is inaccurate, and we have not yet been able to verify this; where you have objected to us using your information for our own legitimate interests and we are in the process of considering your objection, where we have used your information in an unlawful way, but you do not want us to delete your data; where we no longer need to use the information, but you need it for a legal claim. If you believe any of these situations apply, please contact us.
- You have rights related to automated-decision making and profiling. Any automated decision-making or profiling we undertake is solely for the purpose of tailoring the information which we provide to you. We will not use automated decision-making or profiling to make any decisions which will have a legal effect upon you or otherwise significantly affect you, and you have the right not to be subject to such decisions. If you have any concerns or questions about this right, please contact us.
SECTION 6 - DISCLOSURE
We may disclose your personal information if we are required by law to do so.
SECTION 7 - SHOPIFY
Our on-line store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you. Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read Shopify’s Terms of Service (https://www.shopify.com/legal/terms) or Privacy Statement (https://www.shopify.com/legal/privacy).
SECTION 8 - THIRD-PARTY SERVICES
We share your personal information with third parties to help us use your personal information, in the ways described above. For example, as mentioned we use Shopify to power our online store--you can read more about how Shopify uses your personal information in section 7 of this policy statement.
In general the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us. However, certain third-party service providers, such as the payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions. For these providers, we recommend that you read their privacy policies, so you can understand the manner in which your personal information will be handled by these providers.
We use Google Analytics to help us understand how our customers use the Site -- you can read more about how Google uses your personal information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
We use Mailchimp services for promotional and marketing communications, but only if you have actively opted into this service. You can read more about how Mailchimp uses personal information here: https://mailchimp.com/legal/privacy/
We use Shopify Payments services to process payments made by Visa, Mastercard and American Express cards. You can read more about how Shopify Payments use your information at https://www.shopify.com/legal/privacy
We use Paypal services to process payments made by this method. You can read more about how Paypal use your information at https://www.paypal.com/re/webapps/mpp/ua/privacy-prev
Please note that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us, including the U.S. and Canada. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located. Mailchimp and Shopify are certified as companies operating within EU-US and Swiss-US Privacy Security Shield Framework for data protection.
SECTION 9 - SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with AES-256 encryption. We follow all generally accepted industry standards.
SECTION 10 – COOKIES AND DEVICE INFORMATION
Additionally, as you browse our website, we collect information about the individual web pages or products that you view, what websites or search terms referred you to our website, and information about how you interact with the website. We refer to this automatically-collected information as “Device Information”.
We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
- “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site.
As Shopify host our website, they have provided information regarding the types and names of cookies used if you access a Shopify-hosted website, as well as how to control these. This can be found here: https://www.shopify.co.uk/legal/cookies
SECTION 11 - AGE OF CONSENT
This site is not intended to be used by children. If using this site, you represent that you are at least the age of majority in your state or province of residence. We do not knowingly collect information, including personal data, from children. If we obtain actual knowledge that we have collected personal data from a child under the age of majority, we will promptly delete it, unless we are legally obligated to retain such data.
QUESTIONS AND CONTACT INFORMATION
If you would like to: access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information please contact us via the Contact Us section on the website of A Nickel And A Nail. Alternatively write to Edward Windle (the data controller contact for A Nickel And A Nail) at 29, Woodhill Rise, Cookridge, Leeds, West Yorkshire, LS16 7DB. You also have a right to complain to the International Commissioner’s Office (ICO) at https://ico.org.uk/ if you think there is a problem with the way we are handling your data.