Privacy And Data Protection Policy
Shorty Beds website privacy and data protection
We gather and use certain information about individuals in order to provide products and services and to enable certain functions on this website.
We also collect information to better understand how visitors use this website and to present timely, relevant information to them.
The data we gather
We may collect the following information:
- Name and job title
- Contact information including email address
- Demographic information, such as postcode, preferences and interests
- Website usage data
- Other information relevant to client enquiries
- Other information pertaining to special offers and surveys
How we use this data
Collecting this data helps us understand what you are looking for in the company, enabling us to deliver improved products and services.
Specifically, we may use data:
- For our own internal record
- To improve the products and services we provide
- To contact you in response to a specific enquiry
- To customise the website for you
- To send you promotional emails about products, services, offers and other things we think might be relevant to you.
- To contact you via email, telephone or mail for market research reasons.
Cookies and how we use them
What is a cookie?
A cookie is a small file placed on your computer’s hard drive. It enables our website to identify your computer as you view different pages on our website.
Cookies allow websites and applications to store your preferences in order to present content, options or functions that are specific to you. They also enable us to see information like how many people use our website and what pages they tend to visit.
- Analyse our web traffic using an analytics package. Aggregated usage data helps us improve the website structure, design, content and functions.
- Identify whether you are signed in to our website. A cookie allows us to check whether you are signed in to the site.
- Test content on our website. For example, 50% of our users might see one piece of content, the other 50% a different piece of content.
- Store information about your preferences. The website can then present you with information you will find more relevant and interesting.
- To recognise when you return to our website. We may show you relevant content, or provide functionality you used previously.
Cookies do not provide us with access to your computer or any information about you, other than that which you choose to share with us.
However, please note that doing this may affect how our website functions. Some pages and services may become unavailable to you.
Controlling information about you
When you fill in a form or provide your details on our website, you will see one or more tick boxes allowing you to:
Opt in to receiving marketing communications from us by email, telephone, text message or post.
If you have agreed that we can use your information for marketing purposes, you can change your mind easily via one of these methods:
- Sign in to our website and change your opt-in settings.
- Unsubscribe when you receive a marketing email; you'll find the link at the bottom of every email.
- Send an email to firstname.lastname@example.org
- Write to us at Data Controller, JCP Trading Ltd, PO Box 907, Lancaster. LA1 9LE
We will never lease, distribute or sell your personal information to third parties.
Any personal information we hold about you is stored and processed under our data protection policy, in line with the Data Protection Act.
We will always hold your information securely.
To prevent unauthorised disclosure or access to your information, we have implemented strong physical and electronic security safeguards.
We also follow stringent procedures to ensure we work with all personal data in line with the Data Protection Act.
Links from our site
Our website may contain links to other websites.
Please note that we have no control of websites outside the www.shortybeds.co.uk domain. If you provide information to a website to which we link, we are not responsible for its protection and privacy.
Always be wary when submitting data to websites. Read the site’s data protection policy in full.
Your rights as an Individual
If at any point you believe the information we process on you is incorrect, you can request to see this information and even have it corrected or deleted.
If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Controller who will investigate the matter.
If you are not satisfied with our response, or believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).
Our Data Controller is Mr A James and can be contacted by emailing email@example.com
We are committed to protecting your privacy and maintaining the security of any personal information received from you. We strictly adhere to the requirements of the GDPR legislation in the UK.
Information we need
When you purchase from us we need to know basic personal information, which does not include any special types of information. Information required is
- Company name, company number, address information, contact details (phone, email address(es))
- Employee names, contact details (phone, email addresses)
- Bank details/information
- Credit account request(s)/forms/amount
- Payment records
- Court orders (relating to us)
- Order history
This allows us to fulfil your order. You have the option to withhold personal information that is not required for the order process.
What we do with your personal information
All the personal data we process is processed by our staff in the UK. We follow strict security procedures in the storage and disclosure of information which you have given us, to prevent unauthorised access in accordance with the UK data protection legislation. In order to maintain the accuracy of our database, you can check, update or remove your personal details by emailing us at firstname.lastname@example.org
We do not sell, rent or exchange your personal information with any third party, except to help prevent fraud.
How long we hold personal information
We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 3 years after which time it will be destroyed.
Your information we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive this information. More information on our retention schedule can be obtained by emailing email@example.com
We share your information with some partners who we carefully choose for their compliance with data protection requirements. We minimise the use of third parties but currently your data may be shared with:
Marketing: We use MailChimp to store and manage our marketing databases. MailChimp report IP addresses, bounces, opening and click throughs to our website. In addition we also use them for automated marketing which uses buying, searching and viewing data to send relevant marketing email. Remember you can unsubscribe from email marketing at any time by clicking the Unsubscribe link at the bottom of each email.
Customer Service: If you use our 'Live Chat' facility we store your email address and IP address. This information is not used for marketing purposes and we have a policy of regularly deleting this data.
IT: We use Monaghan Consulting to manage our website and they have access to data stored on our website platform. They access this only to resolve any IT issues and do not use any data for marketing purposes.
Payment: If you purchase online your payment details are processed by PayPal or Shopify.
A data subject is a natural person. Examples of a data subject can be an individual, a customer, a prospect, an employee, a contact person, etc.
Any information relating to an identified / identifiable individual, whether it relates to his or her private, professional, or public life. Can be anything from a name, photo, email address, bank details, posts on social networking sites, medical information, IP address, or a combination of the data that directly or indirectly identifies the person.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data.” The special categories of data include racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation, and health, genetic and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offenses are not included, but similar extra safeguards apply to its processing.
Any organization, person, or body that determines the purposes and means of processing personal data, controls the data and is responsible for it, alone or jointly. Examples when the data controller is an individual include general practitioners, pharmacists, and politicians, where these individuals keep personal information about their patients, clients, constituents etc. Examples of organizations can be data controllers, for profit or not for profit, private or government-owned, large or small, where those organizations keep personal information about their employees, clients, etc.
A data processor processes the data on behalf of the data controller. Examples include payroll companies, accountants, and market research companies.
An appointment of a Data Protection Officer is obligatory if: (1) processing is carried out by a public authority; or (2) the “core activities” of a data controller / data processor either require “the regular and systematic monitoring of data subjects on a large scale,” or consist of processing of special categories of data or data about criminal convictions “on a large scale.”
Accountability is the ability to demonstrate compliance with the GDPR. The Regulation explicitly states that this is the organization’s responsibility. In order to demonstrate compliance, appropriate technical and organizational measures have to be implemented. Best practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
Consent is any “freely given, specific, informed and unambiguous” indication of the individual’s wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed for one or more specific purposes.
The affirmative action, or a positive opt-in, means that the consent cannot be inferred from silence, pre-ticked boxes, or inactivity. It should also be separate from terms and conditions, and have a simple way to withdraw it. Public authorities and employers will need to pay special attention to ensure that consent is freely given.
The existing consents do not have to be refreshed automatically in preparation for the GDPR, but they have to meet the GDPR standard for being specific, granular, clear, opt-in, properly documented, and easily withdrawn. If not, change your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
If a business is established in more than one Member State, it will have a “lead authority,” determined by the place of its “main establishment” in the EU. A supervisory authority that is not a lead authority may also have a regulatory role, for example where processing impacts data subjects in the country where that supervisory authority is the national authority.
Privacy Impact Assessment (PIA)
The GDPR imposes a new obligation on data controllers and data processors to conduct a Data Protection Impact Assessment (also known as a privacy impact assessment, or PIA) before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope, or purposes.
Processing is any operation performed on personal data (sets), such as creation, collection, storage, view, transport, use, modification, transfer, deletion, etc., whether or not by automated means.
Profiling is any form of automated processing of personal data intended to evaluate certain personal aspects relating to an individual, or to analyze or predict in particular that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior.
This is the data subject’s right to obtain from the data controller, on request, certain information relating to the processing of his/her personal data.
The territorial scope of the GDPR includes the European Economic Area (EEA – all 28 EU member states), Iceland, Liechtenstein, and Norway, and does not include Switzerland.
A third party is any natural or legal person, public authority, agency, or any other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.
The transfer of personal data to countries outside the EEA or to international organizations is subject to restrictions. As with the Data Protection Directive, data does not need to be physically transported to be transferred. Viewing data hosted in another location would amount to a transfer for GDPR purposes.