This policy aims to help you understand how Rosarts obtain and use any personal data you provide to us when you use this website or any of our linked online systems, such as our email systems. If you have any questions, please get in touch with us at firstname.lastname@example.org.
Who we are
Welcome to Rosarts, an online shop selling art prints and digital design services. Our website address is: https://rosarts.co.uk.
What personal data we collect and why we collect it
Information we collect:
Rosarts may collect the following information from you through your use of this website:
- Your name
- Your contact information, such as an email address and/or contact telephone number
- Your delivery address
- Your payment details (via PayPal/Worldpay/Stripe)
- Information about your computer and internet connection such as browser type and IP address. This information is for statistical purposes only – i.e. to identify where customers are visiting from.
If you create an account with Rosarts by registering on our website, the details you provide can only be used by you to register and sign into this website. We may use the information you provide such as your name or email address to contact you about any order you make.
What we do with the information we gather
Collecting this data helps us to learn about what you are looking for from us, which helps us to identify and deliver the most relevant products and services to our customers.
We use the information which you provide during your order solely to process your order and contact you about any delays or problems.
The information you provide to us is kept private.
We do not pass on your details to third parties for marketing purposes, and will only pass on your data to third parties for any other purpose if required to do so by law.
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
We respect your right to privacy and your right to choose how we communicate with you. We will only use the contact details provided by you to communicate with you about your order.
The information you provide to us is kept private. We do not pass on your personal data unless we are required to do so by law.
Any personal information we hold about you is stored and processed under our data protection policy, in line with the new General Data Protection Regulation (GDPR).
Cookies cannot read any information saved on your hard drive and cannot spread viruses.
Our cookies only pass on the information that you have already disclosed to our website.
All computers have the ability to decline cookies. This can be done by activating the setting on your browser which enables you to decline the cookies. Please note that should you choose to decline cookies, you may be unable to access particular parts of our website.
You can read more about cookies here: http://www.allaboutcookies.org/
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
We use Google Analytics and online security software to monitor traffic to our website.
When you place an order on our website, we collect the following personal data:
- Billing details:
- First name
- Company name (optional)
- Street address
- Shipping details (optional)
- First name
- Company name
- Street address
- Email address
- Telephone number
- IP address
Additionally, certain data is collected by Google Analytics when you make a purchase from our website.
Why do we process this personal data?
Billing details are required to process the debit or credit card transaction and for delivery of the item(s) ordered. Credit and debit card transactions are handled by Stripe, WorldPay or PayPal on behalf of Rosarts. Your card details are encrypted (known as tokenisation) by your web browser before they are transmitted securely to Stripe or PayPal, who will then process the transaction. We do not have access to your credit or debit card details at any time and we do not hold untokenised credit or debit card details on our server. The tokenised version of your card details, which can only be decrypted by Stripe, WorldPay or PayPal, is stored on our server if you select the option to save your payment method in your account.
Shipping details are only required if the item(s) ordered are to be delivered to a different address to the billing details. Your email address is used to contact you regarding your order. Your telephone number is required in case we need to get in touch urgently regarding your order, for example if an item in your order is time-limited in some way.
We require your IP address to locate which country you are in because sales are currently restricted to the United Kingdom.
Payment providers’ access to this data:
Depending on the provider you choose to make a transaction with, they will have access to this data.
The lawful basis for processing this data is contractual necessity.
How long do we retain this personal data?
We retain personal data created through e-commerce for a period of six years.
Who we share your data with
We share website data with the following 3rd party providers: our web host, online security provider, Google Analytics, PayPal, Stripe and WorldPay (for online purchases). The data we share with these providers is related to customers’ visits to the site, any signups to our email list, and/or any purchases that may be made on the site.
Transactional data generated from our payment providers is shared with our accounting software which is provided by our Bank. You can read more about this here: https://www.freeagent.com/company/gdpr/
We do not and will not share your personal data with other companies for marketing purposes, or for any other reason, unless required to do so by law.
How long we retain your data
We retain data that is collected or processed by our website until we delete it or you remove your customer account from our website.
We delete email communications periodically as a matter of course.
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Your right to be informed
You can contact us at any time for information on how we are processing your personal information. Email us at email@example.com.
Your right of access
You have the right to access the personal information we hold about you, including any information you have provided to us. You can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can do this using a Subject Access Request form, which we can provide to you on request. Email us at firstname.lastname@example.org.
Your right to rectification
You have the right to request a rectification of any inaccuracies in the information we hold on you, or have it completed if it is incomplete. You can do this verbally or in writing. We will respond to your request within one calendar month.
Your right to erasure
You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Your right to restrict processing
You have the right to request that we limit the ways in which we use the information you provide to us. You can do this verbally or in writing. When processing is restricted, we are permitted to store your personal data, but not use it. We will respond to your request within one calendar month.
Your right to data portability
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us.
Your right to object
If you feel that your personal data is not being handled in an appropriate way by us or if you think there is a problem in the way we are processing your data then you have the right to complain to the ICO.
Online Dispute Resolution
You can use this link to the Online Dispute Resolution Platform. This is an alternative dispute resolution service that is conducted online. It is for consumers and traders who have had a problem or dispute between themselves regarding online purchases. If you have a dispute you can access this portal by clicking on the above link.
Your right not to be subject to automated decision-making including profiling
We occasionally look at user profiles of our website visitors that are created by Google Analytics, to help us learn more about who is visiting our website. You have the right to opt out of Google Analytics tracking so that your use of our website does not process any of your data. You can download an opt-out browser add-on from Google tools if you wish to do this.
Where we send your data
Visitor comments may be checked through an automated spam detection service.
Our contact information
For any privacy-specific concerns or requests, please contact us via email at email@example.com.
We process personal data under the following basis:
Contractual necessity: the processing of data that we need in order to carry out the work we provide for our customers. For example, we need to know the name, address and contact details of a customer who wants us to order a print, product or service or to create some design work for them. We also need to know where to send an invoice to if a purchase isn’t being made directly on this site.
How we protect your data
We have carried out a Privacy Impact Assessment for the data we collect from our website and email communications. The website is secured by SSL, as is our email server, to encrypt transmissions between the server and the user’s computer. The number of website administrators with access to this data is kept to a minimum.
What data breach procedures we have in place
A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. We have the following procedures in place to deal with potential or real data breaches:
Detection and monitoring: we regularly monitor our website to see who is accessing it and we use online firewall technology to block any hacking or unauthorised access attempts. We receive an email from our security provider if there are any security issues occurring on our website. We are also in very close contact with our web host, who is also on hand to identify any issues and alert us to them.
Response and reporting: If we detect a breach, we firstly investigate to establish the likelihood and severity of the resulting risk or damage to people’s rights and freedoms. We document the breach, and also the determination made regarding the risks to people’s rights and freedoms as a result. If we determine that this risk is significant, we will report the data breach to the ICO within 72 hours. If we determine that a risk to people’s rights and freedoms is unlikely, we will not report this, but we will still document the breach and explain why the risk was deemed unlikely.
If the data breach poses a high or severe risk to the rights and freedoms of people involved then we will inform those individuals of the data breach immediately and advise them of the steps we’re taking in response.
We will review this policy and update it periodically. Please come back and check from time to time as we do so.
For any questions or enquiries regarding your privacy, please email us at firstname.lastname@example.org.
This policy is effective from April 2015.