Privacy Notice – Spruce York
This Privacy Notice sets out how Spruce York (the Data Controller) collects and uses your personal data. References to “we”, “us” “our” or “controller” in this Privacy Notice mean Spruce York.
When we refer to:
- UK GDPR we mean the UK General Data Protection Regulation;
- DPA18 we mean the Data Protection Act 2018; and
- PECR we mean the Privacy & Electronic Communications Regulation 2003
Our Privacy Notice is set out in a way for you to easily find information about what we do with your personal data.
Contents
SECTION 1 – GENERAL INFORMATION.. 3
How we get your personal data. 3
Why we need your personal data and what we do with it. 4
The lawful grounds we rely on to process your personal data. 9
How to make a complaint about us to the Information Commissioner’s Office. 11
Sharing your personal data with other businesses. 12
Using data processors and 3rd parties. 12
Transferring personal data outside of the UK. 12
Changes to our Privacy Notice. 13
This Privacy Notice was last updated April 2022.
SECTION 1 – GENERAL INFORMATION
Our contact details
You can contact us about how we collect and use your personal data via one of the following ways:
- Email: info@spruceyork.co.uk
- Website: https://www.spruceyork.co.uk/contact/
Data Protection Officer
Although we do not meet one of the UK GDPR criteria to legally appoint a Data Protection Officer, we take our data protection compliance obligations seriously. We use the services of an external data protection consultant where necessary to help ensure we collect and use your personal data in a manner you would expect us to.
The various ways you can contact us to discuss any data protection issues or concerns you have, are shown in the “Our contact details” section.
How we get your personal data
We usually obtain your personal data directly from you for the following reasons:
- when you make enquiries about the products we sell;
- when you purchase any of the products we sell;
- when you book onto one of our events or workshops;
- when you opt in to receive marketing from us;
- when we use your business to buy a service or products from you.
If we have met you at a networking event, business club or some other form of social meeting you may have provided your business card details to us.
We may also obtain your personal data indirectly. This is likely to be when we have obtained your details by word-of-mouth referrals, and recommendations from 3rd parties for example another business has given us your details or introduced us to each other. We will also have obtained your personal data if someone has made a group booking for one of our events or workshops.
We also collect personal data about you automatically. This is done when you visit our website and we collect your IP address and other information from the cookies that are deposited on the device you are using. You can control which cookies are deposited to your device and you can change your settings at any time you wish. To find out more about the cookies we use, please read our Cookie Policy.
Why we need your personal data and what we do with it
There are various reasons we need to collect and use your personal data. The table below sets out what those reasons are, the personal data we need, what we do with your data, the lawful grounds relied on to process your data, how long we intend to keep your data, and the data processors used.
Reason we need your personal data |
Personal data needed |
What we do with your personal data |
Lawful grounds relied on |
How long we keep your personal data |
Data processors & 3rd parties used |
When you make enquiries about our products; and
When you purchase our products |
· Full name · Postal address · Billing Address · Email address · Telephone number · Payment details, e.g. debit or credit card |
Provide you with information, at your request, about the product(s) you have enquired about;
Provide you with prices for our bespoke products at your request;
Process and deliver the product(s) you have purchased; Provide any service updates regarding the product(s) you have purchased, e.g. delivery dates; and
Send you our newsletters and other marketing communications. |
Contractual obligation (GDPR Article 6(1)(b))
Legitimate interests (GDPR Article 6(1)(f))
|
Enquiries are kept for no longer than 1 year from the date the enquiry was made.
Purchasing data is for 6 years from the end of the accounting year that the purchase was made.
Marketing contact details are held for as long as you want to remain on our marketing contact list. You always have the option to unsubscribe from our marketing at any time. |
Website host Etsy WooCommerce Paypal SumUp Our Stockists Social Media platforms Accounting Software platform Marketing platform
|
When you just want to receive marketing from us |
· Name · Email address · Birth date and month (not year)
|
send you our newsletter;
send you special offers, promotions, discounts;
send you something special on your birthday, such as a gift voucher; and
send you any other marketing related messages. |
Consent (GDPR Article 6(1)(a))
|
Marketing contact details are held for as long as you want to remain on our marketing contact list. You always have the option to unsubscribe from our marketing at any time. |
Marketing platform Etsy
|
When you are a supplier, contractor or a business we provide a service to |
· Business name; · Name or person we are liaising with; · Business postal address; · Business email address; · Business telephone number; · Business mobile number; · Social media details, such as Instamessaging; · Bank details to enable payment to be made.
We may also need information relating to the project brief and your business when we are providing a service to you. |
Enquire about your products or services;
Enter into an arrangement with you for you to sell your products through Spruce York;
Enter into an arrangement with you for us to provide our services to you;
Purchase your products or services for our business use;
Pay you for the products or services we have purchased; and
Deal with any contractual and payment issues. |
Contractual obligation (GDPR Article 6(1)(b))
Legal obligation (GDPR Article 6(1)(c))
|
Contractual data is kept for 6 years from the end of the contract.
Financial data is for 6 years from the end of the accounting year that the purchase was made.
|
Website host Etsy Our Stockists Social Media platforms Accounting Software platform
|
When you attend one of our events or workshops |
Name of person who made the booking; Email address of individual who made the booking; Names of all individuals attending the event or workshop; Email addresses of all individuals attending the event or workshop; Emergency contact details, where appropriate; Payment details, such as credit/debit card; Billing address; Dietary requirements (if refreshments are being served). |
Provide you with tickets for the event or workshop;
Provide all necessary information relating to the booking both in advance of and after the event or workshop;
Process financial transactions relating to the purchase of tickets;
Deal with any queries or disputes; and
Send you our newsletters and other marketing communications. |
Contractual obligation (GDPR Article 6(1)(b))
Legitimate interests (GDPR Article 6(1)(f))
|
Records relating to the event and workshop are kept for 2 years from when the event or workshop took place.
Financial data is kept for 6 years from the end of the financial year it relates to.
Marketing contact details are held for as long as you want to remain on our marketing contact list. You always have the option to unsubscribe from our marketing at any time. |
Website host Eventbrite or other Ticketing Platform Accounting Software platform Marketing platform
|
The lawful grounds we rely on to process your personal data
When gathering and using your personal data we must have a lawful ground to do so – this is a key requirement of GDPR.
We have provided more information about the lawful grounds we rely on here.
Consent (GDPR Article 6(1)(a)
We will rely on your consent when you just want to receive our newsletters and other promotions and special offers but have never purchased any thing from us or made any enquiries about our products.
You always have the right to withdraw your consent to receive marketing, you can do this by clicking the “unsubscribe” link or contact us via one of the ways shown in the “Our contact details” section.
If you choose to unsubscribe, we will stop sending you marketing communications. We will aim to stop sending you marketing as soon as we possibly can after we have received your unsubscribe request.
Contractual obligation (GDPR Article 6(1)(b))
This lawful ground allows us to use your personal data to respond to your enquiries about our products, including providing you with prices for bespoke items, and to process and deliver the products you purchase from us.
We require certain information from you to enable us to fulfil our contractual obligation with you. If you are not able to provide all the necessary information we have asked for it may mean that we are not able to provide the service to you and the arrangement may therefore not proceed or may need to be terminated.
Legal obligation (GDPR Article 6(1)(c))
There are times when we must process your personal data for us to comply with a legal or regulatory requirement. In these cases we will usually rely on the lawful ground known as “legal obligation” as the processing is necessary for use to fulfil our legal obligation to which we are subject to. For example:
- We have a legal obligation under finance and tax laws to keep certain information relating to payments and tax.
- We have a legal obligation to provide the police or other law enforcement body with information if they are investigating a potential crime.
Legitimate interests (GDPR Article 6(1)(f)
We rely on the legitimate interest lawful ground to send you our newsletters, special offers, discount vouchers, promotions, and any other marketing communications for the purposes of direct marketing.
We rely on “soft opt in” to send you marketing. UK GDPR allows us to use the legitimate interests lawful ground for direct marketing purposes when soft opt in applies. This is because it is not deemed to be an unreasonable expectation for anyone who has purchased any of our products or made enquiries to receive marketing from us.
This also complies with the UK’s e-Privacy laws, currently PECR, which governs how a business can undertake electronic direct marketing. We can rely on soft opt-in to keep in touch and send email marketing to our prospective and existing customers.
We always give you the opportunity to object to receiving marketing from us when we first collect your personal data and with every marketing communication thereafter.
Your rights
Depending on the reasons why we need your personal data and the legal basis we rely on, there are various rights available to you. You can:
- access the personal data we keep about you and be given specific information about the processing. This right always applies regardless of the reason we need your personal data.
- ask us to rectify personal data we hold about you that you think is inaccurate. This right always applies regardless of the reason we need your personal data.
- ask us to delete your personal data. This right only applies in specific circumstances depending on the reason we need to use your personal data.
- ask us to restrict the processing of your personal data. This right only applies when specific circumstances apply.
- object to the processing when we have relied on legitimate interest to undertake that processing activity and you believe we have infringed your rights.
- transfer your personal data from us to another service provider. This right only applies to personal data you have given to us directly and when the lawful ground for the processing is consent or contractual basis and the processing is automated.
We do not undertake any solely automated decision making, including profiling, about you.
To find out more about how to exercise your rights please refer to the guidance on the Information Commissioner’s Office website. https://ico.org.uk/your-data-matters/
You do not need to pay a fee to us to exercise any of your rights. However, if your request is manifestly unfounded or excessive, we do have the right to either charge a reasonable fee or refuse the request.
We shall respond to a valid request within one month of receiving it.
If you wish to exercise one of your rights, please contact us via one of the methods shown in the “Our contact details” section.
How to make a complaint about us to the Information Commissioner’s Office
If you are not happy with how we are processing your personal data, or you believe we have not dealt with one of your rights correctly you are entitled to make a complaint to the Information Commissioners Office (ICO). The ICO has several ways in which you can get in touch with them, including post, email, and online forms. For full details how to make a complaint please refer to their website. https://ico.org.uk/make-a-complaint/
Sharing your personal data with other businesses
We do not share, sell or rent your personal data to other businesses for them to use for their own marketing purposes.
We sometimes need to share your data with other organisations, such as when we have a legal obligation to do so. Whenever we are asked to share personal data we always ensure we have a lawful ground to do so and fully document our reasons for the sharing.
You can find out about any routine data sharing that we undertake with other organisations in Sections 2 to 5.
Using data processors and 3rd parties
There are times when we need to use other businesses to help us fulfil our business activities, such as payment providers, couriers, marketing, etc. These other businesses will either be:
- data processors as they are acting under our strict instruction on what they can and cannot do with your personal data; or
- joint data controllers as we are doing something together but will use your personal data for own purposes.
When ever we use other businesses to process personal data on our behalf (data processors) we always ensure we have appropriate UK GDPR compliant contracts in place with each one.
A data processor is not allowed to do anything with your personal data other than what we have instructed them to do with it. They will not share your personal data with any other business apart from us, unless they are required to do so by law. They will hold it securely and retain it for the period we instruct.
You can find out which data processors and 3rd parties we use in Sections 2 to 5.
Transferring personal data outside of the UK
Sometimes it is not possible for us to store or process your personal data wholly in the UK. When your personal data does need to be transferred or stored outside of the UK, we make sure we comply with UK GDPR.
We will usually rely on one of the following safeguards to be in place to make the transfer:
- An Adequacy Regulation is in place with the country where the personal data is being transferred to. This means the UK has deemed the receiving country to have strong data protection laws in place.
- Standard Contractual Clauses or the UK’s International Data Transfer Agreement.
If we are unable to rely on the above safeguards it might be that we need to obtain your explicit consent to make the transfer of personal data to a country outside of the UK.
Children’s information
We do not collect and process personal data relating to children.
Cookies
You can find full details of our Cookie Policy here.
Links to other websites
Our website may provide links to websites of other organisations. Our Privacy Notice does not cover how those organisations process your personal data when you visit their website. We advise you to read their Privacy Notices.
Changes to our Privacy Notice
We keep our Privacy Notice under review to ensure it remains accurate and up to date and we reserve the right to modify it at any time. The current version of our privacy notice will always be available on our website.
If you have any questions about our Privacy Notice, please contact us via one of the ways shown in the “Our contact details” section.
This Privacy Notice was last updated April 2022.