Privacy Policy
PRIVACY STATEMENT
----
SECTION 1 - WHAT DO WE DO WITH YOUR INFORMATION?
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address.
When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.
Email marketing (if applicable): With your permission, we may send you emails about our store, new products and other updates.
SECTION 2 - CONSENT
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only.
If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no.
How do I withdraw my consent?
If, after you opt in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting us at charlotte@groomi.co.uk or mailing us at:
Groomi Limited
Unit 2 Riverview Farm, Overcote Road, Over, Cambridge, CB24 5NT
SECTION 3 - DISCLOSURE
We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service.
SECTION 4 - SHOPIFY
Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
Payment:
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read Shopify’s Terms of Service (https://www.shopify.com/legal/terms) or Privacy Statement (https://www.shopify.com/legal/privacy).
SECTION 5 - THIRD-PARTY SERVICES
In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.
For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
As an example, if you are located in Canada and your transaction is processed by a payment gateway located in the United States, then your personal information used in completing that transaction may be subject to disclosure under United States legislation, including the Patriot Act.
Once you leave our store’s website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service.
Links
When you click on links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
Google analytics:
Our store uses Google Analytics to help us learn about who visits our site and what pages are being looked at.
SECTION 6 - SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry standards.
SECTION 7 - COOKIES
Here is a list of cookies that we use. We’ve listed them here so that you can choose if you want to opt-out of cookies or not.
_session_id, unique token, sessional, Allows Shopify to store information about your session (referrer, landing page, etc).
_shopify_visit, no data held, Persistent for 30 minutes from the last visit, Used by our website provider’s internal stats tracker to record the number of visits
_shopify_uniq, no data held, expires midnight (relative to the visitor) of the next day, Counts the number of visits to a store by a single customer.
cart, unique token, persistent for 2 weeks, Stores information about the contents of your cart.
_secure_session_id, unique token, sessional
storefront_digest, unique token, indefinite, If the shop has a password, this is used to determine if the current visitor has access.
PREF, persistent for a very short period, Set by Google and tracks who visits the store and from where
SECTION 8 - AGE OF CONSENT
By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site.
SECTION 9 - CHANGES TO THIS PRIVACY POLICY
We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.
If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.
SECTION 10 - CUSTOMER SERVICES
We use the services of a UK-based third party company, Parcelhub Limited, to handle our Customer Service operations relating to the delivery of your order. Your Personal Information will be shared with them accordingly and used and protected according to their privacy policy which is available here:
Privacy Notice
In its capacity of providing customer services, Parcelhub Limited (PHL) will on
behalf of Groomi process information provided to it directly by you in order to
respond to your specific enquiry.
In order to be able to respond to and fully handle customer service queries placed by Groomi’s
customers, PHL is in addition supplied with access to the original purchase information of all
orders including personal data, consisting of name and address, telephone number, email
address, item purchased and price paid, and any delivery instructions provided. No financial
information about you is supplied. This data is held and accessed on a Legitimate Interests
basis in order to assist with the successful delivery of your order and also to assist you with
any questions you submit regarding that. We access this information as a data Controller for
customer service reasons only where necessary and no access is made to, or use made of,
information outside this.
Contractual agreement regarding processing of personal data by
Parcelhub Limited for Groomi Limited
1. Definition
1.1 Parcelhub Limited (“PHL”) acts as a data processor on behalf of its customers who, as data
controllers, submit data through PHL’s software (“Parcelhub”) in order to access the services
of providers of courier and postal despatch, or submit data to PHL for the purpose of
contracting PHL to despatch items that it has stored and/or packed and prepared for
despatch. PHL processes their data to this end and in order to provide supporting and
related services. In certain cases, the data so provided will relate to an identifiable subject
and so is defined as “personal data” under EU General Data Protection Regulation 2016/679
(“GDPR”). This document serves the purpose of the written contract required to be in place
between PHL and Groomi Limited (“Controller”) clarifying their responsibilities and liabilities
under GDPR.
2. Terms of Processing
2.1 PHL will act only on the written instructions of the Controller in processing any data
supplied (“the Data”), personal or otherwise, unless required by law to act without such
instruction. Agreement to trade with PHL under written Sales Agreements, or by written
acceptance of provided quotation for services, is taken to constitute consent to process the
Data solely for the purposes necessary to perform the contracted services.
2.2 PHL will ensure that any people internally processing or accessing the Data are subject to
a duty of confidence. All staff of PHL are bound by the terms of PHL’s Staff Data Policy
regarding correct and lawful processing.
2.3 PHL will take appropriate measures to ensure the internal security of processing the Data,
such as are outlined in PHL’s Data Policy as published on PHL’s website.
2.4 PHL will pass some shipment data to Whistl Limited to enable shipment on that
company’s accounts. That data is strictly restricted to named users and is fully password
controlled. Otherwise PHL will only engage sub-processors of the Data with the prior
consent of the Controller and a written contract. By submitting the Data for delivery by a
chosen courier or postal provider through Parcelhub, such shipment being governed by prior
written Sales Agreement, or by written acceptance of provided quotation for services, the
Controller consents to PHL passing any of the Data necessary to that courier or postal
provider for processing for their contracted purpose of conducting that delivery. Any further
sub-processing of the Data will be subject to a further and separate written agreement.
2.5 PHL will assist the Controller in meeting any stated obligations regarding the provision of
subject access to their personal data and any other rights under GDPR. Should PHL receive
such a request directly, it will in the first instance refer the request to the Controller, inform
the data subject that it has done so, and subsequently act according to the reasonable
instruction of the Controller in providing further information or access.
2.6 PHL will assist the Controller in meeting any stated obligations regarding security of
processing of the Data. The Controller is advised to incorporate the Details of Processing in
this contract into their own data policy, and is advised that elements relating to the usage and
storage of data therein are liable to form a central part of any such policy.
2.7 PHL will notify the Controller of any personal data breaches relating to the Data, and any
resultant data protection impact assessments, in line with its obligations under GDPR.
2.8 PHL will submit to audits and inspections of its processing practices by any supervisory
authority, and provide the Controller with any information required to meet an equivalent
audit or inspection or any connected legal obligations.
2.9 PHL will immediately inform the Controller if it is asked by a third-party to infringe GDPR
or any other applicable data-protection law in relation to the Data.
3. Details of Processing
3.1 PHL processes the Data on behalf of the Controller by using its submission through
Parcelhub to supply relevant information to providers of courier and postal despatch, or by
formatting supplied information such that it is suitable for entry into any relevant despatch
systems, and by using that information to produce and print despatch documentation.
Subsequently the data is used to provide tracking information and supporting customer
services on request and through provided online tools.
3.2 PHL processes the data for the purpose of enabling delivery to the Controller’s
designated recipients.
3.3 The Data may contain a number of types of “personal data”, frequently consisting of
name and address information and sometimes also accompanying telephone numbers
and/or email addresses. Those names may be connected with either business or home
addresses, and their usage for both business and personal purposes. While it is conceivable
there may be “personal Data” relating to vulnerable persons, to children, and to other special
categories of person within the Data, this in current practice will not be identifiable therein,
nor is the purpose of processing related to that status.
3.4 PHL’s general policy is that there should be no reason for the Controller to supply
definable “sensitive personal data” to PHL for the purposes of its processing. Should PHL
become aware of such instances, the Controller will be advised on ways in which the Data
can be supplied that does not constitute qualification as “sensitive”. Should there be no
alternative to the Controller supplying “sensitive personal data” to meet its processing needs,
PHL will agree a separate written arrangement regarding its safe usage and storage.
3.5 If the Data is provided other than by submission through Parcelhub, PHL retains files
within which the Data is supplied for a period of 30 days following last processing, after
which they are deleted.
3.6 The Data if submitted through Parcelhub or used for courier or tracked postal despatch is
retained for a period of 90 days following despatch within PHL’s central courier database
prior to its anonymisation by the removal of any identifiable personalising information. No
personal information is held in PHL’s associated and other systems and databases for longer
than this unless it is a necessary part of a continuing and unresolved query, claim, or dispute
after 90 days, in which case any of the Data required for the resolution thereof will be
retained until 30 days after last use.
3.7 The Data is submitted by PHL to the supplier of the chosen despatch service for the
purpose of conducting delivery, and will then be stored by that supplier in line with their own
processing terms. Data submitted to Whistl Limited is stored and used by that company in
line with their own processing terms.
3.8 Information, including the Data where applicable, that is submitted to PHL by email is
stored for a period of 2 years after submission prior to archiving in an encrypted form offsite.
The Controller is under no obligation to supply the Data in this way and is encouraged not to
do so where the Data constitutes “personal data” under GDPR, although PHL recognises that
the Controller holds ultimate responsibility and control over how the Data is submitted and
used. Secure forms of information transmission other than email, deleted within 30 days of
use, are alternatively available to Controllers that do not have their own such method in
place.
3.9 Personal data processed using PHL’s designated warehouse/stock management system
is stored therein for a period of 1 year prior to anonymization by removal of personally-
identifying name and address details.
3.10 The Controller holds responsibility for ensuring that the Data it provides to PHL for
processing complies with all legal obligations. Specifically, (a) the Controller verifies that the
Data, and any record therein, has been made subject to a valid and documented “lawful
basis for processing” under GDPR, and that (b) the period for which the Data is retained within
the areas of Parcelhub under the Controller’s administration has formed a part of that valid
and documented test, (c) the Controller verifies that it has complied with any valid and
reasonable subject request for removal or deletion it has received and that no records of
such subjects exist within the Data, (d) the Controller verifies that the Data does not contain
any record that is required to be excluded by either MPS or TPS registration as appropriate,
(e) the Controller verifies that it is willing and able to cooperate with any compliance
requirements made of it under GDPR.
4. Responsibilities
4.1 PHL does not indemnify the Controller against any data breach or against any other
financial harm resultant from its lawful processing of the Data, other than by prior additional
arrangement or other than as governed by law.
4.2 Nothing within this contract relieves PHL of its own direct responsibilities and liabilities
under GDPR.
Parcelhub Limited, part of the Whistl Group, is registered with the ICO, registration number
ZA30849.
For further information or questions regarding processing of data, please
email dataprotection@parcelhub.co.uk