Privacy Policy

 

Amended May 2018 to reflect GDPR requirements

Introduction

Spotlight Stationery is a trading name of RMHT Trading Ltd and is based in the UK and operates in accordance with UK law. It is registered with the UK Information Commissioner’s Office (ICO): Registration Reference A8242889. 

This privacy policy states how we use and protect information when a customer uses our merchant shopping services. This policy tells you how we deal with your “personal data” (i.e. the technical term for information about any identified or identifiable living person). The policy sets out what information we collect, how we use and safeguard that information. Please note that we do not collect or process any personal information if you do not sign up to purchase our products or to our newsletters. 

Spotlight Stationery may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. 

GDPR 

This policy has been updated to reflect the requirements of the EU General Data Protection Regulation (GDPR) 2016/679, which replaces the Data Protection Directive 1995. This directive places additional privacy requirements on organisations. We have used the ICO’s website at reference for much of this document.

Principles 

We are committed to protecting your privacy. We will only use the information that we collect about you lawfully. In GDPR terms the information lawfully gathered arises from three primary reasons:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

In order to purchase goods or to receive marketing (e.g. newsletters), the customer has to take positive steps to sign up for the services. That is, customers give their consent to the terms and conditions prior to the purchase of goods and/or consent to receive marketing information relating to the goods by signing up to our newsletters.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

In order to form a contract to buy goods, as documented in the terms and conditions, we require certain information to process the contract, and for the prevention of fraudulent activity. We also need to account for our sales and invoices in accordance with UK tax law, and will therefore record such transactions (which may include name and address) to our accounting software Xero. Xero’s data stores are also cloud based and Xero’s GDPR compliance statement is recorded at reference h.
 

(c) Legitimate interest: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

In order to communicate with our customers who have bought our products or with those who have registered for our newsletter, we believe it is reasonable to conclude you are interested in our products and we have, in GDPR terms, ‘legitimate interest’. As the data is simply processed via an email address there are minimal privacy issues involved, and as it is straightforward to opt out or unsubscribe, we believe there is appropriate balance to an individual’s interests, rights and freedoms.

We also note that the GDPR allows for circumstances where there is a legitimate interest in disclosing information about possible fraudulent activity to relevant parties.  

Please do not use our website unless you are completely happy with these principles. 

Third parties  

Spotlight Stationery does not sell any of the data obtained to third parties such as advertisers. We will not sell, rent, exchange or provide your email address with anyone for the purpose of sending you marketing emails. If you purchase products from us, it is necessary to share your data with certain third parties in order to fulfil the contract; for example postal or courier firms in order to deliver the goods you buy. 

Please note that we rely on two third party ‘processors’ to sell and market our products:  

a: our e-commerce platform is provided by Cratejoy inc., headquartered in Austin, Texas, in the USA. Their privacy policy is located on their homepage - reference b, and their statement on GDPR compliance is web-linked at reference c.  

b: our email marketing platform is MailChimp, provided by The Rocket Science Group LLC d/b/a MailChimp, a State of Georgia limited liability company. Their privacy policy is located on their homepage - reference d, and their statement on GDPR compliance is web-linked at reference e.

We also use two web analytic packages (see below) to analyse anonymous web traffic. We use Google Analytics and Statcounter. Their privacy policies can be found at references f and g respectively.  

Rationale and necessity  

The Spotlight Stationery website is an e-commerce site, and as such needs to maintain customer details and associated information for three specific purposes:

•  To maintain records of customers who purchase products from the website in order that we can send customers the goods that they have ordered to their chosen address.

•  To communicate with customers for queries, clarifications and marketing purposes

•  To maintain statistics on site usage for web site optimisation and improvement in order to grow our business.

Infrastructure

The e-commerce infrastructure we use is provided by the subscription specialist provider Cratejoy. 

Secure credit card transactions and associated customer data are handled by the payment providers Stripe and Paypal. Their privacy statements can be found on their respective websites. Please note that the payment methodology (PCI) used allows transaction data to be sent directly from the customer's browser to the gateway by using the Payment Card Industry Data Security Standard (PCI DSS); this prevents merchants such as ourselves from being exposed to confidential credit card or other financial information.

What data we gather

We may collect the following information:

•  Name, including any unique IDs associated with a customer

•  Contact information including physical and email addresses

•  Website usage data - anonymous user data such as IP addresses, web browser used, date and time, referrer IP sites, etc. 

•  Other information pertaining to special offers and surveys

Personal information

It is important to note that our website will not collect any personally identifiable information about you (e.g., your name, address, telephone number or e-mail address), unless you voluntarily choose to provide it to us (e.g., by registration, or signing up for newsletters or competitions).

By providing us with personal information, you consent to the use of it as set out in this policy. We usually use it to respond to your enquiry, process your order (e.g. posting you your order), or provide you access to specific account information and also, subject to your wishes about receipt of marketing communications, to support our customer relationship with you.

In cases of suspicious activity we may use information provided by you in order to conduct appropriate anti-fraud checks. 

We may store and process personal information to better understand your needs and how we can improve our products and services. We may also use personal information to contact you about any offers that we think you may be interested in or to conduct online surveys to understand better our customers’ needs.

Disclosure

We may disclose personal data so far as reasonably necessary: 

a) if we have reason to believe that it breaches our terms and conditions, or that such steps are necessary to protect us or others, or that a criminal act has been committed, or if there has been a complaint about content posted by you, or if we are required to do so by law or appropriate authority; or 

b) in the case of an actual or proposed (including negotiations for a) sale or merger or business combination involving all or the relevant part of our business. 

If you choose not to have your personal information used to support our customer relationship by receiving marketing communications, we will respect your choice. Moreover, you can choose to opt out of marketing communications at any time by unsubscribing using the option provided.  

We do not store credit card details nor do we share customer details with any third parties except for the purpose of processing orders (e.g. couriers, payment processing) unless you give us permission to do so, or we are obliged or permitted by law to disclose them.

We do not now (and do not intend to) sell, rent or otherwise market your personal information to third parties.

Customers are requested to log in and keep their own personal information, such as name, address, email, billing information etc., up to date.

Technical Methods

Only if you volunteer by registering an account will the e-commerce engine used (Cratejoy) capture customer contact details (email, postal address etc). We and Cratejoy need this information in order to know who and where to send merchandise and to resolve any customer issues. We also use this information to print address labels, and to communicate with customers; e.g. email on queries.

The website also uses JavaScript and cookies to allow the system to operate. Cookies are commonly used by websites to enhance the capability of a website beyond that provided by the standard browser methods (e.g. for shopping carts). Cookies are small text files that are stored on a customer’s computer or mobile device. All the major browsers allow customers to manage the cookie information via their privacy settings. Please note that the e-commerce site can only operate successfully if cookies are enabled.

When you access our website, we may automatically (i.e., not by registration) collect information that is not personally-identifiable (e.g., type of Internet browser and computer operating system used; domain name of the website from which you came; number of visits, average time spent, pages viewed etc). 

Where we store your information

The information that we collect from you is collected and processed by the e-commerce software suite provided by Cratejoy. Please note that their servers are located outside the United Kingdom and are hosted in the USA. We make use of this data to process custom orders; e.g. to create an address label.  

Your name and associated email is processed on our behalf by Mailchimp. Please note that their servers are located outside the United Kingdom and are hosted in the USA. We make use of this data to communicate via newsletters if you have signed up to this service.

Cookies

To sign up to our website requires the transfer of cookies from the e-commerce platform via your browser to your computer device. To learn more about cookies and how they are used, visit the All About Cookies website.

You can use your web browser’s cookie settings to determine how our website uses cookies. If you do not want our website to store cookies on your computer or device, you should set your web browser to refuse cookies or manage them in the browser preferences option. However, please note that cookies allow you to take full advantage of the services we provide including checkout functionality and so we recommend that you leave them turned on. Some pages and services may become unavailable to you, and unless you have changed your browser to refuse cookies, our website will issue cookies when you visit it.

Use of Cookies

Cookie data collected by this website are used to:

•  Process orders from the shopping cart.

•  Administer and enhance the site and service

•  Collect anonymous statistical data to enhance site functionality and performance 

We may use cookies to:

•  Collect anonymous statistical data to enhance site functionality and performance. Analysis of our web traffic using an analytics package helps us improve the website structure, design, content and functions.

•  Identify whether you are signed in to our website.

•  Recognise when you return to our website. We may show you relevant content, or provide functionality you used previously.

Cookies set and associated privacy policies

Visiting our website generates a variety of cookies and JavaScript actions provided by third parties described above. We have linked their policies as per the date of this document.

a: Cratejoy: the e-commerce package - The Cratejoy privacy policy can be found at reference b.

b: Google Analytics statistical package - The Google analytics privacy policy and further details can be found at reference f.

Google Analytics’ terms of use require us to include the wording below in this policy. 

Google Analytics statement: “This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

c: Statcounter statistical package - The Statcounter privacy policy is provided at reference g.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

You may choose to restrict the collection or use of your personal information in the following ways:

•  by cancelling your subscription 

•  by unsubscribing from any marketing emails 

•  by emailing us asking us to confirm that we have removed all records about you. Please note that we are obliged to keep some transactional records for audit or in case of disputes. 

You have the right to request personal data that we hold about you, subject to us reserving the right to withhold such data to the extent permitted by law. As per GDPR guidelines there is no administration fee to do so, but we may also require appropriate evidence of identity. Note that you may be able to rectify certain of your personal data within your account on our service (if applicable). 

If you believe that any information we are holding on you is incorrect or incomplete, please email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.

Subject Access requests

The GDPR regulation requires that we offer a method to allow any customer to request a full statement of any personal data held by us. If any user of our service requires such a statement please use the contacts page on the website with such a request. We will provide a statement within 30 days.

We do not charge for complying with such a request, but we do require proof of identity for such requests in order to prevent providing personal data being fraudulently obtained.

Please note that, in accordance with the GDPR regulation, we may refuse or charge for requests that are manifestly unfounded or excessive. However we tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.

You may also contact Cratejoy and Mailchimp directly to request information stored on their systems. See references c and e.  

Right to be forgotten

The GDPR regulation requires that we offer a “right to be forgotten” service. If any user of our service requires a confirmatory notice that we have removed all references to your personal data from our records, then please use the contacts page on the website with that request. We will provide a confirmatory statement to this effect within 30 days.

Please note that within the regulation there are exemptions; e.g. where there is a legal obligation to retain the data, this may create a condition to be exempted from this right. For example if there is a need to maintain personal data in relation to a payment dispute or for taxation records.

Data Portability

A new GDPR requirement relates to the right to receive structured information on personal data in a manner that allows for portability. 

If a customer does require a listing however, we will provide a structured download of data in a machine readable CSV format. We will provide this within 30 days of any request.

We do not charge for complying with such a request, but we do require proof of identity for such requests in order to prevent providing personal data being fraudulently obtained.

Changes in this Privacy Policy

The GDPR regulation is new and will no doubt be subject to review as organisations gain understanding of these complex issues and interpretations. As a result this policy is likely to change.

Any changes we may make to our privacy policy in the future will be posted on this page, and, where appropriate, notified to you by email.

If we make changes that materially affect our uses or by unintentional disclosures of personally identifiable information that we have previously collected, we will notify you here, by email, or by means of a notice on our home page.

By using the website, you agree to the terms of this Privacy Policy. Whenever you submit information via the websites operated by Spotlight Stationery you consent to the collection, use, and disclosure of that information in accordance with this Privacy Policy.

  

References

a: ICO guidance information on GDPR

b: Cratejoy privacy policy 

c: Cratejoy and GDPR 

d: MailChimp Privacy policy 

e: Mailchimp and GDPR 

f: Google Analytics privacy policy

g: Statcounter privacy policy

h: Xero and GDPR