At Second Nature Soaps, we are committed to maintaining the trust and confidence of our visitors to our website. This policy aims to outline how we collect and process your data, through communications you have with us. In this policy we provide information on when and why we collect your personal data, how we use it, the limited conditions under which we may disclose it to third parties and how we undertake all reasonable measures to ensure that your data is stored safely, processed fairly and only used for its intended purpose.
Collection and Use of Personal Information
Personal data is defined as any information that may be used to identify you, such as your name, title, phone number, email address or delivery address. In general, you can browse our website without giving us any personal information. We use several products to analyse traffic to this website in order to improve our visitors’ experience.
Second Nature Soaps is defined as the data controller and holds responsibility for the storage and use of your personal data.
You are defined as the owner of your personal data. You may also be referred to as the ‘client’ in this policy document.
The legitimate business process is defined as the circumstance under which we have the right to store and process your data. For example, to receive our monthly newsletter, enter some of our competitions or to make a purchase on our site we will need to add you to our computer system in order to undertake your request.
Data Protection Contact
Name: Juliette Badger
Telephone: 01279 777682
Postal Address: Second Nature Soaps, 1 Pelham Grove, Stocking Pelham, Nr Buntingford, Herts, SG9 0HZ
We collect personal data through your use of our website when providing you with a service and through communications you may have with us. This information may be used for a variety of purposes including the fulfilment of an order, our monthly newsletter, or to let you know about a new product or a special offer on items that you have previously purchased.
Data which we store include:
- Your title, name, postal address, delivery address, email address and telephone number.
- Limited financial data including billing name and address and email addresses associated with payment services. Payments are made using third-party providers; we do not store or process information from credit cards/visa debit cards.
- Transaction details i.e. copy of your invoice for accounting purposes
- Analytics data including your IP address so that we can continue to improve your customer experience to this website.
- Marketing and communications data including contact details and opt-in/opt-out preferences
Children and Privacy
We do not knowingly collect any children’s data on our website as our products are aimed at adults. Any person registering on our site is required to be 13 years or over OR have obtained permission from their parent or guardian.
Your data is obtained by us when you:
- Visit our website
- Email or submit an enquiry through the contact form on our website
- Subscribe to our newsletter
- Provide us with feedback
How We Use Your Data
We will only use your data for legitimate business interests, or to comply with legal or regulatory obligations. This may include, but is not limited to:
- Where you have contracted us to undertake a purchase on our website
- Where you have contacted us in response to an enquiry via phone/email/contact form or via marketing.
- Where we are required by law to provide information to legal or regulatory bodies such as HMRC or the ICO.
You have certain rights under GDPR which we have outlined under ‘Your Legal Rights and Our Responsibilities’ that further your rights to privacy and control over your personal data, as well as our rights to fair processing.
The purposes for which we typically use your data are outlined below:
|Activity||Data Stored/Processed||Legitimate Basis For Processing|
|Register you as a client||Identity and contact details||Creation of accounts within our financial project management and storage cloud systems for the purposes of undertaking work you have contracted us to undertake.|
|Client relationship management||Identity and contact details, marketing and communication preferences||Notifying you of policy changes, providing targeted information based on products you have previously purchased.|
|Business Development||Analytics and website usage statistics||Analysis of our website usage to determine how it can be improved to better-serve visitors based on their browsing and behaviours. Note: we do not use personally identifiable information when using analytics data; we only use aggregate data – for example, the % of visitors that view a given page or the average length of time spent on our website.|
|Administration||Identity and contact details, financial/transactional details||For the process of invoices and the fulfilment of legal and accounting obligations.|
|Marketing||Identity and contact details||Newsletter and promotional offers sent to customers that have subscribed to receive our marketing communication and for those customers who have purchased similar products from our site.|
Security of Data
We have numerous methods in place to safeguard your data and ensure that your privacy is maintained. Secure passwords are required for all services used to store and process your data, with any machines or devices used to access these stored in secure locations when not in use. Staff and third-party contractors have access to personal data only for the provision of services which you have agreed to. Backup services are used routinely to ensure that your data remains protected and safeguarded against loss or accidental deletion.
In the unlikely event of a data breach or loss of data, we will inform you as soon as it has been identified or as is practicable. In addition, we may also inform regulatory bodies of the data breach, as well as legal professionals or insurers as required in order to protect the business.
Your personal data is stored only for as long as is required to fulfil its intended purpose. The length of time will vary depending on the nature of the data stored, and the purpose for which it was collected. Typical examples from our day-to-day business include:
|Fulfilling future orders||Face to face orders – data is not retained by us. Payment processing is carried out by a third party processor. Telephone orders – information is temporarily retained by us but then immediately destroyed on completion of the transaction. Online orders – data is not retained by us. Payment processing is carried out by a third party processor. (Please refer to Third Party’s within this policy document for more detailed information). |
Your data will only be retained for a set period of time in accordance with GDPR regulations.
|Dealing with customer queries/enquiries i.e. email messages/contact form||In some cases, consent will be implied – for example in the case you contact us requesting a quote for work, we will assume by your submission that you consent to us contacting you with regards to that quote. Likewise, once you have entered into a contract with us, we will assume that you are happy for us to be in touch with you regularly regarding the project. Your data communication is deleted from our computer systems on completion of the specific task but transactional data will be kept for six years in line with HMRC reporting requirements.|
|Financial records/transaction details||Details will be kept for six years in line with HMRC reporting requirements.|
You can disable cookies through your web browser; however please note that some aspects of the website may not function, or may function incorrectly as a result of doing this.
If you have accepted cookies but later change your mind, you can clear the stored cookies through your browser settings and preferences.
International Data Transfers
We may share your personal data with selected third parties as outlined below purely for business purposes and service provision. Our preference is UK/EU-based providers but in some cases, this data may be transferred outside of the European Economic Area (EEA). However, we ensure that your data remains subject to the same high level of protection afforded here by only using trusted services which provide their own rigorous data protection policies.
Your Legal Rights & Our Responsibilities
You own your data, and you have the right to know how we use it and with whom we share it. Specifically, you can:
- Make a data subject access request in which we will send you a copy of the data we store about you
- Request that data that we store about you is corrected should we hold incorrect or outdated information on file
- Request that you are ‘forgotten’, requiring us to delete personal information that we store about you
- Object to the processing of your personal data, requiring us to cease the use of your data
- Request the transfer of data which we store about you to a nominated third party
- Withdraw or amend the consent you have given us previously for us to use your personal data at any time
If a data subject access request is made, then we will attempt to respond to it in a timely manner, usually within one month of receiving the request in writing. In unusual circumstances, or if the data requested proves difficult to obtain, this time may be extended. We will advise you if this is the case. We may also require further information from you to identify the data that you are requesting and to verify that the request is genuine.
There is usually no fee for a data subject access request. However, we may exercise our right to charge a reasonable fee if your request is unfounded, repetitive or excessive. In these circumstances, we may alternatively exercise our right to refuse to comply with your request.
In the event that you request us to delete or cease processing your personal data, please note that there are circumstances under which we may not be able to comply with your request. Specific examples may include, but are not limited to, the deletion of financial transaction records which we are required by law to retain for six years by HMRC.
In some circumstances, we may share your data with third parties. These may include:
- External IT service providers we use for conducting day-to-day business
- Professionals including solicitors, book-keepers, accountants or insurers for the seeking of legal advice, finance and accounting purposes or claim handling
- Regulatory bodies such as HM Revenue & Customs or the ICO to meet our legal reporting obligations
We regularly share data with the following:
|Dropbox||Cloud storage and backup||Client-provided content shared materials for collaborative use on projects and backups of website files/databases for backup, archive or transfer purposes.||Access is limited to the data controller at Second Nature Soaps or on occasions to a developer when supplying training to the data controller for the purpose of completing a specific project. Data is only synced to machines which are password-protected and stored in secure locations.|
|Cloud-based storage, Website Analytics & E-Mail|| |
Client-provided content, names and project details may be stored within documents for internal-use-only from time to time for the purposes of completing projects and project management.
Visitor information including IP address, browser, country of origin, pages visited, duration of visit and so on may be tracked via Google Analytics. This may be used for business development purposes to improve our website to meet identified needs of visitors.
Contact details, client-provided content, project details, passwords/access credentials may be present in E-Mails between clients and between members of the organisation and third-party contractors for the purposes of completing projects.
|A single Second Nature Soaps Google Account is used to manage all services used. Access is limited strictly to those who need to know. Information stored is limited only to what is required to carry out contracted work.|
Strong passwords are required for the accessing of any Google Accounts. These are changed on a regular basis and in any circumstance where a staff member or contractor may cease to work for/with Second Nature Soaps.
E-Mails containing particularly sensitive information – such as access credentials or business/organisation-critical information – are deleted once the purpose of receiving this information has been fulfilled.
|HSA Accountants Ltd|
|MailChimp||Contact management and marketing||Client contact details including name and E-Mail are stored, alongside other details which may include where they signed up from and a consent statement where express consent was granted to send E-Mail communication.|
Aggregated data may also be stored alongside E-Mail campaign data for business development purposes, such as seeing the proportion of E-Mails opened or the number of clicks on a link within an E-Mail.
|Access is limited to the data controller at Second Nature Soaps or on occasions to a developer when supplying training to the data controller for the purpose of completing a specific project. Data is only synced to machines which are password-protected and stored in secure locations.|
|Out It Goes|