About this policy
Created 18 June 2018 and is subject to change without prior notice. Use of the site will be subject to the current policy in force. A history of revisions will be noted for reference in case of any queries.
Who we are
Our website address is: http://www.thebeadfairy.co.uk.
We are a small online shop providing goods to registered and unregistered users.
We use several cookies to provide functional operation for the site, for example, store management and maintaining your details as you navigate the site.
We also use some experience cookies to improve the operation of the site. These include keeping your basket and wish-lists after you leave the site, in case you accidentally navigate away from the site.
To improve user experience we also use Google Analytics tracking cookies to monitor how users visit our site. These have been IP anonymised as per EU law and we do not capture any information to provide marketing or advertising data. We do not require explicit consent to enable this as no personally identifiable information is captured, however you are entitled to opt out of this tracking by clicking here to opt-out of Google Analytics
You should also check your browser documentation if you want to remove any cookies from any site, or disable cookies altogether.
This is a list of cookies that we may store for site operation. This is not a list of active cookies.
|Admin Site Session||session||Browsing Session||Holds a record of the current security session on the site for a user logged into the content system|
|Basket Count||Session||Browsing Session||Holds a record of number of items in the basket|
|Browser Session||session||Browsing Session||Holds the current session identifier|
|Contact Form||session||Browsing Session||Holds a security record for the contact forms|
|Cookie Consent Policy||persistent||1 year||Holds a record if you accepted the cookie consent policy|
|Google Analytics||third party||Browsing Session||Monitors how you use the site to improve services. Anonymised data only.|
|Logged In User||persistent||12 hours||Security to identify if you are logged into the site|
|Product Page||session||Browsing Session||Holds a record for browsing long product pages|
|Recently Viewed Products||persistent||1 day||Holds recently viewed product references|
|Session Security||Session||Browsing Session||Holds a session identifier|
|Test Cookie||session||Browsing Session||Test cookie to verify cookies are enabled and working|
|User Basket||session||Browsing Session||Holds a link to products stored in current basket|
|User Basket Session||persistent||2 days||Holds a session record for the current basket|
|Wishlist||persistent||2 days||Holds a link to a stored wishlist|
What personal data we collect and why we collect it
Where you choose to log into our website to save baskets, address details and wishlists, this information is retained in our systems for up to 1 year from your last interaction with us.
For users that register on our website, we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit some information; however most information is encrypted to prevent your details being gathered directly from the administration portal.
Access to decrypt information is strictly controlled and the codes required for this are stored in a secure password vault separate from the site, with 2 factor authentication protection. Decryption will only be carried out for the purposes of emergency administration to the data and not for general data collection.
We collect user names, passwords, email addresses, billing and shipping addresses to provide our services. This data is held encrypted in our systems.
We hold information on all processed orders on this system for up to 1 year from the transaction, after which time the order is stripped of personal data and used just for order history analysis. Some information may be kept longer outside of this system for legal and accounting purposes and is deemed out of scope of the EU data protection regulations.
Parts of your order data may be transmitted to third party payment gateways to provide payment and receipt services.
BASKET / WISHLIST
Baskets and wishlists contain no direct personal information and are linked to the session in use at the time of creation. Where you have registered an account and have logged in, the basket will be linked to the account in use at the time of the logon and will be retained after logout.
Wishlists will be accessible for up to 2 weeks after logout.
We do not store any payment information on our systems. All payments are taken in cash, or using third party systems where we have no access to your account information. Such services have all been verified as compliant with PCI DSS, and GDPR to protect your payment information and personal information. Payment information is transmitted directly from your system to the payment gateway and does not interact with our site at all.
Please note that you are responsible for ensuring your machine is free of malware that may be able to capture this information. We do send details of your order to the payment gateway, including your address, and we receive a confirmation code back for confirmation of payment – this code contains no personal information.
COMMENTS / REVIEWS
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
We may collect and store your contact form information to provide you with feedback to information you send us. We do not use or store this information for any purpose other than providing a reply and this information is never sent to any third party.
Your data is stored encrypted in the system. We may transmit your email address in plain text for the purposes of communicating with you.
We post blog pages to Facebook. Any comments posted on these blogs will be available on Facebook through links back to the site. We do not capture any Facebook user information nor do we publish anything other than blog posts.
We may capture data about your visit and site browsing history to help improve services to you. We use Google Analytics with IP anonymisation to report on how visitors use our site so we can improve services to you. We do not pass details of user IDs or account information through this service.
We capture details about your connection to our site to provide website security. Your IP, Geolocation data and browser details may be stored within the security database if your system is detected as breaching one of our security policies. This data is not shared with any third party.
Who we share your data with
Access to this site is limited to key personnel for administration and order processing. We use security levels to limit access to this data to those functions necessary for that job role.
Where we are obliged to provide information for the purposes of compliance with legal obligations, we will supply any information required where official requests are received, specific to the subject of that obligation.
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Clicking on any embedded content may leave you on our site but will behave as though you had visited the linked site.
Where possible we block or minimise this interaction.
Visitor comments may be checked through an automated spam detection service.
To provide delivery services, some of your contact information may be sent or made available to third party courier services. This will be limited to your address, and in some cases, your contact number – specifically when required to provide the service.
To provide payment services, some of your contact information may be sent or made available to third party systems. This will be limited to the information essential to provide the service and ensure you receive your order.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
Data captured for security will be retained indefinitely to ensure the security of the site.
User account data will be kept for a period of 1 year since your last interaction with us, then be anonymised to provide order analysis history.
Backups are retained for up to 2 months
Some data may be retained beyond this scope where required to do so for legal or accounting purposes.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Your contact information
Your contact information will be used for the purposes of processing your orders, and for follow up communications relating to a specific order, and for administering your account.
Where you opt in for additional communications, we shall limit communication to just information relevant to your selections, and you may opt out at any point from your account.
HOW WE PROTECT YOUR DATA
We encrypt all user account and order information on this site. Parts of the data may be decrypted to provide administrative access to previous orders when deemed essential; access to decrypt data is strictly controlled and the decryption process is secured by 2 factor authentication independent of the site.
All admin access to the site is monitored and we record history of any access and changes to the site. This history is also copied off-site for audit purposes and held in a secure data centre with controlled access.
Administration passwords are periodically reset and all administrative passwords are subject to very high complexity rules. We also send alerts whenever the webmaster accesses the site for audit and security purposes.
Backups are taken regularly and these are stored off-site in an encrypted form in a remote data centre. Access to these are strictly controlled and these are protected by 2 factor authentication independent of the site.
Backup passwords are periodically reset for security and are subject to very high complexity rules and functional limitations.
To protect the site and data we take automatic backups of the database and files.
These are stored off-site in a secure data centre, and are transmitted and stored using AES-256 encryption.
The keys used to transmit the data are changed periodically and at least twice a year.
Access to the storage is limited and controlled by 2 factor authentication, and passwords to access the storage are changed periodically and at least twice a year.
All passwords and keys used are randomly generated to ensure password strength.
Data is retained for up to 2 months depending on the data type then automatically deleted securely.
In the event there is a restore needed, a review of the restored data will be carried out to ensure that any data removal requests made prior to the restore are then re-processed where possible. We will aim to send an email notification to any known affected users advising them of the restore and re-send the data deletion verification.
In all restore cases we will use the most recent available backup suitable to correct the issue to minimise the chance of accidentally restoring user data that should not be present.
Where we detect or receive reports of a potential data breach, we have the following process in place:
- Apply a site-wide lock down of all accounts, with the exception of the key administration account needed
- Ascertain the nature of the breach from logs, and determine what information may have been compromised.
- Determine whether the nature of the breach may contain data necessary to report the breach to the ICO – such determination will be made within 72 hours of the breach and reported to the ICO as soon as feasibly possible after this point.
- Determine whether the nature of the breach may require notification to any or all registered users and send such notification within 48 hours of the breach. This shall be done in all cases where email addresses or passwords may have been compromised.
- Determine whether the nature of the breach may require notification to law enforcement
- Reset all administrative level passwords
- Reset all backup passwords.
- Re-encrypt all data
- Comply with ICO and Law enforcement actions where necessary
THIRD PARTY DATA
We may use information obtained from our Facebook, Instagram and Shopify accounts to populate data in this site. We do not use any purchased lists and all data must be from users registering interest on our pages, or making a purchase from other channels.
AUTOMATED DATA PROFILING
We do not use any automated processes to profile user data, other than where our security systems detect suspicious behaviour and record / block / limit access automatically.
29 July 2018 – Amended headings, rearranged some items for logical layout and amended some wording for clarity prior to site launch – Previous wording not retained as pre-launch content.