About this policy
This policy was created on 18 June 2018 and is subject to change without prior notice. Use of the site will be subject to the current policy in force. A history of revisions will be noted for reference in case of any queries.
Who we are
Our website address is: https://www.thebeadfairy.co.uk.
We are a small online shop providing goods to registered and unregistered users.
We use several cookies to provide functional operation for the site, for example, store management and maintaining your details as you navigate the site.
We also use some experience cookies to improve the operation of the site. These include keeping your basket and wish-lists after you leave the site, in case you accidentally navigate away from the site.
To improve user experience we also use Google Analytics tracking cookies to monitor how users visit our site. These have been IP anonymised as per EU law and we do not capture any information to provide marketing or advertising data. We do not require explicit consent to enable this as no personally identifiable information is captured; however, you are entitled to opt out of Google Analytics tracking.
You should also check your browser documentation if you want to remove any cookies from any site, or disable cookies altogether.
What personal data we collect and why we collect it
Where you choose to log into our website to save baskets, address details and wish lists, this information is retained in our systems for up to 1 year from your last interaction with us.
For users that register on our website, we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit some information; however we use restricted accounts for general website design so that the designers have no access to user or order information.
We collect user names, passwords, email addresses, billing and shipping addresses to provide our services. This data is held in our systems to enable order processing and updates, as well as a history of previous orders for users to view.
We hold information on all processed orders on this system for up to 1 year from the transaction, after which time the order is stripped of personal data and used just for order history analysis. Some information may be kept longer outside of this system for legal and accounting purposes and is deemed out of scope of the EU data protection regulations.
Parts of your order data may be transmitted to third party payment gateways to provide payment and receipt services.
BASKET / WISHLIST
Baskets and wishlists contain no direct personal information and are linked to the session in use at the time of creation. Where you have registered an account and have logged in, the basket will be linked to the account in use at the time of the logon and will be retained after logout.
Wishlists will be accessible for up to 2 weeks after logout.
We do not store any payment information on our systems. All payments are taken in cash, or using third party systems where we have no access to your account information. Such services have all been verified as compliant with PCI DSS, and GDPR to protect your payment information and personal information. Payment information is transmitted directly from your system to the payment gateway and does not interact with our site at all.
Please note that you are responsible for ensuring your machine is free of malware that may be able to capture this information. We do send details of your order to the payment gateway, including your address, and we receive a confirmation code back for confirmation of payment – this code contains no personal information.
COMMENTS / REVIEWS
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. Comments left on blog pages may continue to contain this information for users who are not logged in – you are asked to consent before leaving a comment. Logged on users leaving comments will be tied to the user account not the IP address.
We also restrict reviews and comments on products to logged on users to ensure that we only capture minimal data.
We may collect and store your contact form information to provide you with feedback to information you send us. We do not use or store this information for any purpose other than providing a reply and this information is never sent to any third party.
We may transmit your email address in plain text for the purposes of communicating with you.
We post blog pages to Facebook. Any comments posted on these blogs will be available on Facebook through links back to the site. We do not capture any Facebook user information and information posted on Facebook is not transmitted back to the site.
We may capture data about your visit and site browsing history to help improve services to you. We use Google Analytics with IP anonymisation to report on how visitors use our site so we can improve services to you. We do not pass details of user IDs or account information through this service.
We capture details about your connection to our site to provide website security. Your IP, Geolocation data and browser details may be stored within the security database if your system is detected as breaching one of our security policies. This data is not shared with any third party.
Who we share your data with
Access to this site is limited to key personnel for administration and order processing. We use security levels to limit access to this data to those functions necessary for that job role.
Where we are obliged to provide information for the purposes of compliance with legal obligations, we will supply any information required where official requests are received, specific to the subject of that obligation.
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Clicking on any embedded content may leave you on our site but will behave as though you had visited the linked site.
Where possible we block or minimise this interaction.
Visitor comments may be checked through an automated spam detection service.
To provide delivery services, some of your contact information may be sent or made available to third party courier services. This will be limited to your address, and in some cases, your contact number – specifically when required to provide the service.
To provide payment services, some of your contact information may be sent or made available to third party systems. This will be limited to the information essential to provide the service and ensure you receive your order.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
Data captured for security will be retained indefinitely to ensure the security of the site.
User account data will be kept for a period of 1 year since your last interaction with us, then be anonymised to provide order analysis history.
Off-site backups are retained for up to 3 months.
Some data may be retained beyond this scope where required to do so for legal or accounting purposes.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Your contact information
Your contact information will be used for the purposes of processing your orders, and for follow up communications relating to a specific order, and for administering your account.
Where you opt in for additional communications, we shall limit communication to just information relevant to your selections, and you may opt out at any point from your account.
HOW WE PROTECT YOUR DATA
All admin access to the site is monitored and we record history of any access and changes to the site. This history is also copied off-site for audit purposes and held in a secure data centre with controlled access.
Administration passwords are periodically reset and all administrative passwords are subject to very high complexity rules. We also send alerts whenever the webmaster accesses the site for audit and security purposes.
Backups are taken regularly and these are stored off-site in an encrypted form in a remote data centre. Access to these is strictly controlled and they are protected by 2 factor authentication independent of the site.
Backup passwords are periodically reset for security and are subject to very high complexity rules and functional limitations.
Access to the master administrator account is controlled and logged in our audit system, and an alert is raised when the account is used, to ensure no unauthorised access is made to the account. Store manager accounts that have access to user data are not known to the administrator, and can only be accessed for testing from a master administrator account.
To protect the site and data we take automatic backups of the database and files.
These are stored off-site in a secure data centre, and are transmitted and stored using AES-256 encryption.
The keys used to transmit the data are changed periodically and at least twice a year.
All passwords and keys used are randomly generated to ensure password strength.
Access to the storage is limited and controlled by 2 factor authentication, and passwords to access the storage are changed periodically and at least twice a year.
Data is retained for up to 3 months depending on the data type then automatically deleted securely.
In the event a restore is needed, a review of the restored data will be carried out to ensure that any data removal requests made prior to the restore are then re-processed where possible. We will aim to send an email notification to any known affected users advising them of the restore and re-send the data deletion verification if the situation requires it.
In all restore cases we will use the most recent available backup suitable to correct the issue to minimise the chance of accidentally restoring user data that should not be present.
Where we detect or receive reports of a potential data breach, we have the following process in place:
- Apply a site-wide lock down of all accounts, with the exception of the key administration account needed.
- Ascertain the nature of the breach from logs, and determine what information may have been compromised.
- Determine whether the nature of the breach may contain data necessary to report the breach to the ICO – such determination will be made within 72 hours of the breach and reported to the ICO as soon as feasibly possible after this point.
- Determine whether the nature of the breach may require notification to any or all registered users and send such notification within 48 hours of the breach. This shall be done in all cases where email addresses or passwords may have been compromised.
- Determine whether the nature of the breach may require notification to law enforcement.
- Reset all administrative level passwords.
- Reset all backup passwords.
- Re-encrypt all data.
- Comply with ICO and law enforcement actions where necessary.
THIRD PARTY DATA
We may use information obtained from our Facebook, Instagram and Shopify accounts to populate data in this site. We do not use any purchased lists and all data must be from users registering interest on our pages, or making a purchase from other channels.
AUTOMATED DATA PROFILING
We do not use any automated processes to profile user data, other than where our security systems detect suspicious behaviour and record / block / limit access automatically.
11 November 2018 – Amended cookie section due to a plugin change
1 November 2018 – Grammatical and typo corrections. Moved security paragraph from personal data to security area
21 September 2018 – Updated wording in line with changes to plugins used on the site to be more specific
29 July 2018 – Amended headings, rearranged some items for logical layout and amended some wording for clarity prior to site launch – Previous wording not retained as pre-launch content.