About this policy
This policy was created on 18 June 2018 and is subject to change without prior notice. Use of the site will be subject to the current policy in force. A history of revisions will be noted for reference in case of any queries.
Who we are
Our website address is: https://www.thebeadfairy.co.uk/
We are a small online shop providing goods to registered users.
We use several cookies to provide functional operation for the site, for example, store management and maintaining your details as you navigate the site. We also use some experience cookies to improve the operation of the site. These include keeping your basket and wish-lists after you leave the site, in case you accidentally navigate away from the site.
To improve user experience we also use Google Analytics tracking cookies to monitor how users visit our site, so we can improve services to users. These have been IP anonymised as per EU law and we do not capture any information to provide marketing or advertising data. We do not require explicit consent to enable this as no personally identifiable information is captured, however you can choose to disable this from the Cookie options if you prefer.
You should also check your browser documentation if you want to remove any cookies from any site, or disable cookies altogether.
This report shows a list of the cookies we have registered for use.
You can change your cookie preferences using the link below.
CHANGE COOKIE CONSENT
You can also delete all active cookies on this site using the link below – note that any essential cookies will be recreated, and your cookie consent will be reset.
DELETE ACTIVE COOKIES
What personal data we collect and why we collect it
Where you choose to log into our website to save baskets, address details and wish lists, this information is retained in our systems for up to 1 year from your last interaction with us.
For users that register on our website, we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit some information; however we use restricted accounts for general website design so that the designers have no access to user or order information.
We collect user names, passwords, email addresses, billing and shipping addresses to provide our services. This data is held in our systems to enable order processing and updates, as well as a history of previous orders for users to view.
We hold information on all processed orders on this system for up to 1 year from the transaction, after which time the order is stripped of personal data and used just for order history analysis. Some information may be kept longer outside of this system for legal and accounting purposes and is deemed out of scope of the EU data protection regulations.
Parts of your order data may be transmitted to third party payment gateways to provide payment and receipt services.
Baskets contain no direct personal information and are linked to the session in use at the time of creation. Where you have registered an account and have logged in, the basket will be linked to the account in use at the time of the logon and will be retained after logout for 14 days.
We do not store any payment information on our systems. All payments are taken in cash, or using third party systems where we have no access to your account information. Such services have all been verified as compliant with PCI DSS and GDPR to protect your payment information and personal information. Payment information is transmitted directly from your system to the payment gateway and does not interact with our site at all.
Please note that you are responsible for ensuring your machine is free of malware that may be able to capture this information. We do send details of your order to the payment gateway, including your address, and we receive a confirmation code back for confirmation of payment – this code contains no personal information.
COMMENTS / REVIEWS
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. Comments left on blog pages may continue to contain this information for users who are not logged in – you are asked to consent before leaving a comment. Logged on users leaving comments will be tied to the user account not the IP address.
We also restrict reviews and comments on products to logged on users to ensure that we only capture minimal data.
We may collect and store your contact form information to provide you with feedback to information you send us. This information is not used or stored for any purpose other than providing a reply and this information is never sent to any third party.
Your email address may be transmitted in plain text for the purposes of communicating with you.
POSTING TO FACEBOOK
We post blog pages to Facebook. Any comments posted on these blogs will be available on Facebook through links back to the site. We do not capture any Facebook user information and information posted on Facebook is not transmitted back to the site.
Facebook’s data policy can be found at https://www.facebook.com/policy.php
We capture details about your connection to our site to provide website security. Your IP, Geolocation data and browser details may be stored within the security database if your system is detected as breaching one of our security policies. This data is not shared with any third party except those parties directly administering the website.
We also monitor your progress through the site to assist with tracking fake users and bots.
Your IP and email address will be captured and sent to third party services for provision of account and site security and are not retained for verified users.
Who we share your data with
Access to this site is limited to key personnel for administration and order processing. We use security levels to limit access to this data to those functions necessary for that job role.
Where we are obliged to provide information for the purposes of compliance with legal obligations, we will supply any information required where official requests are received, specific to the subject of that obligation.
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Clicking on any embedded content may leave you on our site but will behave as though you had visited the linked site.
Where possible we block or minimise this interaction.
FORMS, COMMENTS AND REVIEWS
Where you choose to share a post or product via the provided sharing links, your IP address and/or browser details may be shared with that third party. This will be subject to their privacy policies and security. By sharing our content, you are explicitly consenting to this information being transmitted. We do not log these interactions.
To provide delivery services, some of your contact information may be sent or made available to third party courier services. This will be limited to your address, and in some cases, your contact number – specifically when required to provide the service.
Royal Mail® Privacy notice can be found at https://www.royalmail.com/privacy-notice
To provide payment services, some of your contact information may be sent or made available to third party systems. This will be limited to the information essential to provide the service and ensure you receive your order.
PayPal® Privacy notice can be found at https://www.paypal.com/en/webapps/mpp/ua/privacy-full
The site is protected by several security mechanisms, including Wordfence. This may log your IP address and visited pages for security purposes.
Emails are transmitted through a third party service to allow secure end to end transmission. Your IP address may also be recorded in some situations.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
Data captured for security will be retained indefinitely to ensure the security of the site.
User account data will be kept for a period of 1 year since your last interaction with us, then be anonymised to provide order analysis history.
Off-site backups are retained for up to 12 months. These are encrypted but may contain personal data that formed part of the logs of the site at the time of the backup.
Some data may be retained beyond this scope where required to do so for legal or accounting purposes.
Email data will be retained for at least 6 months – where transaction queries are raised these may be retained for a longer period.
Data held with third parties will usually be limited to up to 3 months depending on the type of processing. These third parties have been listed along with their privacy statements. All third parties used are believed to comply with UK GDPR rules.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
You can use the Data Protection link from within the My Account section to make requests for data and data deletion. We will collect your email address for this purpose so we can track any information linked to that email on other systems used as part of the processing of data by this site. This is collected separately only for this purpose and is removed from the system after any data deletion request, otherwise it is retained to record your data access request only.
If you find any inaccurate data held about you, you have the right to request amendment. In most cases data can be changed through the My Account section; however if any data is not editable (for example, third party systems in use that have not been updated to match the site), you can use the Data Protection section to request changes to your held information.
Your contact information
Your contact information will be used for the purposes of processing your orders, and for follow up communications relating to a specific order, and for administering your account.
Where you opt in for additional communications, we shall limit communication to just information relevant to your selections, and you may opt out at any point from your account.
Where you send us information by form or personal email, we shall retain this information and use it to respond solely to the enquiry and any follow up correspondence, unless the form specifically confirms you are opting in to future correspondence and you have explicitly agreed to this.
HOW WE PROTECT YOUR DATA
All admin access to the site is monitored and we record history of any access and changes to the site. This history is also copied off-site for audit purposes and held in a secure data centre with controlled access.
Administration passwords are periodically reset and all administrative passwords are subject to very high complexity rules. We also send alerts whenever the webmaster accesses the site for audit and security purposes.
Backups are taken regularly and these are stored off-site in an encrypted form in a remote data centre. Access to these is strictly controlled and they are protected by 2 factor authentication independent of the site.
Backup passwords are periodically reset for security and are subject to very high complexity rules and functional limitations. Data is encrypted during transmission and at rest.
Access to the master administrator account is controlled and logged in our audit system, and an alert is raised whenever the account is used, to ensure no unauthorised access is made to the account. Store manager accounts that have access to user data are not known to the administrator, and can only be accessed for testing from a master administrator account.
We monitor the site for unauthorised changes and access, and perform regular scans for unexpected behaviour.
We enforce stronger passwords on user accounts and ensure password length and complexity meet minimum requirements on both registration and password changes. We also allow users to enable Two Factor Authentication to further secure their accounts – this is also enforced on all administrators of the site. We also display the password age, 2FA status and last logon on the My Account page for quick reference to the account security status.
To protect the site and data we take automatic backups of the database and files. Database backups are encrypted on the server prior to being sent off-site to protect user data.
Backups of files and data are stored on a secure server with controlled access. Backups are deleted from the website automatically after transmission.
Access to the storage is limited and controlled by 2 factor authentication, and passwords to access the storage are changed periodically and at least twice a year.
Data is retained for up to 12 months depending on the data type, then automatically deleted securely.
In the event there is a restore needed, a review of the restored data will be carried out to ensure that any data removal requests made prior to the restore are then re-processed where possible.
In all restore cases we will use the most recent available backup suitable to correct the issue to minimise the chance of accidentally restoring user data that should not be present.
Where we detect or receive reports of a potential data breach, we have the following process in place:
- Apply a site-wide lock down of all accounts, with the exception of the key administration account needed.
- Ascertain the nature of the breach from logs, and determine what information may have been compromised.
- Determine whether the nature of the breach may contain data necessary to report the breach to the ICO – such determination will be made within 72 hours of the breach and reported to the ICO as soon as feasibly possible after this point.
- Determine whether the nature of the breach may require notification to any or all registered users and send such notification within 48 hours of the breach. This shall be done in all cases where email addresses or passwords may have been compromised.
- Determine whether the nature of the breach may require notification to law enforcement.
- Reset all administrative level passwords.
- Reset all backup passwords.
- Re-encrypt all data.
- Comply with ICO and law enforcement actions where necessary.
THIRD PARTY DATA
We may use information obtained from our Facebook, Instagram and Shopify accounts to populate data in this site. We do not use any purchased lists and all data must be from users registering interest on our pages, or making a purchase from other channels.
AUTOMATED DATA PROFILING
We do not use any automated processes to profile user data, other than where our security systems detect suspicious behaviour and record / block / limit access automatically.
21 August 2019 – Added security section to data sharing due to plugin changes affecting operations. Added extra note about email retention. Added Account Security section due to added 2FA security, password complexity rules and new security notice on the My Account page. Added note about email correspondence under Your Contact Information.
29 June 2019 – Amended backup and cookie section due to changes to plugins affecting options, plus differences in the backup process on a new hosted server.
27 May 2019 – Amended data access section due to plugin change affecting options available
29 January 2019 – Amended cookie section to clarify cookie purge and that some cookies are stored for operational necessity. Some sentence amendments to improve reading ease.
26 January 2019 – Amended Google tracking section due to a plugin change
11 November 2018 – Amended cookie section due to a plugin change
1 November 2018 – Grammatical and typo corrections. Moved security paragraph from personal data to security area
21 September 2018 – Updated wording in line with changes to plugins used on the site to be more specific
29 July 2018 – Amended headings, rearranged some items for logical layout and amended some wording for clarity prior to site launch – Previous wording not retained as pre-launch content.