About this policy
Who we are
Our website address is: https://www.thebeadfairy.co.uk/
We are a small online shop providing goods to registered users.
We use several cookies to provide functional operation for the site, for example, store management and maintaining your details as you navigate the site. We also use some experience cookies to improve the operation of the site. These include keeping your basket and wish-lists after you leave the site, in case you accidentally navigate away from the site.
To improve user experience we also use Google Analytics tracking cookies to monitor how users visit our site, so we can improve services to users. These have been IP anonymised as per EU law and we do not capture any information to provide marketing or advertising data.
Please see our separate Cookie Audit page for details on the cookies used on this site.
What personal data we collect and why we collect it
Where you choose to log into our website to save baskets, address details and wish lists, this information is retained in our systems for up to 1 year from your last interaction with us.
For users that register on our website, we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit some information; however we use restricted accounts for general website design so that the designers have no access to user or order information.
We collect user names, passwords, email addresses, billing and shipping addresses to provide our services. This data is held in our systems to enable order processing and updates, as well as a history of previous orders for users to view.
We hold information on all processed orders on this system for up to 1 year from the transaction, after which time the order is stripped of personal data and used just for order history analysis. Some information may be kept longer outside of this system for legal and accounting purposes and is deemed out of scope of the EU data protection regulations.
Parts of your order data may be transmitted to third party payment gateways to provide payment and receipt services.
Your IP address is captured when placing an order for the purposes of fraud prevention and is tied directly to the order data, not the user data. This information is removed during anonymisation.
Baskets contain no direct personal information and are linked to the session in use at the time of creation. Where you have registered an account and have logged in, the basket will be linked to the account in use at the time of the logon and will be retained after logout for 14 days.
We do not store any payment information on our systems. All payments are taken in cash, or using third party systems where we have no access to your account information. Such services have all been verified as compliant with PCI DSS, UK Data protection, and GDPR to protect your payment information and personal information. Payment information is transmitted directly from your system to the payment gateway and does not interact with our site at all.
Please note that you are responsible for ensuring your machine is free of malware that may be able to capture this information. We do send details of your order to the payment gateway, including your address, and we receive a confirmation code back for confirmation of payment – this code contains no personal information.
COMMENTS / REVIEWS
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. Comments left on blog pages may continue to contain this information for users who are not logged in – you are asked to consent before leaving a comment. Comments from logged-on users are tied to the user account, not the IP address.
We also restrict reviews and comments on products to logged on users to ensure that we only capture minimal data.
We may collect and store your contact form information in order to respond to the information you send us. This information is not used or stored for any purpose other than providing a reply, and it is never sent to any third party.
Your email address may be transmitted in plain text for the purposes of communicating with you.
POSTING TO FACEBOOK
We post blog pages to Facebook. Any comments posted on these blogs will be available on Facebook through links back to the site. We do not capture any Facebook user information and information posted on Facebook is not transmitted back to the site.
Facebook’s data policy can be found at https://www.facebook.com/policy.php
We use Google Analytics with IP anonymisation to report on how visitors use our site so we can improve services to you. Details of user IDs or account information are not passed through this service.
We capture details about your connection to our site to provide website security. Your IP, Geolocation data and browser details may be stored within the security database if your system is detected as breaching one of our security policies. This data is not shared with any third party except those parties directly administering the website.
We also monitor your progress through the site to assist with tracking fake users and bots.
Your IP and email address will be captured and sent to third party services for provision of account and site security and are not retained for verified users. Users breaching security policies will be subject to a longer retention period (up to 3 months) to allow analysis. This data is not used for any purpose other than administering site security.
All data processed by this site, through any plugins, custom content or via any third party solution is reviewed and believed to be covered by UK data protection requirements as a minimum. Any such system found to be non-compliant will be changed within 30 days of learning of such non-compliance.
Who we share your data with
Access to this site is limited to key personnel for administration and order processing. We use security levels to limit access to this data to those functions necessary for that job role.
Where we are obliged to provide information for the purposes of compliance with legal obligations, we will supply any information required where official requests are received, specific to the subject of that obligation.
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Clicking on any embedded content may leave you on our site but will behave as though you had visited the linked site.
Where possible we block or minimise this interaction.
FORMS, COMMENTS AND REVIEWS
Where you choose to share a post or product via the provided sharing links, your IP address and/or browser details may be shared with that third party. This will be subject to their privacy policies and security. By sharing our content, you are explicitly consenting to this information being transmitted. We do not log these interactions.
To provide delivery services, some of your contact information may be sent or made available to third party courier services. This will be limited to your address, and in some cases, your contact number – specifically when required to provide the service.
Royal Mail® Privacy notice can be found at https://www.royalmail.com/privacy-notice
To provide payment services, some of your contact information may be sent or made available to third party systems. This will be limited to the information essential to provide the service and ensure you receive your order.
Paypal® Privacy notice can be found at https://www.paypal.com/en/webapps/mpp/ua/privacy-full
We use a third party POS system for periodic use when at shows. Customer data, order data and product data is sent securely to the remote POS via a third party bridge. This product is secured with logon password and local PIN access. Data is synchronised at launch so data deletions are preserved.
The site is protected by several security mechanisms, including Wordfence. This may log your IP address and visited pages for security purposes.
Emails are transmitted through a third party service to allow secure end to end transmission. Your IP address may also be recorded in some situations.
Your IP address and site interaction may be captured in several server level security logs for audit and security analysis. This information is only accessible to key staff and is only accessed in the event of a security issue.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
Data captured for security may be retained indefinitely to ensure the security of the site. However, many of the security logs are automatically anonymised or rotated periodically to reduce storage.
User account data will be kept for a period of 1 year from your last interaction with us, then anonymised to provide order analysis history.
Off-site backups are retained for up to 12 months. These are encrypted but may contain personal data that formed part of the logs of the site at the time of the backup, or copies of the database from a point in time.
Some data may be retained beyond this scope where required to do so for legal or accounting purposes.
Email data will be retained for at least 6 months – where transaction queries are raised these may be retained for a longer period.
Data held with third parties will usually be retained for up to 3 months, depending on the type of processing. These third parties have been listed along with their privacy statements. All third parties used are believed to comply with UK GDPR rules.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
You can use the Data Protection link from within the My Account section to make requests for data and data deletion. We will collect your email address for this purpose so we can track any information linked to that email on other systems used as part of the processing of data by this site. This is collected separately only for this purpose and is removed from the system after any data deletion request, otherwise it is retained to record your data access request only.
If you find any inaccurate data held about you, you have the right to request amendment. In most cases data can be changed through the My Account section; however if any data is not editable (for example, third party systems in use that have not been updated to match the site), you can use the Contact Us page to request changes to your held information.
Your contact information
Your contact information will be used for the purposes of processing your orders, and for follow up communications relating to a specific order, and for administering your account.
Where you opt in for additional communications, we shall limit communication to just information relevant to your selections, and you may opt out at any point from your account.
Where you send us information by form or personal email, we shall retain this information and use it to respond solely to the enquiry and any follow up correspondence, unless the form specifically confirms you are opting in to future correspondence and you have explicitly agreed to this.
HOW WE PROTECT YOUR DATA
All admin access to the site is monitored and we record history of any access and changes to the site. This history is also copied off-site for audit purposes and held in a secure data centre with controlled access.
Administration passwords are periodically reset and all administrative passwords are subject to very high complexity rules. We also send alerts whenever the webmaster accesses the site for audit and security purposes.
Backups are taken regularly and are stored off-site in an encrypted form in a remote data centre. Access to these is strictly controlled and protected by 2 factor authentication independent of the site.
Backup passwords are periodically reset for security and are subject to very high complexity rules and functional limitations. Data is encrypted during transmission and at rest.
Access to the master administrator account is controlled and logged in our audit system, and an alert is raised whenever the account is used, to ensure no unauthorised access is made to the account. All lower level accounts are restricted based on functionality and we operate a least permission model to limit access.
All users with access to site administration level functions are required to use 2FA on their accounts. Users with content editing and customer level access have optional 2FA protection.
We monitor the site for unauthorised changes and access, and perform regular scans for unexpected behaviour. Software is checked and updated regularly and software used is reviewed periodically for update frequency, age and function. Real-time scans are carried out for user interactions to monitor for attempts to bypass security.
We enforce stronger passwords on user accounts and ensure password length and complexity meet minimum requirements on both registration and password changes. We also allow users to enable Two Factor Authentication to further secure their accounts – this is also enforced on all administrators of the site. We also display the password age, 2FA status and last logon on the My Account page for quick reference to the account security status.
To protect the site and data we take automatic backups of the database and files. Database backups are encrypted on the server prior to being sent off-site to protect user data.
Backups of files and data are stored on a secure server with controlled access. Backups are deleted from the website automatically after transmission.
Access to the storage is limited and controlled by 2 factor authentication, and passwords to access the storage are changed periodically and at least twice a year.
Data is retained for up to 12 months depending on the data type, then automatically deleted securely. In the event there is a restore needed, a review of the restored data will be carried out to ensure that any data removal requests made prior to the restore are then re-processed where possible.
In all restore cases we will use the most recent available backup suitable to correct the issue to minimise the chance of accidentally restoring user data that should not be present.
The site is hosted in the Amazon Web Services infrastructure, using a securely configured machine image. Additional security hardening is applied as regular audits determine. Access to the server is limited to specific accounts and protected by 2 factor authentication and encrypted security keys.
User data on the server (including logs that may contain information about database transactions) is stored encrypted at rest, and this encryption is maintained through backup and restore processes.
A staging server is used to test updates and verify security changes. Access to this server is not public and automated processes remove customer data during launch of the server each time.
Where we detect or receive reports of a potential data breach, we have the following process in place:
- Apply a site-wide lock down of all accounts, with the exception of the key administration account required.
- Ascertain the nature of the breach from logs, and determine what information may have been compromised.
- Determine whether the nature of the breach may contain data necessary to report the breach to the ICO – such determination will be made within 72 hours of the breach and reported to the ICO as soon as feasibly possible after this point.
- Determine whether the nature of the breach may require notification to any or all registered users and send such notification within 48 hours of the breach. This shall be done in all cases where email addresses or passwords may have been compromised.
- Determine whether the nature of the breach may require notification to law enforcement.
- Reset all administrative level passwords.
- Reset all backup passwords.
- Reset user level passwords / 2FA settings where necessary.
- Re-encrypt all data.
- Comply with ICO and law enforcement actions where necessary.
THIRD PARTY DATA
We may use information obtained from our Facebook, Instagram and Shopify accounts to populate data in this site. We do not use any purchased lists and all data must be from users registering interest on our pages, or making a purchase from other channels.
AUTOMATED DATA PROFILING
We do not use any automated processes to profile user data, other than where our security systems detect suspicious behaviour and record / block / limit access automatically.
22 June 2020 – Updated details about IP capture during order and details on POS system due to plugin changes and updates. Added new Server Security section in line with new guidelines and processes. Extended one paragraph into new Site Security section. Added user password reset to Data Breach section as it had been omitted. Updated wording to reflect changes to data retention, and added extra clarification to protected data areas. The underlying policy is unchanged but this document has been amended for better visibility of actions that were previously omitted.
21 August 2019 – Added security section to data sharing due to plugin changes affecting operations. Added extra note about email retention. Added Account Security section due to added 2FA security, password complexity rules and new security notice on the My Account page. Added note about email correspondence under Your Contact Information.
29 June 2019 – Amended backup and cookie section due to changes to plugins affecting options, plus differences in the backup process on a new hosted server.
27 May 2019 – Amended data access section due to plugin change affecting options available.
29 January 2019 – Amended cookie section to clarify cookie purge and that some cookies are stored for operational necessity. Some sentence amendments to improve reading ease.
26 January 2019 – Amended Google tracking section due to a plugin change.
11 November 2018 – Amended cookie section due to a plugin change.
1 November 2018 – Grammatical and typo corrections. Moved security paragraph from personal data to security area.
21 September 2018 – Updated wording in line with changes to plugins used on the site to be more specific.
29 July 2018 – Amended headings, rearranged some items for logical layout and amended some wording for clarity prior to site launch – Previous wording not retained as pre-launch content.