CONTACT INFORMATION - DATA PROTECTION OFFICER
Emailing us at firstname.lastname@example.org.
Writing to us at The Conran Shop, 55 Marylebone High Street, London, W1U 5HS.
CONTACTING THE REGULATOR
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data including first name, last name, date of birth and gender. On some occasions, this may include your image/photograph or video of you (as described further in this policy);
- Contact Data including billing address, delivery address, email address and telephone number;
- Financial Data including payment card details (which is limited to part of your card number and your card expiry date);
- Transaction Data including details about payments to and from you and other details of products and services you have purchased from us;
- Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website;
- Profile Data including your email address and password, purchases or orders made by you, your interests, preferences, feedback and survey responses. We do not have access to your password details as those are encrypted;
- Usage Data including information about how you use our website, products and services; and
- Marketing and Communications Data including your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity.
DIRECT INTERACTIONS BETWEEN US
We collect personal information that you provide directly to us through filling in forms or communicating with us, including your Identity Data, Contact Data, Profile Data, Financial Data and Marketing and Communications Data. In particular this will occur when you:
- open an account;
- place an order;
- subscribe to our newsletter;
- subscribe to SMS marketing messages;
- enter a competition, take part in promotions (including, but not limited to VIP events in store and online) or complete surveys or reviews (including via Trustpilot);
- visit our stores;
- use our virtual shopping offerings, such as our Hero service;
- engage with us on social media; or
- contact us.
We may incidentally collect additional personal data outside of the categories already listed, if you provide this to us. If you would prefer us not to collect this personal data from you please do not provide us with any such information.
AUTOMATED TECHNOLOGIES OR INTERACTIONS
We may also collect Transaction Data, Technical Data and Usage Data from you automatically when you:
- buy something from us;
- browse our website;
- subscribe to our newsletter or SMS messaging, enter a competition, answer a customer survey or take part in promotions; or
- open or click on our email or SMS communications or any links within the email or SMS.
We do not seek to collect special category data (sometimes known as sensitive information) from you. Sensitive information includes data relating to: race or ethnic origin; sexual orientation; political opinions; religious or other similar beliefs; physical or mental health; and criminal convictions and offences. If you do provide us with your sensitive information, we will only use it for the purposes for which it has been provided.
Where we need to collect your information by law, or under the terms of a contract we have with you, and you do not wish to provide it, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel your order with us, but we will notify you if this is the case at the time.
We only use your personal data when the law allows us to. The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:
- Consent – in specific situations, where you have given us your consent.
- Performance of Contract – where it is necessary for the performance of a contract with you or to take steps at your request before entering into such a contract.
- Comply with a legal obligation – where it is necessary for compliance with a legal obligation that we are subject to.
- Legitimate Interest – meaning our interest in conducting and managing our business to enable us to give you the best service and experience. Whenever we rely on this basis we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data. We do not use your personal data for activities where our interests are outweighed by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Most commonly, we use your personal data in the following circumstances:
TO SET UP YOUR ACCOUNT WITH US. Type of data: Identity, Contact, Profile.
Lawful basis for processing including legitimate interest: Consent given when you register your account.
TO PROCESS AND DELIVER ANY ORDERS THAT YOU MAKE. This also includes managing payments and communicating with you while your order is in process or production. If you make a purchase in store, this may include sending you an electronic receipt by email. We use third party payment providers who will process your card details and provide us with part of your card number and the expiry date.
Type of data: Identity, Contact, Financial, Transaction.
Lawful basis for processing including legitimate interest: Performance of Contract with you. Necessary to comply with a legal obligation.
Type of data: Identity, Contact, Profile, Usage, Marketing and Communications.
TO RESPOND TO YOUR QUERIES, REQUESTS AND COMMENTS. Type of data: Identity, Contact, Profile, Usage.
Lawful basis for processing including legitimate interest: Necessary to comply with a legal obligation. Performance of Contract with you. Legitimate Interest in providing you with the best service.
TO ENABLE YOU TO PARTAKE IN A PROMOTION (including but not limited to VIP events in-store and online) or competition which you have entered.
Type of data: Identity, Contact, Profile, Usage, Marketing and Communications.
Lawful basis for processing including legitimate interest: Consent when you enter the competition.
TO SEND YOU SURVEYS, REVIEWS OR QUESTIONNAIRES. This may include us sharing your name, email address and reference number with Trustpilot for them to send a review invitation to you on our behalf. Trustpilot may share with us your reference number, order ID or similar and any information you share when replying to a message sent by a reviewed business using the Find Reviewer tool.
Type of data: Identity, Contact, Profile, Usage, Technical, Marketing and Communications.
Lawful basis for processing including legitimate interest: Legitimate Interest in studying how customers use our products and services.
Type of data: Identity, Contact, Profile, Marketing and Communications.
Lawful basis for processing including legitimate interest: Necessary to comply with a legal obligation.
TO PROTECT OUR BUSINESS AND YOUR ACCOUNT FROM FRAUD AND OTHER ILLEGAL ACTIVITIES. We do this by using your data to maintain, update and safeguard your account.
Type of data: Identity, Contact, Profile, Technical.
Lawful basis for processing including legitimate interest: Legitimate Interest in running our business, provision of administration and IT services, network security and to prevent fraud. Necessary to comply with a legal obligation.
TO ADMINISTER AND PROTECT OUR BUSINESS AND WEBSITE (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
Type of data: Identity, Contact, Technical.
Lawful basis for processing including legitimate interest: Legitimate Interest in running our business, provision of administration and IT services, network security and to prevent fraud.
TO USE DATA ANALYTICS TO IMPROVE OUR WEBSITE, PRODUCTS/SERVICES, MARKETING, CUSTOMER RELATIONSHIPS AND EXPERIENCES.
Type of data: Usage, Technical.
Lawful basis for processing including legitimate interest: Legitimate Interest to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy.
TO MAKE SUGGESTIONS AND RECOMMENDATIONS TO YOU about goods or services that may be of interest to you on our website.
Type of data: Identity, Contact, Profile, Usage, Technical, Marketing and Communications.
Lawful basis for processing including legitimate interest: Legitimate Interest to develop our products/services and grow our business.
IF YOU PARTICIPATE IN ANY FILMING OR PHOTOGRAPHY, SUCH AS WHERE WE ARE FILMING IN STORE FOR ADVERTISING, then we may use your personal data in any advertising and/or marketing materials or events in all media (including, without limitation, social media). You should be aware that if you tag us or include us in your hashtag on a social media post, we may re-share this content on our own social media channels.
Type of data: Identity, Contact, Financial.
Lawful basis for processing including legitimate interest: Legitimate Interest to promote our products/services/brand and grow our business. Performance of Contract with you. Consent when you sign the relevant waiver/release document.
WE OPERATE CCTV SYSTEMS IN OUR STORES WHICH RECORD IMAGES FOR SECURITY.
Type of data: Identity.
Lawful basis for processing including legitimate interest: Legitimate Interest to protect against crime.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We may send you marketing communications if you have requested information from us or purchased goods from us and you have not opted out of receiving that marketing. We will get your express opt-in consent before we share your personal data with any third party for marketing purposes. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.
You may elect to receive Text Messages from us. When you sign up to receive Text Messages, we will send you information about promotional offers and more. These messages may use information automatically collected based on your actions while on our sites and may prompt messaging such as cart abandon messages. To the extent you voluntarily opt to have Text notifications sent directly to your mobile phone, we receive and store the information you provide, including your telephone number or when you read a Text Message. You may opt out of receiving Text Messages at any time by texting “STOP” to our Text Messages. For more information about Text Messages, see our Terms and Conditions.
We may share your personal data with trusted third parties to help achieve our purposes set out above.
Whenever we share your personal data, however, we will ensure that:
- We will only provide the information they need to perform their specific services.
- They may only use your personal data for the purposes we specify in our contract with them.
- They are required to respect the security of your personal data and to treat it in accordance with the law.
Examples of the kind of third parties we work with are:
- Other companies who are part of The Conran Shop corporate group.
- Service providers, for example IT and system administration services; operational and logistical companies; direct marketing companies; advertising and marketing agencies; payment service providers; delivery companies; review providers; and data insight companies.
- Professional advisers including lawyers, bankers, auditors and insurers.
- Regulators and other authorities who require reporting of processing activities in certain circumstances.
We may also, in very limited circumstances, share information with third parties for their own purposes. For example:
- With your consent, given at the time you supply your personal data, we may pass that data to a third party for their purposes. For example, we from time to time make our postal mailing list available to third parties including Epsilon Abacus, Experian, and iBehaviour, who share information on what customers buy with UK retailers (including us) to help them understand customers’ wider buying patterns.
- We may be required to disclose your personal data to the police or other enforcement, regulatory or Government body upon a valid request to do so.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- The country to which your personal data is transferred has been deemed to provide an adequate level of protection for personal data.
- Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may also retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
Under certain circumstances, you have rights under data protection laws in relation to your personal data to:
- Request a copy of the personal data we hold about you.
- Request correction of the personal data that we hold about you.
If you have an online account with us, you can also update your details under the ‘My Account’ section of our website.
- Request the deletion of your personal data. Note, however, that we may not always be able to comply with this request for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Request a computer file in a common format containing the personal data that you have previously provided to us, and to have that information transferred to you or another entity where this is technically possible.
- Object to the processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in specific circumstances such as when you have withdrawn consent, or object for reasons related to your individual circumstances.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
For direct marketing communications from us, you can also stop these by clicking the ‘unsubscribe’ link at the bottom of any email communication that we send you or, if you have an online account with us, by visiting the ‘My Account’ section and changing your preferences.
If you wish to exercise any of the rights set out above, please contact us by emailing us at email@example.com or by writing to us at: The Conran Shop, 55 Marylebone High Street, London, W1U 5HS, UK.
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If we choose not to action your request, we will explain the reasons for our refusal.