Last updated 24th May 2018
Overview
This policy outlines how we collect and process your data, who we share it with, and what safeguards we have in place to ensure your privacy is protected. We collect data in a variety of ways: through your use of our website, communications you have with us, work you contract us to do and so on. These interactions all result in data which we use exclusively to provide our services and develop our business.
We strongly value your privacy and take our obligations seriously; we undertake all reasonable measures to ensure that your data is stored safely, and you can rest assured that it will only ever be used for its intended purpose. We are committed to being open and transparent about how we use your personal information, so if you do have any queries about this policy, or how we collect and store data, please don’t hesitate to get in touch with us.
Terms
Personal data, sometimes referred to as personal information, is considered to be any information which can be used to identify an individual.
Studio 48 Internet are defined as the data controller and hold responsibility for the storage and use of your personal data. Studio 48 Internet may also be referred to as “we”, “us” or “our” in this policy document.
You are defined as the owner of your personal data. You may also be referred to as “customer” in this policy document.
Legitimate business process is defined as the circumstance under which we have the right to store and process your data. For example, if you place an order with us, we will store a record of your order on our website, we will print your invoice for inclusion in your order, and we will keep a copy of your order and payment notification for our accounts. These are legitimate business processes as we must carry them out to fulfil your order and meet our accounting obligations.
Data Protection Contact
Name: John O’Nions
E-Mail: john@studio48internet.co.uk
Telephone: 01246 769941
Postal Address: 48 St Johns Road, Staveley, Chesterfield, Derbyshire, S43 3QW
Data We Collect About You
We collect personal data through your use of our website, work you contract us to carry out and communications you may have with us such as quote requests. This is used for a variety of purposes including service fulfilment, development of the business, or marketing where you have given explicit consent.
The data we store on a day-to-day basis includes:
- Identity and communication-based information including your name, address, E-Mail address, and telephone number
- Limited financial data including billing name and address and E-Mail addresses associated with payment services. Note: all payments are made with third-party providers; we do not store or process information such as credit card details
- Invoices and quotes provided
- Transaction details for accounting purposes
- Aggregated analytics data including your rough location, browser, time zone and so on. Note: we anonymise the IP address collected with Google Analytics, meaning that we cannot identify an individual’s browsing session
- Marketing and communications data including your contact details and details of when you opted in
We do not store or process any special category data such as race, ethnic origin, religious beliefs and so on.
Your data is obtained by us when you:
- Visit our website;
- Call, E-Mail or submit an enquiry through the contact form on our website;
- Subscribe to marketing, such as a newsletter;
- Request us to provide a quote;
- Provide us with feedback.
How We Use Your Data
We will only ever use your data for legitimate business interests, or to comply with any legal or regulatory obligations that we may have. Examples of this include:
- Fulfilling work you have contracted us to undertake;
- Contacting you with regards to a project;
- Responding to an enquiry you have placed via phone, E-Mail or contact form;
- Sending you marketing materials which you have explicitly consented to;
- Providing information to legal or regulatory bodies such as HMRC or the ICO to comply with legal obligations.
You own your data, and you have certain rights under GDPR which we have outlined under the ‘Your Legal Rights & Our Responsibilities’ section. These have been enhanced to further your right to privacy and control over your personal data, as well as clarifying our rights to use it under fair processing.
The purposes for which we typically use your data are outlined in the table below:
Activity | Data Stored/Processed | Legitimate basis for processing |
---|---|---|
Account Creation | Name, telephone number, E-Mail and address | Creation of an account for essential services such as web hosting or domain name registration. |
Fulfilling a Contracted Service | Name, telephone number, E-Mail address, address, content which may include personal data depending on the nature of the work, login credentials to other services such as payment gateways or social media | Required for the fulfilment of work which you have contracted us to carry out. |
Business development | Analytics and website usage statistics | Analysis of our website usage to determine how it can be improved to better serve visitors based on their browsing and behaviours. Note: We use aggregated data with anonymised IP addresses for our analysis, but our hosting company’s raw access logs may store your IP address when you visit our website |
Administration | Name, telephone number, E-Mail address, billing and delivery address, E-Mail associated with payment services such as PayPal | Creation of estimates and invoices, debt-recovery, fulfilment of legal and accounting purposes |
Marketing | Name and E-Mail address | Newsletters and/or promotional materials sent to subscribers who have given explicit consent to receive marketing communications from us |
Security of Data
We have a range of mechanisms in place to safeguard your data and ensure that your privacy is maintained.
Strong passwords are required for all services used within the business which store or are used to process your data, including our website, E-Mail accounts and backup facilities. Any machines or devices used to access any of these services are password protected and are stored in a secure location when not in use. All PCs used within the business have up-to-date antivirus software and are regularly checked for malware to ensure they remain secure.
Secure backup services are used routinely to ensure that your data remains protected and to safeguard against loss or accidental deletion.
Where personal data exists in paper form, it is either stored in a secure location should it be required for accounting purposes, or securely shredded once it is no longer required. Payments are made directly or via third-party gateways; we do not handle your payment details.
Data Breaches
We take every precaution to keep your data safe, but in the unlikely event of a data breach or loss of data, we will inform you as soon as it has been identified, or as soon as is practicable. In addition, we may also inform regulatory bodies of the data breach, as well as legal professionals or insurers as required to protect the business.
Data Retention
Your personal data is stored only for as long as is required to fulfil its intended purpose. The length of time will vary depending on the nature of the data stored, and the purpose for which it was collected. Typical examples from our day-to-day business include:
- Project details will be retained for the purposes of fulfilment; we will also retain records of contracted work undertaken for accounting purposes
- Contact details for marketing will be kept until such time you opt-out of receiving communication
- Financial records/transaction details will be kept for six years after the end of the relevant financial year, in line with HMRC reporting requirements
You have the right to request the deletion of your personal data; please see the section titled ‘Your Legal Rights & Our Responsibilities’ for more information about the data you can request to be deleted and how you would go about doing so.
Consent & Contract
We have a legal basis for processing your data if it is for the purposes of fulfilling a contract between us and you. For example, if you ask us to build you a website or transfer your hosting account, then we may use your data for the purposes of completing that work. Likewise, if you get in touch with us to request a quote, then we can use the data you have provided to us for the purposes of providing that quote.
Other uses of your data, such as for marketing purposes, require your explicit consent; you will not receive any marketing or promotional material from us unless you have granted us explicit consent. If consent has been provided, you are free to withdraw it at any point. All marketing E-Mails that you receive from us will contain a clear ‘Unsubscribe’ link which will remove you from our mailing list immediately, or you can get in touch with us directly to request your removal from any mailing lists.
Cookies
We use cookies on our website for the purposes of tracking website usage using Google Analytics. These are used solely for the development of the business through analysis of how visitors are interacting with our site and identifying how we can improve our website based on their usage. As we have opted to anonymise the IP address stored, no personally identifiable information is stored.
You can disable cookies through your web browser; however, we would not recommend doing this, as many sites rely on cookies to function without invading your privacy.
If you have accepted cookies but later change your mind, you can clear the stored cookies through your browser settings and preferences.
International Data Transfers
We may share your personal data with selected third parties as outlined below, purely for business purposes and service provision. In some cases, this data is transferred outside of the European Economic Area (EEA) – however, we ensure that your data remains subject to the same high level of protection afforded here by only using trusted services which provide their own rigorous data protection policies.
Your Legal Rights & Our Responsibilities
The GDPR identifies key aspects of how you can access and control the personal data that companies such as us store and use. Specifically, you can:
- Make a data subject access request to know what data we store about you
- Request that we amend incorrect data stored about you
- Request that we delete your personal data*
- Make an objection to us processing your data, requiring us to cease the use of your data*
- Request the transfer of data which we store about you to a nominated third-party
- Withdraw or amend the consent you have given us previously for us to use your personal data at any time
If you make a data subject access request, we will aim to respond within one month of receiving the request in writing. In unusual circumstances, or if the data requested proves difficult to collate or obtain, this time may be extended. We will advise you if this is the case. We may also require further information from you to identify the data that you are requesting, and to verify that the data subject access request is genuine.
There is usually no fee for a data subject access request. However, we may opt to exercise our right to charge a reasonable fee if your request is unfounded, repetitive or excessive. In these circumstances, we may instead exercise our right to refuse to comply with your request.
* If you request us to delete or cease processing your personal data, please note that there are circumstances under which we may not be able to comply with your request. Specific examples may include, but are not limited to, the cancellation and deletion of an order where production has been started, or the deletion of financial transaction records which we are required by law to retain for six years by HMRC.
Third Parties
In some circumstances, we may share your data with third parties. These may include:
- External IT service providers we use for conducting day-to-day business
- Professionals including solicitors, book-keepers, accountants or insurers for the seeking of legal advice, finance and accounting purposes or claim handling
- Regulatory bodies such as HM Revenue & Customs or the ICO to meet our legal reporting obligations
We regularly share data with the following:
Service Provider | Service | Data Processed & Purpose | Safeguards in Place |
---|---|---|---|
Google | Website Analytics | Visitor information including browser, country of origin, pages visited, duration of visit and so on may be tracked via Google Analytics. This may be used for business development purposes to improve our website to meet identified needs of visitors. | Strong passwords are required to access any Google Accounts. Individuals’ data is not identifiable, as the IP address attributed to browsing sessions is anonymised. |
Dropbox | Cloud Storage & Backup | Customer-provided content, copies of website files/databases for backup, archive or transfer purposes, order information. | Access is limited to only those who require it for the purposes of fulfilling orders or the day-to-day running of the business such as accounting. Data is only synced to machines which are password-protected and stored in secure locations. |
PayPal | Payment Processing, Accounting | Customer details including name, address, E-Mail address and details of an order for the process of taking payment. | Access to PayPal is strictly limited to the owners and feeds to our accounting software. Payments are handled through PayPal; at no point do we have contact with credit card information for PayPal payments. |
Bookkeeper and Accountant | Accounting | Customer details including name, address, E-Mail address, payment method and order details for accounting purposes. | Documents are shared via Dropbox or handed over in person. All data is stored in a secure location which is inaccessible to the public. Data which is no longer required by law is permanently deleted or shredded. |
HMRC | Accounting | Customer details including name, address, E-Mail address, payment method and order details for auditing or investigative purposes. | Personnel data is stored with HMRC for the purposes of running payroll. Customer data is not routinely shared with HMRC; however, in the event of an investigation or court order, we may be obliged to provide full access to our accounts, which include sales data. |
MailChimp | Contact Management & Marketing | Client contact details including name and E-Mail are stored, alongside other details which may include where they signed up from and a consent statement where express consent was granted to send E-Mail communication. Aggregated data may also be stored alongside E-Mail campaign data for business development purposes, such as seeing the proportion of E-Mails opened or the number of clicks on a link within an E-Mail. | Access is limited to only those who need it for the day-to-day running of the business. E-Mail communication is only sent to users who have provided explicit consent for us to contact them. |
Siteground Ltd & Smart Hosting | E-Mail & Hosting | We have hosting accounts and E-Mail hosted with these service providers. Consequently, data submitted via the websites, online enquiries and E-Mails is stored on our secure hosting accounts. | Access to our hosting accounts is protected with a strong password, and strictly limited to the owners. Backups are stored by Siteground and Smart Hosting, and in secure remote locations, to protect against deletion or loss of data. |