What does this Privacy Notice cover?
This Privacy Notice describes how ANNE'S DAY LTD ("we", "us", "Daye") will make use of your personal data when you use and interact with our website at www.your-daye.myshopify.com and our other online channels ("Site"). We are the data controller for the purposes of UK and European data protection laws.
It also describes your data protection rights, including a right to object to some of the processing which we carry out and where we rely on consent, a right to withdraw your consent. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
We may also provide you with additional information when we collect personal data where we feel it would be helpful to provide relevant and timely information.
What personal data do we collect?
We collect and process personal data about you when you interact with us and our Sites, and when you order something from us (for example, a sample product) or join our subscription service. This includes:
- your name and contact information (including email address and phone number);
- username and password;
- the sample you’ve requested, products you've ordered, or the subscription package you've chosen (if you've opted for a subscription, we will have information about your menstrual cycle such as the frequency of your period and your preferred products);
- your payment and delivery details, including billing and delivery addresses, transaction history and credit card details;
- any communications that we have with you (for example, your interactions with customer services or information you provide to us about your lifestyle, health or periods through a survey or when you visit our social media pages, blogs or forums); and
- your marketing preferences, including any consents you have given us.
We also automatically collect the following information when you visit our Sites:
- technical information, including your device’s IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system, unique device identifiers and advertising identifiers; and
- information about your visit, including the URL clickstream to, through and from our Sites (including date and time); products you viewed or searched for, the content (and any ads) that you view or interact with, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
Some of this personal data is collected using cookies and related technologies, and often provided by third party providers such as Google Analytics. To learn more, please see our Cookies Notice.
We do not knowingly collect personal data from children under the age of 13.
How do we use this personal data, and what is the legal basis for this use?
We process this personal data for the following purposes:
- To fulfil a contract, or take steps linked to a contract: this is relevant where you request a sample, purchase products from us, sign up to our subscription service, or enter a competition we run. In particular we will:
- As required by us to conduct our business and pursue our legitimate interests, in particular we will:
- Where you give us consent, we will:
- For purposes which are required by law. Where required we will:
- respond to requests by government or law enforcement authorities (for example, where they are conducting an investigation); and
- investigate issues of product liability.
Relying on our legitimate interests
We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests, which we have described above. You can obtain information on any of our balancing tests by contacting us using the details set out later in this notice.
Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your personal data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below. Please note that this will not stop you from receiving service messages (i.e. non-marketing communications, such as e-mail updates on your order status or notifications about your account activities) from us.
Who will we share this personal data with, where and when?
We will share your personal data with:
- authorised supply, delivery and fulfilment companies to process and complete your subscription;
- banks and our payment services provider (Shopify Payments) for the purpose of processing transactions and checking for payment card fraud;
- legal advisors, accountants, auditors and other professional advisors;
- third parties, where we have your permission to do so (e.g. social network providers). Your personal data will become subject to the privacy policies of those third parties when your personal data is shared with them;
- government authorities, court, regulatory authority and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and
- third party service providers, who will process it on our behalf for the purposes identified above. In particular, we use third party technology and platform providers for website development, hosting and maintenance, website live chat support, surveys and consumer research purposes, payment processing and fraud checking, and email service delivery.
We also share information with third parties including advertising, social media and search engine partners: We aggregate your personal data with the information of other customers, creating a dataset of information about the usage of our Sites, purchase of our products and services, and other general, grouped information about our customers. Although this dataset is aggregated and anonymised, meaning it cannot directly identify you as an individual, it provides a valuable insight into the use of our Sites and we will share it with select third parties.
[We also transfer personal data about you to ad technology providers and our social media and search engine partners (including Facebook, Google, Twitter and Instagram) so that they may recognize your devices and deliver interest based content and advertisements. The information can include your name, postal address, email, device ID, or other identifier in encrypted form. The providers often process the information in hashed or de-identified form. These providers can collect additional information from you, such as your IP address and information about your browser or operating system; combine information about you with information from other companies in data sharing cooperatives in which we participate; and may place or recognize their own unique cookie on your browser. The third parties that generate these cookies have their own privacy policies and we have no access to read or write these cookies. For more information about how to opt out of targeted advertising, please see our Cookies Notice.]
In the event that the business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business.
We transfer personal data outside the UK and the European Economic Area (‘EEA’) where necessary for the purposes explained in this Privacy Notice. For example, our website is hosted and developed in [insert non-EEA country] and our cloud services provider is located in [insert non-EEA country].
Where personal data is transferred outside the UK or EEA (as applicable), and where this is to an organization in a country that is not subject to an adequacy decision by the EU Commission or adequacy determined in another valid method under applicable data protection legislation, personal data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or Binding Corporate Rules. A copy of the relevant mechanism can be provided for your review on request to email@example.com.
We are committed to ensuring that your personal data is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the personal data we collect online. We use ‘https’ technology to secure access to all areas of our Site. Access to your data is password-protected, and sensitive data such as payment card information is held securely by our 3rd party payment providers, and tokenized to ensure it is protected. We ensure that our systems are regularly monitored for possible vulnerabilities and attacks.
Links to Other Websites
Our Sites may contain links to other websites of interest. However, once you have used these links to leave our Sites, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy notice. You should exercise caution and look at the privacy statement applicable to the website in question.
What rights do I have?
In addition to rights to withdraw your consent or object to direct marketing (as outlined above), you have the right to ask us for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format, and to ask us to share (port) this data to another controller.
In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete personal data which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in both the GDPR and in the Data Protection Act 2018 (or any subsequent legislation). We will inform you of relevant exemptions we rely upon when responding to any request you make.
To exercise any of these rights, or to obtain other information, such as a copy of a legitimate interests balancing test, you can get in touch with us using the details set out below. [You can also deactivate your account and request that we delete your personal data through the account management portal]. If you have unresolved concerns, you have the right to complain to the Information Commissioner’s Office in the UK or any EU data protection authority where you live, work or where you believe a breach may have occurred.
In order to provide you with a sample, products which you've purchased, or our subscription service, you must provide us with your name, address, email address, user name and password, and billing details. If this information is not provided, then we cannot provide the subscription service. All other provision of your information is optional. A failure to provide this information may mean that other functionalities and services, such as our product recommendations, are not available.
How long will you retain my personal data?
We’ll only keep and process your personal data for as long as is necessary for the purpose for which we collected it in the first place.
How do I get in touch with you?
We hope that we can satisfy queries you may have about the way we process your personal data. If you have any concerns about how we process your personal data, or would like to opt out of direct marketing, you can get in touch at firstname.lastname@example.org or by writing to Daye, c/o . 4-5 Bonhill St, Shoreditch, London EC2A 4BX, UK