This Privacy Notice explains the types of personal data we may collect about you when you interact with us. It also explains how we store and handle that data and keep it safe.
1. Who we are and what we do
Lucy Willow is a retailer of exclusive hand-made furniture and beautiful accessories that adorn many of the finest homes in Britain. We can be contacted at Lucy Willow Ltd, Top Floor, Heskin Barns, Heskin farmers Market & Craft Centre, Wood Lane, Chorley, Lancashire, PR7 5PA or on 0845 8030988.
2. The first point of contact for data protection
If you have any concerns or queries about our data protection procedures, please contact Jason Thomas on 0845 8030988, or email@example.com.
3. Why we process data
We want your experience with us to be a happy and smooth process from the moment you click to browse our website to the knock on your door to deliver your order. As such, we do require the following personal details from you to help us; your name, address (both delivery and email), payment details and telephone number. Please be assured that we do not pass these details to anyone else outside of our company and that your security is taken very seriously at Lucy Willow.
If you are one of our retail or service providers, then we process your data and finance details as part of our ongoing working relationship.
4. Legal bases for processing your data including any explanation of legitimate interests
The law on data protection sets out a number of different reasons for which a company may collect and process your personal data. Some of these reasons, set out below, are the bases we have for processing your personal data:
In specific situations, we can collect and process your data with your consent. For example, when you opt in to receive exclusive email offers.
When collecting your personal data, we always make it clear to you which data is necessary in connection with a particular service.
In certain circumstances, we need your personal data to comply with our contractual obligations.
We need to collect and retain your contact details, so we can, for example:
- Deliver our service,
- Supply you with goods or;
- To enter into contract with you to supply us with goods or services
If the law requires us to, we may need to collect and process your data.
For example, we are obliged to retain certain information for HMRC tax and accounting purposes or to comply with other legislative provisions.
In particular circumstances, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.
For example, we retain customer and supplier information for six years beyond the contract period, in order to maintain a good working relationship with these individuals.
If you are a customer or supplier we may also use your address details to send you direct marketing information by post or email, telling you about our latest products and promotions that we think might interest you, based on our previous dealings.
5. When we collect data
This could be an enquiry, subscription to our mailing list, or when you place an order. When you order via our website, your name, addresses and phone number are collected to enable us to deliver your order to your address or reply to your email enquiry.
Phone or email
If you make an enquiry or order over the phone or by email, we will use the details you give us to process your payment and confirm your order. These details will be your name, addresses, phone number and payment details.
This data is only seen by the company; we do not pass it on to anyone else.
6. What data we collect
- Contact information including: name, address, phone number and email address
- When you place an order on our website, you can choose to either input your bank details, or pay via Sage Pay or PayPal.
- When you place an order over the phone or by email, we will process your payment using Sage Pay.
- New online customers will be asked to create a password when you register with us.
7. How we use your personal data
- We process data to enable us to process customer orders and deliver these to the correct addresses
- Your bank details will only be used when placing an order
- We hold your telephone number and addresses so that we can contact you via phone, post or email regarding the products and promotions that we think you might be interested in, based on our dealings with you
8. How long we keep your personal data
Whenever we collect or process your personal data, we only keep it for as long as is necessary for the purpose for which it was collected.
At the end of that retention period, your data will be deleted completely. Some examples of our data retention periods:
Purchases and Services
When you place an order, we keep the personal data you give us for 6 years so that we can retain a good relationship with you should you need any further products or services, or have any future queries.
If your order included a warranty, the associated personal data will be kept until the end of the warranty period.
We also need to comply with our legal contractual obligations and therefore we need to retain certain transactional information from the order for 7 years to satisfy accounting rules.
For individuals who are supplying us with products or services we retain your personal information for a period of 6 years so that we can, if necessary, contact you again and continue our business relationship with you.
9. HOW WE KEEP YOUR DATA SAFE
We are aware of the need to maintain the correct and highest-level security when processing your personal information. We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way.
We take the following steps to maintain the security of your personal information:
- We keep all your information in systems that are secure
- Access to customer information is limited to those who need access for the performance of their job.
- We use full login and password controls on our sales control system
- All employees are required to sign a confidentiality clause as part of their terms of employment with the company
- Confidentiality and database access controls are reviewed periodically and updated as required in order to further protect your personal data.
- We maintain firewalls and anti-virus software
- Any data which is accessed off site or on a mobile device is kept locked when not in use and never left unattended
Any documentation retained in paper form or kept in our offices is locked away in filing cabinets, and the premises is monitored with an intruder alarm.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
10. Who we share your data with
We sometimes share your personal data with trusted third parties which act only on our instruction (known as “data processors”).
Data processors might be, for example, 3rd party accounting apps or subcontractors or delivery drivers or those companies who store data for us:
Where we share information with these companies or individuals we make sure that they also keep your data secure and that they also protect your rights. To this end, we make sure that:
- We provide only the information they need to perform their specific services.
- They may only use your data for the exact purposes we specify in our contract with them or where their terms and conditions of processing contain the correct data processor clauses under GDPR
- If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
We sometimes also share your data with third parties for their own purposes (“joint controllers”) e.g. HMRC, accountants, legal advisors.
We will only do this in very specific circumstances, for example:
- With your consent
- Where we have a data sharing agreement in place with the other party
- Where we are obliged to share the information for legal reasons
11. Where your data is processed
We do not transfer data outside of the EEA.
From time to time we may pass personal data such as your name and email address to other services that we use to send out communications (both electronic and print).
However, your personal data will remain in the EU or countries considered by the EU to have equivalent policies such as Jersey, Guernsey, Switzerland, New Zealand and Canada. Companies based in the USA that have certified with the EU-US Privacy Shield programme are also considered to be permitted destinations by the EU (this includes popular US products like Gmail, DropBox and MailChimp).
12. Your rights and who to contact
You have the following rights, which you can exercise free of charge:
The right to be provided with a copy of your personal data
The right to require us to correct any mistakes in your personal data
To be forgotten
The right to require us to delete your personal data, in certain situations
Restriction of processing
The right to require us to restrict processing of your personal data, in certain circumstances e.g. if you contest the accuracy of the data
The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party, in certain situations
The right to object:
at any time to your personal data being processed for direct marketing (including profiling);
in certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests.
Not to be subject to automated individual decision-making
The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you
If you would like to exercise any of those rights, please contact Jason Thomas on 0845 8030988, or firstname.lastname@example.org.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent. You can do this by contacting email@example.com.
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.
We will then stop processing your information unless we believe we have a legitimate overriding reason to continue processing.
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We will always comply with your request. To ask us to stop direct marketing please email us at firstname.lastname@example.org.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.
For us to check your identity, please:
- Let us have enough information to identify you (e.g. your full name, address and customer/supplier number or order number, if applicable);
- Let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
- Let us know what right you want to exercise and the information to which your request relates.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act on your behalf.
If we choose not to action your request, we will explain to you the reasons for our refusal.
Your right to contact the ICO
We would hope that you will always raise any issues with us first, and that we will be able to resolve them to your satisfaction. However, if this isn’t possible then you always have a right to complain directly to the Information Commissioner’s Office (ICO) If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data.
You can contact them by calling 0303 123 1113 (local rate) or go online to www.ico.org.uk/concerns (this opens in a new window; please note we can't be responsible for the content of external websites).
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
You also have the right to take to seek a judicial remedy.
Updates to this privacy notice
From time to time we will make changes to this Privacy Notice, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally. You should check our website periodically to view the most up-to-date Privacy Notice. This privacy notice was last updated on 25 May 2018.