This Privacy Notice explains the types of personal data that The Cotton Bunting Company (referred to as "we", "our" or "us" in the Notice) may collect about you when you interact with us. It also explains how we store and handle that data.
This Privacy Notice was last updated on 24th October 2019 and it is likely that we will need to update it from time to time.
2. The legal bases we rely on
There are different reasons for which a company may collect and process your personal data, including:
Sometimes we will need your personal data to comply with our contractual obligations. For example, if you order from us we will need your delivery address and contact details to deliver your purchase, answer any queries, and provide information to our courier or Royal Mail.
If the law requires us to, we may need to collect and process your data. For example, we can pass on details of fraud to law enforcement.
In certain situations, we need your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business. For example, we will use your data to reduce the chance of us incurring losses through credit card fraud, and to invite you to give feedback so we can improve our service.
3. When we collect your personal data
- When you place an order.
- When you register for an account.
- When you contact us with queries or complaints.
- When you visit our website or engage with us on social media.
- When you comment on, or review, our products and services via our Feedback Management Company (currently Feefo).
4. What sort of personal data we collect
- Your name, gender, billing address, email address, telephone number, recipient & delivery details (if different), computer IP address, and details of your orders (both completed and partially-completed).
- Details of your interactions with us online or by telephone. For example, we may make notes of our conversations with you, and keep details of any complaints or comments you make, and details of orders you make.
- Details of your visits to our website, items added to your basket, promotional offer codes you use, and which site you came from to ours.
- Payment method used, payment details, and card information if you use one.
- Your comments and product reviews.
- Technical information about your internet browser, for example the country where your computer is, the pages you visit on our website, the advertisements you clicked on, and any search terms you entered.
- Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.
5. How and why we use your personal data
- To process any orders that you make, and to comply with our legal obligations. For example, your details may need to be passed to a third party such as a courier or Royal Mail to deliver the product that you ordered (who may in turn contact you by email, telephone or SMS with delivery updates), and we will need to keep your details for a reasonable period afterwards in order to fulfil any contractual, legal, or regulatory obligations we may have.
- To respond to your queries, refund requests and complaints. Handling the information you sent enables us to respond. We may also keep a record of these communications. We do this on the basis of our contractual obligations to you, our legal obligations and our legitimate interests in providing you with good service and improving our service in future.
- To process payments and to prevent fraudulent transactions. We do this on the basis of our legitimate interests in reducing the risk of credit/debit card fraud. This also helps to protect our customers from fraud.
- If you are an existing customer (who has ordered from us before), we'll use your data to send you communications by email about similar products that we sell (for example new designs) including special offers. We'll do this on the basis of our legitimate interests in updating customers with information on our latest products. You are free to opt out of receiving our direct marketing emails either when you order or at any time (see next section 'How you can stop the use of your personal data for email direct marketing').
- To send you communications required by law or which are necessary to comply with our legal obligations. These service messages will not include any promotional content.
- To display the most interesting content to you on our website, we'll use data. We do so on the basis of your consent for our website to place cookies on your device. For example, we might display a list of items you've recently looked at, or offer you recommendations.
- If you have started to buy one of our products, but have not completed the purchase, you may have provided partial information, such as your email. In that case, we might send you an email to remind you that your order remains incomplete. If you are not comfortable in receiving further emails of this kind, we will give you a simple opportunity to opt-out.
- To comply with our contractual or legal obligations to share data with law enforcement. For example, when a court order is submitted to share data with law enforcement agencies or a court of law.
- To send you feedback requests to help improve our services. These messages will not include any promotional content and do not require prior consent when sent by email or text message. We have legitimate interests to do so as this helps make our products or services more relevant to you.
- Sometimes, we'll need to share your details with a third party who is providing a service such as delivery couriers or an order fulfilment company. We do so to fulfil our contract or agreement with you. Without sharing your personal data, we'd be unable to fulfil your order.
6. How you can stop the use of your personal data for email direct marketing
There are several ways you can stop direct marketing emails from us:
- Click the 'unsubscribe' link in any email communication that we send you.
- Email us at: firstname.lastname@example.org
- Write to us at Customer Services, The Cotton Bunting Company, Unit 2, House 2, Lynderswood Farm, Lynderswood Lane, Braintree CM77 8JT
- Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.
7. How we protect your personal data
- We treat your data with the utmost care and take all appropriate steps to protect it.
- We secure access to all areas of our website using 'https' technology.
- Our order processing computer systems are password-protected and the data held by them is secured by encryption.
- Any paper records we keep are stored in key-controlled areas accessible only to authorised members of staff who require such access.
- We monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.
8. How long we keep your personal data
- Whenever we collect or process your personal data, we'll only keep it for as long as is necessary for the purpose for which it was collected. At the end of the retention period, your data will be deleted.
- When you place an order, we keep the personal data you give us for seven years so we can comply with our legal and contractual obligations such as VAT accounting.
- We keep data that you give us when you make general enquiries for 12 months following the final interaction from you so we can re-open the enquiry if you need us to.
9. Who we share your personal data with
For example, delivery couriers, payment service providers, order fulfilment companies, fraud management organisations, feedback management companies, email marketing agencies and so on.
We only share your personal data with trusted third parties, and only provide them with the information necessary to perform their specific services.
Examples of the kind of third parties we work with are:
- Operational organisations such as order fulfilment companies, and delivery couriers such as APC.
- Payment service providers who manage the secure processing of your payment when you pay by card, such as Braintree and PayPal.
- Companies who support our website and other business systems. For example fraud prevention organisations such as DataCash, and feedback management companies such as Feefo.
- E-commerce companies who help us run our website and who manage our email communications with you, such as BigCommerce.
- We do not share your data with any other organisation for their own marketing purposes.
- For fraud management, we may share information about fraudulent or potentially fraudulent activity, including data about individuals, with law enforcement bodies.
We may be required to disclose your personal data to the police or other enforcement, regulatory or Government body, if told to do so.
We may, in the future, sell or merge The Cotton Bunting Company and this may involve the transfer of part of or the whole business to new owners. If this happens, your personal data may be transferred to the new owner or controlling party.
10. Where your personal data may be processed
We use an external provider, BigCommerce, to run our website. BigCommerce is based in the US and is a participant in the EU-US Privacy Shield Framework and committed to providing best-in-class service and data protection. You can check its participation in the Privacy Shield on the official site of The International Trade Administration (ITA), U.S. Department of Commerce.
Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA). For example, if you place an order for delivery outside of the EEA (e.g. to Australia) this would be required in order to deliver the order.
Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.
11. Your rights over your personal data
You have the right to request:
A copy of any information about you that we hold, usually free of charge, and also to have that information corrected if it is inaccurate. To ask for your information, please contact our Customer Services team.
That we stop using your personal data for email direct marketing.
If we choose not to action your request we will explain to you the reasons for our refusal.
In cases where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop for reasons connected to your individual situation. We will do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
To protect the confidentiality of your information, we will need you to verify your identity to our full satisfaction before proceeding with any request you make under this Privacy Notice.
12. Contacting the Regulator
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner's Office. You can contact them by calling 0303 123 1113 or by going online to the ICO's website.