“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (“Personal Data”). “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law. “Recipient” means a natural or legal person, public authority, agency, or another body, to which the Personal Data are disclosed, whether a Third Party or not. However, public authorities that may receive Personal Data in the framework of a particular inquiry in accordance with the laws of the European Union or any of its Member States shall not be regarded as recipients. The Processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the Processing. “Third Party” means a natural or legal person, public authority, agency, or body other than the Data Subject, Controller, processor and persons who, under the direct authority of the Controller or processor, are authorised to process Personal Data. “Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. “Genetic Data” means Personal Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. “Data Concerning Health” means Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. “Binding Corporate Rules” means Personal Data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of Personal Data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
GDPR PRINCIPLES FOR PROCESSING PERSONAL DATA
Take a Leaf complies with the principles of the General Data Protection Regulation (GDPR). The six overall guiding principles are:
- Lawfulness, transparency, and fairness: Take a Leaf only processes Personal Data in a way that is reasonably expected and we are open about our data protection practices
- Purpose Limitation: Take a Leaf normally only processes Personal Data for the specific purpose we collected it and no other purpose
- Data Minimisation: Take a Leaf doesn’t process any more data than we need to
- Accuracy: Take a Leaf ensures that any Personal Data that we hold is adequate and accurate
- Storage limitation: Take a Leaf does not store Personal Data for longer that we need to
- Confidentiality and integrity: Take a Leaf always processes Personal Data securely
Your privacy and security are of the utmost importance to us. We will always follow these principles and ask you how you would like us to communicate with you.
TYPES OF PERSONAL DATA WE PROCESS & HOW AND WHY WE PROCESS IT
Information You Provide When you shop with us on our website, we will require certain information from you in order to process your order. This information might include your name, delivery address, credit/debit card number and expiration date, billing address, e-mail address, telephone number, your age group, and gender. The source of the transaction data is you and/or our payment services provider. The legal basis for this Processing is your Consent. The personal information you provide is used by us only for the following purposes: – To process your order; – To improve your shopping experience on our website; – With your permission, to notify you of special offers or products that may be of interest to you. We may process information contained in any enquiry you submit to our customer services team regarding goods and/or services. The enquiry data may be processed for the purposes of responding to your enquiry. The legal basis for this Processing is Consent. Please only provide sensitive data (such as information about your health, race or religion) if you are happy to Consent to our using it to manage your enquiry. When you leave a comment on the site, we collect the data shown in the comments form and also the IP address and browser user agent string to help spam detection. The legal basis is our legitimate interest in protecting our website from security breaches. We may process information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters. The notification data may be processed for the purposes of sending you the relevant notifications and/or newsletters. The legal basis for this Processing is your Consent. We may process any of your Personal Data identified in this Policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this Processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights, and the legal rights of others.
INFORMATION COLLECTED VIA TECHNOLOGY
- Information Collected by Our Site. To make our website more useful to you, our servers (which may be hosted by a Third-Party service provider) collect information from you, including your browser type, operating system, Internet Protocol (IP) address (a number that is automatically assigned to your computer when you use the Internet, which may vary from session to session), domain name, and/or a date/time stamp for your visit. The legal basis is our legitimate interests in running our business, provision of administration and IT services, network security, and to prevent fraud.
- Google Analytics. We may also collect information about your use of our website, such as geographical location, your browser type and version, IP address, referral source, length of visit, page views, and website navigation paths, as well as information about the timing, frequency, and pattern of your service use. The source of the usage data is Google Analytics. Google Analytics collects information anonymously and reports website trends without identifying individual visitors. Analytics uses its own cookie to track visitor interactions. Website owners can view a variety of reports about how visitors interact with their website, so they can improve their website and how people find it. This usage data may be processed for the purposes of analysing the use of our website. The legal basis for this Processing is our legitimate interests, namely monitoring and improving our website. Please see the following links for more information about Google Analytics: http://www.google.com/privacy.html and http://www.google.com/analytics/tos.html.
Where the legal basis for us Processing your Personal Data is that you have provided your Consent, you may withdraw your Consent at any time. You will not suffer any detriment for withdrawing your Consent. If you withdraw your Consent, this will not make Processing that we undertook before you withdrew your Consent unlawful.
TEXT MARKETING AND NOTIFICATIONS
By subscribing to text notifications you agree to receive recurring automated marketing text messages at the phone number provided. Consent is not a condition of purchase. Text STOP to unsubscribe or HELP for help. Msg and data rates may apply.
INFORMATION COLLECTED FROM OTHER SOURCES
We may obtain information about you from other sources, such as public databases, joint marketing partners, and other Third Parties. Examples of the information we may receive from other sources include social media profile information, marketing leads and search results and links, and paid listings (such as sponsored links). The purpose of this collection is to improve our website and our products. The legal basis for this collection is our legitimate interest in running our business and to inform our marketing strategy.
OUR OTHER PURPOSES FOR PROCESSING PERSONAL DATA
The legal bases of collecting Personal Data for the below purposes are to perform a contract with you and because we have a legitimate interest in defining the types of customers who use our products and services, keeping our site updated and relevant, developing and growing our business, developing our products/services, studying how customers use our products/services, and informing our marketing strategy.
- Verifying your identity (for example when you return to the website and have already logged in).
- Personalising the advertising you see on the website so that it is more relevant to you.
- Improving the design and style of the website.
- Informing you about products, services or promotional offers that you might find interesting if you have chosen to receive these types of communications.
- Sending you service messages about your subscription or account registration, for example if you have clicked a password reset link. This could be by email, overlay on the website or push notification.
- Enabling you to share our content with others using social media or email.
- Compiling customer reviews.
- Conducting market research.
Where we need to collect Personal Data under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
RETENTION OF PERSONAL DATA
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. We will keep your Personal Data for as long as you have an account with us and generally for a period of 5 years following closure of your account or following our response to your query. However, where we have a statutory obligation to keep the Personal Data for a longer period or where we may need to keep your Personal Data for a longer period in case of a legal claim or dealing with ongoing queries or complaints, then the retention period may be longer.
WHO WE SHARE PERSONAL DATA WITH
Third Parties We will treat all of your Personal Data as private and confidential and in accordance with the data protection laws. We may however, need to share your Personal Data with third parties who provide services to us to enable them to provide their services to us such as IT providers, payment facilitators, delivery services and system administration services. Where we use Third Parties to process your Personal Data on our behalf, we will always carry out checks to ensure that there are appropriate protections for the safeguarding your Personal Data. We will also monitor the performance of these Third Parties (and their approved subcontractors) to ensure that your Personal Data remains secure. Any Third-Party service provider that we instruct will only process your Personal Data:
- for the same purposes for which we may use your Personal Data (as set out in this Policy);
- as is strictly necessary to perform its obligations to us;
- and in the ways instructed by us.
We require all Third Parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our Third-Party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions. We will not usually disclose your Personal Data other than as set out above. However, there may be circumstances where we need to share Personal Data other than as anticipated above. These include:
- where we are legally required to disclose the information, for example because a court orders us to do so;
- where the disclosure of the personal information is required for the purposes of the prevention and detection of crime. This includes sharing the personal information with tax authorities and law enforcement agencies;
- where we need to disclose the personal information for the purpose of or in connection with any legal proceedings, or for the purpose of obtaining legal advice, or the disclosure is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
- where disclosure is necessary to protect your vital interests (for example if you are unwell at one of our events, we may need to seek medical assistance); and
- to any actual or prospective purchaser of our business assets or organisation.
INTERNATIONAL TRANSFERS OF PERSONAL DATA
- the country to which the Personal Data will be transferred has been granted a European Commission adequacy decision;
- the Recipient of the Personal Data is located in the US and has certified to the US-EU Privacy Shield Framework; or
- we have put in place appropriate safeguards in respect of the transfer, for example we have entered into EU standard contractual clauses with the Recipient, or the Recipient is a party to Binding Corporate Rules.
You may request more information about the safeguards that we have put in place in respect of transfers of Personal Data by referring to Our Contact Information below.
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible. We use regular malware scanning and your Personal Data is contained behind secured networks. Your Personal Data is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology. We implement a variety of security measures when a user places an order enters, submits, or accesses their information to maintain the safety of your Personal Data. All transactions are processed through a gateway provider and are not stored or processed on our servers. We have also put in place procedures to deal with any suspected Personal Data Breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
What are cookies? A cookie is a tiny file that asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes, and dislikes by gathering and remembering information about your preferences. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website. Should you want further information, the site www.aboutcookies.org explains how you can delete and control the cookies that are stored on your computer.
Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
COOKIES USED BY OUR SERVICE PROVIDERS
YOUR DATA RIGHTS
You have a number of rights in relation to your Personal Data. You have the right, within certain parameters, to:
- Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully Processing it.
- Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to Processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to Processing of your Personal Data where we are relying on a legitimate interest (or those of a Third Party) and there is something about your particular situation which makes you want to object to Processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are Processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of Processing of your Personal Data. This enables you to ask us to suspend the Processing of your Personal Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your Personal Data to you or to a Third Party. We will provide to you, or a Third Party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided Consent for us to use or where we used the information to perform a contract with you.
- Withdraw Consent at any time where we are relying on Consent to process your Personal Data. However, this will not affect the lawfulness of any Processing carried out before you withdraw your Consent. If you withdraw your Consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your Consent.
If you would like to exercise any of the rights set out above, please contact us using the contact details above.
If you have any complaints about how we handle your Personal Data, please contact us so we can resolve the issue, where possible. You also have the right to lodge a complaint about any use of your information with the Information Commissioners Office, the UK data protection regulator.
CHANGES TO THIS POLICY
OUR CONTACT INFORMATION
If you have any questions or comments about this Policy, the ways in which Take a Leaf collects and uses your information described above, or your choices and rights regarding such use, or if you wish to exercise your data rights, please contact us at: Phone: +44(0)1483 362874 Website: www.takealeafcbd.co.uk Email: firstname.lastname@example.org Postal Address: 34 New House, 67 – 68 Hatton Garden, London, United Kingdom