Our Commitment To Your Data And To Data Protection
Personal data is any information relating to personal or material circumstances that relates to an identified or identifiable individual. This includes, for example, your name, date of birth, e-mail address, postal address, or telephone number as well as online identifiers such as your IP address. In contrast, information of a general nature that cannot be used to determine your identity is not personal data. This includes, for example, the number of users of a website.
However, we reserve the right to put this data to additional uses to the extent permitted or required by law or necessary to support legal or criminal investigations. In this case, we will inform you again about this further data processing to the extent required by law and obtain your consent.
In the next sections we explain when and how we process personal data about you when you visit our website.
Relevant Legal Basis
In accordance with the DPA and the GDPR, the following legal bases apply to the processing of your personal data, unless specifically described otherwise below:
- the legal basis for obtaining consent is Art. 6 para. 1 lit. a) and Art. 7 GDPR,
- the legal basis for processing in order to fulfil our services and carry out contractual measures and respond to enquiries is Art. 6 para. 1 lit. b) GDPR,
- the legal basis for processing in order to fulfil our legal obligations is Art. 6 para. 1 lit. c) GDPR, and
- the legal basis for processing in order to protect our legitimate interests is Art. 6 para. 1 lit. f) GDPR.
These rights are standardised in both the DPA and GDPR. They include:
- the right to information (Art. 15 GDPR),
- the right to rectification (Article 16 GDPR),
- the right to erasure (Article 17 GDPR),
- the right to restriction of data processing (Article 18 GDPR),
- the right to data portability (Article 20 GDPR),
- the right to object to data processing (Article 21 GDPR),
- the right to revoke any consent you have given (Art. 7 (3) GDPR), and
- the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR).
Please contact us at any time with questions and suggestions regarding data protection and to enforce your rights.
The Data Controller
The responsible body in the sense of the DPA and the GDPR is:
22 St John Maddermarket,
Norwich, NR2 1DN, UK
Processing of Personal Data
Personal data is only processed to the extent that this is necessary for the provision of the website with its functionalities and its contents as well as for the processing of the respective contractual relationship or the user's requests. As a rule, personal data is only processed with the user's consent. An exception applies in those cases in which it is not possible to obtain prior consent for factual reasons or the processing of the data is permitted by legal regulations.
i) Log Files
When the website is called up, our system automatically stores the following information in our log files:
- Browser type and the version used
- Operating system of the user
- Internet service provider of the user
- IP address of the user
- Date and time of access
- Website via which the user accessed our website
- Websites accessed by the user's system via our website.
This data is not stored together with other personal data of the user. The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f GDPR.
The hosting service we use to operate this website is provided by Krystal Hosting Ltd. In doing so, Krystal Hosting processes inventory data, contact data, content data, contract data, usage data, meta data and communication data of customers, interested parties and visitors of our website and services, on the basis of our legitimate interests in an efficient and secure provision of the website and services in conjunction with the provision of contractual services and the conclusion of the contract for our services, including but not limited to our services (Art. 6 para. 1 lit. f) GDPR).
iv) Contacting Us
When contacting us via email, phone or social media, the data you provide will be stored by us. The data will be stored and used exclusively for the purpose of answering your request or for contacting you and the associated technical processing. The legal basis for the processing of the data is Art. 6 (1) lit. f) GDPR as well as Art. 6 (1) lit. a) GDPR. If the contact serves the conclusion of a contract, the further legal basis is Art. 6 (1) lit. b) GDPR. Your data will be deleted after your enquiry has been processed, provided that there are no legal obligations to retain data.
v) Order Process
In the course of the ordering process, the data provided by the user will be stored by us. The data is entered by the user in an input mask and transmitted to us and stored. In addition, the user's IP address as well as the date and time of registration and ordering are stored. The legal basis for the processing of the data is Art. 6 (1) lit. b) GDPR as well as Art. 6 (1) lit. a) GDPR. Your data will be deleted after your request has been processed, provided that there are no legal obligations to retain the data. In order to fulfil the contract, we pass on your data to the shipping company commissioned with the delivery, insofar as this is necessary for the delivery of ordered goods. For the processing of payments, we pass on the payment data required for this to the credit institution commissioned with the payment and, if applicable, to the payment service provider commissioned by us or to the payment service selected by you in the ordering process. We do not collect or store any payment transaction information such as credit card numbers or bank details during the payment process. You only provide this information directly to the respective payment service provider. The legal basis for the processing is Art. 6 (1) lit. b) GDPR.
vi) Registration On The Website
Users can register on our website by providing personal data. In addition, users can also order without registering. The data is entered by the user in an input mask and transmitted to us and stored. In addition, the user's IP address and the date and time of registration are stored. Your data will be deleted after processing has been completed unless there is a legal basis for the processing of the data in accordance with Art. 6 (1) lit. a) GDPR. If the registration serves to conclude a contract, a further legal basis is Art. 6 (1) lit. b) GDPR.
vii) Service Reviews
We use the rating portal Lipscore. To constantly improve our service, we offer our customers the opportunity to rate us via this independent portal, without us being able to influence this in any way. An invitation to submit a rating is generated for each order placed via our website. For this purpose, your surname, first name, email address and a reference number (order number for unique allocation) are transmitted to Lipscore. This data is neither used by Lipscore itself nor passed on to third parties. The verification of the rating is carried out on the basis of the reference number (order number) via a specially generated link. The submission of a rating is voluntary.
In order to submit a rating or to record customer feedback, it is necessary to create/open a user profile on Lipscore. In addition to a rating for the inviting company, ratings can then also be entered for any company on the Lipscore rating portal. If a rating is submitted by clicking on the link contained in the invitation, a user profile is automatically created on Lipscore after entering the personal data (name and email address for verification). By placing an order via our website, you expressly consent to the aforementioned transmission of reference data to Lipscore and to the automated dispatch of an evaluation invitation from this application in accordance with Art. 6 Para. 1 lit. a) GDPR.
In order to register for the newsletter, it is necessary to provide an email address. Providing your title and name is voluntary and is used only to address you personally. The data collected from the user in this respect is used exclusively for sending the newsletter and its technical administration. Registration is carried out using the "double-opt-in" procedure. By activating the confirmation link sent, the user gives us permission to process the personal data. The legal basis for the processing is Art. 6 (1) lit. a) GDPR. The user can revoke the consent to the storage of the data and its use for the newsletter dispatch by clicking on the corresponding link in each newsletter. The user can also use the other communication channels for this purpose. When registering for the newsletter, we store the IP address as well as the date and time of registration in order to be able to track possible misuse. The legal basis for the processing is Art. 6 para. 1 lit. a) and lit. f) GDPR.
ix) Google Analytics
x) Lucky Orange
xi) Magento 2
We use the services of Magento (Adobe Systems Software Ireland Limited) for the management of data of customers, potential new customers and users for purposes of service, marketing and sales.
The legal basis is the legitimate interest in the efficient organisation of company processes based on Art. 6 Para. 1 lit. f) GDPR.
Disclosure of Personal Data to third parties
Your Personal Data will only be passed on if there is a legal obligation to do so or to service providers and partner companies that have been carefully selected in advance and are contractually obliged to comply with the requirements of data protection law.
a) Disclosure Within Affiliated Companies
We pass on your Personal Data for the conclusion and processing of contracts for offers on our website to affiliated companies. This is particularly necessary so that you can use all our offers. If you contact us with questions, complaints or returns as well as other complaints, they will also receive access to your order data in order to be able to process your request.
b) Disclosure To Service Providers
For the operation and optimisation of our website and our services and for the processing of contracts, various service companies work for us, e.g., for central IT services or the hosting of our website, for the payment and delivery of products, or order fulfilment or for the dispatch of newsletters, to whom we pass on the data required for the fulfilment of the task (e.g., name, address).
Some of these companies act for us by way of commissioned processing and may therefore use the data provided exclusively in accordance with our instructions. In this case, we are legally responsible for appropriate data protection measures at the companies we commission. We therefore agree on specific data security measures with these companies and monitor them regularly.
In contrast to order processing, in the following cases we transmit data to third parties for their own use in order to process the contract:
- In the case of delivery of goods to the necessary logistics companies and the postal service provider specified when the order was placed.
- In the case of payment for goods to the payment service provider as specified when the order was placed.
We do not collect or store any payment transaction information such as credit card numbers or bank details during the payment process. You only provide this information directly to the respective payment service provider.
c) Disclosure To Other Third Parties
We will disclose your data to third parties or government agencies within the framework of existing data protection laws if we are legally obliged to do so, e.g., due to official or court orders, or if we are entitled to do so, e.g., because this is necessary for the prosecution of criminal offenses or for the exercise and enforcement of our rights and claims.
Data Transfer To Third Countries
If we use service providers in third countries, we take additional measures to ensure an adequate level of data protection for the transfer of Personal Data in accordance with Art. 44 of the GDPR and thus ensure that the transfer is generally permissible and that the special requirements for a transfer to a third country are met (e.g., by concluding standard contracts and additional guarantees, supplementary technical and organisational measures such as encryption or anonymisation).
Based on our legitimate interest (Art. 6 (1) lit. f) GDPR), we are present in various "social media" platforms in order to communicate with our customers, interested parties and users registered there and to be able to inform them about our offers there. We would like to point out that you use these platforms and their functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g., commenting, sharing, rating).
In addition, your data may be processed for market research and advertising purposes. For example, usage profiles can be created from your usage behaviour and the resulting interests. This allows, for example, advertisements to be placed within and outside the platforms that presumably correspond to your interests. Cookies are usually stored on your computer for this purpose. Independently of this, data that is not directly collected from your devices may also be stored in the usage profiles (especially if you are a member of the respective platforms and are logged in to them).
Updating Your Information
If you believe that the information we hold about you is inaccurate or that we are no longer entitled to use it and want to request its rectification, deletion, or object to its processing, please do so within your account or by contacting us. For your protection and the protection of all of our users, we may ask you to provide proof of identity before we can answer the above requests.
Keep in mind, we may reject requests for certain reasons, including if the request is unlawful or if it may infringe on trade secrets or intellectual property or the privacy of another user. Also, we may not be able to accommodate certain requests to object to the processing of Personal Data, notably where such requests would not allow us to provide our service to you anymore.
Security And Confidentiality
To ensure the security and confidentiality of the personal data we collect on the Website, we use data networks that are protected by, among other things, industry-standard firewalls and password systems. When handling your personal data, we take appropriate technical and organisational measures to protect your information from loss, misuse, unauthorised access, disclosure, alteration, or destruction and to ensure its availability.
Personal Data And Children
Our services are aimed at people aged 18 and over. We will not knowingly collect, use or disclose Personal Data from minors under the age of 18 without first obtaining consent from a legal guardian through direct offline contact.
Databases or data sets that include Personal Data may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, we will notify all affected individuals whose Personal Data may have been compromised, and the notice will be accompanied by a description of action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible after the breach is discovered.
Who Should I Contact For More Information?
22 St John Maddermarket,
Norwich, NR2 1DN, UK