Privacy Policy
The Privacy Policy explains how we use any personal information we collect about you in our general business operations, our marketing activity and when you use the Apothespa Ltd website.
This Privacy Policy will detail the following:
- Our Privacy Promise
- What personal data we may collect from you and how we use the personal data about you
- Providing your personal data to others
- Website Cookies
- How you can access, update and remove your personal data from our system
- Retaining personal data
- Other websites
- Keeping your data secure
- Changes to our Privacy Policy
- Shopify
- Apothespa & Devon Soap Company Competitions
- How to contact us
1. Our Privacy Promise
We are committed to safeguarding the privacy of our customers, suppliers and all of those who use the Apothespa Ltd website.
We take the collection, use and storage of your personal data very seriously and we promise to do our utmost to handle your personal data in a way that you would reasonably expect and ensure that it’s stored in a highly secure environment.
For the purposes of applicable data laws, the data controller is Apothespa Ltd, company number 08905464 and our registered offices are 2 Bridge Farm Offices, Harberton, Totnes, Devon, TQ9 7PP.
In this policy, "we", "us" and "our" refer to Apothespa Ltd.
2. What personal data do we collect and process?
On the basis that it is necessary for the performance of a contract with you we use your information for the following purposes:
- To allow us to handle your orders, deliver products and process your payments and refunds.
- To let you know about your orders
The following provides a more detailed explanation of when we process personal data for contractual purposes:
i) Purchases made via Apothespa Ltd website – when purchasing a product on the Apothespa Ltd website, we’ll process the following personal data supplied by customers at the point of purchase:
- Full name (first name and surname)
- Company name (if applicable)
- Delivery Address
- Billing Address
- Email Address
- Phone Number
- Payment Information, either credit card, debit card or PayPal account
The legal basis for the processing of this data is contractual as it’s required for fulfilling a requested service for the supply of products/services, referencing sales and enabling us to contact purchasers when necessary, such as in the event of resolving complaints and issuing refunds.
Purchase data is kept for no longer than 7 years for the purpose of record keeping. After 7 years, purchase data is confidentially destroyed.
ii) Product Purchases made on site at Apothespa Ltd premises – for all products which are purchased on-site we only require the processing of payment information, if paying electronically. This will include credit or debit card information which is recorded by our card reader. The legal basis for the processing of this data is contractual.
The following details other activity where we process personal data:
i) Website Usage – when using the Apothespa Ltd website, we may process personal data such as:
- Your IP address
- Your geographical location
- Your browser type and version
- Your operating system
- Referral source
- Length of visit (i.e. how long you’re on our website)
- Page views
- Website navigation paths
- Information about the timing, frequency and pattern of your website use when visiting the Apothespa Ltd website
The legal basis for the use of cookies for the purpose of tracking website visitor activity as previously detailed is consent. When you first visit the Apothespa Ltd website, we will ask you to consent to our use of tracking cookies in accordance with the terms of this policy via our cookies banner/pop-up.
Some of the cookies used on our website are needed for operational purposes and are absolutely necessary for our website to function, and therefore the legal basis for the use of these operational cookies is legitimate interests. We will not use these operational cookies to process any personal data.
ii) Customer Website Accounts – our website provides the option to create an account using a unique username and password generated by customers themselves. This functionality is provided by a third-party organisation, Shopify Payments.
iii) To register for an account, the following personal data is required:
• Email Address
• User Generated Password
The legal basis for the processing of this data is consent, as it’s the responsibility of the customer to create an account and it is not required for contractual purposes.
Once an account is created, the customer is able to decide what personal data they would like their account to store for their convenience when making repeat purchases. Such personal data could include:
• Full name (first and last name)
• Delivery Address
• Billing Address
• Payment information such as credit/debit card and PayPal account
The storage of this personal data is the responsibility of Shopify Payments who have their own Privacy Policy which is available to read here: https://www.shopify.com/legal/privacy
If a customer closes their account, we may retain some of their information for up to 12 months afterwards to deal with any disputes that may arise.
iv) Enquiries - We may process personal data contained in any enquiry submitted to us regarding our services and products. This could be through any of the following:
• The contact form on our website
• Phone
• Email
• Social Media
• In person on site at Apothespa Ltd
Personal data collected through an enquiry could be any one, all or a selection of the following, depending on the type of enquiry made:
• Full Name (first and surname)
• Address
• Email Address
• Phone Number
This data may be used to contact you to discuss the points contained in your submitted enquiry. Your personal data may then be kept on file for a maximum of 7 years for the purposes of record-keeping.
The legal basis for the processing of this data is legitimate interests for the purposes of being able to effectively respond to your submitted enquiry.
v) Please be aware that when enquiries are submitted via social media and personal data is shared, the privacy of this data is the responsibility of the social media network concerned. You can find out more information about the Privacy Policies of the social media networks that we have accounts with below:
• Facebook - https://www.facebook.com/about/privacy/update
• Twitter - https://twitter.com/en/privacy
• Instagram - https://help.instagram.com/155833707900388
vi) Email Marketing - When subscribing to receive email marketing communications from Apothespa Ltd, we will collect the following personal data from you:
• Full Name (first and surname)
• Email Address
The legal basis for this data processing is consent. We will never send marketing emails to a recipient who has not positively opted in to receive these email marketing communications. You can opt-out of receiving email marketing communications by following the unsubscribe process which is supplied via a link at the bottom of our marketing emails or by emailing lisa@apothespa.co.uk or by calling 01803 867701.
Our email marketing communications are distributed via our chosen email supplier, ‘MailerLite’, a leading marketing automation platform. Your personal data (name and email address) will also be stored on the MailerLite platform. MailerLite is situated in the U.S. The European Commission has made an "adequacy decision" with respect to the data protection laws of each of these countries. Transfers to the U.S. will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the European Commission. MailerLite is a highly secure system and is a member of the ANA, ESPC, OTA and MAAWG. MailerLite also retains a law firm in the UK to consult on EU privacy issues. To find out more information on MailerLite’s security policies, please visit: https://www.mailerlite.com/legal/security-statement
vii) We may contact you using any of your personal data identified in this policy in circumstances where it’s within our customers’ best interests, for example when we need to cancel bookings, recall a product or pass on any information relating to a recent purchase. The legal basis for the processing of this data is legitimate interests.
viii) We may process any of your personal data identified in this policy where necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
ix) We may process any of your personal data identified in this policy where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.
x) In addition to the specific purposes for which we may process your personal data provided in this Privacy Policy, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
3. Providing your personal data to others
We do not disclose your personal data to any third parties, except when we are required to do so for contractual purposes or by law for information such as a court order, witness summons, or complaint from governmental authorities.
The below details contractual circumstances when your details may need to be supplied to others outside Apothespa Ltd:
- We may disclose your personal data such as your full name, delivery address, email address and phone number to our chosen couriers as reasonably necessary for the purposes of fulfilling a service contract so we can deliver purchases.
- Our courier services are supplied by Royal Mail and once we have passed on the personal data required for fulfilling the purchase contract, this personal data is then the responsibility of this organisation. See below for more information on Royal Mail Privacy Policies: https://www.royalmail.com/privacy-notice/
- Financial transactions and invoice processes relating to our services are handled by the Apothespa Ltd team through the accountancy software ‘Sage’. Sage stores both customer and supplier data in relation to invoicing and processing payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds.
- At the end of each financial year, we share data contained on Sage such as full names, home/business addresses, phone numbers, email addresses and banking information with our accountant, MAP Accountants (registered address: 2 Bridge Farm, Totnes TQ9 7PP), only to the extent necessary for the purposes of processing our end of year accounts. You can find information about Sage’s privacy policy and practices at https://www.sage.com/en-gb/legal/privacy-and-cookies/.
- In addition to the specific disclosures of personal data set out in this section, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
- We may disclose your personal data to our insurers and/or professional advisers as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
4. Website Cookies
Cookies are text files placed on your computer to collect standard internet log information and visitor behavior information. This information is used to track visitor use of the website and to compile statistical reports on website activity.
If you’re not happy with the way that we use cookies, then you could choose to:
• Disable cookies on your computer or device
• Delete Apothespa Ltd cookies after you’ve visited one of our sites
• Use your browser’s anonymous setting (called ‘Incognito’ in Chrome, ‘InPrivate’ for Internet Explorer, ‘Private Browsing’ in Firefox and Safari)
To disable (or enable) cookies you can do this in your website browser settings. How you do this will depend on which browser you’re using.
It’s important to remember that our website uses cookies for technical functionality. If all cookies are disabled on your computer or device, you may not be able to use our website effectively. None of our functional cookies collect personal data.
To learn how to manage cookies using the latest browser versions, you can follow these links:
• Chrome
• Internet Explorer
• Safari
• Firefox
• Flash Cookies
For further information on cookies, please visit www.aboutcookies.org or www.allaboutcookies.org.
5. How you can access, update and remove your personal data from our system
You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please contact us via one of the following:
a) Email - lisa@apothespa.co.uk
b) Phone - 01803 867701
c) Letter – Apothespa Ltd, 63 Fore Street, Totnes, Devon, TQ9 5NJ
6. Retaining Personal Data
Personal data that we process for any purpose shall not be kept for longer than has already been identified in this policy or is necessary for its purpose.
If you are a regular customer or supplier of Apothespa Ltd, we will keep your contact information on file for as long as we are providing a service and/or product to you or for as long as we require a supplier’s ongoing services. The legal basis for the processing of this data is contractual.
If we process your data for marketing purposes, you are able to unsubscribe at any time by following the process provided in the footer of our marketing emails or by calling 01803 867701 or emailing lisa@apothespa.co.uk.
Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
7. Other Websites
Our website contains links to other websites. This Privacy Policy only applies to this website so when you link to other websites you should read their own Privacy Policies.
8. Keeping your Data Secure
We have put in place appropriate physical and electronic measures, security policies and managerial procedures to safeguard and secure all personal data that we have under our control.
Only authorised employees will have access to your personal information. All employees who have access to your personal data are contractually obliged to respect the confidentiality of your personal data.
9. Changes to our Privacy Policy
Please note that we keep our Privacy Policy under regular review and may be required to change this Privacy Policy from time to time; therefore we highly recommend that you review our Privacy Policy on a regular basis to ensure you’re up to date on our latest personal data processing activities.
This Privacy Policy was last updated on 30th July 2018.
10. Shopify
i) SHOPIFY
Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
Payment:
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read Shopify’s Terms of Service (https://www.shopify.com/legal/terms) or Privacy Statement (https://www.shopify.com/legal/privacy).
ii) LINKS
When you click on links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
iii) SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
If you provide us with your credit card information, the information is encrypted in transit using secure sockets layer (SSL) technology and stored with AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry standards.
iv) COOKIES
Here is a list of the cookies that we use. We’ve listed them here so that you can choose whether or not you want to opt out of cookies. Each entry gives the cookie name, the data it holds, how long it persists, and its purpose:
- _session_id – unique token – session – allows Shopify to store information about your session (referrer, landing page, etc.).
- _shopify_visit – no data held – persistent for 30 minutes from the last visit – used by our website provider’s internal stats tracker to record the number of visits.
- _shopify_uniq – no data held – expires at midnight (relative to the visitor) of the next day – counts the number of visits to a store by a single customer.
- cart – unique token – persistent for 2 weeks – stores information about the contents of your cart.
- _secure_session_id – unique token – session.
- storefront_digest – unique token – indefinite – if the shop has a password, this is used to determine whether the current visitor has access.
11. Apothespa & Devon Soap Company Competitions
Please note we will not share your data with any third party marketing organisations.
a) If you enter our competition online at https://comp.apothespa.co.uk/
We will store your name, email and location on secure servers hosted by Siteground (please click here for their privacy policy) for as long as we are providing services to you or when you ask us to remove this data.
This data will then be transferred securely to Mailerlite (please click here for their privacy policy).
If you opt-in, we will then send you an email from Mailerlite with a discount code for our Shopify website (see section 10 for Shopify details) and also send you occasional special offer or informational emails, until you unsubscribe (which you can do at any time).
If you opt-out, Mailerlite will automatically unsubscribe you from any emails.
b) If you enter our competition in-store
One of our team members will then add your entry online at https://comp.apothespa.co.uk/
We will store your name, email and location on secure servers hosted by Siteground (please click here for their privacy policy) for as long as we are providing services to you or when you ask us to remove this data.
This data will then be transferred securely to Mailerlite (please click here for their privacy policy).
If you opt-in, we will then send you an email from Mailerlite with a discount code for our Shopify website (see section 10 for Shopify details) and also send you occasional special offer or informational emails, until you unsubscribe (which you can do at any time).
If you opt-out, Mailerlite will automatically unsubscribe you from any emails.
12. How to contact us
Please contact us if you have any questions about our Privacy Policy or information we hold about you:
a) Email - lisa@apothespa.co.uk
b) Phone - 01803 867701
c) Letter – Apothespa Ltd, 63 Fore Street, Totnes, Devon, TQ9 5NJ