GDPR Privacy and Security Policy
Who are we?
We are Swan Textile Services/STS Embroidery (STS for short) and Divpatch.com. Our correspondence address is 15 Kelvin Hill, Basingstoke, Hampshire RG22 6EF. As an online retailer, we necessarily process personal data.
Lawful basis for processing personal data
Our lawful basis for processing personal data gathered through our e-commerce website under the General Data Protection Regulation (GDPR) is legitimate interests. Specifically, our interests in processing personal data are:
- fulfilling contracts to supply goods
- issuing obligatory electronic communications such as order confirmation emails
- subject to consent, maximising the relevance of any electronic marketing communications we send to customers and to better ensure that other information we might communicate is also relevant
- disclosing information about possible criminal acts or security threats to the authorities.
What information do we collect?
We only collect information that is entered directly into our website, so there are no external sources for personal data. Information is collected from the contents of the “shopping basket” and from the personal data entered in the checkout pages, specifically billing & delivery addresses, email address and billing & delivery names. Additionally, we may request, but do not require, contact telephone numbers. Cardholder data is entered separately into a third-party payment gateway and is never received or stored by us; it is processed by the gateway under its own GDPR and PCI DSS obligations, which keeps it out of the scope of the personal data we hold.
How long do we retain personal data?
The personal data you provide is held indefinitely so that:
- repeat customers can view orders placed previously for their convenience, which also provides a route to satisfying individuals’ right of access to their personal data
- repeat customers do not need to periodically recreate their account
- we can retain sales and tax collection data should it be required by HMRC or other authorities
Whilst personal data is held indefinitely, to better ensure our marketing is relevant, only order data generated within the past two years will be processed for marketing purposes.
What information do we share?
We disclose delivery name and address information to Royal Mail to allow them to deliver orders. Where orders are sent with a carrier, we may additionally disclose the telephone number and email address provided, as many carriers now send texts or email to advise of an expected delivery time slot on the morning of delivery.
All personal data shared with third parties is necessary for completing contracts to supply goods and for complying with consumer legislation. No personal data we share with third parties is subsequently processed for marketing purposes, profiling or otherwise monetised.
Personal data may be disclosed when expressly requested by a law enforcement agency for the prevention of crime, or when it is otherwise compulsory for us to disclose it to an authority, for example as part of an HMRC inspection.
Your GDPR rights
We process personal data based on legitimate interests and as such you have the right to object to your personal data being used for marketing purposes. If you raise an objection we must discontinue processing your personal data for direct marketing.
You have the right of access to the personal data we hold about you. The personal data we hold is limited to just the information you have provided us and there are no external sources.
The right to data portability does not apply to data processing when the basis for processing is legitimate interests.
You have the right to rectification if any personal data we hold about you is incorrect. In practice, this is likely to be limited to changes to information you have entered into our website, such as a change of address, which you can correct yourself when logged in to your account. Nonetheless, please feel free to contact us if you have any difficulty editing your details. If you wish us to edit personal data we hold for you, we will take proportionate steps to establish the identity of the person requesting the rectification.
You have the right to object to or restrict our continued processing of your personal data. Within the scope of our business, unless you have placed an order for us to process, our regular ongoing processing is limited to marketing activities, except where we have a legal obligation to disclose personal data.
How do we protect your information?
All cardholder data (CHD) is entered directly into PayPal’s secure, PCI DSS compliant payment gateway, and under no circumstances is CHD disclosed to us by PayPal. All we receive from PayPal is a confirmation that the order has been paid.
Connections to our website server are encrypted (HTTPS), so information you send and receive whilst browsing our website is protected in transit, making it harder for third parties to intercept or tamper with it.
Use of Cookies
Our website stores small text files on users’ computers called cookies to improve the shopping experience. Cookies are data, not programs; they cannot execute code and therefore cannot contain viruses or other malicious software.
The cookies our website places on shoppers’ computers perform the following functions:
- Session cookie to test whether cookies are enabled in the visitor’s browser
- Persistent cookie that stores a unique reference to the visitor’s shopping cart contents and the authentication details for the customer logged-in sections
- Persistent cookie that stores a reference to the visitor’s order number after an order has been generated
We operate an ‘implied consent’ cookie policy, which means we assume you are happy with our use of cookies. If you are not happy, then you should either not use our website, delete the cookies after visiting our site, or browse the site using your browser’s private browsing mode (called “Incognito” in Chrome, “InPrivate” in Internet Explorer, “Private Browsing” in Firefox and Safari etc.), which discards cookies when the window is closed.
The PayPal payment gateway has its own cookie policy and full privacy policy, which can be viewed via the link https://www.paypal.com/uk/webapps/mpp/ua/privacy-full. Please note that the payment gateway functionality may require your browser to have third-party cookies enabled. This is because, after your browser has been redirected to the payment gateway, a request made back to our website from the gateway’s page must carry the cookie our website placed on your computer earlier; from the gateway’s page that cookie is in a third-party context, so a browser that blocks third-party cookies may not send it and the checkout may not complete.