PRIVACY POLICY
This privacy policy explains how we collect, store and process your personal data. Personal data is any information that can be used to identify an individual, either directly or indirectly. It can refer to obvious things like your name and address, but also to online identifiers such as IP addresses.
By making a purchase, creating a Graham and Green account, using our website, signing up to online marketing, entering a Graham and Green competition, or providing your details to us in store or over the phone, you are acknowledging that your personal data may be used according to the practices set out in this policy.
Our Privacy Promise
Here at Graham and Green, we promise to be transparent with you about how we use your personal data. We are committed to maintaining the safety and security of all personal data from the point of collection to its deletion from our company.
We have to collect some personal data from you in order to provide you with our services. This means that we may also need to share this information with third parties who help us to provide these services, such as our couriers so they can deliver your items to you. We will make sure that all third parties we are engaged with treat your personal data with as much respect as we do.
Who are we?
Graham and Green
92 Walcot Street
Bath
Somerset
BA1 5BG
Phone number: 01225 418 200
Email address: mailorder@grahamandgreen.co.uk
Registered company number: 01262819
ICO registration number: ZA191724
How do we collect your personal data?
This section explains how and when we collect your personal data.
You share your data with us when
- You register for a Graham and Green account
- You sign up for our newsletter and other online marketing
- You sign up for our catalogue
- You enter our competitions
- You talk with us on the phone or in-store
- You send emails or letters to us
We collect your data when you use these services
- Transactional details when you order something from us
- Cookies gathered from the devices you use to connect to our website or social media platforms
Data from 3rd parties we work with
- Our social media platforms
- Data profiling companies Abacus and I-Behavior
What personal data do we collect from you?
We have to collect some information from you so we can provide you with our services, for example when you order items from us. We do our best to make sure that we do not collect excessive information from you and limit it to only what is necessary for us to provide the service you require.
We do not collect any special category personal data from any of our customers. This includes information about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. Nor do we collect any information about criminal convictions and offences.
Data we collect about you
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity data – name and title
- Contact data – address, postcode, email address and telephone numbers
- Transactional data – details of products you have purchased from us, including date and time of purchase and spend in relation to that purchase
- Technical data – internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website
- Profile data – purchases or orders made by you, your interests, preferences, feedback and survey responses, preferences about the use of the services (including whether you are interested in certain services that we offer)
- Usage data – information about how you use our website, products and services
- Marketing and communications data – your preferences in receiving marketing from us and our third parties and your communication preferences.
Data we collect about you
We are only allowed to use personal information about you if we have a legal basis to do so, and we are required to tell you what that legal basis is. We have set out in the table below the personal information which we collect from you, how we use it, and the legal ground on which we rely when we use the personal information.
In some circumstances we can use your personal information if it is in our legitimate interest to do so, provided that we have told you what that legitimate interest is. A legitimate interest is when we have a business or commercial reason to use your information which, when balanced against your rights, is justifiable. If we are relying on our legitimate interests, we have set that out in the table below.
What we use your personal information for |
What personal information we collect |
Our legal grounds for processing |
Our legitimate interests (if applicable) |
To register you as a new customer and create your Graham and Green account |
|
Performance of a contract with you |
|
To process your transactions and deliver your items |
- Identity
- Contact
- Transaction
|
Performance of a contract with you Legitimate interests |
To provide you with delivery updates about your order |
To make suggestions and recommendations to you about items that may be of interest to you |
- Identity
- Contact
- Marketing and communications
- Technical
- Profile
- Usage
|
Legitimate interests Consent |
To develop our services and grow our business |
To send automated email campaigns to you based on your purchase intent, purchase history, frequency and activity |
- Identity
- Contact
- Marketing and communications
- Technical
- Profile
- Usage
|
Legitimate interests |
To better understand our customers and their interests, and to assist customers encountering website problems. |
To send you the Graham and Green catalogue |
|
Legitimate interests Consent |
To increase awareness of, and grow, our business |
To manage our relationship with you, including notifying you about changes to our terms or privacy notices |
- Identity
- Contact
- Transaction
|
Performance of a contract with you Necessary to comply with a legal obligation Legitimate interests |
To keep our records up to date |
To enable you to partake in a prize draw, competition or to complete a survey |
- Identity
- Contact
- Transaction
|
Performance of a contract with you Legitimate interests Consent |
To understand how customers use our services and to collaborate with third parties in order to increase awareness of our business |
To administer and protect our business and our website |
- Transaction
- Technical
- Usage
|
Legitimate interests |
Running our business, provision of administration and IT services, network security |
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you |
- Identity
- Contact
- Marketing and communications
- Usage
- Profile
|
Legitimate interests |
To study how customers use our services, to develop them, to grow our business and to inform our marketing strategy |
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences |
|
Legitimate interests |
To define types of customers for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy |
To share your personal data with data profiling companies, Abacus and I-Behavior so they can give your information to other retailers who might also like to market to you |
- Identity
- Contact
- Transaction
- Profile
|
Consent |
|
Who we share your data with
Website Activity
When you visit our website, and give us consent to store cookies and process your personal data, we share your browsing behaviour with Google, Facebook, Pinterest, our Email platform Ometria, and our Affiliate Network. We do this so that correct attribute our marketing spend to these sites, as well as to serve you with personalised advertising relevant to your visits to Graham and Green.
You can view Google’s Privacy & Terms website for more information.
Facebook’s Data Policy and Terms.
Pinterest’s Privacy Policy
Catalogues
Our catalogues are delivered by a mailing house, so we need to share your name and address with them. We have ensured that our chosen mailing house will treat your personal data with as much respect as we do.
When you request our catalogue directly from us, if you give us permission, then we will share your name, address and details of your purchases with data profiling companies Abacus and I-Behavior, who manage prospect pools on behalf of retailers. The participating retailers are active in the clothing, collectables, food & wine, gardening, gadgets & entertainment, health & beauty, household goods, and home interiors categories. The retailers share information on what their customers buy so that other retailers can market to people who may have an interest in their products.
Deliveries
We will share your name, address, email address and phone number with our trusted couriers so that they can make the delivery to you and send delivery updates directly to you. We use different couriers depending on the size of the item(s) you have ordered, how quickly you have requested delivery and where you live, but we will always let you know who will be delivering your order.
How long we keep your data
We work hard to ensure that we do not keep your personal data for longer than is necessary to fulfil the purpose for which it was collected. Generally, we will not retain your personal data for longer than six years, as this is the statutory period for retaining HMRC records.
How we look after your data
We will protect the data you entrust to us with appropriate measures and controls, as well as ensuring that the companies we work with are just as careful with your data.
We will always use appropriate technical and organisational measures to prevent the loss, misuse, destruction or alteration of your personal data.
We will continually test, audit and monitor our compliance with Information Security standards and relevant Data Protection regulations.We are PCI DSS compliant – we do not store any of your card details when you make a payment to us.
We ensure that the third parties we work with who process your personal data operate under a Data Sharing Agreement.
Your data outside the EEA
We transfer your personal data outside of the EEA in limited circumstances. We have ensured that the organisations who process your personal data outside of the EEA on our behalf have the appropriate safeguards in place for doing so, as required by GDPR. These organisations are:
Abacus Alliance (Epsilon International UK Limited, 67 Broad Street, Teddington, Middlesex, TW11 8QZ. This organisation provides us with a data profiling service. Abacus may transfer your personal data to the USA or India using Standard Contractual Clauses).
Braintree Payments (A service provided by PayPal (Europe) S.à r.l. et Cie, S.C.A. Braintree’s UK Office is located at 247 Tottenham Court Road, Floor 1, London, W1T 7QX. Braintree provide us with a payment gateway in order to process your transactions. They may process your personal data in any country where they have an entity, including the USA, Singapore and Australia. Braintree have Binding Corporate Rules in place).
Ometria (Ometria Limited, 3.01, The Tea Building, 56 Shoreditch High Street, London E1 6JJ. Ometria provide our email communication platform and use sub-processors subject to compliance with the EU-US Privacy Shield and Standard Contractual Clauses).
Your rights
You have the following rights with regards to your personal data:
- The right to be informed – this privacy notice explains to you how your personal data is processed by us.
- The right to access – you can request that we provide you with all of the personal data that we hold about you. We will provide this to you free of charge within one month of your request.
- The right to rectification – we like to make sure that the information we have about you is correct. You can manage your personal details within your Graham and Green account to ensure that they are up to date, or you can contact us to let us know if we have any incorrect information about you by contacting mailorder@grahamandgreen.co.uk or calling 01225 418 200.
- The right to erasure – you have the right to have your data ‘erased’ in the following situations:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processedWhen you withdraw consent
- When you object to the processing and there is no overriding legitimate interest for continuing the processing
- When the personal data was unlawfully processed
- When the personal data has to be erased in order to comply with a legal obligation
- The right to restrict processing – You have the right to request that we stop processing your personal data in certain situations such as:
- Where you contest the accuracy of your personal data, we will restrict the processing until you have verified the accuracy of your personal data
- Where you have objected to processing and we are considering whether our legitimate grounds override your legitimate grounds
- When processing is unlawful and you oppose erasure and request restriction instead
- Where we no longer need the personal data but you require the data to establish, exercise or defend a legal claim
- The right to object – You have the right to object to the processing of your personal data in the following circumstances:Direct marketing – remember you can opt out at any time from our marketing communications using the preference centre in your Graham and Green account, by using the ‘unsubscribe’ function in our marketing emails or by contacting us at mailorder@grahamandgreen.co.uk or calling 01225 418 200.
- Where the processing is based on our legitimate interests as detailed in the table above
- Processing for purposes of scientific/historical research and statistics
Profiling
You also have the right not to be subject to a decision that is based solely on automated processing, including profiling. Graham and Green undertake some profiling on our customers, but we do not believe these to have a legal or other significant effect on you.
Graham and Green use an automated platform to send ecommerce campaigns to customers, based on customer purchase history, frequency and activity. You can opt-out of these emails at any time.
When we share your details with data profiling companies, they analyse the pooled information from all participating retailers in order to understand consumer’s wider buying patterns. From this information, we can tailor our communications, so that we only send people suitable offers that should be of interest to them, based on what they like to buy. You can update your preferences and request us to stop sharing your information using the preference centre in your Graham and Green account or contacting us at mailorder@grahamandgreen.co.uk.
How to contact us
If you want to talk to us about anything in this privacy policy, find out more about your rights or to exercise your rights, please contact us using the information provided in the ‘Who are we?’ section of this Privacy Policy and our team will be happy to help.
Not happy?
If you feel that we have not processed your data according to the law, please let us know using the contact details in the ‘Who are we?’ section of this Privacy Policy and we will do our best to correct the situation.
If you still aren’t happy with how we are processing your personal data, you have the right to make a complaint with the ICO here. You can also call them on 0303 123 1113.