PRIVACY AND COOKIES POLICY

PRIVACY POLICY

This privacy policy explains how we collect, store and process your personal data. Personal data is any information that can be used to identify an individual, either directly or indirectly. It can refer to obvious things like your name and address, but also to online identifiers such as IP addresses.

By making a purchase, creating a Graham and Green account, using our website, signing up to online marketing, entering a Graham and Green competition, or providing your details to us in store or over the phone, you are acknowledging that your personal data may be used according to the practices set out in this policy.

Our Privacy Promise

Here at Graham and Green, we promise to be transparent with you about how we use your personal data. We are committed to maintaining the safety and security of all personal data from the point of collection to its deletion from our company.

We have to collect some personal data from you in order to provide you with our services. This means that we may also need to share this information with third parties who help us to provide these services, such as our couriers so they can deliver your items to you. We will make sure that all third parties we are engaged with treat your personal data with as much respect as we do.

Who are we?

Graham and Green
92 Walcot Street
Bath
Somerset
BA1 5BG

Phone number: 01225 418 200
Email address: mailorder@grahamandgreen.co.uk
Registered company number: 01262819
ICO registration number: ZA191724

How do we collect your personal data?

This section explains how and when we collect your personal data.

You share your data with us when

  • You register for a Graham and Green account
  • You sign up for our newsletter and other online marketing
  • You sign up for our catalogue
  • You enter our competitions
  • You talk with us on the phone or in-store
  • You send emails or letters to us

We collect your data when you use these services

  • Transactional details when you order something from us
  • Cookies gathered from the devices you use to connect to our website or social media platforms

Data from 3rd parties we work with

  • Our social media platforms
  • Data profiling companies Abacus and I-Behavior

What personal data do we collect from you?

We have to collect some information from you so we can provide you with our services, for example when you order items from us. We do our best to make sure that we do not collect excessive information from you and limit it to only what is necessary for us to provide the service you require.

We do not collect any special category personal data from any of our customers. This includes information about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. Nor do we collect any information about criminal convictions and offences.

Data we collect about you

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity data – name and title
  • Contact data – address, postcode, email address and telephone numbers
  • Transactional data – details of products you have purchased from us, including date and time of purchase and spend in relation to that purchase
  • Technical data – internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website
  • Profile data – purchases or orders made by you, your interests, preferences, feedback and survey responses, preferences about the use of the services (including whether you are interested in certain services that we offer)
  • Usage data – information about how you use our website, products and services
  • Marketing and communications data – your preferences in receiving marketing from us and our third parties and your communication preferences.

Data we collect about you

We are only allowed to use personal information about you if we have a legal basis to do so, and we are required to tell you what that legal basis is. We have set out in the table below the personal information which we collect from you, how we use it, and the legal ground on which we rely when we use the personal information.

In some circumstances we can use your personal information if it is in our legitimate interest to do so, provided that we have told you what that legitimate interest is. A legitimate interest is when we have a business or commercial reason to use your information which, when balanced against your rights, is justifiable. If we are relying on our legitimate interests, we have set that out in the table below.

| What we use your personal information for | What personal information we collect | Our legal grounds for processing | Our legitimate interests (if applicable) |
| --- | --- | --- | --- |
| To register you as a new customer and create your Graham and Green account | Identity, Contact | Performance of a contract with you | |
| To process your transactions and deliver your items | Identity, Contact, Transaction | Performance of a contract with you; Legitimate interests | To provide you with delivery updates about your order |
| To make suggestions and recommendations to you about items that may be of interest to you | Identity, Contact, Marketing and communications, Technical, Profile, Usage | Legitimate interests; Consent | To develop our services and grow our business |
| To send automated email campaigns to you based on your purchase intent, purchase history, frequency and activity | Identity, Contact, Marketing and communications, Technical, Profile, Usage | Legitimate interests | To better understand our customers and their interests, and to assist customers encountering website problems. |
| To send you the Graham and Green catalogue | Identity, Contact | Legitimate interests; Consent | To increase awareness of, and grow, our business |
| To manage our relationship with you, including notifying you about changes to our terms or privacy notices | Identity, Contact, Transaction | Performance of a contract with you; Necessary to comply with a legal obligation; Legitimate interests | To keep our records up to date |
| To enable you to partake in a prize draw, competition or to complete a survey | Identity, Contact, Transaction | Performance of a contract with you; Legitimate interests; Consent | To understand how customers use our services and to collaborate with third parties in order to increase awareness of our business |
| To administer and protect our business and our website | Transaction, Technical, Usage | Legitimate interests | Running our business, provision of administration and IT services, network security |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | Identity, Contact, Marketing and communications, Usage, Profile | Legitimate interests | To study how customers use our services, to develop them, to grow our business and to inform our marketing strategy |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | Technical, Usage, Profile | Legitimate interests | To define types of customers for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy |
| To share your personal data with data profiling companies, Abacus and I-Behavior so they can give your information to other retailers who might also like to market to you | Identity, Contact, Transaction, Profile | Consent | |

Who we share your data with

Website Activity

When you visit our website and give us consent to store cookies and process your personal data, we share your browsing behaviour with Google, Facebook, Pinterest, our Email platform Ometria, and our Affiliate Network. We do this so that we can correctly attribute our marketing spend to these sites, as well as to serve you with personalised advertising relevant to your visits to Graham and Green.

You can view Google’s Privacy & Terms website for more information.

Facebook’s Data Policy and Terms.

Pinterest’s Privacy Policy

Catalogues

Our catalogues are delivered by a mailing house, so we need to share your name and address with them. We have ensured that our chosen mailing house will treat your personal data with as much respect as we do.

When you request our catalogue directly from us, if you give us permission, then we will share your name, address and details of your purchases with data profiling companies Abacus and I-Behavior, who manage prospect pools on behalf of retailers. The participating retailers are active in the clothing, collectables, food & wine, gardening, gadgets & entertainment, health & beauty, household goods, and home interiors categories. The retailers share information on what their customers buy so that other retailers can market to people who may have an interest in their products.

Deliveries

We will share your name, address, email address and phone number with our trusted couriers so that they can make the delivery to you and send delivery updates directly to you. We use different couriers depending on the size of the item(s) you have ordered, how quickly you have requested delivery and where you live, but we will always let you know who will be delivering your order.

How long we keep your data

We work hard to ensure that we do not keep your personal data for longer than is necessary to fulfil the purpose for which it was collected. Generally, we will not retain your personal data for longer than six years, as this is the statutory period for retaining HMRC records.

How we look after your data

We will protect the data you entrust to us with appropriate measures and controls, as well as ensuring that the companies we work with are just as careful with your data.

We will always use appropriate technical and organisational measures to prevent the loss, misuse, destruction or alteration of your personal data.
We will continually test, audit and monitor our compliance with Information Security standards and relevant Data Protection regulations.
We are PCI DSS compliant – we do not store any of your card details when you make a payment to us.
We ensure that the third parties we work with who process your personal data operate under a Data Sharing Agreement.

Your data outside the EEA

We transfer your personal data outside of the EEA in limited circumstances. We have ensured that the organisations who process your personal data outside of the EEA on our behalf have the appropriate safeguards in place for doing so, as required by GDPR. These organisations are:

Abacus Alliance (Epsilon International UK Limited, 67 Broad Street, Teddington, Middlesex, TW11 8QZ. This organisation provides us with a data profiling service. Abacus may transfer your personal data to the USA or India using Standard Contractual Clauses).
Braintree Payments (A service provided by PayPal (Europe) S.à r.l. et Cie, S.C.A. Braintree’s UK Office is located at 247 Tottenham Court Road, Floor 1, London, W1T 7QX. Braintree provide us with a payment gateway in order to process your transactions. They may process your personal data in any country where they have an entity, including the USA, Singapore and Australia. Braintree have Binding Corporate Rules in place).
Ometria (Ometria Limited, 3.01, The Tea Building, 56 Shoreditch High Street, London E1 6JJ. Ometria provide our email communication platform and use sub-processors subject to compliance with the EU-US Privacy Shield and Standard Contractual Clauses).

Your rights

You have the following rights with regards to your personal data:

  • The right to be informed – this privacy notice explains to you how your personal data is processed by us.
  • The right to access – you can request that we provide you with all of the personal data that we hold about you. We will provide this to you free of charge within one month of your request.
  • The right to rectification – we like to make sure that the information we have about you is correct. You can manage your personal details within your Graham and Green account to ensure that they are up to date, or you can contact us to let us know if we have any incorrect information about you by contacting mailorder@grahamandgreen.co.uk or calling 01225 418 200.
  • The right to erasure – you have the right to have your data ‘erased’ in the following situations:
    • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed
    • When you withdraw consent
    • When you object to the processing and there is no overriding legitimate interest for continuing the processing
    • When the personal data was unlawfully processed
    • When the personal data has to be erased in order to comply with a legal obligation
  • The right to restrict processing – You have the right to request that we stop processing your personal data in certain situations such as:
    • Where you contest the accuracy of your personal data, we will restrict the processing until you have verified the accuracy of your personal data
    • Where you have objected to processing and we are considering whether our legitimate grounds override your legitimate grounds
    • When processing is unlawful and you oppose erasure and request restriction instead
    • Where we no longer need the personal data but you require the data to establish, exercise or defend a legal claim
  • The right to object – You have the right to object to the processing of your personal data in the following circumstances:
    • Direct marketing – remember you can opt out at any time from our marketing communications using the preference centre in your Graham and Green account, by using the ‘unsubscribe’ function in our marketing emails or by contacting us at mailorder@grahamandgreen.co.uk or calling 01225 418 200.
    • Where the processing is based on our legitimate interests as detailed in the table above
    • Processing for purposes of scientific/historical research and statistics

Profiling

You also have the right not to be subject to a decision that is based solely on automated processing, including profiling. Graham and Green undertake some profiling on our customers, but we do not believe these to have a legal or other significant effect on you.

Graham and Green use an automated platform to send ecommerce campaigns to customers, based on customer purchase history, frequency and activity. You can opt-out of these emails at any time.

When we share your details with data profiling companies, they analyse the pooled information from all participating retailers in order to understand consumers’ wider buying patterns. From this information, we can tailor our communications, so that we only send people suitable offers that should be of interest to them, based on what they like to buy. You can update your preferences and request that we stop sharing your information using the preference centre in your Graham and Green account or by contacting us at mailorder@grahamandgreen.co.uk.

How to contact us

If you want to talk to us about anything in this privacy policy, find out more about your rights or to exercise your rights, please contact us using the information provided in the ‘Who are we?’ section of this Privacy Policy and our team will be happy to help.

Not happy?

If you feel that we have not processed your data according to the law, please let us know using the contact details in the ‘Who are we?’ section of this Privacy Policy and we will do our best to correct the situation.

If you still aren’t happy with how we are processing your personal data, you have the right to make a complaint with the ICO here. You can also call them on 0303 123 1113.

COOKIES POLICY

About cookies

Cookies are small text files that are stored on your device when you visit a website and are used to track, save and store information. They enable websites to work properly and efficiently by allowing them to recognise the user’s device and remember things like preferences and items in a basket.

About cookies

In addition to the cookies above, we also use cookies to:

  • Ensure you remain logged into the website throughout your browsing session
  • Maintain the functions that support your customer journey
  • Help us to improve your browsing experience by giving us insight into how our website is being used

We have set out in the table below each of the cookies that we use and their purpose.

| Cookie Identifier | Purpose |
| --- | --- |
| add_to_cart | (Used by Google Tag Manager) Captures the product SKU, name, price and quantity removed from the cart, and makes the information available for future integration by third-party scripts. |
| guest-view | Stores the Order ID that guest shoppers use to retrieve their order status. |
| login_redirect | Preserves the destination page the customer was navigating to before being directed to log in. |
| mage-banners-cache-storage | Stores banner content locally to improve performance. |
| mage-messages | Tracks error messages and other notifications that are shown to the user, such as the cookie consent message, and various error messages. The message is deleted from the cookie after it is shown to the shopper. |
| mage-translation-storage | Stores translated content when requested by the shopper. |
| product_data_storage | Stores configuration for product data related to Recently Viewed / Compared Products. |
| recently_compared_product | Stores product IDs of recently compared products. |
| recently_compared_product_previous | Stores product IDs of previously compared products for easy navigation. |
| recently_viewed_product | Stores product IDs of recently viewed products for easy navigation. |
| recently_viewed_product_previous | Stores product IDs of recently previously viewed products for easy navigation. |
| remove_from_cart | (Used by Google Tag Manager) Captures the product SKU, name, price and quantity added to the cart, and makes the information available for future integration by third-party scripts. |
| stf | Records the time messages are sent by the SendFriend (Email a Friend) module. |
| X-Magento_Vary | Configuration setting that improves performance when using Varnish static content caching. |
| form_key | A security measure that appends a random string to all form submissions to protect the data from Cross-Site Request Forgery (CSRF). |
| mage-cache-sessid | The value of this cookie triggers the cleanup of local cache storage. When the cookie is removed by the backend application, the Admin cleans up local storage, and sets the cookie value to “true.” |
| mage-cache-storage | Local storage of visitor-specific content that enables ecommerce functions. |
| mage-cache-storage-section-invalidation | Forces local storage of specific content sections that should be invalidated. |
| persistent_shopping_cart | Stores the key (ID) of persistent cart to make it possible to restore the cart for an anonymous shopper. |
| private_content_version | Appends a random, unique number and time to pages with customer content to prevent them from being cached on the server. |
| section_data_ids | Stores customer-specific information related to shopper-initiated actions such as display wish list, checkout information, etc. |
| store | Tracks the specific store view / locale selected by the shopper. |
| dc_gtm_ | Throttles request rate when Google Analytics is deployed with Google Tag Manager. |
| AMP_TOKEN | Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values include opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service. |
| _gac_ | Contains campaign-related information for the user. Google AdWords conversion tags read this cookie if Google Analytics is linked to your AdWords account. |
| _gat | This cookie is set by a website analytics software we use (Google Analytics), to control the rate at which data is collected from browsing sessions. The purpose of it is to ensure that the website’s performance is not adversely affected by unrestricted data flows. |
| ometria | This cookie is used to link our website to a website analytics tool we use (called Ometria). This enables Ometria to record the traffic that is coming through our website, allowing us to use this data to improve the operation of our website. |
| _ga | This cookie is used by Google Analytics to distinguish unique users by assigning them a randomly generated number. It is included in each page request in the site and used to collect visitor, session and campaign data for the site’s analytics reports. |
| _gid | This cookie is used by Google Analytics. It stores and updates a unique value for each page visited in order to assist in recording the usage of our website and the individual pages on the website. |

How can I change my cookie settings?

You can disable cookies through your web browser’s settings at any time. Visit your browser developer’s website to find out how to do this.

Please bear in mind that disabling cookies may affect and limit the use of our website.

Further information

If you would like more information on cookies and privacy legislation, please visit the Information Commissioner’s Office here.