- This website is for SewHayleyJane Ltd (known as SewHayleyJane throughout this document), a sewing subscription box service and sewing related stockist based in Romsey in Hampshire, United Kingdom. You can contact the company for support at firstname.lastname@example.org
- SewHayleyJane processes your data to provide our services to you, or for our legitimate interests.
- SewHayleyJane will only hold and process your data for as long as is absolutely necessary, either to provide the sewing subscription service to you, or if you signed up to our newsletter, to send you news and information related to our business and industry.
- SewHayleyJane will never sell your data with anyone outside the company. We will only ever share your information with other companies if they are providing a service to us for your benefit as a customer – for example our online payment providers (Chargebee or Stripe), which allows us to charge you for your subscription costs securely without storing your full card information and to dispatch your goods.
- We do not advertise to you without your consent and, if you give us your consent, you can withdraw it at any time by either unsubscribing from the service in question or contacting email@example.com
- Your data is held securely on our server based in London, in the United Kingdom.
- You have the right to complain to the Information Commissioner’s Office if you ever feel your data has been mishandled, but we would appreciate the opportunity to address and rectify any concerns you may have before you complain, by contacting us at firstname.lastname@example.org
How we process your data
Throughout your interactions with us we will collect only the data that we require in order to provide you with the service that you are requesting. The key information that we process is shown below:
When you access any of our services we will store a record of your IP address along with details of your request in our logs. This information is stored and used by our team to ensure the integrity of our services. Note that we do not attach IP addresses to particular users in our system, so it is effectively anonymous.
This information is regularly cleared out, usually within one year.
Authorisation & session data
Whenever you login to one of our services we will use at least two cookies that will identify your session to our services. This is necessary to provide our service to you.
- CSRF-TOKEN: This is used to make sure that when you submit a form, for example when updating your address to receive the boxes, that it really is you making the request.
- Session Cookie: This allows us to keep you logged in so you don’t need to log back in every time you load a new page.
Occassionally we use external services to provide additional functionality, for example, we used to use Disqus as a comments system, this would have stored a cookie in your browser which enabled you to comment, or sign up to comment on a blog article.
The cookies above will last as long as you are on our website or until your account is deleted.
Information We Store
When you subscribe to the subscription box service, or purchase a one off item, we collect only the information we need to deliver this service to you. Specifically:
- Your Name (and/or the delivery name to send to)
- Your Email Address
- Your/Delivery Address, Postcode, Country
- Any special offer codes you use.
- Your card data, to be charged monthly. Note, we only ever see the last 4 digits of your card number, expiry date and the type, e.g Visa.
- Our third party payment provider Chargebee will store your password, email and delivery/billing information to allow you to manage and have a subscription.
How we use your data
The data provided directly to us is housed on a secure server based in the United Kingdom. We also store some of this data with Stripe & ChargeBee (our PCI-compliant payment processors). We also use this data in our accounting software Xero & Kashflow, in order to keep legally required records of our sales (e.g for providing tax returns). Additionally when creating the address labels we upload them to the Post Office portal via Shipstation, which we can then generate the labels from.
We retain the data as long as is necessary to comply with our legal obligations – e.g we must keep our accounting records which contain your name and purchase history for VAT accounting.
However, should you wish for the data to be removed from our website or payment providers (e.g delete your account) you can request this at any time – however this does not mean all of your information is necessarily removed from our accounting records or payment platform due to our legal obligations as a limited company.
We will store your e-mail address for the purposes of managing your account with us. This will be used for transactional e-mails that relate directly to your account or services. This information is required in order to ensure you are informed about your account and can take appropriate actions in various situations. Your email address will be kept on our website or third party payment providers systems until such time as your account is deleted at your request. Note that records will still exist in our accounting and payment systems of your email to comply with our legal obligations.
If you have signed up to our newsletter you may receive occassional emails from us, you can click the unsubscribe option at the bottom of those emails at any time.
If we send you transactional e-mails, these will be passed through our external mail provider Google Apps, this is necessary to provide service to you.
The information stored in Google Apps would include the content of the messages sent, the e-mail addresses of the recipients and any other headers. This information is stored in a log that we can access to review the history and check delivery was successful.
If you send us emails, these may be passed through our mail servers. This is necessary to provide our service to you. Our email system is encrypted and secure, so your communications with us are private. We can permanently delete emails sent to us if requested.
We never store your passwords on our services in plain text. Passwords are salted and hashed using an industry standard hashing algorithm. As a good security practice, we recommend the following with regards to choosing your password:
- Use a unique password with our services that is not shared with any others.
- Choose a long secure password containing either multiple random words, or a good combination of letters, numbers & symbols.
- Exercise good password hygiene and change your password on a regular basis.
We use Google Analytics to help us track the details of visitors browsing our public website. We do not send any personal data to Google’s services through Google Analytics.
Support by e-mail
If you contact us by e-mail or through our website, you will be sharing your contact details (e-mail address and/or phone number) with us for the purposes of responding to your query. This is necessary to provide our service to you.
E-mails directly to/from our employees
If you communicate with our employees directly by e-mail (i.e. not using our normal support channels), we may retain your name & e-mail address in the mailboxes of the employee(s) that you communicate with. This is necessary to provide our service to you.
Third party processors
In some cases, we may use third parties to provide storage or computing services. We maintain a list of third parties that process data on our behalf.
- Professional Services: We may share your details with processional service companies such as accountants or accounting software.
- Payment service providers: We may share your details with company who provide us with payment services for taking payments from credit/debit cards.
- Technical service providers: We may share your details with providers we use to provide computing services.
- Email Marketing: We may share your details with e-mail marketing software providers to allow us to send e-mails to customers.
- Communication services: We may share your details with companies who provide us with communication services such as a live chat or e-mail providers.
We will not share your data with third parties for the purposes of any marketing without your consent unless otherwise specified in this privacy notice.
Correcting your personal data:
It is important to us that the information we store is up to date and accurate. You may update your details at any time through our website.
Removal of your data
In some cases, you may be able to request that we remove your personal data from our systems, please feel free to contact us at email@example.com to request deletion. We will then delete your information from all systems within 7 days which do not impact our legal obligations. E.g we must retain your information for accounting purposes, but can delete your data from our website and remove your account.
You have a lot of rights, including right to request access to and rectification or erasure of your personal data or restriction of processing of it. You also have the right to object to our processing of your data in some situations, as well as the right to data portability.
Notification of data breaches
Upon discovering any data breaches, we will notify any affected individuals as soon as its practical following our data breach notification policy. This policy dictates that in the event of a data breach concerning personal data, the affected parties will be notified by e-mail to the main e-mail address we store with your account.
Electronic storage of data
No method of electronic storage can be 100% secure, however, we have sophisticated and detailed security & development policies that govern our systems & applications to help ensure your data is as secure as it can be.
Use of our services by persons under the age of 16
We do not allow anyone under the age of 16 to signup, use or store any personal data with us on any of our services. If we discover or are notified about the presence of a user under this age, we will remove their data from our systems without notice.
Changes to this document
Our lawful basis for data processing
Under the General Data Protection Regulation, unless we have otherwise specified above, we will be processing your data as a legitimate interest. These interests include staff training, ensuring the security of our systems and to allow us to operate our business in an efficient manner.
Where our processing is based on consent, you may withdraw consent at any time.
Where our processing is necessary for us to perform our agreement with you, or to take steps to enter into a agreement with you, we will not be able to enter into a agreement with you or deliver our services to you if you do not give us the data in question.
Disclosure of information to law enforcement agencies
We may disclose your information if we are requested to by any law enforcement agency where we believe we are required to comply with the request under any applicable laws.
Data protection authority
You may have the right to lodge a complaint with your local data protection authority or the Information Commissioner’s Office (ICO) in the United Kingdom (our authority).
The ICO can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Other information can be found on their website at ico.gov.uk.