SECTION 1 - PERSONAL INFORMATION
What information do we collect from our customers and why?
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, email, shipping and billing address, payment details, company name, phone number, IP address, records of your consents, information about orders you initiate and information about the device and browser you use.
Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site.
We use this information to provide our Services (including supporting and processing orders, risk and fraud screening, authentication, and payments), to communicate with you, to provide advertising to you about our services and offerings (if consent is given), to manage our financials and to conduct surveys.
We also use this information to improve our Services.
What is the Legal Basis for Processing Personal Information ?
We are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), to provide our service or otherwise to pursue our legitimate business interests listed above.
We use Shopify as e-commerce platform: Shopify uses some of the personal information you provide us to conduct some level of automated decision-making -- for example, uses certain personal information (for example, ip addresses or payment information) to automatically block certain potentially fraudulent transactions for a short period of time.
We do not collect or otherwise process Personal Information about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, or any other information that may be deemed to be sensitive under GDPR (collectively, “Sensitive Personal Information”) in the ordinary course of our business.
When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.
We collect this information when you use or access our store, when you place an order or sign up for an account on our site.
Shopify works with a variety of third parties and service providers to help provide the Services and they may share personal information with them to support these efforts.
Shopify may also share your information in the following circumstances:
- to prevent, investigate, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of their Terms of Service or any other agreement related to the Services, or as otherwise required by law.
- if our store directs them to transfer this information (for example, if they enable a third party app that accesses customer personal information).
- to conform to legal requirements, or to respond to lawful court orders, subpoenas, warrants, or other requests by public authorities (including to meet national security or law enforcement requirements).
Personal information may also be shared with a company that acquires Shopify business or our business, whether through merger, acquisition, bankruptcy, dissolution, reorganization, or other similar transaction or proceeding.
We do not and will never share, disclose, sell, rent, or otherwise provide personal information to other companies for the marketing of their own products or services.
Shopify is responsible for all onward transfers of personal information to third parties in accordance with the EU-U.S. Privacy Shield Framework, the Swiss-U.S. Privacy Shield Framework, and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Control over and access to your personal information
You may decline to share certain information with us, in which case we may not be able to provide our Services.
You have the right to object to or request the restriction of processing of your information, and to request access to, rectification, erasure and portability of your own information. Where we process your information on the basis of your consent, you have the right to withdraw that consent (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Information in reliance upon any other available legal basis).
EEA Residents have the following rights:
- Right to withdraw consent. You have the right to withdraw your consent to the processing of your personal information collected on the basis of your consent at any time.
- Right of access to and rectification of your personal information. You have a right to request that we provide you a copy of your personal information held by us. You may also request us to rectify or update any of your personal information that is inaccurate.
- Right to erasure. You have the right to request erasure of your personal information. When we receive a request to delete your personal data we will:
- verify that the requester is the same as the data subject
- confirm there is no legal reason to preserve this data
- forward the request to Shopify as processor of the data
After a request is received, Shopify will ensure that the relevant personal data is erased.
If erasing it is impossible, Shopify will communicate to what degree it is impossible, and why.
Personal data cannot be erased from Shopify while it is:
- Associated with a pending order
- Associated with an order made fewer than 180 days before the
request (the usual window in which a buyer can make a chargeback)
Requests should be submitted by contacting us (using the contact instructions in Section 10 below).
SECTION 2 - DATA PROTECTION
2.1. Where a Data Subject is located in the European Economic Area, that Data Subject’s Personal Data will be processed by Shopify’s Irish affiliate, Shopify International Ltd. As part of providing the Services, this Personal Data may be transferred to other regions, including to Canada and the United States. Such transfers will be completed in compliance with relevant Data Protection Legislation.
2.2. When Shopify Processes Personal Data in the course of providing the Services, Shopify will:
2.2.1. Process the Personal Data as a Data Processor, only for the purpose of providing the Services in accordance with documented instructions from you (provided that such instructions are commensurate with the functionalities of the Services), and as may subsequently be agreed to by you. If Shopify is required by law to Process the Personal Data for any other purpose, Shopify will provide you with prior notice of this requirement, unless Shopify is prohibited by law from providing such notice;
2.2.2. notify you if, in Shopify’s opinion, your instruction for the processing of Personal Data infringes applicable Data Protection Legislation;
2.2.3. notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Data Subject or Supervisory Authority relating to Shopify’s Processing of the Personal Data;
2.2.4. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
2.2.5. provide you, upon request, with up-to-date attestations, reports or extracts thereof where available from a source charged with auditing Shopify’s data protection practices (e.g. external auditors, internal audit, data protection auditors), or suitable certifications, to enable you to assess compliance with the terms of this Addendum;
2.2.6. notify you promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
2.2.7. ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Customer Personal Data; and
2.2.8. upon termination of the Agreement, Shopify will promptly initiate its purge process to delete or anonymize the Personal Data. If you request a copy of such Personal Data within 60 days of termination, Shopify will provide you with a copy of such Personal Data.
2.3 In the course of providing the Services, you acknowledge and agree that Shopify may use Subprocessors to Process the Personal Data. Shopify’s use of any specific Subprocessor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between Shopify and Subprocessor.
SECTION 3 - CONSENT
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only.
If we ask for your personal information for a secondary reason, like marketing, we will ask you directly for your expressed consent.
Email marketing: with your permission, we may send you emails about our store, new products and other updates.
How do I withdraw my consent?
If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at anytime, by contacting us at email@example.com or mailing us at:
Pacific House, 382 Kenton Road Harrow, Middlesex GB HA3 8DP
SECTION 4 - SHOPIFY
Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read Shopify’s Terms of Service (https://www.shopify.com/legal/terms) or Privacy Statement (https://www.shopify.com/legal/privacy).
SECTION 5 - THIRD-PARTY SERVICES
In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.
For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
In particular, remember that certain providers may be located in or have facilities that are located a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
As an example, if you are located in Europe and your transaction is processed by a payment gateway located in the United States, then your personal information used in completing that transaction may be subject to disclosure under United States legislation, including the Patriot Act.
When you click on links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
SECTION 6 - SECURITY
To protect your personal information, Shopify takes reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with a AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, Shopify follows all PCI-DSS requirements and implement additional generally accepted industry standards.
SECTION 7 - COOKIES
A cookie is a small amount of data, which may include a unique identifier. Cookies are sent to your browser from a website and stored on your device. Shopify assigns a different cookie to each device that accesses our website.
Here is a list of cookies that Shopify uses.
Cookies Necessary for the Functioning of the Store:
_ab Used in connection with access to admin.
_orig_referrer Used in connection with shopping cart.
_secure_session_id Used in connection with navigation through a storefront.
Cart Used in connection with shopping cart.
cart_sig Used in connection with checkout.
cart_ts Used in connection with checkout.
checkout_token Used in connection with checkout.
Secret Used in connection with checkout.
Secure_customer_sig Used in connection with customer login.
storefront_digest Used in connection with customer login.
Reporting and Analytics:
_landing_page Track landing pages.
_orig_referrer Track landing pages.
_s Shopify analytics.
_shopify_fs Shopify analytics.
_shopify_s Shopify analytics.
_shopify_sa_p Shopify analytics relating to marketing & referrals.
_shopify_sa_t Shopify analytics relating to marketing & referrals.
_shopify_uniq Shopify analytics.
_shopify_visit Shopify analytics.
_shopify_y Shopify analytics.
_y Shopify analytics.
tracked_start_checkout Shopify analytics relating to checkout.
The length of time that a cookie remains on your computer or mobile device depends on whether it is a “persistent” or “session” cookie. Session cookies last until you stop browsing and persistent cookies last until they expire or are deleted. Most of the cookies Shopify uses are persistent and will expire between 30 minutes and two years from the date they are downloaded to your device. See the section below on how to control cookies for more information on removing them before they expire.
SECTION 7.1 - BEHAVIOURAL ADVERTISING
As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by using the links below:
- Facebook: https://www.facebook.com/settings/?tab=ads
- Google: https://www.google.com/settings/ads/anonymous
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.
SECTION 8 - AGE OF CONSENT
By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site.
If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.
SECTION 10 - QUESTIONS AND CONTACT INFORMATION
If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information contact our Privacy Compliance Officer at firstname.lastname@example.org or by mail at
Pacific House, 382 Kenton Road Harrow, Middlesex GB HA3 8DP
Last updated: May 23rd 2018