I may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 11/02/2020.
What sort of personal data do I collect?
A cookie is a small text file that may be stored on the hard drive of your computer when you access our Site. A "session cookie" expires immediately when you end your session (i.e. close your browser). A "persistent cookie" stores information on the hard drive so when you end your session and return to the same website at a later date, the cookie information is still available. When you visit our website, we may use both a session and a persistent cookie. These cookies may contain information (such as a unique user ID) that is used to track your usage of our website.
Our website and our e-mails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs). These allow us to capture certain additional types of information about a visitor's interactions with a website or email, and help us analyse our customers' online behaviour and measure the effectiveness of our website, email campaigns, and advertising.
What sort of personal data do I collect?
- IP addresses;
- the type of computer or mobile device you are using;
- your operating system version;
- your mobile device’s identifiers, like your MAC Address, Identifier For Advertising (IDFA), and/or International Mobile Equipment Identity (IMEI);
- your browser type;
- your browser language;
- your device geo-location information;
- referring and exit pages, and URLs;
- platform type;
- the number of clicks on a page or feature;
- domain names;
- landing pages;
- pages viewed and the order of those pages;
- the amount of time spent on particular pages; and
If you have an online account with me, I collect: your name, billing / delivery address, email, telephone number, history of orders, wish lists and your current basket. For your security, we’ll also keep an encrypted record of your login password.
Details of your interactions with me through the Temple Spa Customer Service team.
Any comments and / or product reviews.
Your social media username, if you interact with me through those channels, to help me respond to your comments, questions or feedback.
When do I collect your personal data?
When you visit my website and consent to using cookies.
When you make an online purchase and check out as a guest.
When you create an account with me.
When you open an email or click on a link within an email.
When you engage with me on social media.
When you contact the Temple Spa Customer Service team with queries, complaints etc.
When you enter prize draws or competitions with us, or a partner of ours.
When you choose to complete any surveys I send you.
How I Use Your Data
The GDPR (General Data Protection Regulation) sets out a number of different reasons for which a company may collect and process your personal data, including:
In specific situations, I can collect and process your data with your consent. For example, when you sign up to receive email newsletters.
In certain circumstances, I need your personal data to meet my contractual obligations.
For example: I collect your address details to deliver your purchase, and pass them to my trusted courier partners.
In certain situations, I require your personal data to pursue my legitimate interests, but only in a way which might reasonably be expected as part of running my business and which does not materially impact your rights as specified under GDPR. My legitimate interests include:
- selling and supplying goods and services to my customers;
- promoting, marketing and advertising my products and services (direct marketing);
- sending promotional communications which are relevant and tailored to individual customers;
- understanding my customers’ behaviour, activities, preferences, and needs;
- complying with my legal and regulatory obligations;
- handling customer contacts, queries, complaints or disputes;
- protecting myself by taking appropriate legal action against third parties who have committed criminal acts or are in breach of legal obligations to Temple Spa;
- effectively handling any legal claims or regulatory enforcement actions taken against me or Temple Spa; and
If the law requires me to, I may need to collect and process your data.
For example: I may need to pass on details of people involved in fraudulent or other criminal activities to law enforcement agencies.
How and why do I use your personal data?
To process any orders that you make by using my website, it is a contractual necessity to collect your personal data during checkout, otherwise I wouldn’t be able to process your order and comply with my legal obligations.
I will keep your details for a reasonable period afterwards in order to fulfil any contractual obligations such as refunds, warranties, etc. and to comply with HMRC record keeping requirements.
I want to give you the best possible customer experience. One way to achieve that is to get the fullest picture I can of who you are by combining the data I have about you. I then use this to offer you promotions, products and services that are most likely to interest you. The GDPR allows this as part of my legitimate interest in understanding my customers and providing the highest levels of service.
To respond to your queries, refund requests and complaints, I may also keep a record of these to inform any future communication with me and to demonstrate how I communicated with you throughout. I do this on the basis of my contractual obligations to you, my legal obligations and my legitimate interests in providing you with the best service and understanding how I can improve my service based on your experience.
To protect my business and your account from fraud and other illegal activities. This includes using your personal data to maintain, update and safeguard your account. We’ll also monitor your browsing activity with me to quickly identify and resolve any problems and protect the integrity of my websites. We’ll do all of this as part of my legitimate interest.
To protect our premises, assets and employees from crime, I operate CCTV systems at my Head office. I do this on the basis of my legitimate business interests.
To process payments and to prevent fraudulent transactions. I do this on the basis of my legitimate business interests. This also helps to protect my customers from fraud.
With your consent, I will use your personal data, preferences and details of your transactions to keep you informed by email and web about relevant products and services including tailored special offers, discounts, promotions, events, competitions and so on. You are free to opt out of hearing from me by any of these channels at any time by clicking unsubscribe in an email or requesting to be removed by contacting me on email@example.com or firstname.lastname@example.org.
To comply with my contractual or legal obligations to share data with law enforcement and other governmental bodies.
To send you survey and feedback requests to help improve my services. These messages do not require prior consent when sent by email. I have a legitimate interest to do so as this helps make my products or services more relevant to you.
Temple Spa works with Epsilon Abacus (registered as Epsilon International UK Ltd), a company that manages the Abacus Alliance on behalf of numerous top brand UK retailers. The participating retailers share information on what their customers buy. Epsilon Abacus analyses this pooled information to help the retailers understand consumers’ wider buying patterns. From this information, I can tailor communications, sending people suitable offers that should be of interest to them, based on what they like to buy. Your data is not shared with the other retailers in the scheme unless I obtain your consent.
I may display interest-based ads to you when you are using Facebook through tools offered by Facebook based on cookies and other tracking technologies. This tool allows me to personalise my ads based on your shopping experience with us. I do not share any of your personal information, including your shopping history, with Facebook. If you would like to opt out of re-targeted Facebook ads click here http://www.aboutads.info/choices/
I may display interest-based ads to you when you are using Google and other websites signed up to Google’s Ad programmes based on cookies and other tracking technologies. I do not share any of your personal information with Google. If you would like to opt out of re-targeted Google Ads click here http://www.aboutads.info/choices/
How I protect your personal data
I know how much data security matters to all my customers. With this in mind, I will treat your data with the utmost care and take all appropriate steps to protect it, including:
- Physical security for all servers
- State-of-the-art web-based anti-virus
- Primary physical and secondary virtual firewalls
- Email firewalls & spam filters
- Internet browsing protection via the renowned Cisco Umbrella service
- Intrusion detection systems
- Web Application Firewalls (WAFs)
- Anti DDoS (Distributed Denial of Service) protection
The website secures access to all transactional areas of my websites and apps using ‘https’ technology.
Access to your personal data is password-protected and restricted to authorised personnel only. Any sensitive data such as payment card information is tokenised to ensure it is protected.
How long will I keep your personal data?
Whenever I collect or process your personal data, I will only keep it for as long as is necessary and for the purpose for which it was collected, after which it is deleted or anonymised. I may need to keep your data for a certain length of time due to HMRC and other regulatory requirements.
Who do I share your personal data with?
We only share your personal data with trusted service providers (e.g. delivery couriers) and data processors that are GDPR compliant. I provide only the information they need to perform their specific services. They may only use your data for the exact purposes I specify in my contract with them.
If I stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Examples of the kind of trusted service providers I work with are:
Temple Spa who act as a Data Processor
IT companies who support my website and other business systems.
Payment Processors such as SagePay, PayPal and Braintree Payments.
Operational companies such as delivery couriers.
Direct marketing companies who help me manage my electronic communications with you.
Google / Facebook to show you products that might interest you while you’re browsing the internet. This is based on either your marketing consent or your acceptance of cookies on my websites.
We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of my customers into consideration.
To help personalise your journey through my websites I currently use the following companies, who will process your personal data as part of their contracts with us:
- AWIN (Affiliate Window)
- Rakuten Marketing
In the event that I cease trading as a Temple Spa Lifestyle Consultant then your data may be passed to Temple Spa, or another Consultant within its Spa To Go programme, but only where you have opted in to hear by email.
Where your personal data may be processed
To provide some of my services I may transfer your personal data to trusted data processors in countries that are outside the EEA (the EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway, which are subject to the GDPR). If I do so, then I always do so in compliance with GDPR (e.g. any US partners I use are part of the US Privacy Shield) so your data is as safe as it is within the EEA.
What are your rights over your personal data?
The GDPR has introduced a number of rights you can exercise with respect to your data. You have the right to request:
- Access to the personal data I hold about you, at no cost.
- The correction of your personal data when incorrect, out of date or incomplete.
- That I stop using your personal data for direct marketing (either through specific channels, or all channels).
- That I stop any consent-based processing of your personal data after you withdraw that consent.
- That any automated decision I make may be reviewed by a member of staff.
- That I erase any personal data I hold about you.
- If I choose not to action your request I will explain to you the reasons for my refusal.
- Your right to withdraw consent
- In cases where I am processing your personal data on the basis of my legitimate interest, you can ask me to stop for reasons connected to your individual situation. I must then do so unless I believe I have a legitimate overriding reason to continue processing your personal data.
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. I must always comply with your request.
How can you withdraw your consent to the use of your personal data for direct marketing?
There are several ways you can stop direct marketing communications from us:
By clicking the ‘unsubscribe’ link in any email communication that I send you or by emailing me on email@example.com or contacting Temple Spa on firstname.lastname@example.org.
Please note that you may continue to receive communications for a short period after changing your preferences while my systems are fully updated.
Contacting the Regulator
If you feel that your data has not been handled correctly, or you are unhappy with my response to any requests you have made to me regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113.
Or go online to www.ico.org.uk/concerns (please note I can't be responsible for the content of external websites).
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.