Thank you for visiting our website www.elleroo.co.uk (the Site). This Policy sets out the basis on which any personal data provided to us by you, or received by us from third parties, will be used by us. Please read this Policy carefully. If you have any questions in relation to it, please contact us at firstname.lastname@example.org
Who we are
We are elleroo Limited, a company registered in the United Kingdom under number 10680729, whose registered office is at Wymeswold, Leicester. We are the data controller of personal data provided to us as described in this Policy.
Full details are set out in the relevant sections of this Policy below, but in summary:
We generally receive personal data relating to you directly from you. For example, we will receive that data if you place an order with us, if you contact us through the Site or otherwise, or if we do business with you;
Personal data may occasionally be provided to us by third parties with whom both you and we have some form of relationship. For example, if a family member has ordered jewellery, or has asked us to send a product to your address as a gift, then they will have provided us with your personal data;
We use your data to fulfil orders, conduct our business, keep appropriate records, meet our legal obligations and improve our Site;
We only provide your personal data to third parties for our limited business purposes or as permitted by law;
We do not share your data with third party advertisers;
We store data for specified periods for our limited business purposes;
You have certain rights, prescribed by law, in relation to the processing of your data, such as rights to request access, rectification or deletion of your personal data;
You can contact us to enquire about any of the contents of this Policy.
1. Our use of personal data
1.1 In this section we have set out:
(a) the kinds of personal data that we may collect, use, store and transfer. We have grouped that data together into different categories based on its subject matter;
(b) our purposes in processing that data; and
(c) in each case, the legal basis of our processing. The legal basis means one of the permitted bases for processing set out in Article 6 of the General Data Protection Regulation (GDPR) under which we conduct the relevant processing.
Personal data we obtain from you
1.2 We may process the personal data you provide to us in registering for an account on our Site, which may include your name, email address, phone number and address. We call this account data. We use this to operate the Site, provide our products and services, ensure the security of our Site, and communicate with you.
1.3 We may process the personal data provided to us in order to make and deliver orders for our products. This might include the name, email address, phone number and address of the person ordering and the person receiving the order. It might also include personal data provided to us in order to make personalised products, such as dates of birth, details and names of family and friends. We call all of this order data, and we use it to prepare and fulfil orders placed with us.
1.4 We may process personal data contained in or relating to any communication that you send to us, whether through the Site, by email, or otherwise. All of this together is correspondence data. This may include the communication content and metadata associated with the communication, as well as any contact details you provide to us such as your name, email address, phone number, job title or address. We process correspondence data for the purposes of communicating with you and record-keeping. If you are a customer of ours, or have indicated your interest in our products, services or business, then we may also process correspondence data for the purposes of addressing your enquiry and providing you with occasional news about our products and services (although we will always allow you to opt out of receiving marketing communications).
1.5 If we do business with you or your organisation, whether as a supplier or some other form of commercial partner (like a referrer or distributor), then we may process personal data such as your contact details for the purposes of that business relationship. We may also process personal data within related correspondence and documents such as proposals or contracts, whether created by us or provided to us. We call all of this supplier data, and we process it for the purposes of administering our business relationships and for record-keeping.
1.6 We may process personal data relating to transactions, such as bank account details, contact details or transaction data in relation to payments made by us to you or by you to us (transaction data). This may include your contact details, any bank account or sort code information provided for the purposes of making payment, and the transaction details (such as POs or invoices). The transaction data may be processed for the purpose of supplying or receiving the relevant products or services, making and receiving payments and record-keeping. Importantly, if you are one of our customers we will not receive your credit or debit card details – these will be received only by our payment processing service providers as described below.
1.7 We may process data about your use of the Site (usage data). This may include your geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. This data is aggregated and anonymised in such a way that it contains no information relating to any identifiable individual: it’s not actually personal data but we mention it in this Policy for the sake of completeness. We process usage data for the purpose of improving our Site.
1.8 Our Site uses Facebook Pixel. This is a tracking pixel which identifies visitors who have come to the Site and which targets Facebook advertisements at those visitors. We do not have access to any personal data gathered via Facebook Pixel – this data is gathered and used only by Facebook, who is data controller in relation to that personal data and whose use of that personal data is governed by Facebook’s own terms.
Personal data we obtain from others
1.9 Your personal data may be provided to us by someone other than you: for example, by a family member who is purchasing a gift for you or a personalised product, or by a third party business with whom we both deal (e.g. if you are a supplier of ours then your employer might ask us to contact you and might provide us with your contact details). Normally this data will be order data, correspondence data, or supplier data as described above and will be processed by us for the purposes described above.
Our other processing
1.10 We may also process any of the data described above:
(a) for the purposes of record-keeping and back-up and restoration of our systems;
(b) as required by law or in connection with legal claims.
Our legal basis of processing
1.11 We will process personal data only on lawful bases. In particular, we will process personal data on the following lawful bases identified in Article 6 GDPR:
(c) For the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1)(b) GDPR). This may be our basis for processing account data, order data, correspondence data, or transaction data;
(d) For our legitimate interests (Article 6(1)(f) GDPR). This may be our basis for processing:
i) account, order, correspondence and supplier data (as we have an interest in properly administering our business and communications, and in developing our business with interested parties);
ii) transaction data (as we have an interest in making and receiving payments promptly and in recovering debts);
iii) any personal data identified in this Policy where necessary in connection with legal claims (as we have an interest in the protection and assertion of our and your legal rights and the legal rights of others); and
iv) any personal data identified in this Policy in connection with backups of any element of our IT systems or databases containing that personal data (as we have an interest in ensuring the resilience of our IT systems and the integrity and recoverability of our data).
1.12 We may also process any of your personal data where necessary for compliance with law (Article 6(1)(c) GDPR).
2. Providing your personal data to others
2.1 We may disclose your personal data to our insurers and/or professional advisers as necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.
2.2 We may disclose personal data to our suppliers or subcontractors in connection with the uses described above. For example, we may disclose:
(a) any personal data in our possession to suppliers which host the servers on which our data is stored;
(b) transaction data to our accountants and payment processing service providers. Please note that we do not receive your credit or debit card details, and that these are processed by our payment processing service providers, PayPal and Stripe, as data controllers in their own right. You should review their privacy policies for further information;
(c) correspondence data to email marketing providers; and
(d) transaction data and other relevant personal data to third parties for the purposes of fraud protection, credit risk reduction and debt recovery.
2.3 We do not allow our data processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions and applicable law.
2.4 We may disclose your personal data as necessary to comply with law (e.g. to Government or law enforcement).
2.5 If any part of our business or operations is sold to, transferred to, or integrated with, another organisation (or if we enter into negotiations for those purposes), your personal data may be disclosed to that organisation.
3. International transfers of your personal data
Some of the third parties to whom we may transfer your personal data, discussed above, may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. If so, then we will ensure that transfers by our appointed data processors will only be made lawfully (e.g. to countries in respect of which the European Commission has made an "adequacy decision", or with appropriate safeguards such as the use of standard clauses approved by the European Commission or the use of the EU-US Privacy Shield). You may contact us if you would like further information about these safeguards.
4. Data security
4.1 We take appropriate technical and organisational security measures to prevent your personal data from being lost, used, accessed, altered or disclosed by accident or without authorisation.
4.2 If we become aware of any personal data breach, then we will notify you and the ICO as required by law.
5. Retaining and deleting personal data
5.1 We will only process your personal data as long as is needed for the purposes for which we process it and will delete it afterwards. In particular:
(a) usage data which is anonymised (and therefore not personal data) may be retained by us indefinitely (but is typically deleted within a few months);
(b) communications data which relates only to enquiries and not to a business relationship will be retained for the period of the enquiry or chain of correspondence and then deleted after approximately twelve months;
(c) order, supplier and transaction data, and communications data relating to our business relationship with you, will be retained for approximately seven years after the end of the relevant business relationship;
(d) any personal data provided to us to produce personalised products will be retained for approximately twelve months after fulfilment of the order and will then be deleted.
5.2 We may retain your personal data longer where necessary to comply with law or in special circumstances permitted by law (e.g. to defend legal claims). When we back up our systems then data may be stored temporarily in the back-up beyond its usual retention period. However, that data will be overwritten or deleted in making subsequent back-ups.
6. Your legal rights under GDPR
6.1 We have summarised below the rights that you have under data protection law. You can read guidance from the Information Commissioner’s Office at www.ico.gov.uk for more information. You have:
(a) the right to access: if requested, we must confirm what personal data of yours we process, and must provide you with access to that data and further information about our processing;
(b) the right to rectification: if requested, we must correct or complete any inaccurate or incomplete personal data of yours;
(c) the right to erasure: you can request that we erase your personal data in limited circumstances (for instance, if we use it for marketing or no longer need it for our other purposes). This is not an absolute right and we may be entitled to retain your data where necessary (e.g. to comply with law);
(d) the right to restrict processing: you can request that we restrict the processing of your personal data in limited circumstances. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except in the case of processing permitted by applicable law (for example, in connection with legal claims or for reasons of public interest);
(e) the right to object to processing: you can object to our processing of your personal data on the basis of our legitimate interests. We may be entitled to continue processing in certain circumstances (e.g. if we have compelling grounds to do so, or to comply with law);
(f) the right to data portability: you have a right to receive your data from us in an easily-portable format in limited circumstances: i.e. if we process that data on the basis of a contract with you and by automated means. This is unlikely to apply in most circumstances; and
(g) the right to complain: if you believe we are in breach of applicable law, you can complain to the Information Commissioner’s Office. For more information, see https://ico.org.uk/concerns/.
6.2 You may exercise any of your rights in relation to your personal data by written notice to us.
7. About Cookies
| Name of Cookie | Essential or Non-essential? | Type of cookie | First or third party cookie | Session or Persistent | Expiry time | Purpose |
|---|---|---|---|---|---|---|
| PHPSESSID | Essential | HTTP Cookie | First party | Session | 1 hour | |
| Default | Essential | HTTP Cookie | First party | Session | 1 hour | |
| Language | Essential | HTTP Cookie | First party | Persistent | 29 days | |
| Currency | Essential | HTTP Cookie | First party | Persistent | 29 days | |
| _hjIncludedInSample | Essential | HTTP Cookie | First party | Session | 1 hour | |
| _ga | Non-essential | HTTP Cookie | First party | Persistent | 729 days | Google Analytics tracking code |
| _gid | Non-essential | HTTP Cookie | First party | Session | 1 hour | Google Analytics tracking code |
| _gat | Non-essential | HTTP Cookie | First party | Session | 1 hour | Google Analytics tracking code |
| __utma | Non-essential | Analytical | First party | Persistent | 729 | Google Analytics tracking cookie |
| __utmb | Non-essential | Analytical | First party | Session | | Google Analytics tracking cookie |
| __utmc | Non-essential | Analytical | First party | Session | | Google Analytics tracking cookie |
You may block cookies by activating settings on your browser which allow you to refuse the setting of some or all cookies. If you choose to block all cookies (including essential cookies) you may not be able to access all or some parts of our Site.
Most cookies we use are known as session cookies. These cookies will expire whenever you close your browser or shut down your computer, and such cookies need not be blocked. Other cookies used for a specific purpose will expire when that purpose is no longer required.
You can find out more about blocking cookies in specific browsers at http://aboutcookies.org.
8. Third Parties and Security
8.1 The Site may contain links to third party websites or refer to third party service providers and other entities. If you follow a link to any third party website or deal with any third party entity referred to on the Site, then you should note that these third parties may have their own privacy and cookie policies, and that we are not responsible for their use of any personal data which you may provide to them. You should ensure that you have read and understood any relevant policies.
8.2 Although we do our best to ensure the security of personal data provided to us (and to use only reputable service providers), any transmission of data via the Internet is by its nature insecure and we cannot guarantee the security of any personal data you provide to us.