Privacy policy for Southwest Firewood

Introduction:

At South West Firewood, we are committed to protecting and respecting your privacy. This policy explains when and why we collect personal information about people and how we keep it secure.

“Southwest Firewood” is the data controller and as such we are responsible for the storage of your personal data (referred to as “we”, “us” or “our” in this privacy notice).

If any of your personal information changes, for example when you change your email address, phone number, address or name, please contact us and let us know how it has changed so that we can update our records. We may contact you periodically to check that the personal data we hold for you is accurate and up to date.

Terms & Definitions:

Our GDPR compliant privacy policy should be legible and understandable for the general public, as well as our customers, clients, associates or business partners. To ensure this, we would like to first explain the terminology used.

In this privacy policy we may use the following terms:

Consent – freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data.

Data Controller – the entity that determines the purposes, conditions, and means of the processing of personal data.

Data Erasure – also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.

Data Portability – the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.

Data Processor – the entity that processes data on behalf of the Data Controller.

Data Protection Authority – national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union.

Data Protection Officer – an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.

Data Subject – a natural person whose personal data is processed by a controller or processor.

Encrypted Data – personal data that is protected by technological measures to ensure that the data is only accessible/readable by those with specified access.

Enterprise – any entity engaged in economic activity, regardless of legal form, including persons, partnerships, associations, etc.

Filing System – any specific set of personal data that is accessible according to specific criteria, or able to be queried.

Genetic Data – data concerning the characteristics of an individual which are inherited or acquired which give unique information about the health or physiology of the individual.

Personal Data – any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.

Personal Data Breach – a breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data.

Privacy Impact Assessment – a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data.

Processing – any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

Profiling – any automated processing of personal data intended to evaluate, analyse, or predict data subject behavior.

Pseudonymisation – the processing of personal data such that it can no longer be attributed to a single data subject without the use of additional data, so long as said additional data stays separate to ensure non-attribution.

Recipient – entity to which the personal data are disclosed.

Regulation – a binding legislative act that must be applied in its entirety across the Union.

Right to be Forgotten – also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.

Right to Access – also known as Subject Access Right, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.

Subject Access Right – also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.

Who we are:

South West Firewood is a small family run business based just outside Dumfries in South West Scotland. Southwest Firewood provides premium firewood logs to clients and customers.

If you need to contact us about anything related to this privacy notice, you can do so via:

Email: info@southwestfirewood.co.uk
Visit: https://southwestfirewood.co.uk/contact-us
Write to: Southwest Firewood, Corses Cottages, Parkgate, Dumfries, DG1 3NN
Phone: Steve: 07703 041764 – Murray: 07703 042602

What personal data we collect and why we collect it:

While you visit our site, we’ll track:
• Products you’ve viewed: we’ll use this to, for example, show you products you’ve recently viewed.
• Location, IP address and browser type: we’ll use this for purposes like estimating taxes and shipping.
• Shipping address: we’ll ask you to enter this so we can, for instance, estimate shipping before you place an order, and send you the order!

We’ll also use cookies to keep track of cart contents while you’re browsing our site.

When you purchase from us, we may ask you to provide information including your name, billing address, shipping address, email address, phone number, credit card/payment details and optional account information like username and password. We’ll use this information for purposes such as to:
• Send you information about your account and order.
• Respond to your requests, including refunds and complaints.
• Process payments and prevent fraud.
• Set up your account for our store.
• Comply with any legal obligations we have, such as calculating taxes.
• Improve our store offerings.
• Send you marketing messages, if you choose to receive them.

If you create an account, we will store your name, address, email and phone number, which will be used to populate the checkout for future orders. We generally store information about you for as long as we need the information for the purposes for which we collect and use it, and we are not legally required to continue to keep it. We will also store comments or reviews if you choose to leave them.

We may collect the following data about you:
• Your name
• Your email address
• Your address
• Your phone number
• Your date of birth
• Your business name
• When you voluntarily provide feedback or testimonials
• Any other personal data you choose to post on our website
• Data about how you use our website
• Technical data such as your IP address, your login data, details about your browser, length of visit to pages on our website, page views and navigation paths, details about the number of times you use our website, time zone settings and other technology on the devices you use to access our website
• Your marketing and communication preferences
• Any other information that you directly provide to us whether through our contact form, over the phone, by email or otherwise

We hold this information because we require it to provide the product, service or support which you have requested. This may mean that you will be asked to sign or tick consent forms in the future. If you don’t consent to our processing this information when asked to do so it may mean that we cannot provide a service to you.

We do not collect any Sensitive Data about you. Sensitive data refers to data that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not collect any information about criminal convictions and offences. We do not carry out automated decision making or any type of automated profiling.

Our website is built on the WordPress platform. WordPress alone does not collect any personal data about visitors, and only collects the data shown on the User Profile screen from registered users. However, some of our plugins, such as contact forms, eCommerce systems, security plugins and Google Analytics, may collect personal data.

How we may use your data:

We will use your data in order to:
• Process financial transactions to enable you to purchase goods, products or services.
• Send you customer communications about enhancements to products or services you have bought.
• Enable us to perform a contract with you and process orders, respond to enquiries related to the order and deal with complaints.
• Reply to any enquiries you make about our products or services
• Send you marketing communications where we are allowed by law to do so
• Personalise your experience on our websites
• Monitor the use of our website and online services
• Keep records of orders placed and communications in relation to such orders
• Keep records of communications
• Analyse your use of our website and other online services
• Administer and protect our business and website
• Deliver relevant website content and advertisements to you
• Understand the effectiveness of our advertising
• Comply with any legal obligations we are subject to or as required by a government authority
• Manage our business
• Obtain professional advice
• Process a job application
• Seek your views or comments on the services we provide
• Notify you of changes to our services

Marketing communications:

Our lawful ground for processing your personal data to send you marketing communications is either your consent or our legitimate interests. Under the Privacy and Electronic Communications Regulations, we may only send you email or text marketing communications if (i) you made a purchase or asked for information from us about our goods or services or (ii) you agreed to receive marketing communications, and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company or business, we may send you marketing emails without your consent. You can still opt out of receiving marketing emails from us at any time. We do not share your personal data with any third party for their own marketing purposes, and if we ever did we would get your express consent. You can ask us to stop sending you marketing messages at any time by emailing us at info@southwestfirewood.co.uk.
If you opt out of receiving marketing communications this opt-out does not apply to personal data provided as a result of other transactions, such as purchases, or ongoing contracts etc.

Lawfulness of processing:

Under GDPR, we are only legally allowed to process your personal data if we have a lawful ground for doing so.

The legal bases for processing your data are:

Consent – the individual (a data subject) whom the personal data is about has consented to the processing by way of placing an order (customer data), making an enquiry (prospect data), or by consenting to receive future marketing material from us (marketing data) etc.

Contractual – processing is necessary in relation to a contract which the data subject has entered into with the business, or because the data subject has asked for something to be done so they can enter into a contract with the business.

Legal obligation – processing is necessary because of a legal obligation that applies to the business (except an obligation imposed by a contract).

Legitimate interests – processing is necessary for the business’s legitimate interest or those of a third party to whom the personal data is disclosed, except where such interests are overridden by the interests, rights or freedoms of the data subject. With reference to User Data that we have obtained through cookies on our website or other online services for the purposes of maintaining our website, ensuring relevant content is provided to you, ensuring the security of our website, backups and/or databases and to enable publication and administration of our website, other online services, and information, the processing is necessary for the purposes of our legitimate interests, which in this case are to enable us to properly manage our website and our business. With reference to Technical Data (which includes data about your use of our website and online services such as your IP address, your login data, details about your browser, length of visit to pages on our website, page views and navigation, details about the number of times you visit or use our website, time zone settings and other technology on the devices you use to access our website), we process this data to analyse your use of our website and other online services, to manage and protect our business, website, and interests, to deliver relevant content to you and to understand the effectiveness of any marketing or strategy. Where the processing of personal data is based on Article 6(1) lit. Our legitimate interest is to carry out our business in favor of the well-being of all our employees and the shareholders.

How we collect your data:

We may collect data about you by you providing the data directly to us (for example by filling in forms on our site, placing an order, phone conversations, by sending us emails or customer referrals). We may automatically collect certain data from you as you use our website by using cookies and similar technologies. Please see our cookie policy for further information about this at:

https://southwestfirewood.co.uk/cookie-policy

We may receive data from third parties such as Google Analytics based outside the EU, advertising networks such as Facebook based outside the EU, search engine information providers such as Google based outside the EU, providers of technical, payment and delivery services, fraud detection agencies and data brokers or aggregators. We may also receive data from publicly available records or sources such as Companies House and the Electoral Register based inside the EU.

How long we retain your data:

We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any enquiries, transactions or agreements. When deciding how long to keep the data, we look at its amount, nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes, whether these can be achieved by other means, and legal requirements. For tax purposes, the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers. In some circumstances, we may anonymise your personal data for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

If you leave a comment on our website, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue. For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except that usernames cannot be changed unless you ask us to do this for you). Website administrators can also see and edit that information.

What rights you have over your data:

Under data protection laws you have rights in relation to your personal data that include the right to request access, correction, erasure, restriction, transfer, to object to processing, to the portability of data and (where the lawful ground of processing is consent) to withdraw consent.

You can see more about these rights at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights

The accuracy of your information is important to us. We’re working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change email address or any of the other information we hold is inaccurate or out of date, please e-mail us at info@southwestfirewood.co.uk

You have the right to ask for a copy of the information Southwest Firewood holds about you (we may charge £10 for information requests to cover our costs in providing you with details of the information we hold about you).

If you wish to exercise any of the rights set out above, please contact us. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive, or we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who does not have a right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We will try to respond to all legitimate requests within 28 days. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you. If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would appreciate it if you would contact us first so that we can try to resolve it for you.

If you have an account on this website, have left comments, or submitted enquiries to us by email you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we edit or erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, tax, or security purposes.

How we protect your data:

We have put various security measures in place to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. Our internal storage systems, cloud servers or devices are all password protected with restricted access for our staff only. We also allow access to your personal data only to those employees or authorities who have a need to know such data. They will only process your personal data on our instructions and they must keep it confidential. We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach if we are legally required to.

As a company, we have carried out a Privacy Impact Assessment and internal Audit. Our website uses the HTTPS protocol for secure communication over a computer network; the communication is encrypted using Secure Sockets Layer (an SSL certificate). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering of the communication. In practice, this provides a reasonable assurance that one is communicating without interference by attackers with the website that one intended to communicate with, as opposed to an impostor. Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems. HTTPS is, however, being used more often by web users than the original non-secure HTTP, primarily to protect page authenticity on all types of websites; secure accounts; and keep user communications, identity, and web browsing private. Our website also has another layer of security called SiteLock: SiteLock, the Global Leader in business website security solutions, is the only web security solution to offer complete, cloud-based website protection. Its 360-degree monitoring finds and fixes threats, protects against hackers and future attacks, accelerates website performance and meets PCI compliance standards for businesses of all sizes. SiteLock protects over 12 million websites worldwide. Our website and database are also backed up on a daily basis.

Disclosure or transfer of your personal data:

We may have to share your personal data with the parties set out below:
• Government or legal bodies that require us to report processing activities or otherwise disclose your personal data.
• Market researchers and fraud prevention agencies.
• Visitor comments may also be checked through an automated spam detection service.
• Third parties to whom we sell, transfer, or merge parts of our business or our assets (assignment clause).

We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We would only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.

This can involve transferring your data outside the European Economic Area (EEA). We are subject to the provisions of the General Data Protection Regulations that protect your personal data. Where we transfer your data to third parties outside of the EEA, we will ensure that certain safeguards are in place to ensure a similar degree of security for your personal data. As such:
• We may transfer your personal data to countries that the European Commission has approved as providing an adequate level of protection for personal data; or
• If we use US-based providers that are part of EU-US Privacy Shield, we may transfer data to them, as they have equivalent safeguards in place; or
• Where we use certain service providers who are established outside of the EEA, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe.

If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time. European data protection law requires data about European residents which is transferred outside the European Union to be safeguarded to the same standards as if the data was in Europe.

Our third party suppliers, such as web/email hosting providers, process our website data on our behalf as part of the services they provide us with. They, as our data processors, do have access to our website and can therefore see any accounts set up and the information they contain on our website. They do not, however, have access to your or our data through any other means, and they apply the strictest code of conduct themselves in terms of data protection. Only we have direct access to our emails and communications, which are all password protected.

What data breach procedures we have in place:

The GDPR has introduced a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. We must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay. We have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals.

We must also keep a record of any personal data breaches, regardless of whether we are required to notify.

We know how to recognise a personal data breach.

We understand that a personal data breach isn’t only about loss or theft of personal data.

We have prepared a response plan for addressing any personal data breaches that occur.

We have allocated responsibility for managing breaches to a dedicated person or team.

Our staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.

What third parties we receive data from:

Our website does not receive data about users from any third parties, including advertisers.

What automated decision making and/or profiling we do with user data:

Our website does not include any automated decision making – for example, allowing customers to apply for credit, or aggregating their data into an advertising profile.

Comments:

When visitors leave comments on the site we may collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture (if you choose to upload one) is visible to the public in the context of your comment.

Media:

From time to time we are sent images of our products or services in use by clients, or Southwest Firewood staff take images on site when they have the permission of the client or customer. We only use these images to promote our products and services via our website or on social media. None of the pictures we take contain any sensitive information.

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies:

The Cookies We Set

Strictly Necessary Cookies:

The Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.

If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.

Account related cookies:

If you create an account with us then we will use cookies for the management of the signup process and general administration. These cookies will usually be deleted when you log out; however, in some cases they may remain afterwards to remember your site preferences when logged out.

Login related cookies:

We use cookies when you are logged in so that we can remember this fact. This prevents you from having to log in every single time you visit a new page. These cookies are typically removed or cleared when you log out to ensure that you can only access restricted features and areas when logged in.

Orders processing related cookies:

This site offers e-commerce or payment facilities and some cookies are essential to ensure that your order is remembered between pages so that we can process it properly.

Forms related cookies:

When you submit data through a form such as those found on contact pages or blog posts, cookies may be set to remember your user details for future correspondence.

Site preferences cookies:

In order to provide you with a great experience on this site, we provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences, we need to set cookies so that this information can be called whenever you interact with a page that is affected by your preferences.

Third Party or non-essential Cookies:

In some cases, we also use cookies provided by trusted third parties. The following section details which third party cookies we have on our website.

To protect our brand, the ongoing security of your information or data and our website, we may use cookies to track the IP addresses of some visitors or registered users. We do this by using carefully chosen third party software or plugins which help improve the overall security of our website against the threat of hackers, malware or security breaches.

This site uses Google Analytics which is one of the most widespread and trusted analytics solutions on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content.

For more information on Google Analytics cookies, see the official Google Analytics page. https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

From time to time we might test new features and make subtle changes to the way that the site is presented. When we are still testing new features these cookies may be used to ensure that you receive a consistent experience whilst on the site, ensuring that we understand which optimisations our users appreciate the most.

We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work, some or all of the following social media sites (Facebook, LinkedIn, Instagram and YouTube) will set cookies through our site which may be used to enhance your profile on their site or contribute to the data they hold for various purposes outlined in their respective privacy policies.

If you leave a comment on our site you may opt-in to save your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser. When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed. If you edit, comment on or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content or links to other websites:

Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website, so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access those using links from our website.

In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.

We may use embedded content from other websites on our own website and as such these features behave in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

eCommerce & payments:

We collect information about you during the checkout process on our store. We accept payments through Stripe & PayPal. By using our payment gateway, when processing payments, some or all of your data will be passed directly to and stored by Stripe & PayPal through our checkout system, including information required to process or support the payment, such as login details, the purchase total, and billing information. Therefore Stripe & PayPal are the data controllers of your financial and personal information relating to the sale. Please see the Stripe & PayPal Privacy Policies for further information by visiting:

https://stripe.com/gb/privacy

https://www.paypal.com/ee/webapps/mpp/ua/privacy-full

Who in our team has access to your data:

Only the partners in the business have full access. Part-time employees are given a specific order sheet on paper for deliveries, and at the end of the day/week these sheets are normally burned (a biomass boiler is good for disposing of personal data on paper). Part-time employees may have call records on private mobile phones if they have had to call the customer on a delivery. For example, website administrators, cloud hosting/email suppliers and staff including the business owner can access: enquiry or contact forms, order information like what was purchased, when it was purchased and where it should be sent, and customer information like your name, email address, and billing and shipping information. We as a company have access to this information to help fulfill orders, process refunds and provide our services to you. We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.

The legal information contained in this policy was sourced and compiled to the best of our knowledge. We reserve the right to change or update this policy but can confirm that the information supplied is accurate as of 25/05/2018.