For the purpose of the Data Protection Act from the 25 May 2018, the EU General Data Protection Regulation 2016/679 (the GDPR), the data controller is Graf Limited (company no. 11080410), having its registered office at Rahu 16, Tallinn, Estonia 11619 (“Company/we/us”).
WHAT DO WE COLLECT AND HOW DO WE USE YOUR PERSONAL INFORMATION?
Personal information we collect from you
How we use that personal information
Full name, title, address, email address, phone number (mobile and/or landline) and date of birth when you create an account with us either via our Site or by telephone.
To open an account with us;
To process and deliver your orders;
To verify your identity;
To update you regarding our service e.g. new terms and conditions;
To enable you to store your details for future purchases;
To anticipate and resolve problems with any products or services supplied to you;
To administer your participation in promotional activities.
Email address when you”Join the So Posh” via our Site, sign up for our newsletter or otherwise request information from us.
To email you with our news, new product information, offers, discounts and competition opportunities
Your IP address, technical information about your phone, tablet or computer, browsing history on our Site, your basket contents whilst using our Site.
To help prevent payment fraud when you make a purchase
To help us tailor the Site and offers to suit you better
To suggest products we feel may be of interest to you
To enable us to manage stock levels, product demand
Your name, title, email address, telephone number and any other personal information you submit to us (by post, phone, email, messenger or via social media) when you make a product or customer services query or message us.
To answer your query or respond to your message as necessary
Your name, title, email address, delivery address, billing address, debit/credit card/Paypal details when you make a purchase from us.
To accept the order and take payment
To deliver the order to you, resolve problems with any order and manage refunds and returns
To contact you to obtain feedback regarding your order or your experience of purchasing from So Posh (unless you ask not to do so)
To contact you by email regarding our news, promotions and other information you may be interested in (unless you ask not to do so)
Your name, title, email address, telephone number and any other personal information you submit to us (by post, phone, email, messenger or via social media) when you enter a competition via our Site, social media or other
To enter you into the competition
To contact you by email regarding our news, promotions and other information you may be interested in (unless you ask us not to do so)
We may automatically collect non-personal information about you such as the type of internet browsers you use or the site from which you linked to our Site. You cannot be identified from this information and it is only used to assist us in providing an effective service on our Site. We may from time to time supply the owners or operators of third party sites from which it is possible to link to our Site with information relating to the number of users linking to our Site from their sites. You cannot be identified from this information.
We may store some information (commonly known as a “cookie”) on your computer when you look at our Site. This information facilitates your use of our Site and helps us to understand how our Site is used. You can erase or block some cookies from your computer if you want to (your help screen or manual should tell you how to do this), but certain So Posh services may not work correctly or at all if you set your browser not to accept cookies.
MARKETING AND COMMUNICATION
It is very important to us that we provide you with the highest level of service. In order to help us do this, from time to time we may contact you using one of the contact methods you have provided, with details of our newsletters, surveys, products and services which we think may be of interest to you, as well as relevant advertising messages. If at any time you do not wish to receive emails from So Posh, please click the ‘unsubscribe’ link included in the footer of every marketing email we send. Alternatively, send an e-mail message titled “unsubscribe” to firstname.lastname@example.org. Please note that active customers will continue to receive order and account communications from us.
LEGAL BASIS FOR USING YOUR INFORMATION?
So Posh only uses or shares your personal information only where we have a proper reason to do so.
These reasons are:
Contract – your personal information is processed in order to fulfil a contractual arrangement e.g. in order to send you your Order
Consent – where you agree to us using your information in this way e.g. for storing your payment card details
Legitimate Interests – this means the interests of So Posh in managing our business to allow us to provide you with the best products and service in the most appropriate way e.g. to manage our stock levels, for business development and risk management
Legal Obligation – where there is statutory or other legal requirement to use or share the information e.g. when we have to use your information for law enforcement purposes or statutory compliance
Here is a list of the ways that we may use your personal information, and which of the reasons described above we rely on to do so. Where we list legitimate interests as a reason, we also describe below what we believe these legitimate interests are:
What we use your personal information for
Our reasons(legal basis)
Explanation of So Posh’es Legitimate Interest
Set up So Posh account
To enable So Posh and you to efficiently manage your transactions and purchasing activities
Storing payment details
Customer services including query management, refunds, returns, customer verification
Legal obligation and/or legitimate interest
Maintaining accurate records, efficient customer service and product preferences
To detect and prevent crime (e.g. fraud)
Legal obligation and/or legitimate interest
Complying with legal obligation e.g. FCA regulation, improving crime detection and prevention and make process improvements
Website personalisation and administration
Developing products, services and design to attract and retain customers, improve interaction and support new product development
Marketing and communication of promotions, new products, competitions and on-line advertising
Developing products, services and design to attract and retain customers, improve interaction and engagement
Notification of service updates e.g. Site changes.
Developing product and services to retain customers and improve interaction and engagement
Contact you to undertake customer satisfaction surveys, invite product reviews or participate in market research.
Developing product and services to retain customers and improve interaction and engagement
For network security
To maintain the security of So Posh network and infrastructure to ensure confidentiality of all information
Planning, forecasting and management information.
To support business development, planning, supply levels to ensure we can respond to demand
WHO WE SHARE YOUR INFORMATION WITH AND WHY
Other than the disclosures referred to in this policy, we will not disclose any personal information without your permission unless we are legally entitled or obliged to do so (for example, if required to do so by Court Order or for the purposes of prevention of fraud or other crime). We will only disclose and/or transfer your personal information to a third party having ensured that steps have first been taken to ensure that your privacy rights continue to be protected. Graf OU may disclosure or transfer personal information as part of a reorganisation or a sale of the assets of a So Posh.
So Posh works with a number of national and international trusted suppliers, individuals, agencies and businesses in order to provide you the high quality goods and services you expect from us such as delivery companies, fraud prevention agencies, beauty and cosmetic brands and market research companies amongst others. Some examples of the categories of third parties with whom we share your data are:
So Posh works with a number of trusted partners who supply products and services on our behalf. We will only hold the minimum amount of personal information needed in order to fulfil the orders you place or for them to provide a service on our behalf.
DELIVERY AND LOGISTICS PARTNERS
In order for you to receive your goods, So Posh works with a number of delivery and logistics partners. We only pass limited information to them in order to ensure successful delivery of your order.
So Posh works with businesses and individuals who support our Site and business systems.
So Posh works with marketing companies who help us manage our electronic communications with you or carry out surveys, analytics, and product reviews on our behalf.
PAYMENT PROCESSING COMPANIES
So Posh works with trusted third party payment processing providers in order to securely take and manage payments.
KEEPING OUR RECORDS ACCURATE
We aim to keep our information about you as accurate as possible. If you would like to review or change the details you have supplied us with, or you would like to remove your published Submission from the Site you may do so at any time by using the Contact Us page on this Site.
You should be aware that the internet is an insecure environment. We have implemented technology and employee policies to help safeguard your privacy from unauthorised access and improper use. We will continue to update these measures, as appropriate, when new technology becomes available.
THIRD PARTY SITES AND SOCIAL MEDIA
We cannot be responsible for the privacy policies and practices of other third party sites (including but not limited to Facebook, YouTube, Twitter), or for advertisers on our site, even if you access them using links from our Site and we recommend that you check the policy of each site you visit. If you linked to our Site from a third party site, we cannot be responsible for the privacy policies and practices of the owners or operators of that third party site and we recommend that you check the policy of that third party site and contact its owner or operator if you have any concerns or questions. Unless expressly stated, we are not agents for these third party sites or for any third party advertisers on our Site, nor are we authorised to make representations on their behalf.
TRANSFERRING YOUR PERSONAL INFORMATION OUTSIDE THE EUROPEAN ECONOMIC AREA
We may need, as part of the services offered to you though our Site, to communicate your details outside the European Economic Area (“EEA”).
We are obliged to satisfy ourselves before transferring your information to a country outside the EEA that it provides adequate protection for your data protection rights. So Posh only transfers your personal information to those third parties where we can be sure that we can protect your privacy and your rights, for example the third party is located in a country which the EU has deemed to have adequate data protection laws in place, where that third party is certified on the EU-US Privacy Shield or where we have a contract in place with that third party which includes the European Commission’s standard data protection clauses. Our Site is hosted on servers located in Estonia.
HOW LONG WE KEEP YOUR INFORMATION
If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We will not keep your personal information for longer than is necessary for the purpose or purposes for which they are collected, unless there is another legal reason for us to retain the information. We will take all reasonable steps to destroy or erase from our systems all data which is no longer required. We will keep your personal information for the duration of your account being active and for 7 years after our contract with you has terminated.
WHAT ARE YOUR RIGHTS
We endeavour to process all personal information in line with your rights under GDPR. In particular, You have the rights to:
Withdraw your consent to Our processing your personal Information at any time. You can do this at any time by changing your “Preferences” when you log in to your account or by contacting us at email@example.com. In certain circumstances, We can process your personal Information without your consent in line with the lawful processing requirements in GDPR. These include (amongst other reasons) where processing is necessary to comply with a legal obligation, or to protect your vital interests
Ask us to rectify inaccurate or incomplete personal Information. We would seek to rectify the data as soon as possible and usually within one month unless the request is complex
Ask us to erase your personal Information. This is commonly referred to as the right to be forgotten. This right is only applicable where there is no compelling reason for the continued processing of your personal Information. There are some circumstances where this right to erasure does not apply and in such cases We would notify You of the reason(s) why We need to retain your personal Information (unless prevented to do so by law)
Restrict processing of your personal Information where, for example, the data is inaccurate, being processed unlawfully or where the data is no longer relevant to the specific purpose for processing. In such cases, We would retain the data but We would not process it further without your consent, or if processing your Information is for establishing, exercising or defending a legal claim, or for the protection of rights of other individuals, or for public interest reasons. In such circumstances, We would let You know that We intend to lift the restriction on processing your personal Information
Request access to your personal Information via a subject access request. your request should be made to us in writing and We may ask you for proof of your identity before providing You with the data. There is usually no fee for making such a request however, in limited circumstances, We can charge an administrative fee (which will be based on the administrative cost of providing the information)
You have the right to ask us not to process your personal Information for marketing purposes (including profiling). We will usually inform You (before collecting your data) if We intend to use your data for such purposes or if We intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms We use to collect your data. You can also exercise the right at any time by contacting us at firstname.lastname@example.org
Obtain and reuse your personal Information for your own purposes across different services (right to data portability). This right is only applicable to data that You have provided to us, where We are processing the data based on your consent or for the performance of a contract and when the processing is carried out by automated means. Where this right applies, the data will be provided to You in a structured, commonly used and machine-readable format
Please be aware that we will need to verify your identity before providing any personal information to you. We do this to protect your information. We may also ask you to provide us some additional voluntary information to help us process your request more efficiently.
If at any time you would like to contact us with your views about our privacy practices, or with any enquiry relating to your personal information, you can do so by sending an e-mail to us at email@example.com, or via post at Graf Limited having at Rahu 16, Tallinn, Estonia 11619. If you have any complaints regarding our handling of your personal Information, we would appreciate the chance to deal with your concerns in the first instance.