Privacy Policy

Last updated: 24/05/2018

 

INTRODUCTION

Flowtography takes your privacy very seriously. This privacy policy has been prepared in line with the EU’s General Data Protection Regulation (GDPR) which takes effect on 25 May2018. The GDPR promotes fairness and transparency for all individuals in respect of their personal data. This privacy policy applies to all data we process, and by using Flowtography you consent to our collection and use of such data. If you would like to get in touch about anything in this policy or about your personal data then please contact us at francesca@flowtography.co.uk

 

CONTENTS

  1. Data we collect
  2. What personal data do we share with third parties and who are they?
  3. Why do we share data outside of the EU
  4. How do we keep your personal data secure?
  5. Changes to our privacy policy and control
  6. Your data protection rights
  7. About us

 

  1. DATA WE COLLECT

As a data controller we collect a variety of data in order to deliver our services. We use a service called PORT to ensure that we collect and manage your personal data transparently, fairly and securely. Whenever we collect Personal Information from you, we let you know and you will be able to access the following precise information:

  • data we have collected from you
  • the basis on which we are holding it (e.g. because you gave us consent)
  • what we will do with it
  • how long we will hold it for
  • where it is stored
  • who it might be shared with
  • your rights in relation to the data, and
  • information on how you can access and manage this data.

We have provided further detail below about the specific types of data we collect and our reasons for doing so.

 

1.1. WHAT DATA DO WE ASK YOU TO PROVIDE TO US AND WHY?

We collect the following data:

  • Personal information: This includes your name, address, e-mail address; phone number; gender and date of birth; country, as well as the names, dates of birth, gender and other details about your family members and other participants in a photography session, together with and other information that you elect to provide to us.
    • Payment Information: Information about your debit/credit card and bank account information provided by you to our payment service providers, that we require for the purpose of processing payment for our goods and services.
      • Other Information: Personal details you choose to give when corresponding with us by phone or e-mail or visit our studio.

       

      In providing our services we create photographs which may identify you, your family members and other participants and that may be considered personal data.  Our photographs may be produced in print and digital format.  You are responsible for ensuring that all participants in a photograph sessions have been provided with a copy of this privacy policy.

      We use this data to: Provide account access, Personalise user experience, Provide goods or services, Send direct marketing

      We collect this data using the lawful basis: Legitimate Interest

       

      HOW WE USE YOUR PERSONAL INFORMATION

      We use your personal information in the following ways:

        To provide you with our services and to create and deliver the products you have requested and contact you regarding your use of the services. Such use is necessary to respond to or implement your request and for the performance of the contract between you and us.
          As necessary for certain legitimate business interests, which include the following:
          • where we are asked to deal with any enquiries or complaints you make;
          • to provide postal communications which we think will be of interest to you;
          • if you ask us to delete your data or to be removed from our marketing lists and we are required to fulfil your request, to keep basic data to identify you and prevent further unwanted processing; and
            • to (a) comply with legal obligations, (b) respond to requests from competent authorities; (b) protect our operations; (c) protect our rights, safety or property, and/or that of our affiliated businesses, you or others; and (d) enforce or defend legal rights, or prevent damage.
              • With your consent, we may use your photographs to promote and advertise our business, including (a) in our studio and in our printed publications, presentations, promotional materials (including leaflets, brochures, stickers, bookmarks, posters, factsheets, calendars); (b) on our website and other digital advertising of our services; and (c) in social media forums such as Instagram, Pinterest and Facebook.
                • We may provide you with information about goods or services, events and other promotions we feel may interest you. We will contact you by email only with your consent, if this was given at the time you provided us with the personal data.
                  • We may use your personal data for other purposes which you have consented to at the time of providing your data.

                    As used in this Privacy Policy, “legitimate interests” means our interests in conducting and managing our business. When we process your personal data for our legitimate interests, we make sure to consider and balance any potential impact on you, and your rights under data protection laws. Our legitimate interests do not automatically override your interests. We will not use your personal data for activities where our interests are overridden by the impact on you, unless we have your consent or those activities are otherwise required or permitted to by law. You have the right to object at any time to processing of your personal data that is based on our legitimate interests, on grounds relating to your particular situation (for more information on your rights, please see “Your Data Protection Rights” section below).

                     

                    1.2. What data do we collect when you visit our website, and why?

                    We collect cookies. Cookies are harmless small pieces of data that websites send to a user’s computer and are stored on the user’s web browser. They are designed to enable the website to remember information, such as what a user might have put in a shopping cart for example. Think of cookies as being like a bookmark for websites! They are extremely common and are used by almost every website you visit.

                    We use cookies to gather information on visitor’s journeys through our website. Collecting this information allows us to understand how visitors use our website and gives us the ability to improve and tailor our website to the needs of our users.

                    Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.

                    If you do not want this website to track your cookies you can click to opt out on the cookie notice at the bottom of the page. Don’t worry you will still be able to view my website with or without accepting the cookies.  

                     

                    1. WHAT PERSONAL DATA DO WE SHARE WITH THIRD PARTIES AND WHO ARE THEY?

                    We share your personal data with third parties in the following situations:

                    • Service Providers: we sometimes engage selected third parties who act on our behalf to support our operations, such as (i) card processing or payment services (see the section below headed “Payment Information”), (ii) IT suppliers and contractors (e.g. data hosting providers or delivery partners) as necessary to provide IT support and enable us to provide our goods/services, and (iii) providers of specialist services, including retouching, printers, framers and book binders. Pursuant to our instructions, these parties may access, process or store your personal data in the course of performing their duties to us and solely in order to perform the services we have hired them to provide.
                      • Business Transfers: if we sell our business or our company assets are acquired by a third party personal data held by us about our customers may be one of the transferred assets.
                        • Administrative and Legal Reasons: if we need to disclose your personal data (i) to comply with a legal obligation and/or judicial or regulatory proceedings, a court order or other legal process. (ii) to enforce our Terms & Conditions or other applicable contract terms that you are subject to; (iii) to protect us, our members or contractors against loss or damage. This may include (without limit) exchanging information with the police, courts or law enforcement organisations.

                         

                        1. PAYMENT INFORMATION

                        Any credit/debit card payments and other payments you make will be processed by our third party payment providers and the payment data you submit will be securely stored and encrypted by our payment service providers using up to date industry standards. Please note that we do not ourselves directly process or store the debit/credit card data that you submit.

                        We store and use this card or payment information for the purpose of processing any future payments that you make for additional goods and services. We will store this data in accordance with our legal obligations under applicable law and only for so long as legally permitted.

                        You may choose to opt out of us holding your card or payment data although this means that you will need to re-supply us with card/payment details for the purpose of making any future purchases.

                        1. DATA TRANSFERS

                        Your personal data will be transferred to and stored in countries other than the country in which the information was originally collected, including the United States and other destinations outside the European Economic Area (“EEA”) to our service providers for the purposes described above.

                        Please note that the countries concerned may not provide the same legal standards for protection of your personal data that you have in the United Kingdom or EEA. Where we transfer your personal data to countries outside of the EEA we will take all steps to ensure that your personal data continue to be protected. We will implement appropriate safeguards for the transfer of personal data to our service providers in accordance with the applicable law, such as relying on our service providers’ Privacy Shield certification or implementing standard contractual clauses for data transfers. If you would like to receive more information on the safeguards that we implement, including copies of relevant data transfer contracts, please contact us as indicated below.

                         

                        We share personal data with the following third parties:

                        MailChimp – Data is transferred outside of the European Economic Area to United States under the protection of EU/US Privacy Shield.

                        WordPress – Data is not transferred outside of the European Economic Area.

                        WordPress 4.9 – Data is not transferred outside of the European Economic Area.

                        There are certain situations in which we may share access to your personal data without your explicit consent; for example, if required by law, to protect the life of an individual, or to comply with any valid legal process, government request, rule or regulation.

                         

                        1. WHY DO WE SHARE DATA OUTSIDE OF THE EU?

                        We may transfer personal data to a country outside of the European Economic Area (EEA), for example if a third party we share data with has servers located outside of the EEA. If this is the case we will obtain your consent or otherwise ensure that the transfer is legal and your data is secure by following the EU’s guidelines.

                        You can see above where we send data outside of the EEA and on what basis we do so.

                         

                        1. HOW DO WE KEEP YOUR PERSONAL DATA SECURE?

                        We keep your data secure:

                        • by encrypting personal data
                        • by using Secure Socket Layer (SSL) technology when information is submitted to us online

                        In the unlikely event of a criminal breach of our security we will inform the relevant regulatory body within 72 hours and, if your personal data were involved in the breach, we shall also inform you.

                         

                        1. CHANGES TO OUR PRIVACY POLICY AND CONTROL

                        We may change this privacy policy from time to time. When we do, we will let you know by adding notices to our website or mobile app, notifying customers of only significant changes. By continuing to access or use our services after those changes become effective, you agree to be bound by the revised privacy policy.

                         

                        1. YOUR DATA PROTECTION RIGHTS

                        Certain applicable data protection laws give you specific rights in relation to your personal data. In particular, if the processing of your personal data is subject to the GDPR, you have the following rights in relation to your personal data:

                        • Right of access: If you ask us, we will confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
                          • Right to rectification: If your personal data is inaccurate or incomplete, you are entitled to ask that we correct or complete it. If we shared your personal data with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your personal data so you can contact them directly.
                            • Right to erasure: You may ask us to delete or remove your personal data, such as where our legal basis for the processing is your consent and you withdraw consent. If we shared your data with others, we will tell them about the erasure where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your personal data with so you can contact them directly. We may continue processing personal data where this is necessary for a legitimate interest in doing so, as described in this Privacy Policy.
                              • Right to restrict processing: You may ask us to restrict or ‘block’ the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or object to us processing it. We will tell you before we lift any restriction on processing. If we shared your personal data with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your personal data so you can contact them directly.
                                • Right to object: You may ask us at any time to stop processing your personal data, and we will do so:
                                  • If we are relying on a legitimate interest to process your personal data — unless we demonstrate compelling legitimate grounds for the processing or
                                    • If we are processing your personal data for direct marketing.
                                      • Right to withdraw consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing of your data before we received notice that you wished to withdraw your consent.
                                        • Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we handled your personal data, you can report it to the UK data protection authority (the Information Commissioner’s Office or ICO), or, as the case may be, any other competent data protection authority of an EU member state that is authorised to hear those concerns (you may find EU Data Protection Authorities’ contact information here).

                                          If you wish to exercise any of these rights please contact us as described in the “Contact” section below. We may also need to ask you for further information to verify your identity before we can respond to any request.

                                          Since we use PORT, we are able to give you direct access to your personal data so that you can exercise the above rights.

                                          We also give you the option to manage your data via:

                                          • email
                                          • telephone

                                          While we do not hold personal data any longer than we need to, the duration will depend on your relationship with us.

                                           

                                          1. ABOUT US

                                          We are Flowtography and our address is 14 Fels Way, Mayland, Chelmsford, Essex, CM3 6AN, United Kingdom. We are the data controller responsible for your personal data. You can contact us at francesca@flowtography.co.uk.