General Data Protection Regulation (GDPR):
As of 25 May 2018, the new European General Data Protection Regulation (GDPR) comes into effect. The GDPR changes how personal data can be used, and also allows individuals to be able to find out what information organisations have about them, and to have that data deleted in certain circumstances.
How Do We Use Your Personal Data?
Purple Wyvern Jewels uses personal data in four different ways:
> To see how users, in general, view our website in order to make improvements to this website and improvements to the variety of products we offer.
> To respond to enquiries.
> To fulfil any contractual agreement with a customer.
> To fulfil our legal requirements for reporting of income to the UK tax authority.
Purple Wyvern Jewels values your privacy and therefore we will never sell any customers personal information to anyone else.
What Personal Data Do We Collect & Who Has Access To It?
The personal data collected depends on how an individual interacts with Purple Wyvern Jewels. This may be by viewing this website, contacting us directly, interacting via any of our social media or purchasing a product. The majority of personal data is passed electronically to Purple Wyvern Jewels by other companies and therefore these companies will have access to that data too. We have therefore split this information up by how we receive personal data:
Occasionally we will receive personal data directly from a customer. This is typically when a product return has been initiated and a customer has provided their name and other personal details when returning the item for a refund or for an exchange.
Any personal data that is in paper form will be shredded before it is discarded. As information in paper form is typically related to an order, due to legal requirements for UK income reporting, this information will be kept for a significant time period. Please see the "How To Do I Make A Personal Data Information Request & Request For That Information To Be Deleted?" section below for more information.
We use Google Analytics to see how viewers browse our website. We look at general trends of viewers rather than at an individual specific level. The type of personal data Google Analytics collects is:
> IP address
> Country location
> Type of viewing device
Google Analytics doesn't currently have the ability for us to be able to delete an individual users data from the information collected. However, they do now allow data to be automatically deleted after a chosen time period. As we look at general viewer trends from this data, it's useful for us to have a decent timeframe to see how that usage changes. However we realise that people do not want that data to be held indefinitely, therefore we have enabled automatic deletion as follows:
> The data held within our Google Analytics account has been set to automatically delete after 26 months.
We use a variety of social media:
> Instagram (inactive)
> Wordpress blog (inactive)
Social media websites typically require a user login and therefore should enable you to delete any online comments directly yourself. If you message us via one of these websites, the type of personal data that we might receive through a social media website are:
> Email address
We do not specifically delete any interactions through our social media websites, therefore if you wish for us to delete direct messages, then please contact us.
We receive automatic emails with regards messages sent through this website via our contact form, messages sent through Etsy's, eBay's and Amazon's messaging system. The type of personal data that we receive through these types of messages are:
> Email address *
* Amazon never provides customer's email addresses, any contact always goes through Amazon's messaging system.
We also receive automatic emails when a customer places an order with us through this website, Etsy, eBay or Amazon and also from PayPal if payment has been made via their service. The type of personal data that we receive through these sales confirmation emails are:
> Email address
> Telephone number **
** This website is the only one through which we receive emails containing telephone number information.
Amazon never provides any customer's details in sales confirmation emails.
Any direct emails, emails generated from other websites messaging systems and sales confirmation emails will be kept until such time as deletion has been requested or when we automatically carry out our yearly personal data deletion process. Please note that due to legal requirements for UK income reporting, emails regarding orders will be kept for a significant time period. Please see the "How To Do I Make A Personal Data Information Request & Request For That Information To Be Deleted?" section below for more information.
We use PayPal as our payment provider. The type of personal data that PayPal provides us with is:
> Email address
PayPal holds payment details on their secure servers and NEVER provide us with any card payment data.
SupaDupa has created an "anonymising customer data" function that allows us to anonymise a customer's order data within the admin area of our website. If you want to request your order data to be anonymised in the admin area of our website and/or have other data deleted, please see the "How To Do I Make A Personal Data Information Request & Request For That Information To Be Deleted?" section below for more information.
Etsy, eBay & Amazon
If you have contacted us through Etsy, eBay or Amazon, or placed an order with us through these websites, these companies will have the same access to that information. We are NEVER provided with any card payment data through these websites, and if you have used PayPal to make your purchase, please see the PayPal section above. Please see also the Google Gmail section above for the personal data that is sent by automatic emails these websites generate.
Inactive Selling Websites - DaWanda & Folksy
If you have previously contacted us through DaWanda or Folksy, or previously placed an order with us through these websites, these companies will have the same access to that information. We are NEVER provided with any card payment data through these websites, and if you have used PayPal to make your purchase, please see the PayPal section above. These websites generate automatic emails with regards contact messages and order confirmations that contain the following type of personal data:
> Email address
DaWanda sends name and address through order confirmation emails, and name only through contact emails. Folksy only sends email and name through order confirmation emails. Please also see the Google Gmail section above regarding the use of our email provider.
How To Do I Make A Personal Data Information Request & Request For That Information To Be Deleted?
A request can be made at any time via our contact form. Please be specific as to whether you are making a personal data information request, or whether you are making a personal data deletion request.
> Under GDPR rules, we have one month to reply in full to any request.
> Replies to requests for personal data information will detail what type of personal data information we hold about you.
> Replies to requests for personal data deletion will detail whether we had personal data information about you and confirm whether that data has been deleted. Please note that not all personal data deletion requests will be fulfilled. Any information pertaining to an open order will be kept until that order has been completed, plus order information will need to be kept for a time*** for us to fulfil our legal requirements for reporting of income to the UK tax authority.
*** Records of income for a UK business need to be kept for at least 5 years after the 31st January submission deadline of the relevant tax year. If no deletion request is made sooner, we will delete any paper records and email containing personal data information along with anonymising order information on our website in May, for the appropriate reported tax year. (For example, if a purchase is made on 6th April 2018 at the beginning of the tax year, that information has a submission deadline of 31st January 2020. That data would then need to be kept until 31st January 2025.) This means that personal data could be held for approximately 7 years. By setting a yearly time period to delete data that is no longer legally needed, and including deletion of any other personal data that we received for the same time period, ensures that we do not hold personal data information indefinitely.
How To Do I Make A Complaint?
If you believe Purple Wyvern Jewels has misused your data in any way, please contact us to let us know. If you are unsatisfied with our response, or unsatisfied with our response to a personal data deletion request, under GDPR you have the right to lodge a complaint with a supervisory authority. The UK supervisory authority is the Information Commissioner's Office (ICO).
> If you wish to make a complaint please click on the link for the ICO's contact details.