GDPR Privacy and Security Policy

1. Who are we?

Our company is Anglia Sports & Schoolwear Ltd (company number 02705642) and our correspondence address is 8 & 9 Brunel Business Centre, Enterprise Way, CLACTON-ON-SEA, CO15 4QW. We have been appointed by the school your child attends to supply you with your child’s school uniform under the online trading name www.yourschoolwear.co.uk. Being an online retailer, we are of necessity a processor of personal data.

2. Lawful basis for processing personal data

Our lawful basis for processing personal data gathered through our e-commerce website under the General Data Protection Regulation (GDPR) is Legitimate Interests. Specifically, our interests in processing personal data are:

• fulfilling contracts to supply goods

• issuing obligatory electronic communications such as order confirmation emails

• subject to consent, maximising the relevance of any electronic marketing communications we send to customers and to better ensure that other information we might communicate is also relevant.

• disclosing information about possible criminal acts or security threats to the authorities

3. What information do we collect?

We only collect information that is entered directly into our website, so there are no external sources for personal data. Information is collected from the contents of the ‘shopping basket’ and from the personal data inputted in the checkout pages, specifically billing & delivery addresses, email address and billing & delivery names. Additionally, we request, but do not require, contact telephone numbers. Cardholder data is entered separately into a third-party payment gateway and so is out of scope for GDPR and PCI compliance.

4. How long do we retain personal data?

The personal data you provide is held indefinitely so:

• repeat customers can view orders placed previously for their convenience, which also serves as providing a route to satisfying individuals’ right of access to their personal data

• repeat customers do not need to periodically recreate their account

• we can retain sales and tax collection data should it be required by HMRC or other authorities

Whilst personal data is held indefinitely, to better ensure our marketing is relevant, only order data generated within the past two years will be processed for marketing purposes.

5. What information do we share?
   
   We employ a third-party, Trek Logistics Ltd (company number 11980897), to stock and dispatch consignments to our customers. The personal data we share with them is used only for processing orders and returns. Other than for collection orders, Trek Logistics will in turn disclose delivery name and address information to Royal Mail to allow them to deliver orders. Where Trek Logistics sends orders with a carrier, they may additionally disclose the telephone number and email address provided, as many carriers now send texts or email to advise of an expected delivery time slot on the morning of delivery.

We share billing name, billing address and email address with our payment processor for them to check that the details given match the card issuer’s records and for issuing customers with an electronic confirmation of payment. Customers' orders are imported from our website into our order processing and stock control system, which is stored on a secure remote hosted server (cloud storage). Additionally, we share some non-personal data necessary for payment processing and for commissioning refunds.

All personal data shared with third-parties is necessary for completing contracts to supply goods and for complying with consumer legislation. No personal data we share with third-parties is subsequently processed for marketing purposes, profiling or otherwise monetised.

Personal data maybe disclosed when expressly requested by a law enforcement agency for the prevention of crime or when it is otherwise compulsory for us to disclose to an authority. For example, as part VAT inspection by HMRC.
 

6. Your GDPR rights

We process personal data based on legitimate interests and as such you have the right to object to your personal data being used for marketing purposes. If you raise an objection we must discontinue processing your personal data for direct marketing.

You have the right of access to the personal data we hold about you. The personal data we hold is limited to just the information you have provided us and there are no external sources.

The right to data portability does not apply to data processing when the basis for processing is legitimate interests.

You have the right to rectification if any personal data we hold about you is incorrect. In practise, this is likely to be limited to changes to information you have entered in to our website, such as a change of address, which you can correct yourself when logging in to your account. Nonetheless, please feel free to contact us if you have any difficulty editing your details. If you wish us to edit personal data we hold for you, we will take proportional steps to establish the identity of the person requesting the rectification.

You have the right to object to or restrict our continued processing of your personal data. Within the scope of our business, unless you have given us an order to process, regular ongoing processing is limited to marketing activities unless we have a legal obligation to disclose personal data.

6. How do we protect your information?
   
   All cardholder data (CHD) is entered directly in to WorldPay’s secure PCI DSS compliant payment gateway and under no circumstances is CHD disclosed to us by WorldPay. We only receive a transaction number to reference your purchase, which is required in the event we need to refund your purchase.

Connections to our website server are encrypted so information you send and receive whilst browsing our website are protected with encryption, making it harder for data to be intercepted by third-parties.

We attest through annual self-assessment submitted to WorldPay that all our payment channels meet the standards set by the PCI SSC for the secure processing of CHD.

7. Use of Cookies
   
   Our website stores small text files on users’ computers called cookies to improve the shopping experience. Cookies are not programs and therefore cannot contain viruses or other malicious software.

The cookies our website places on shoppers’ computers perform the following functions:

• Session cookie to test if cookies are enabled on the visitor’s browser

• Persistent cookie that stores a unique reference to the visitor’s shopping cart contents and authentication details for the customer logged in sections.

• Persistent cookie that stores a reference to the visitor’s order number after an order has been generated.

We operate an ‘implied consent’ cookie policy which means we assume you are happy with our use of cookies. If you are not happy, then you should either not use our website, delete the cookies having visited our site, or you should browse the site using your browser’s anonymous usage setting (called “Incognito” in Chrome, “InPrivate” for Internet Explorer, “Private Browsing” in Firefox and Safari etc.)
 

The WorldPay payment gateway has it’s own Cookie Policy which can be viewed via the link https://www.worldpay.com/uk/worldpay-cookies. Please note that the payment gateway functionality may require your browser to have third-party cookies enabled. This is because the payment gateway requests your browser supply a cookie placed on your computer by our website at a point in time when your browser has been redirected to the payment gateway, thus making it a third-party cookie at runtime.