GDPR Privacy and Security Policy
- Who are we?
Our company is Anglia Sports & Schoolwear Ltd (company number 02705642) and our correspondence address is 8 & 9 Brunel Business Centre, Enterprise Way, CLACTON-ON-SEA, CO15 4QW. We have been appointed by the school your child attends to supply you with your child’s school uniform under the online trading name www.yourschoolwear.co.uk. Being an online retailer, we are of necessity a processor of personal data.
- Lawful basis for processing personal data
Our lawful basis for processing personal data gathered through our e-commerce website under the General Data Protection Regulation (GDPR) is Legitimate Interests. Specifically, our interests in processing personal data are:
- fulfilling contracts to supply goods
- issuing obligatory electronic communications such as order confirmation emails
- subject to consent, maximising the relevance of any electronic marketing communications we send to customers and to better ensure that other information we might communicate is also relevant.
- disclosing information about possible criminal acts or security threats to the authorities
- What information do we collect?
We only collect information that is entered directly into our website, so there are no external sources for personal data. Information is collected from the contents of the ‘shopping basket’ and from the personal data inputted in the checkout pages, specifically billing & delivery addresses, email address and billing & delivery names. Additionally, we request, but do not require, contact telephone numbers. Cardholder data is entered via a third-party payment gateway and is out of scope for our GDPR and PCI compliance.
- How long do we retain personal data?
The personal data you provide is held indefinitely so:
- repeat customers can view orders placed previously for their convenience, which also provides a route to satisfying individuals’ right of access to their personal data
- repeat customers do not need to periodically recreate their account
- we can retain sales and tax collection data should it be required by HMRC or other authorities
Whilst personal data is held indefinitely, to better ensure our marketing is relevant, only order data generated within the past two years will be processed for marketing purposes.
- What information do we share?
We employ a third party, Trek Logistics Ltd (company number 11980897), to stock and dispatch consignments to our customers. The personal data we share with them is used only for processing orders and returns. Other than for collection orders, Trek Logistics will in turn disclose delivery name, address information, email and telephone numbers to the chosen delivery company to allow them to deliver the orders they collect and communicate updates directly with recipients concerning their delivery.
We share billing name, billing address and email address with our payment processor for them to check that the details given match the card issuer’s records and for issuing customers with an electronic confirmation of payment. Customers' orders are imported from our website into our order processing and stock control system, which is stored on a secure remote hosted server (cloud storage). Additionally, we share some non-personal data necessary for payment processing and for commissioning refunds.
All personal data shared with third parties is necessary for completing contracts to supply goods and for complying with consumer legislation. No personal data we share with third parties is subsequently processed for marketing purposes, profiling or otherwise monetised.
Personal data may be disclosed when expressly requested by a law enforcement agency for the prevention of crime or when it is otherwise compulsory for us to disclose to an authority, for example, as part of a VAT inspection by HMRC.
- Your GDPR rights
We process personal data based on legitimate interests and as such you have the right to object to your personal data being used for marketing purposes. If you raise an objection we must discontinue processing your personal data for direct marketing.
You have the right of access to the personal data we hold about you. The personal data we hold is limited to just the information you have provided us and there are no external sources.
The right to data portability does not apply to data processing when the basis for processing is legitimate interests.
You have the right to rectification if any personal data we hold about you is incorrect. In practice, this is likely to be limited to changes to information you have entered into our website, such as a change of address, which you can correct yourself when logging in to your account. Nonetheless, please feel free to contact us if you have any difficulty editing your details. If you wish us to edit personal data we hold for you, we will take proportional steps to establish the identity of the person requesting the rectification.
You have the right to object to or restrict our continued processing of your personal data. Within the scope of our business, unless you have given us an order to process, regular ongoing processing is limited to marketing activities unless we have a legal obligation to disclose personal data.
- How do we protect your information?
All cardholder data (CHD) is transmitted directly between customers' devices and ClearAccept’s secure PCI DSS compliant payment gateway. No CHD transits through our webserver or internal network. Under no circumstance is full CHD disclosed to us by ClearAccept. We receive a transaction number to reference your purchase for refunding purposes and notification whether transactions are successful. We restrict staff access to ClearAccept's merchant portal to those who need access to perform their role in the business and the data visible to them is limited to the minimum required to perform their role. Our Merchant Administrator has the greatest access to CHD and can view truncated card numbers (four digits masked) as well as card type and issuer to assist with customer enquiries.
Connections to our website server are encrypted, so information you send and receive whilst browsing our website is protected with encryption, making it harder for data to be intercepted by third parties.
We attest through annual self-assessment that all our payment channels meet the standards set by the PCI SSC for the secure processing of CHD.
- Use of Cookies
Our website stores small text files on users’ computers called cookies to improve the shopping experience. Cookies are not programs and therefore cannot contain viruses or other malicious software.
The cookies our website places on shoppers’ computers perform the following functions:
- Session cookie to test if cookies are enabled on the visitor’s browser
- Persistent cookie that stores a unique reference to the visitor’s shopping cart contents and authentication details for the customer logged in sections.
- Persistent cookie that stores a reference to the visitor’s order number after an order has been generated.
We operate an ‘implied consent’ cookie policy which means we assume you are happy with our use of cookies. If you are not happy, then you should either not use our website, delete the cookies having visited our site, or you should browse the site using your browser’s anonymous usage setting (called “Incognito” in Chrome, “InPrivate” for Internet Explorer, “Private Browsing” in Firefox and Safari etc.).
The ClearAccept payment gateway has its own Privacy Policy that can be viewed at the following web address: https://www.clearaccept.com/privacy-policy.