Privacy and Security Policy
Crystals and Ice Bead Shop is committed to respecting and upholding everybody's right to privacy, to process personal data securely and to comply with legislation prevailing in the UK. This policy describes what we do to achieve this.
• We will only use your data to improve your experience with Crystals and Ice Bead Shop.
• We will protect your data.
• You can decide which communication channels we can contact you on.
• We will not store your data any longer than necessary.
Definition of terms used in this Policy
'We', 'Us' and 'Our' refer to Crystals and Ice Bead Shop.
'You' and 'Your' refer to a client of Crystals and Ice Bead Shop. This may be a customer, supplier or member of our emailing list.
'Processing' means collecting and storing data, and using it to contact you if consent is given.
'Our website' means https://www.crystals-and-ice.co.uk
'Device' means any computer, tablet, smart phone or other equipment equipped with a web browser and connected to the internet.
'GDPR' means the General Data Protection Regulation.
'PCI-DSS' means Payment Card Industry Data Security Standard.
'HMRC' means Her Majesty's Revenue and Customs, the UK tax authority.
'Full card details' means the card number, expiry date, name of account holder and CVC number of any debit, credit or charge card.
'Information' and 'Data' are used interchangeably.
The data controller and data protection officer for Crystals and Ice Bead Shop is James Stevenson, and our contact address and details are shown on the 'About Us' page of our website and at the foot of every page.
Why do we process personal data?
We need to collect and store your personal information so that we can fulfil your order, and contact you in the event of any query about it. If you have given consent, we also add your email address to our emailing list.
If we have purchased items from you, we need a record of the provenance of those items for security reasons.
Our legal basis under Article 6 of the GDPR for processing personal data in any given instance is one or more of:
6.a) Consent has been given for the specific purpose of joining our emailing list to receive occasional news and updates from us. You may give consent by ticking the 'Opt-in' box in our online checkout when placing an order, or by contacting us by email. You may withdraw consent (opt out) at any time - see below.
6.b) Processing is necessary for the performance of a contract to which you are party, specifically the supply of goods by or to Crystals and Ice Bead Shop.
6.c) Processing is necessary for compliance with a legal obligation to which we are subject, in particular the retention of records for a specified time for tax purposes (see below).
6.f) Processing is necessary for the purposes of legitimate interests pursued by the data controller, specifically the collection of statistical data to assist in improving our offer and website to the mutual benefit of you and us.
How do you opt out?
If you have previously opted in to our emailing list, you can withdraw consent (opt out) by:
- Using the 'Unsubscribe' link in any marketing email that you have received from us.
- Contacting us via our 'Contact Us' page.
- Contacting us by email, post or telephone.
What data do we process?
The personal information we collect and store is limited to that shown on our order confirmations and invoices, as follows:
- Your invoice name and address
- Your delivery name and address if different
- Your telephone number
- Your email address
- Your payment reference or method in abbreviated form (see below)
- A list of the items you purchased from us or sold to us
- An indicator to show if you have opted in to our emailing list.
If you have opted in to receiving our occasional emails but have not purchased anything from us or sold anything to us, the only personal information we store is your name and email address.
When do we collect data?
When you register for an account with us
When you sign up for any of our marketing communications
When you engage with us on social media
When you engage with us via any methods of advertising, for example paid advertising on Google
When you contact us by any means with queries, complaints etc.
When you enter prize draws or competitions
When you comment on, or review our products and services
When you fill in any contact us forms on the website
Crystals-and-ice.co.uk is a secure website protected by Secure Socket Layer (SSL), as indicated by the padlock symbol in your browser. SSL protects data by encrypting it as it travels over the internet between your web browser and the server.
Crystal-and-ice.co.uk operates on the ShopWired ecommerce platform. All information that they store and process on our behalf (the website), about our customers, is held on servers hosted with Amazon Web Services (AWS). ShopWired do not store data on any devices, internal databases or networks outside of AWS. All data stored on the platform is encrypted whilst 'at rest' and 'in flight', i.e. when stored on servers the data is encrypted, and encryption is used when we access the data.
All data processed by our platform is processed in a manner which ensures its security.
Any data transferred between devices in the network is transferred in an encrypted state. No data is transferred by our systems outside of the EEA.
Online payments and financial data
Online payments are made through the secure website of our Payment Service Provider (PSP), which is PayPal. The PSP is PayPal, and they are PCI-DSS compliant to the highest level, ensuring that your card details are secure. We never see your full card details because you enter them directly through the PSP website. The only payment information we see and store is either the last 4 digits of the card number and the expiry date, or the PayPal transaction number.
Offline payments and financial data
We will not collect and store your bank account number or full card details longer than it takes to process your transaction, or where there is a requirement for legal and tax record keeping. All data that we have to store for these reasons are securely stored under lock and key and access is restricted. Offline payments, including payments made in person at our office by debit and credit card are processed through a mobile PDQ card machine supplied by Transax Merchant Services. Offline payments are securely processed by Elavon Financial Services DAC, and they are PCI-DSS compliant to the highest level, ensuring that your card details are secure.
How is personal information stored?
Personal information is stored electronically and is encrypted to prevent unauthorised access. Any personal information in the form of printed copies of sales orders and invoices is kept securely under lock and key, and only for the time required for legal and tax compliance reasons. It is then securely and safely destroyed.
Your right to rectification
In accordance with article 16 of the GDPR, if you notice that we have stored any of your personal data incorrectly, please let us know and we will correct it straight away.
How long do we keep your data for?
HMRC rules require us to keep records for at least 5 years after the January tax return submission date. To make sure we comply, we keep sales and purchase invoices for 6 years before deleting or destroying them.
If you have opted in to our emailing list you may request that your email address is removed from the list at any time.
Your 'right to be forgotten'
In accordance with article 17 of the GDPR, your personal data will be deleted when:
a) The information is no longer necessary for the purposes for which it was collected, or
b) You withdraw consent and there is no other legal ground for processing under Article 6 (see 'Why do we process personal data?' above).
Can we supply a copy of the data we hold?
Yes, just get in touch and we will send a copy of all your personal data that we hold straight away. In some cases we may need to ask for proof of identity before doing so. If you believe that any information we hold about you is incorrect or incomplete then please write to or email us as soon as possible and we will promptly correct any information found to be incorrect.
Do we share your personal data?
No. We never share your personal data with third parties, except:
- with carriers such as Royal Mail for the purpose of delivery
- with payment service providers as detailed above
In the unlikely event of a data breach, we will contact the UK supervising authority (Information Commissioner's Office) and yourself in accordance with articles 33 and 34 of the GDPR.
Like most websites, ours uses 'cookies' to make various features work. Cookies are small text files, some of which contain personal data, that our website places on your device. If you do not wish to give consent for cookies to be received you can set your web browser to block them, but this may prevent the website working correctly and you may not be able to use the shopping basket or checkout.
Cookies help our website to analyse traffic and visitors and help our site respond to you as an individual.
We use traffic log cookies to identify which pages are being used on our site and analyse visitor behaviour through statistics.
This policy was updated on 2nd May 2018.
It’s likely that we’ll need to update this Privacy Notice from time to time. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish.