SHORTBREAD HOUSE OF EDINBURGH LIMITED

PRIVACY POLICY  

Shortbread House of Edinburgh Limited (the "Company", "we", "us" or "our") is committed to protecting and respecting the privacy of individuals whose data it processes ("you" or "your").

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting https://www.shortbreadhouse.co.uk you are accepting and consenting to the practices described in this policy.

Structure of this policy

1.         IMPORTANT INFORMATION AND WHO WE ARE

2.         CATEGORIES OF DATA SUBJECTS

(A)        VISITORS TO OUR WEBSITE

(B)        CUSTOMERS

(C)        BUSINESS CONTACTS

(D)        JOB APPLICANTS

3.         DISCLOSURES OF YOUR PERSONAL DATA

4.         DATA RETENTION       

5.         INTERNATIONAL TRANSFERS

6.         DATA SECURITY

7.         YOUR LEGAL RIGHTS

8.         CHANGES TO THIS PRIVACY NOTICE

9.         FURTHER INFORMATION

 

1.         IMPORTANT INFORMATION AND WHO WE ARE

We are committed to protecting the privacy and security of personal data which is entrusted to us.

This privacy policy aims to give you information on how we collect and process your personal data as a controller of data supplied by you as a customer, through your use of this website, by applying for employment and/or to work with us, by sending us correspondence and/or providing us with products and/or service.

In addition, it outlines your data protection rights under the EU data protection regime introduced by the General Data Protection Regulation (Regulation 2016/679) (the “GDPR").

Please contact Shortbread House of Edinburgh Limited (registered number SC115377) of 25 Tennant Street, Edinburgh EH6 5NA if you have any queries in relation to the processing of your personal data under this policy.

We have appointed a privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the data privacy manager at info@shortbreadhouse.com.

2.         CATEGORIES OF DATA SUBJECTS

(A)        VISITORS TO OUR WEBSITE

The following section of this policy sets out how we may process personal data (as a controller) about visitors to our website.

The kind of information we hold about you

We may collect, use, store and transfer different kinds of personal data about you which you provide to us though our website including: name, date of birth, address, email address, telephone numbers, technical data, including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website, usage data (including information about how you use our website, products and services, and information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time)); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.

We also work closely with third parties (including, for example, sub-contractors in technical, payment and delivery services) and may receive information about you from them.

We do not collect any sensitive personal data or special categories of personal data about you through our website (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

How we collect your data

We use different methods to collect data from and about you including through:

§      direct interactions with you, including by filling in forms. This includes personal data you provide when you order or make a purchase from us; and

§      automated technologies or interactions. As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.

How we will use information about you

Your personal data may be processed by us or our sub-processors (or any of their affiliates, agents, delegates or sub-contractors) for the following purposes:

§      to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information and products that you request from us (including passing your contact details on to our carriers for delivery purposes and passing your contact and credit/debit card details on to our service providers for the purposes of processing your order and payment);

§      to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about on the basis of our legitimate interests if you are a customer or with your prior consent;

§      to notify you about changes to our service to pursue our legitimate interests;

§      to ensure that content from our website is presented in the most effective manner for you and for your computer and to use data analytics to improve our website, marketing, customer experiences on the basis of our legitimate interests;

§      to comply with legal or regulatory requirements;

§      to scan and monitor electronic communications sent to us (including attachments) for viruses or malicious software, to process and encrypt personal data to protect and manage email traffic, and to store personal data on our systems to pursue our legitimate interests including for document retention purposes; and

§      such other actions as are necessary to manage the activities of the Company by processing instructions and enforcing or defending the rights and/or interests of the Company, in order to comply with our legal obligations and/or to pursue our legitimate interests.

We will use your personal data in the following circumstances: where it is necessary for our legitimate interests or those of a third party and where your interests and fundamental rights are not overridden by those interests, or where we need to comply with a legal or regulatory obligation.

Links to websites

Where the website provides links to other websites, we will not be responsible for the data protection/privacy/cookie usage policies of such other websites, and you should check these policies on such other websites if you have any concerns about them. If you use one of these links to leave our website, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting a linked website and such websites are not governed by this policy. You should always exercise caution and review the privacy policy applicable to the website in question.

Cookies

A cookie is a small file which asks permission to be placed on your computer. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular website. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

Our website uses two cookies. The cookies we use are "shopping cart" and "analytical" cookies. The shopping cart cookie allows our site to remember which items you have chosen to buy and is essential for the operation of our checkout. The analytical cookie we use is "Google Analytics", which allows us to recognise and count the number of visitors to our site and to see how visitors move around the site when they are using it. This helps us to improve the way our website works, for example by ensuring that users are finding what they are looking for easily. Read more about Google Analytics: https://www.google.com/intl/en/analytics/standard/

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

(B)        CUSTOMERS

The following section of this policy sets out how we may process personal data (as a controller) about our customers (being current, previous and/or potential customers) and our customer's employees and representatives.

The kind of information we hold about you

We may collect, use, store and transfer different kinds of personal data about you which you provide to us including: name, date of birth, address, email address, bank details and telephone numbers.

How we will use information about you

We will use your personal data in the following circumstances: where it is necessary for the performance of a contract, for our legitimate interests or those of a third party and where your interests and fundamental rights are not overridden or where we need to comply with a legal or regulatory obligation.

Your personal data may be processed by us or our sub-processors (or any of their affiliates, agents, delegates or sub-contractors) for the following purposes:

§      to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information and products that you request from us (including passing your contact details on to our carriers for delivery purposes and passing your contact and credit/debit card details on to our service providers for the purposes of processing your order and payment);

§      to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about on the basis of our legitimate interests if you are a customer or with your prior consent;

§      to notify you about changes to our service to pursue our legitimate interests;

§      to ensure that content from our website is presented in the most effective manner for you and for your computer and to use data analytics to improve our website, marketing and customer experiences on the basis of our legitimate interests;

§      to comply with legal or regulatory requirements;

§      to scan and monitor electronic communications sent to us (including attachments) for viruses or malicious software, to process and encrypt personal data to protect and manage email traffic, and to store personal data on our systems to pursue our legitimate interests including for document retention purposes; and

§      such other actions as are necessary to manage the activities of Company by processing instructions and enforcing or defending the rights and/or interests of the Company, in order to comply with our legal obligations and/or to pursue our legitimate interests.

Basis on which we process your data and right to withdraw consent

If we consider it necessary to obtain your consent in relation to the use your personal data, we will contact you to request this consent. In such circumstances, we will provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to provide your consent, you have the right to withdraw your consent at any time, although that will not affect the lawfulness of processes based on consent before its withdrawal. To withdraw your consent or to opt out of receiving any of our marketing communications, please contact our privacy manager at info@shortbreadhouse.com or follow the unsubscribe instructions included in each electronic communication. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Where such processing is being carried out on the basis that it is necessary to pursue our legitimate interests, such legitimate interests do not override your interests, fundamental rights or freedoms.

(C)        BUSINESS CONTACTS

The following section of this policy sets out how we may process personal data (as a controller) about our business contacts and (current, previous and/or potential) service providers (and employees of service providers) and data subjects that have provided a business contact to, or have corresponded with us.

The kind of information we hold about you

We may collect, use, store and transfer different kinds of personal data about you which you provide to us including: name, date of birth, address, email address, telephone numbers, place of work and job title.

How we will use information about you

We will use your personal data in the following circumstances: where it is necessary for our legitimate interests or those of a third party and where your interests and fundamental rights are not overridden or where we need to comply with a legal or regulatory obligation.

Your personal data may be processed by us or our sub-processors (or any of their affiliates, agents, delegates or sub-contractors) for the following purposes:

§      to carry out our obligations arising from any contracts entered into between you and us (including receiving goods and/or services from you);

§      to communicate with you to pursue our legitimate interests;

§      to ensure that content from our website is presented in the most effective manner for you and for your computer and to use data analytics to improve our website, marketing, customer experiences on the basis of our legitimate interests;

§      to comply with legal or regulatory requirements;

§      to scan and monitor electronic communications sent to us (including attachments) for viruses or malicious software, to process and encrypt personal data to protect and manage email traffic, and to store personal data on our systems to pursue our legitimate interests including for document retention purposes; and

§      such other actions as are necessary to manage the activities of the Company by processing instructions and enforcing or defending the rights and/or interests of the Company, in order to comply with our legal obligations and/or to pursue our legitimate interests.

Basis on which we process your data and right to withdraw consent

If we consider it necessary to obtain your consent in relation to the use your personal data, we will contact you to request this consent. In such circumstances, we will provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to provide your consent, you have the right to withdraw your consent at any time, although that will not affect the lawfulness of processes based on consent before its withdrawal. To withdraw your consent or to opt out of receiving any of our marketing communications, please contact our data privacy manager at info@shortbreadhouse.com or follow the unsubscribe instructions included in each electronic communication. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Where such processing is being carried out on the basis that it is necessary to pursue our legitimate interests, such legitimate interests do not override your interests, fundamental rights or freedoms.

(D)        JOB APPLICANTS

The following section of this policy sets out how SHOE may process personal data (as a controller) about applicants of jobs or placements and potential workers and contractors.

SHOE is the data controller of the personal data that you provide or which is provided to or collected by SHOE during and/or in connection with any application for a position at SHOE.

In connection with your application for work with us, we will collect, store, and use the following categories of personal data about you: name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications, information provided to us during telephone calls, interviews and/or meetings with you, information contained in your CV and cover letter or email and references.

We may also collect, store and use the following "special categories" of sensitive personal data: Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions, information about your health, including any medical condition, health and sickness records and/or information about criminal convictions and offences.

We may collect personal data about candidates from the following sources: you, the candidate directly; recruitment agencies; background check providers; credit reference agencies; your named referees; and data from third parties is from a publicly accessible source including Companies House records and social media (such as LinkedIn).

Your personal data may be processed by SHOE or its sub-processors (or any of their affiliates, agents, employees, delegates or sub-contractors) for the following purposes:

(a)        to assess your skills and qualifications, to consider your suitability for the position and to decide whether to enter into a contract with you;

(b)        to carry out background and reference checks, where applicable;

(c)        to communicate with you about and in connection with the recruitment process;

(d)        to keep records related to our hiring processes;

(e)        to comply with legal or regulatory requirements;

(f)         to scan and monitor emails sent to us (including attachments) for viruses or malicious software, to process and encrypt personal data to protect and manage email traffic, and to store personal data on our systems to pursue our legitimate interests including for document retention purposes; and

(g)        such other actions as are necessary to manage the activities of the SHOE, including by processing instructions, monitoring and recording electronic communications (including telephone calls and emails) for quality control, analysis and training purposes, and enforcing or defending the rights and interests of SHOE, in order to comply with its legal obligations and/or to pursue its legitimate interests.

We process this personal data on the basis of our legitimate interests (in order to decide whether to appoint you to work for us) and/or in order to comply with applicable laws.

Once we receive your CV and covering letter or your application form, we may process that information to decide whether SHOE has any suitable vacancies and if you meet the basic requirements to be shortlisted for that role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the work. If we decide to offer you the work, we will then take up references and we may carry out other checks before confirming your appointment.

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

We may use your sensitive personal data in the following ways:

•           we will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during the interview; and

•           we will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure equal opportunity monitoring and reporting.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

If your application is successful, the information you provide during the application process will be retained by SHOE as part of your employee file and held in accordance with the privacy section of SHOE's staff handbook and our data retention policy or applicable laws.

If your application is unsuccessful, the information you have provided will be retained by SHOE for six (6) months after we have communicated to you our decision to you. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy or applicable laws and regulations.

3.         DISCLOSURES OF YOUR PERSONAL DATA

We will not disclose personal information we hold about you to any third party except as set out below.

We may disclose your personal data to third parties who are providing services to us, including IT service providers, marketing service providers, background and/or credit reference services, telephone service providers, document storage providers, backup and disaster recovery service providers and to payment, carrier and delivery service providers.

We may also disclose personal data we hold to third parties:

§      in order to provide you with the information and products that you request from us (including passing your contact details on to our carriers for delivery purposes and passing your contact and credit/debit card details on to our service providers for the purposes of processing your order and payment);

§      in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;

§      if we are permitted by law to disclose your personal data to that third party or are under a legal obligation to disclose your personal data to that third party; and/or

§      if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions (available at https://www.shortbreadhouse.co.uk/terms-and-conditions/ and other agreements; or to protect the rights, property, or safety of the Company, our customers, or others.

4.         DATA RETENTION

We will retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

5.         INTERNATIONAL TRANSFERS

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things,  the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

Whenever your personal data is transferred out of the EEA by us, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

§      we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries;

§      where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries; and/or

§      where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

Please contact us if you want further information on the specific mechanism used when transferring your personal data out of the EEA.

6.         DATA SECURITY

We have put in place measures to ensure the security of the personal data we collect and store about you. We will use reasonable endeavours to protect your personal data from unauthorised disclosure and/or access, including through the use of network and database security measures, but we cannot guarantee the security of any data we collect and store.

The transmission of information via the Internet is not completely secure. Although we will seek to protect your personal data, we cannot guarantee the security of your data transmitted to us. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.

7.         YOUR LEGAL RIGHTS

In certain circumstances, by law you have the right to:

§      request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;

§      request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;

§      request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);

§      object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes;

§      request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;

§      request the transfer of your personal information to another party; and

§      withdraw your consent. If we are processing your personal data on the basis of your consent, you have the right to withdraw such consent at any time. Withdrawing your consent will not affect the lawfulness of processes based on consent before its withdrawal. To withdraw your consent or to opt out of receiving marketing communication, please contact our privacy manager at info@shortbreadhouse.com or follow the unsubscribe instructions included in each electronic marketing communication. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

If you wish to exercise any of the rights set out above, please contact our privacy manager at info@shortbreadhouse.com.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO so please contact us in the first instance.

8.         CHANGES TO THIS PRIVACY NOTICE

We may update this privacy notice from time to time, and will communicate such updates through our website. We may also notify you from time to time about the processing of your data. Please check back frequently to see any updates or changes to our privacy policy.

9.         FURTHER INFORMATION

If you have any queries about this policy or your personal data, or you wish to submit an access request or raise a complaint about the way your personal data has been handled, please do so in writing and address this to the privacy manager at Shortbread House of Edinburgh Limited, 25 Tennant Street, Edinburgh EH6 5NA or by email to info@shortbreadhouse.com.

Shortbread House of Edinburgh Limited is a private limited company registered in Scotland (registered number SC115377) and its registered office address is 25 Tennant Street, Edinburgh EH6 5NA.