On 25th May 2018, the EU introduced the General Data Protection Regulation (GDPR). The GDPR pertains to the collection and processing of personal data and the right to an individual’s privacy. It states that any organisation processing personal data must have fair and lawful grounds to do so, and must give you the rights to access, amend and delete that data.
Personal data may include anything which helps to identify an individual, such as your name or online identifier (e.g. a browser cookie or IP address).
The GDPR does not refer to anonymous data which can be used to identify behavioural trends but which cannot identify that visitor.
Outdoorfood Ltd. acts as the ‘data controller’ of the personal information we hold about you; we wish to be accountable for that data, and GDPR compliant.
1. What information do we collect and how do we use it?
We use this information primarily for your safety, or to make your buying experience as seamless as possible.
Broadly speaking, the data we collect can be broken into four categories:
To be able to sell through www.firepotfood.com and to fulfil and deliver your order, we require certain information from you. This includes your name, billing and shipping address, email address, phone number, items in your basket and payment details. This information is encrypted for your security.
We use these details to process your order, to communicate with you over the status of it and to confirm receipt of payment. We also keep a record of your order history.
Your name, shipping address, phone and email address are shared with third parties for parcel delivery purposes.
When you order through us, you are given an option to sign up for news and promotions. If you give us permission to do so, your email address can be used to send you news and offers we feel are relevant to you. You can opt out of these at any time.
Health and safety
As a food producer, we are liable for food safety and the hygiene standards of our kitchen and the meals that we make in it. We operate from a certified and approved premises where each of our meals is hand-cooked and hand-packed, and we take health and safety very seriously.
In the unlikely event that there is a problem with our food, we need to be able to track which meals were sent to our customers so that we can recall batches if and when necessary. We retain the details of your order and your contact details for this reason and would use them to contact you in such circumstances should the need arise. As our meals have a three-year shelf life, we would retain this data for at least that period.
We also collect aggregate data about your session, browser and device type, your geographic location and how you were referred to our website (via a search engine or social media, for example); however, much of this is anonymised.
We use this data to analyse browsing habits and buying preferences. This helps us spot trends in customer behaviour, and improve our website and communications in line with them.
You have the ability to remove this data or to change your browser settings to stop cookies being stored without your explicit consent.
Unless expressly requested by a customer, data collected through the shop is retained while the website is live. Were the website to be taken offline, personal data would be purged within 90 days.
2. Why might we contact you?
There are a number of reasons why we might contact you, or might need to contact you.
- When you make an order through the website, we will contact you to confirm receipt of your payment and to let you know that we have shipped your food to you.
- We may also contact you to keep you updated on your order status or to discuss refunds if there is a problem with your order.
- In the unlikely event that a batch of food is contaminated, we would contact you to recall your meals if we believe that they might be affected.
- You may be contacted by a third party courier to facilitate the safe delivery of your package.
Marketing and enquiries
- If you have signed up to receive our newsletter, we may contact you to update you with news from the kitchen, stories which you might find interesting, or with exclusive offers. You can always opt out of these emails.
- We might contact you for feedback on our product range.
- If you contact us via social media or enquire via the website, we may respond using your email address or phone number if supplied.
Under the GDPR, you have the right to:
- Access your data
  - We will provide a copy of your data free of charge. However, we reserve the right to charge a reasonable administration fee if a request is unfounded or excessive.
- Amend and/or correct your data
  - If you wish to amend your data, you can email firstname.lastname@example.org and we will make the requested changes to your record in the system
- Request a copy of your data
  - You have the right to be sent a copy of your data in a commonly used machine-readable format
  - You can make a request to obtain a copy of your data by emailing email@example.com
  - Your data is stored in logs on the merchant system for approximately one month and then moved to a backup location for a year or more.
- Request that your data is deleted
  - To request that your data is deleted, please email firstname.lastname@example.org with your request. You will need to allow one month for your request to be removed from the merchant system logs.
  - Please note:
    - We cannot erase data if it is:
      - Associated with an order that is pending (i.e. not yet paid for)
      - Associated with an order made less than 180 days before the erasure request (for refund purposes)
    - In the above cases, we will be able to re-submit the erasure request after that period has passed
    - Your personal data will be removed but non-personal data will be retained (e.g. revenue information and order details).
Within one month of your request, we commit to:
- Confirming what personal data we store about you
- Providing a copy of the data in a common electronic format or on paper, if requested
If the request is more complex, we may need longer to respond; however, we will still contact you within the first month to acknowledge your request and provide justification for the longer timeframe required.
4. What have we done to ensure your security?
PCI DSS compliant
We have chosen a merchant system which is compliant with the Payment Card Industry Data Security Standard (PCI DSS). This information security standard is aimed at reducing online fraud and protects cardholder data.
Secure transactional channels:
All online transactions are handled under a secure certificate (denoted by the ‘https’ in the website address). This means that sensitive data is encrypted by a layer of security so that the data exchange cannot be read or tampered with by unauthorised parties.
Email marketing communications:
When you make a purchase on our website, you have the option to opt-in to promotional and email communications from us. If you have left this box ticked during one of your transactions, or entered your email in our newsletter sign-up field, you will be marked in our system as ‘accepts marketing’.
From the 3rd May 2018, we changed the default status to opt you out of these emails, requiring you to manually tick this box if you wish to receive them.
In either case, any email marketing communications we send you provide you with a link to opt out of communications of this nature.
All Outdoorfood Ltd customers have the choice to refine or opt out of receiving marketing communications from us.
How to opt out of email marketing communications:
- During a transaction - When you make a purchase, leave the box ‘Keep me up to date on news and exclusive offers’ unticked.
- Having received an email - If you do not wish to continue to receive marketing from us, click on the ‘Unsubscribe’ link at the bottom of our emailers.
How to amend your personal data in our systems:
- Email us - You can email us on email@example.com to amend any piece of data you feel needs changing.
Like most other businesses, we use third party tools to help us process your orders (web store and related apps), deliver them (couriers), manage our finances (accounting software), stay organised (CRM and project management applications), keep in touch (social media, email marketing), and market our products.
The action of ordering from us automatically instructs some of these parties (‘processors’) to process your data. In some cases, we have legitimate cause to process your data because, without it, we would not be able to process your order (e.g. web store, accounting software, couriers). In others where we do not have the same legitimate interest, we request your consent (e.g. email marketing). We will never sell your data.
As far as third party systems go, they too are bound by the new regulations and provide their own reassurance against commercially sensitive data.
If you leave our website (by clicking a link, for example) please be aware that these parties will have their own privacy policies.