At Katie Tinkler, we are committed to ensuring that your privacy is protected whilst purchasing your greeting cards and original gouache paintings. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement. We may change this policy from time to time by updating this page. We’ll notify you of any significant changes but you should check this page from time to time to ensure that you are happy with any changes. When we collect and process your personal data, we are doing so on our own behalf, and not on behalf of any third parties.
The legal bases
The law on data protection sets out a number of reasons for which a company may collect and process your personal data including:
Consent – for example, where you have ticked a box to receive emails
Contractual obligations – for example, where we need your data to fulfil our contract with you
Legal compliance – for example, where the law requires us to
Legitimate interest – where we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not impact your rights, freedoms or interests.
What information we collect
We may collect the following information:
Contact information including email address
Demographic information such as postcode, preferences and interests
Other information relevant to customer surveys and/or offers
Sharing personal data
As mentioned, we do not sell any personal information to third parties. However, we do share your data with the following types of companies so that we can provide our services to you:
Companies that help get your orders to you – i.e. delivery companies, warehouses, and payment service providers.
Professional service providers – i.e. data agencies, website hosts, and marketing agencies to help with things we are not able to do ourselves.
Fraud prevention agencies
Companies approved by you – i.e. social media sites, if you choose to link your account. To do this we may share your data with service providers inside and outside the UK and EU however we will only transfer personal data to service providers outside the EU and UK where there is an adequate safeguard in place (typically the Standard Contract Clauses), available on request.
Advertising, marketing and your communications preferences
We may use your Identity, Contact, Technical, Tracking, Usage and Profile Data to form a picture of what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you and tell you about them. This is what we call direct marketing.
We may carry out direct marketing by email, phone, text or post. For example, you might have the newsletter hit your inbox or a cool promotion land on your door mat.
On our website, we always try hard to make it really clear what we are doing and what communications you will be sent, whether it’s you deciding to sign up to the newsletter or as part of creating an account or the purchase journey – and you have a right at any time to change your mind and say no thank you and opt out (but we’d be really sorry to see you go, so please give us a chance by fine tuning your preferences before really leaving us!). The easiest way to opt out is to use the unsubscribe link at the bottom of the communication.
Of course, there are lots of different ways you’ll see adverts for out and about, and not all of these are based on using personal data – sometimes we just buy good old-fashioned advertising space in the real world and websites and social media. If you see our adverts on websites and in social media, these may not be directed specifically at you, we might just have bid for the space. But here are some things we may do that may be specifically directed at you:
Emails, for example the newsletter;
Text messages, for example with discount codes;
Promotions by post, such as great money off shipping offers, or from our trusted retail partners; and/or
Phone calls, to tell you something that might be relevant to you and your business.
We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers for tax purposes.
We also make a promise to you that you can come back at any time in the future and re-print products you have ordered from us in the past. So, unless you actively delete this information, we keep it, so we can keep our promise to you.
In some circumstances you can ask us to delete your data; see Your legal rights below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you
Your legal rights
If the General Data Protection Regulation applies to you because you are in the European Union, you have rights under data protection laws in relation to your personal data:
The right of access – that’s a right to make what’s known as a ‘data subject access request’ for a copy of the personal data we hold about you;
The right to rectify – that’s a right to make us correct personal data about you that may be incomplete or inaccurate;
The right to erasure – that’s also known as the ‘right to be forgotten’ where in certain circumstances you can ask us to delete the personal data we have about you (unless there’s an overriding legal reason we need to keep it);
The right to restrict processing – that’s a right for you in certain circumstances to ask us to suspend processing personal data;
The right to data portability – that’s a right for you to ask us for a copy of your personal data in a common format (for example, a .csv file);
The right to object – that’s a right for you to object to us processing your personal data (for example, if you object to us processing your data for direct marketing); and
Rights in relation to automated decision making and profiling – that’s a right you have for us to be transparent about any profiling we do, or any automated decision making.
These rights are subject to certain rules around when you can exercise them. You can see a lot more information on them, if you are interested, on the UK Information Commissioner’s Office website.
If you wish to exercise any of the rights set out above, please contact us at email@example.com.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You have the right to make a complaint at any time to the Information Commissioner's Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us at firstname.lastname@example.org in the first instance.
Last updated 29/09/23