1.0 Our Core Beliefs On User Privacy and Data Protection
We believe that user privacy and data protection are essential elements of your rights as a customer and user of our website. As such, we have a duty of care to those customers of which we hold their personal information.
We view data is a liability, and we will only collect and process it when absolutely necessary to give you the best experience possible while navigating through our website.
We hate spam as much as you do, and wish our inboxes were free from it.
Finally, we will never ever sell, rent or distribute your personal information to anyone not directly involved in the provision of the services that you have requested of us.
2.0 Applicable Legislation
Just like our general business operation and internal systems, this website is designed to comply with the following legislation (both national and international) with regards to data protection, cookie control and privacy:
- UK Data Protection Act 1988 (DPA)
- EU Data Protection Directive 1995 (DPD)
- EU General Data Protection Regulation 2018 (GDPR)
Our compliance with the above pieces of legislation, all of which are extremely thorough in their own right, means that our website is likely to also be compliant with other countries’ data protection and user privacy laws. If you are unsure about whether this site is compliant with your own country’s specific data protection and user privacy legislation you should contact our data protection officer (details of whom can be found in section 11.0) for clarification.
3.0 Information We Collect and Why:
This website collects and uses personal information for the following reasons:
3.1 Site Visitor Tracking
Like most websites, our site uses Google Analytics (GA) to track your interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website in order to make improvements to user experiences in future.
Although GA stores data such as your geographical location, device, internet browser and operating system, none of this information enables us to personally identify you in any way. In common with all other sites that use GA, Google itself does hold a record of your computer’s IP address which could be used to personally identify you to them, but they do not grant us access to this information. We consider Google to be a third party data processor (see section 6.0 below).
3.2 Usability Improvements
We use an industry standard piece of software made by Hotjar Ltd, a company based in Malta, to track usability issues on our site. None of the data that is provided to us provides us with any means to personally identify you, as your visit is simply stored as a computer generated “session ID”.
In order to track and help us improved the usability of the site for you, our customers, a Hotjar cookie is stored on your computer to enable us to see if there are any repeat issues should you visit the site multiple times.
Hotjar are considered to be a third party data processor (see section 6.0 below).
3.3 Site Security and Protection
All data sent to or from our site is encrypted using SSL/TLS.
While most of the visitors to our site are either genuine artwork buyers or keen photographers, every now and then our systems come under threat from nasty software and people out there who try to damage websites around the world.
To help protect us from such activity, we use site security tools provided by Defiant, Inc. based in Seattle, USA. These tools make use of publicly available information regarding your published IP address to assess threat levels to the site. No personally identifiable information is ever provided to us from them, or to them from us.
Defiant, Inc. are considered to be a third party data processor (see section 6.0 below).
3.4 Customer Orders
In order to send your prints, guides or workshop joining packs to you, it’s really quite essential that we have your contact details!
In order for us to provide our lifetime limited warranty, we store your name, email address, postal address and delivery information on our systems for the life of each product you purchase.
As part of the user account creation process, your name, email address, postal address and delivery information will be stored as a unique account with your email address and password of your choice on our servers. Our systems encrypt this information via SSL, and you can delete your own account at any time by visiting the “my account” section on the website.
In order for us to track how effective our advertising methods are in relation to sales, we also make use of the Google Adwords system and tracking cookies to measure their performance. Just as with Google Analytics, this makes Google a third party data processor (see section 6.0 below) for Adwords tracking as well as for Analytics.
3.5 Our Blog
Should you choose to add a comment to any posts that we have published on our blog, the name and email address you enter with your comment will be saved to our website’s database, along with your computer’s IP address and the time and date that you submitted the comment.
This information is stored in the UK in our datacentre and not shared with any other service. It is only used to identify you as a contributor to the comment section of the respective blog post and is not passed on to any of the third party data processors detailed below. Only your name will be shown on the public-facing website although if the supplied email address is linked to a Gravatar account, your Gravatar photo will also be displayed.
Your comment and it’s associated personal data will remain on this site until we see fit to either 1.) remove the comment or 2.) remove the blog post. Should you wish to have the comment and it’s associated personal data deleted, please contact our privacy email address, from email address that you commented with – sending a link to the comment and blog post in question.
If you are under 16 years of age you MUST obtain parental consent before posting a comment on our blog.
NOTE: You should avoid entering personally identifiable information to the actual comment field of any blog post comments that you submit on this website.
3.6 Contact forms and email links
If you decide contact us using the contact form on our contact us page or an email link such as to firstname.lastname@example.org, none of the data that you supply will be stored by this website or passed to / be processed by any of the third party data processors defined in section 6.0. Instead, the data will be collated into an email and sent to us over the Simple Mail Transfer Protocol (SMTP).
Our own SMTP servers are protected by TLS (sometimes known as SSL) meaning that the email content is encrypted using SHA-2, 256-bit cryptography before being sent across the internet. The email content is then decrypted by our local computers and devices.
However, not all mail servers are secured in such a way. Therefore, we would suggest that you always consider email as an insecure medium and not include personal, confidential or otherwise sensitive information within an email.
3.7 Live Chat Facility
From time to time, you may notice a small “live chat” box appear in the bottom of your screen while browsing our site.
This exists when one of our team is available to chat with you about our products and processes or to help with any decisions you’re trying to make about our images.
This service is called “Zopim” or “Zendesk Chat” and is provided and managed by ZenDesk, another third party data processor based in San Francisco (see section 6.0 below).
In order for us to keep a track of any conversations with you, Zendesk makes use of a cookie on your computer from zopim.com. While publicly accessible information about your IP address, along with your browser and device type is passed to us at the point of initiating a chat session, none of this is personally identifiable and it is never stored on our servers.
3.8 Email Newsletter
If you choose to join our email newsletter, the email address that you submit to us will be forwarded to MailChimp who provide us with email marketing services. We consider MailChimp to be a third party data processor (see section 6.0 below). The email address that you submit will not be stored within our own database or in any of our internal computer systems.
We use a “double-opt-in” system, which requires your confirmation to an automated email that is sent at the point of sign up to ensure you intended to receive our newsletters in future.
Your email address will remain within MailChimp’s database for as long as we continue to use MailChimp’s services for email marketing or until you specifically request removal from the list. You can do this by unsubscribing using the unsubscribe links contained in any email newsletters that we send you or by requesting removal via email. When requesting removal via email, please send your email to us from the email account that is subscribed to the mailing list.
If you are under 16 years of age you MUST obtain parental consent before joining our email newsletter.
While your email address remains within the MailChimp database, you will receive periodic (approximately one per month) newsletter-style emails from us.
4.0 How We Store Your Personal Information
As detailed in sections 3.4 and 3.5 above, if you submit an order, or make a comment to a blog post published on our website, some personal information will be stored within our database and UK systems. This is currently the only occasion where your personal data will be stored by us. This data is currently stored in an identifiable fashion, but protected via SSL and strong username and password combinations across all of our staff and systems.
Due to the nature of our business, and needing to send real orders to real customers, pseudonymisation is not yet practical for us to implement at this stage, although it is being investigated on an ongoing basis. At such point where it is practical and does not create any delay to order fulfilment, we will look to implement a sensible solution around this topic.
5.0 About This Website’s Server
This website is hosted within a UK data centre located just outside of London, with industry-standard security features as follows:
- Data floor segregation from external building perimeter.
- Prox tag entry on all access points, doors; internal and external.
- Biometric access via mantrap after manual initial approval by on-site staff. Visual identity checks against recorded information and approved individuals photograph, government issued ID.
- All racks and suits locked by personal lock code or key.
- CCTV monitored and recorded 24/7 at all entry points, and each row of the data centre.
- On site security, around the clock.
- Hourly floor walks, both internally and externally.
- Steel-gated and reinforced security fence around the compound.
- Site and staff compliant to security standards including ISO 27001, PCI-DSS, BPSS and BS7858.
- ANPR for any vehicles accessing the site prior to entry to the compound via pre-approved registrations.
Full details of our hosting data centre can be provided on request.
All traffic (transferral of files) between this website and your browser is encrypted and delivered over HTTPS.
6.0 Our Third Party Data Processors
We use a number of third parties to process personal data on our behalf. These third parties have been carefully chosen and all of them comply with the legislation set out in section 2.0. To our understanding, all 6 of these third parties are EU-U.S Privacy Shield and GDPR compliant.
7.0 Links to other websites
8.0 Cookie Removal
The browsers of most computers, smartphones and other web-enabled devices are typically set up to accept cookies. You have the option to control the acceptance of cookies yourself and, if you wish, to block them entirely by configuring your Internet browser. Please refer to the documentation for your browser to change your cookie preferences.
The procedure for deleting or disabling cookies on your device depends on the browser you are using.
If you are using a PC, you may delete cookies by using the keyboard shortcut [CTRL]+[SHIFT]+[Delete]
If this procedure is not successful or if you are using a Mac computer, please follow the guidelines via the following links depending on the browser you are using:
Please remember that cookies are used to enable and improve certain functions on our website. If you choose to switch certain cookies off, it is likely to affect how our website works.
9.0 Data Breaches
We will report any unlawful data breach of this website’s database or the database(s) of any of our third party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen.
10.0 Data Controller
The data controller of this website is:
Paul Reiffer - Photographer
PO Box 9390
11.0 Data Protection Officer
All data protection and privacy queries can be directed to our Data Protection Officer:
Director, Reiffer Media Ltd.
Telephone: +44(0)208 123 0257
12.0 Data Removal
You have the right to request the inspection and/or removal of all personally identifiable information we hold about you.
In the case of our third party processors, an application for such inspection or removal should be made directly to them, using the links provided in section 6.0 above.
For removal or inspection requests from our website, these should be made by email to email@example.com using the email address that was provided at the point you placed an order, made a blog comment, or registered for an account. All requests will be responded to within 21 days.
Please note that by nature of our lifetime warranty provision, the removal of all data we hold about you as a customer will prevent us from being able to offer this guarantee and will therefore invalidate your warranty from that point.
This policy was last updated on 10th March 2019.