Last updated 15th April 2019

Introduction

We, RefStuff Limited, are a data controller for the purposes of the General Data Protection Regulation (GDPR). We collect information from you and may receive information about you from third parties.

This policy sets out the different areas where user privacy is concerned and outlines the obligations and requirements of the users, the website and the website owners. Furthermore, the way this website processes, stores and protects user data and information is also detailed within this policy.

RefStuff Limited is registered as a Data Controller with the ICO under reference number A8455621.

If you would like to discuss anything in this privacy notice, please contact: Data Protection Officer kevin@refscorer.com

The categories of customer information that we collect, process, hold and share include:

  • personal information (such as name, address, billing address, shipping address, phone number, email address)

When you make an order through our site, all information will be held electronically unless a request is received to erase the data.

Why we collect and use this information

We use the data:

  • to process orders for delivery, and to use updated delivery and address information from carriers or other third parties to correct our records and deliver your next purchase or communication more easily
  • to collect payment details – we use third party provider PayPal as our payment processor
  • to send you information on new products and recommendations. We use your personal information to recommend features, products, and services that might be of interest to you, identify your preferences, and personalise your experience.
  • to communicate with you. We use your personal information to communicate with you in relation to RefStuff Limited services via different channels (e.g., by phone, email, chat).
  • to provide updated services and inform you of any updates to any existing products
  • to contact customers regarding any queries
  • to maintain our own accounts and records
  • to send aftersales surveys
  • to send Mailchimp advertising information via text and email
  • to collect testimonials
  • to promote Ambassadors throughout our website (with written consent only)

Collecting information

Whilst the majority of information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with data protection legislation, we will inform you whether you are required to provide this data or if you have a choice in this.

Storing and retention of customer data

Customer data is kept securely on our system behind a firewall, protected by passwords and backed up to a secure location so that our GDPR obligations are not breached. The database is shared exclusively with administration and cannot be accessed without the required passwords and logins. We take securing your personal data very seriously and update our firewalls and antivirus software regularly to prevent unauthorised access to data. Our social media accounts (Instagram, Facebook, Twitter) are also secured by software. We hold personal data electronically on our CRM computer system.

Data Security

Our databases are updated regularly, protected by firewalls and passcodes, and scanned by antivirus software to remove any viruses. Our data storage system uses generally accepted industry standards to protect the information submitted, both during transmission and once it has been received. We maintain appropriate administrative, technical and physical safeguards to protect personal data against accidental or unlawful destruction, accidental loss, unauthorised alteration, unauthorised disclosure or access, misuse and any other unlawful form of processing.

This includes firewalls, secure data transfer sites such as password-protected cloud storage and transfer platforms using AES-256 encryption, and other access and authentication controls. Our hosting provider uses SSL technology to encrypt data during transmission over the public internet and employs application-layer security features to further anonymise personal data.

Who we share customer information with

We share customer information with:

  • Administration Team
  • Website developer
  • RefStuff Limited staff and contractors
  • Financial organisation – to collect payments
  • Security organisations
  • Social Media accounts (if social media forms completed)

Requesting access to your personal data

Under data protection legislation, customers have the right to request access to information about them that we hold. To make a request for your personal information, or to be given access to the information about you that we have stored, contact our designated Data Protection Officer, Kevin Houghton, at kevin@refscorer.com.

Subject Access Requests for information will be processed within 30 days and in most cases you will not be charged for us complying with your request. We can refuse or charge for requests that are manifestly unfounded or excessive. We can also refuse requests if they encroach on someone else’s privacy. If we refuse a request, we will tell you why and give you details about your right to complain to the supervisory authority and to a judicial remedy.

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
  • claim compensation for damages caused by a breach of the Data Protection regulations
  • object to your personal data being processed
  • request erasure from our records, but only to the extent that the data is not required to be retained for the purposes of complying with our legal obligations, Statutory Funding Rules, insurance purposes or HMRC requirements.

Where the processing of your data is based on your consent, you have the right to withdraw this consent at any time.

If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

Personal Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

Personal data breaches can include:

  • access by an unauthorised third party
  • deliberate or accidental action or inaction by a controller or processor
  • sending personal data to an incorrect recipient
  • computing devices containing personal data being lost or stolen
  • alteration of personal data without permission
  • loss of availability of personal data

If we recognise that a personal data breach has occurred we will instigate our response plan. Responsibility for managing and investigating breaches has been allocated to the company directors and staff are aware that they should escalate a security incident directly to the directors so they can determine whether a breach has occurred. All breaches will be recorded even if they do not need to be reported to the Supervisory Authority (ICO).

If a breach has occurred the directors will:

  • Notify the data controller, if applicable, within 24 working hours of the breach being identified
  • Assess the likely risk to individuals as a result of the breach and inform you about the breach without undue delay when it is likely to result in a high risk to your rights and freedoms. This could be because we assess there is a high and immediate risk of the data breach resulting in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to you.
  • Notify the ICO without undue delay and no later than 72 hours after the breach has been identified if it is established that the likelihood and severity of the resulting risk to individuals' rights and freedoms is high

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Further information and Resources