Privacy and the General Data Protection Regulation
The General Data Protection Regulation (GDPR) sets a high bar for privacy rights and compliance. Because our customers can sign up to our mailing list, we need to ensure we are compliant.
Sarah Colson Ltd does not collect, and has never collected, email addresses from any source other than:
- Opting in online through our website (explicit consent requires that each contact takes an action to consent).
- Signing up at an event on our physical mailing list forms (requiring the contact to fill in their own details).
You can unsubscribe at any point and you will be removed from our list.
Under the GDPR you have the following rights:
- The right to be informed: companies must publish a privacy notice, in addition to explaining transparently how they use this personal data.
- The right of access: individuals have the right to request a copy of the personal data a company holds about them. This information must be provided within one month of the request (extendable in complex cases).
- The right to rectification: if a person’s data is incorrect or incomplete, he or she has the right to have it corrected. If the company that holds the information has passed any of it to third parties, the company must inform those third parties of the correction and, on request, tell the person which third parties have their personal data.
- The right to be forgotten: a person may request the removal of his or her personal data in specific circumstances.
- The right to restrict processing: under certain circumstances, an individual can block the processing of his or her personal data.
- The right to data portability: a person can obtain the personal data they provided to a company in a structured, commonly used, machine-readable format and move it to another service.
- The right to object: a person can object to the use of their personal data for certain purposes, including direct marketing, which must then stop.
How we use your information
Newsletter Sign Up
Our website is built using Squarespace. In order to send newsletters and process payments we must use some third-party services to accept data from, or embed content into, our site, with Squarespace acting as a pass-through for the data or displaying the content.
Squarespace is complying with the GDPR and has issued the following information:
- In recognition of the global nature of our user base, Squarespace Ireland Limited, our Irish entity, is going to provide services to our users outside of the US. For users who are not residents of or who do not have their principal place of business in the US, the Terms of Service will be an agreement with Squarespace Ireland Limited and the laws of Ireland will apply. If you are a resident of or have your principal place of business in the United States of America or any of its territories or possessions, the Terms of Service will be an agreement with Squarespace, Inc. and the laws of the State of New York will apply.
- We incorporated a Data Processing Addendum (DPA) into our updated Terms of Service that may apply to you if you (or your use of our services) is subject to EU data protection law (including the GDPR). The DPA will be posted on May 14 and will explain how we handle, on your instructions, your and other people’s personal information that you collect or submit using our services.
To send email campaigns to you we use MailChimp.
All MailChimp sign-up forms collect the email address, IP address and timestamp associated with everyone who submits the form.
By signing up, you consent to us using this information to:
- Transfer your contact information to MailChimp
- Store your contact information in our MailChimp account
- Send you marketing emails from our MailChimp account
- Track interactions (for example, whether you opened the email, if you clicked a link and which link it was) for email marketing and ad placement purposes.
Their GDPR statement reads:
‘MailChimp’s GDPR preparation started more than a year ago, and as part of this process we are reviewing (and updating where necessary) all of our internal processes, procedures, data systems, and documentation to ensure that we are ready when the GDPR goes into effect.’
Processing Payments & Site Interaction
To process payments we use PayPal and Stripe.
Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry. To maintain it, Stripe uses industry-standard security tools and practices across its systems.
Their GDPR statement reads:
‘At Stripe, privacy, data protection, and data security are at the very heart of everything we do. We’re continuously working to reset the bar for ourselves in the security and data privacy realm, and view the GDPR as an opportunity for the entire industry to come together on this and improve.’
‘Stripe started its efforts towards GDPR compliance back in 2016, and we are working to ensure that our services are GDPR-compliant on the effective date of May 25, 2018.’
We do not receive or retain any card or bank details you submit as part of the purchasing process; they are handled entirely by the payment provider. PayPal monitors every transaction 24/7 to prevent fraud, email phishing and identity theft. If something appears suspicious, PayPal's security team will investigate and help protect you from fraudulent transactions.
Your data is encrypted before transmission so that it cannot be read or tampered with by third parties while it travels over the Internet. This uses TLS (Transport Layer Security, the successor to SSL), the same technology behind the https:// prefix and padlock icon shown in your browser. The data is encrypted so that it is only readable by the PayPal payment system.
The data encrypted in transit includes:
- Personal data (address, telephone number, etc.)
- Login data (username and password)
- Payment details (the selected payment method, card and bank account numbers)
We use Google Analytics to track user interaction.
This information is used to determine the number of people using our site, to better understand how they find and use our web pages and to track their journey through the website.
Although Google Analytics records data such as your approximate geographical location, device, internet browser and operating system, none of this information personally identifies you to us. Google Analytics sets cookies in your browser to distinguish visits; you can block these through your browser settings or with Google's Analytics opt-out browser add-on.
We will report any personal data breach affecting this website’s database or the database(s) of any of our third-party data processors to the relevant supervisory authority within 72 hours of becoming aware of it, and will inform the affected individuals without undue delay where the breach is likely to result in a high risk to them.
The data controller of this website is Sarah Colson, of Sarah Colson Ltd.