Introduction
Here at BITCH the relationship we have with you is important. We’re not a nosey BITCH so how we handle and respect your privacy and your trust is fundamental to that.
This privacy policy describes how we collect, use, transfer and process your personal information as a customer or potential customer.
This privacy policy applies when you visit, purchase or use our websites, events, apps, and other services. Your acceptance of Our Privacy Policy is deemed to occur upon your first use of Our Site. If you do not accept and agree with this Privacy Policy, you must stop using Our Site immediately.
We want to be as transparent as we can within the policy but if you have any questions then don’t hesitate to reach out to us by emailing the Data Protection BITCH (Officer) at DPO@Bitchorganics.com
As is the common concern with many people, if you tell us you don’t want to receive marketing messages, we will stop sending them. However, it is important to note that we will continue to send essential information relating to any product or service you have purchased.
We periodically review this policy and any changes made will be reflected on our website (www.bitchorganics.com) and will take effect from the date of publication.
Who we are?
We are a limited company incorporated in England and Wales under company number 08591549. Our registered office is at 86-90 Paul Street 3rd Floor, London, EC2A 4NE. Our correspondence address is at 86-90 Paul Street 3rd Floor, London, EC2A 4NE
We provide hair care products and services to individuals and companies. Within this policy we detail how we handle your data under the role of Data Controller.
If you are unsure of anything, or have any questions, then you can contact us at any time by emailing us at DPO@Bitchorganics.com or writing to us at 86-90 Paul Street 3rd Floor, London, EC2A 4NE.
What information do we collect?
The type of information that we collect about you depends on the interactions that you have with us. Typically, we will Specify the types of personal information you collect, e.g. names, addresses, usernames, etc.
The type of data we may collect is:
- Identity data
  - Title, First name, Surname.
- Contact data
  - Company name, company address, email address(es), telephone numbers, company registration numbers.
- Financial data
  - Payments to, and payments from you.
- Technical data
  - IP Addresses, login data, browser type, version, time zone, location, operating system and platform and other technology on the devices you use to access our services. Usernames, passwords, preferences.
- Usage data
  - How you use our website.
  - Order history and products used, information about your browser, network, and device. Webpages visited prior to coming to our site, and your IP address.
How do we collect it?
The majority of data will be obtained through direct interactions with you, primarily by use of our website, but also by phone, email, events and other means. Typically, this will be in the enquiry of, usage of, or purchase of our products and services.
We may also obtain data through:
- Technologies when interacting with our website.
- Data research conducted by ourselves or any third party under legitimate interest rules.
We do not hold sensitive personal data and financial details such as credit card details.
How do we use personal information?
We will use personal information in the performance of the contract between us, where there are legitimate interests, and where we need to comply with the law.
- Enabling access, purchase of and notification of any products or services you have purchased
- Setting up the accounts necessary to obtain all of the products you have purchased, including those that may be provided by third parties.
- delivering marketing and events communication
- carrying out feedback, polls and surveys
- internal research and development purposes
- providing goods and services
- legal obligations (e.g. prevention of fraud)
- meeting internal audit requirements
What legal basis do we have for processing your personal data?
We will normally process personal data:
- Where we have the consent to do so
- Where we need it to perform a contract that we have entered into.
- For carefully considered and specific purposes which are in our interests and enable us to enhance the products and services we provide, but which we believe also benefit our customers.
- Where we have a legal obligation
Data Collected about Other Individuals
As you use our products and services, you may import Personal Information into our system about other individuals - for example you may purchase a product as a gift for someone. You are responsible for making sure you have the appropriate legal permission for us to collect and process information about those individuals as outlined in our terms and conditions.
When do we share personal data?
We treat your personal data confidentially, but we may share this data with third-party suppliers that are necessary for providing your services and/or conducting our business operations:
We will share information with:
- Courier companies, including but not limited to Royal Mail and DPD. This is limited to personal data for the provision of delivery services such as title, first name, surname, address details, phone numbers, email address, and description of products purchased.
- Squarespace for the website logistics, order processing, data lead forms, marketing and the CRM. Squarespace needs the data to run this website, and to protect and improve its platform and services. Squarespace analyses the data in a de-personalised form. We hold a Data Protection Agreement (DPA) with respect to GDPR: https://www.squarespace.com/dpa
- Xero as our accountancy software package.
Where do we store and process personal data?
Data stored in Arlo will be stored outside of the European Economic Area. All data in Arlo is encrypted at rest and stored in AWS, a provider that is fully compliant with GDPR. Read more at https://aws.amazon.com/compliance/gdpr-center/. We hold a Master Subscription Agreement (MSA) with Arlo who is a Data Processor on our behalf as the Data Controller. This MSA comprises a Data Protection Agreement (DPA) with respect to GDPR - https://www.arlo.co/legal/master-subscription-agreement#schedule-2-data-protection-addendum-agreement
For data stored in Xero, Xero uses a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S., to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/. When personal data is hosted or processed outside of the European Economic Area then Xero ensures it remains protected by appropriate safeguards in line with EU law. Xero has also completed a SOC 2 Type 2 report. The report covers the Trust Services Principles and Criteria for Security, Availability, and Confidentiality. SOC 2 audits are carried out by Ernst and Young, so it's an independent assessment of Xero's control environment against an internationally recognised assurance standard. You can request a copy of Xero’s SOC 2 report at https://www.xero.com/about/security/soc-report/.
How do we secure personal data?
We take care to protect your information. We use generally accepted technical and organisational measures to safeguard your data from loss, misuse, or unauthorised alteration or destruction.
Where we have to transfer, share or store your personal data with our partners for further processing, we ensure full security and privacy of the data by having “processor agreements” in place with our partners.
Please note however that where you are transmitting information to us over the internet this can never be guaranteed to be 100% secure.
How long do we keep your personal data for?
We will hold your data in record for as long as necessary to comply with our legal, tax and business requirements and obligations.
If you stop interacting with us then we will delete or archive your information as much as is feasible after 7 years.
Your rights in relation to personal data
You have rights under the GDPR:
- to access your personal data
- to be provided with information about how your personal data is processed
- to have your personal data corrected
- to have your personal data erased in certain circumstances
- to object to or restrict how your personal data is processed
- to lodge a complaint with the Information Commissioner’s Office.
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
https://ico.org.uk/concerns/
Tel: 0303 123 1113.
How to contact us?
For more details, please address any questions, comments and requests regarding our data processing practices to our Data Protection Officer at DPO@Bitchorganics.com
Use of cookies and other technologies
You may include a link to further information, or describe within the policy if you intend to set and use cookies, tracking and similar technologies to store and manage user preferences on your website, advertise, enable content or otherwise analyse user and usage data. Provide information on what types of cookies and technologies you use, why you use them and how an individual can control and manage them.
Linking to other websites / third party content
Our website may at times include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our site we recommend you check their statements.
We also do not endorse or take any responsibility for the content or information contained within any linked website.