Your privacy is very important to me and I am committed to protecting your personal data. I promise to keep your data safe and to give you ways to manage and review your marketing choices at any time.
Rian Hotton operates worldwide. As part of my business, I offer our customers an e-commerce service accessible from our website www.rianhotton.com.
To provide my services, I collect personal data about you. Data collection takes place on my website, by phone, by email, through social media websites (e.g. Facebook), through written correspondence and through other media I may use from time to time as technology develops.
This policy is intended to provide you with detailed information on my use of your personal data.
Rian Hotton is the “controller” in respect of your personal data for the purposes of EU General Data Protection Regulation (GDPR) No. 2016/679 of 27 April 2016 with effect from 25 May 2018.
In the personal data collection forms on the site or in paper format, the customer is notably informed of the mandatory nature, or not, of the data collection. In the event of failure to provide a mandatory data field, Rian Hotton will not be able to perform its services.
WHO COLLECTS PERSONAL DATA?
Your personal data is collected by Rian Hotton, operating from London, United Kingdom.
HOW THE LAW PROTECTS YOU
2.1 LAWFUL REASONS FOR PROCESSING
Your privacy is protected by law. Under data protection law, I am allowed to use your personal data only if I have a lawful reason. I must have one or more of the following lawful reasons:
To perform a contract or to take steps at your request prior to entering into a contract (e.g. to process and fulfil an order for goods, or to open and manage a Rian Hotton customer account), or
Where I am required to do so to comply with my legal obligations (e.g. to keep records), or
Where it is in my legitimate interests or those of a third party, or
Where you have consented
A “legitimate interest” is where there is a business, commercial or other reason to use your information but it should not unfairly go against what is right and best for you. Examples of legitimate interests given in the EU General Data Protection Regulation (GDPR) include fraud prevention, direct marketing and sharing data within a corporate group.
Managing our delivery and returns operations
Management of customer service (phone/email/social), follow-up of after-sales orders, product returns and refunds
Anti-fraud measures during the payment of the order and management of unpaid invoices after ordering
Sending targeted marketing promotions by email, mobile notification, social network, other websites or via other media as technology develops
Personalising our sites (mobile and desktop) and applications to customers
Measurement of visits to sites (mobile and desktop) and mobile applications;
Providing sharing tools on social networks
Running competitions (e.g. prize draws): Legitimate interests
Sharing data with commercial partners: Consent
Police authorities in the context of court orders concerning anti-fraud measures
Customs services in case of delivery abroad
Commercial partners including marketing and advertising firms.
I also use sub-contractors for the following operations:
detection and investigation of financial crime, e.g. fraud
delivering your orders and parcels and handling returns
customer services, including management of phone calls and printing and sending post
customising the content of mobile sites and applications
implementation of maintenance and technical development of my website, internal applications and information system
collection of customer reviews
sending marketing communications (e.g. email, SMS, post)
You can request a copy of the data I hold about you.
You can query any data I hold about you that you think is inaccurate or incomplete.
This is often referred to as the “right to be forgotten”. It is not an absolute right to demand that organizations stop using or delete your data. An organization may be entitled to keep and continue to use the data (e.g. to comply with a legal obligation to retain records, or so that the organization can handle complaints and show that it treated you fairly in any period that the law gives you to lodge a complaint or legal claim).
It may sometimes be possible to restrict processing of data so that it can only be used for certain purposes (e.g. legal claims or to exercise legal rights). In such circumstances, I would not use or share the data in other ways while processing is restricted. You can ask me to restrict the use of your data: if it is inaccurate; if it has been used unlawfully but you do not want me to delete it; if it is not relevant any more but you want me to keep it for use in legal claims; if you have already asked me to stop using it but you are waiting for me to tell you if we are allowed to keep using it.
As explained in section 4.1 in relation to credit scoring systems, if you apply for credit and are not satisfied with the result, you have the right to seek an explanation and request that a person manually reviews the decision. You can also ask that I do not make a decision based solely on the automated score generated by our credit scoring system.
This right entitles individuals to ask organizations to transfer their data to another organization (e.g. you wish to move from one social media service to another; from one music streaming service to another; from one bank to another). It seems unlikely to me that you would want to move the data I hold (e.g. your purchase history with me or details of your account transactions) to another organization but you have the right to ask.
Rian Hotton implements all the procedures required to obtain the guarantees necessary to secure such transfers.
Invoices related to purchases are kept for 10 years.
For more information on the retention periods applied by Rian Hotton, you can contact the data protection officer (see point 12).
to receive offers from Rian Hotton partners to whom your details will be sent
Rian Hotton will not send you personalised requests by email or text message if you have not consented to such unless I am allowed to do so under the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002.
For email, by clicking on the “unsubscribe” link provided in each email or by going to the My Account section of our website in the newsletter section;
For text messages (SMS), by sending a “STOP” message to the number indicated or by going to the My Account section of our website in the newsletter section;
In all cases, by speaking with a customer services adviser
third-party cookies from third-party partner companies to identify your interests and send you personalised offers. These third-party cookies are directly managed by the companies that publish them and must also comply with the data protection regulations.
to adapt the presentation of my site according to the type of device used (e.g. tablet),
to adapt the presentation of my site according to the preferences of each user,
to memorise information relating to a form that you have filled in on my site (registration or access to your account, subscribed service, contents of your shopping basket, etc.),
to allow you to access reserved and personal areas of my site (e.g. My Account, through login information),
to implement security measures (e.g. when you are asked to log back into your account after a certain period of time),
to share information with advertisers on other websites to offer you relevant advertising in line with your interests. As such, I use advertising cookies,
You can set your web browsing software so that cookies are saved in your device or, on the contrary, are blocked ‒ either systematically or depending on their source. You may also configure your web browsing software so that you are prompted each time to allow or block cookies before a cookie can be saved to your device.
You have the option to object to the storing of cookies by visiting the website
In France, the CNIL: www.cnil.fr
In Spain, the AEPD: www.agpd.es/portalwebAGPD/index-idfr-idphp.php
In Portugal, the CNPD: www.cnpd.pt/index.asp
In Belgium, the CPVP: www.privacycommission.be/fr
In Switzerland, the PFPDT: www.edoeb.admin.ch/edoeb/de/home.html
In Italy, the Garante per la protezione dei dati personali: www.garanteprivacy.it
2.2 MY PROCESSING & REASONS
I collect and record personal data to carry out the following processing:
What I use personal data for:
Customer account, shopping cart and order management;
Managing payment transactions
Recording conversations with customer services by email or social media for the purposes of improving our customer services, fraud prevention and compliance with legal requirements
Customer satisfaction management (collection of customer reviews on products and customer service performance): Legitimate interests
Statistics, analytics, selection and segmentation of customers to improve knowledge of customers, how they use our products and services and their changing needs
WHO I SHARE YOUR DATA WITH
I share your data within Rian Hotton and its associated companies and I may also share it with public authorities and partners who can use the data for their own purposes (they are recipients) and suppliers only for the account and according to our instructions (our sub-contractors).
The recipients of the data include:
Fraud prevention agencies
secure payment on our website and mobile applications
4.1. YOUR RIGHTS UNDER DATA PROTECTION LAWS
Under Articles 14 to 22 of EU General Data Protection Regulation (GDPR), you have the following rights:
Right of access:
Right of rectification:
Right to object to processing, or to ask me to delete, remove or stop using it:
Right to limit processing:
Right to object to profiling:
In relation to marketing profiling (selecting you for specific promotions and making product recommendations), you can also object to this but then the offers and recommendations you receive will be less relevant and no longer targeted to your interests.
Right to portability:
It is worth noting also that, under the EU General Data Protection Regulation (GDPR), if an organization that is processing your data detects a breach of data security that could create a high risk to your rights, then that organization may be required to notify you of the breach so you are aware of it. In such circumstances, the organization would also be required to notify the relevant supervisory authority.
4.2 HOW TO EXERCISE YOUR RIGHTS
You can exercise your rights in the following ways:
Please include your surname, first name, address, email and, if possible, your customer reference to accelerate consideration of your request.
I may require proof of identity before fulfilling your request.
I will contact you to acknowledge receipt of your request and I will then answer fully within one month. In some cases, due to the complexity of the request or the number of requests, this period may be extended by 2 months.
4.3 CONSEQUENCES OF EXERCISING THE RIGHT OF OPPOSITION TO MARKETING PROFILING
In relation to marketing profiling (selecting you for specific promotions and making product recommendations), you may continue to receive marketing promotions but they will be less relevant to you and no longer be targeted to your interests.
4.4 WITHDRAWAL OF CONSENT
Where I am processing your data based on your consent (see section 2 above), you may withdraw your consent at any time by contacting me at the above address or by informing me by other means I provide, e.g. clicking “unsubscribe” at the bottom of an email.
4.5 WHAT IF YOU ARE NOT SATISFIED WITH THE RESPONSE YOU RECEIVE FROM US?
If you try to exercise your rights and I do not reply or you do not think my response is satisfactory, you can complain to the data protection supervisory authority in your country of residence:
You are hereby informed that personal data concerning you may be transmitted for the purposes of processing set out above to companies located in countries outside the European Union that do not have an adequate level of protection with regard to personal data protection.
Prior to the transfer outside the European Union, and in accordance with the regulations in force,
Activities I currently undertake outside the EU include the following:
Purpose | Data Country of Destination | Management of Data Transfer
Sharing data with social network | United States | Privacy Shield/Standard contractual clauses
For more information on managing cross-border flows, you can contact the Data Protection Officer.
HOW LONG WILL MY DATA BE KEPT?
Rian Hotton has set specific rules concerning the retention period of the Users’ personal data.
6.1. General rules concerning the management of the commercial relationship:
To calculate the most relevant retention period, Rian Hotton distinguishes:
– Prospects who have never made a purchase from Rian Hotton
– “Customers” who have made at least one purchase
A distinct retention period will be applied to prospects and customers.
Regarding prospects, the starting point of the retention period is the creation of the account.
Regarding customers, the starting point of the retention period is their last purchase at Rian Hotton. The retention period of a customer’s data will differ depending on whether or not the customer adheres to a loyalty programme.
6.2. Specific rules for certain data processing:
For some types of processing, the retention of data is subject to specific retention periods.
Here are some examples:
Anti-fraud instructions are kept for 3 years.
WHAT SECURITY MEASURES ARE TAKEN TO PROTECT MY DATA?
7.1. GENERAL RULES
As a data “controller” under the EU General Data Protection Regulation (GDPR), I take all measures to preserve the security and confidentiality of data, and in particular to prevent data from being distorted, damaged or accessed by unauthorised third parties.
I have deployed a robust security system to ensure the highest security of data collected and to detect data breaches.
When using sub-contractors, we ensure their compliance with data protection laws.
7.2. RULES APPLICABLE TO BANK DATA, CREDIT CARDS AND DEBIT CARDS
To ensure payment security, I use the services of a payment service provider, Stripe, that is certified by the Payment Card Industry in relation to data security (PCI-DSS). This standard is an international security standard whose objectives are to ensure the confidentiality and integrity of cardholder data, and therefore secure the protection of card and transaction data.
When you place an order for payment by debit card with me, my order taking system connects in real time with the Stripe system which collects your data and carries out various checks to avoid abuse and fraud. The data is stored on Stripe servers and is not transmitted to me or my servers at any time. Stripe requests authorisation from your bank and sends me a transaction number that allows transactions up to the amount of the authorisation.
So that you do not have to enter your details every time you place an order, you can choose, by ticking the box provided, to have your credit and debit cards associated with your online account saved and stored securely by Stripe. You can consult the list of your saved cards (in hidden mode), but also delete all or part of its content, in the “Payment Methods” section of the “My Purchases” section under “My Account”. In this case, your deleted cards will no longer appear in your online account or in future orders.
In order to be able to debit your account during invoicing or to credit it following a return, Stripe keeps the bank data associated with the authorisation number only as long as it is needed to process the payment transaction (payment after ordering the goods) and to handle any subsequent claim (returns, disputes).
If you have made the choice to save your credit or debit cards, they will be automatically deactivated when the card expires.
7.3. FIGHT AGAINST ONLINE FRAUD
In order to secure payments and deliveries and ensure an optimal quality of service, the personal data collected on the site are also processed by Rian Hotton to determine the level of fraud risk associated with each order and, if necessary, to help adapt the conditions of execution thereof.
WHAT SHOULD I KNOW ABOUT DATA COLLECTED BY SOCIAL NETWORKS?
Rian Hotton offers you the option to use social networks to improve my commercial relationship and offer you targeted advertising offers through these networks.
If you use social networks to communicate and interact with me (including Facebook Messenger, Facebook Connect, and the Facebook, Instagram or Twitter “share” buttons) it is likely that this will involve a data exchange between Rian Hotton and the social network.
For example, if you are connected to Facebook on your computer and you visit a page of the Rian Hotton site, Facebook is likely to collect this information. Likewise, if you click on the “tweet” button on a Rian Hotton site page, Twitter will collect this information.
We recommend that you consult the personal data management policies of the various social networks you use to know the personal data that may be transmitted and what it will be used for.
IS DATA ON MINORS UNDER THE AGE OF 16 COLLECTED?
In accordance with the general terms and conditions, the user must be 16 years old or more to create an account on the Rian Hotton website and make purchases.
When creating an account, the user has the option to communicate the data of his children. The user may transmit data concerning minors under the age of 16 to Rian Hotton. He ensures that he is the holder of parental authority and expressly agrees to transmit these personal data of a minor to Rian Hotton.
I use your contact details to send you targeted advertisements by email, post, mobile notification, on social networks or third-party websites. I will comply with the rules applicable to each channel.
The Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 permits electronic marketing (email, SMS, phone) to existing customers for similar products and services without consent as long as the customer is given an easy means to opt-out on each occasion, e.g. by clicking an “unsubscribe” link.
Otherwise, your consent is required before I can market to you by electronic means. I seek your consent at various points, e.g. when creating a new account online or online banners asking if you would like to sign up to my newsletters by email.
You are asked to consent to the following:
to receive Rian Hotton offers by email
In all cases, you can opt-out of marketing at any time as follows:
When creating an account, tick “no” in the boxes related to marketing;
10.3. MARKETING BY POST
I have a legitimate interest in sending you marketing materials by post but I will not do so if you tell us that you do not want to receive marketing materials in this way. You can opt-out of marketing by post at any time by going to the My Account section of our website, by speaking with a customer services adviser or by writing to us at the address in the previous section. Please note that, if you have been pre-selected to receive a marketing publication by post before you opt-out, then you may still receive that publication. It can take a few weeks for an opt-out request to be effective.
10.4. EMAIL RETARGETING
After browsing our site, you may receive an email even though you have not provided your email address to me. How is this possible?
I, like many other retailers, use the services of companies that identify internet users who have already visited my website and send them personalised emails.
Who collected my email address?
This processing involves commercial partners who have already collected your email address from other sources, as well as your consent to authorise the sending of advertising.
COOKIES, TAGS & TRACKERS
When using my online services, information relating to the navigation of your device (computer, tablet, smartphone, etc.) may be recorded in “cookie” files placed on your device, subject to any choices you have expressed about cookies. You can set your browser settings to reject cookies but please bear in mind that, if you do this, certain personalised features of my site cannot be provided to you.
11.1 WHAT IS A COOKIE?
A cookie is a small text file saved by the browser of your computer, tablet or smartphone which keeps limited user data to facilitate browsing and allow certain features, e.g. online shopping baskets and personal recommendations based on what you have viewed.
There are two types of cookies:
first party cookies, by Rian Hotton for the purposes of browsing and the operation of the site;
11.2 WHY ARE COOKIES, TAGS & TRACKERS USED?
Cookies that I use on my site and mobile applications (apps) allow us:
11.3 HOW TO CONFIGURE COOKIES, TAGS AND TRACKERS?
Rian Hotton collects your prior consent to the use of advertising, audience measurement and social network sharing cookies in accordance with data protection law.
At any time, you can express and modify your wishes in terms of cookies, by the means described below.
Configuration of your web browsing software
How do you implement your preference based on the browser you use?
To manage cookies and your preferences, each browser is configured in a different way. It is described in your browser’s help menu, which will explain to you how to modify your cookies preferences.
Persistent marketing and analytics cookies
These cookies contain a unique user ID which will enable Klarna to recognize the user’s device the next time that user returns to a merchant using Klarna’s services. These are persistent cookies, stored on the device for a period of up to 540 days as of the last interaction with Klarna, or until they are deleted and allow Klarna (i) to show personalized marketing of Klarna products, including credit promotions to the user, and (ii) to perform analytics of the user behaviour.
By connecting the unique user ID stored in the cookie on the device to the information Klarna has about the user, Klarna will be able to recognize the user of that device. The information Klarna collects through the cookies is not shared with any third party.
Klarna Bank AB (publ) is subject to Swedish Data Protection legislation, and is the data controller for the purpose of processing the personal data as described above. Klarna has a data protection officer and a team consisting of personal data experts. Klarna also has a customer service team handling questions relating to personal data. You are welcome to contact Klarna at firstname.lastname@example.org. Please visit www.klarna.com for more information about Klarna, and how Klarna processes personal data.