This privacy policy describes how and why we collect and use personal data and provides information about individuals’ rights.

The statement applies to personal data provided to us, both by individuals themselves or by others on behalf of individuals.

Where we ask you to provide, or automatically collect, information by which you can be identified and non identifying information when using this website, we use it in accordance with this privacy statement. Or where listed in another form before collecting personal data.

 

Caroline Shelley Studios respects your privacy and we are committed to protecting personal data that we hold. This includes whilst you are browsing and purchasing prints and products from our website.

​

When we collect and process your personal data, we are doing so on our own behalf, and not on behalf of any third parties, but third parties are used to fulfil our services.

  

PERSONAL DATA

GDPR stands for the General Data Protection Regulation, which came into effect in the EU (including the UK) on 25th May 2018. This legislation gives you greater control, security and transparency of your personal data.

Under the UK GDPR and the Data Protection Act (2018), including The Data Protection, Privacy and Electronic Communications (Ammendments etc) (EU Exit) Regulations 2019, personal data is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’), by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

When collecting and using personal data, our policy is to be transparent about why and how we process personal data.

We process personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose differ, and are set out in the relevant sections below.

The personal data that is provided to us, is provided either directly from the individual concerned, from a third party acting on behalf of an individual, or from publicly available sources (such as internet searches, and Companies House).

Where we receive personal data from a third-party that relates to an individual, we request that this third-party informs the individual of the necessary information regarding the use of their data. Upon communication with the individual, we inform them where we collected the data from.

​

THE DATA CONTROLLER - A data controller is the individual or legal person who controls and is responsible to keep and use personal data in paper or electronic files.

Caroline Shelley ("we", "us", "our") is the data controller.

​

THE LEGAL BASIS

The law on data processing and protection sets out a number of reasons for which a company or trading entity may collect and process your personal data (Article 6 of the GDPR). The most applicable to Caroline Shelley Studios are below. Any time personal data is to be processed at least one of these must apply: 

• Consent – for example, where you have ticked a box to receive emails.

• Contractual Obligations – for example, where we need your data to fulfil our contract with you.

• Legal Obligation / Compliance – for example, where the law requires us to.

• Legitimate Interest – where we require your data to pursue our legitimate interests; In a way which might reasonably be expected, as part of running our business and which is not in conflict with and does not impact your rights, freedoms or interests.

   

WHAT INFORMATION WE COLLECT AND STORE

WHO - We collect data from all users of our website, anyone who contacts us through other means (including email & social media), and any individual or company who we use services from, including to provide our merchandise.

These include: customers, browsers (including prospective customers), suppliers (including manufacturers & printers), and other business contacts.

Individuals who visit our website often fall into multiple categories, for example, where site visitors become future customers. Data held and processed for the original purpose may also become data that is held and processed for an additional purpose.

​

WHY - There are several reasons why we will process the personal data that an individual may provide to us when visiting our website, these include:

• Services – to process, produce and deliver your orders, to fulfil our contractual obligation to you, as part of the products you are purchasing (receiving goods). Where a supplier is helping us to deliver professional services to our customers. We request that customers only provide the personal data that is required for us to fulfil our contractual obligation. 

• Administration / Management – to administer and maintain our website and to improve internal operations, systems and applications including troubleshooting, data analysis, testing, research, obtaining feedback, statistical and survey purposes. Managing our relationship with customers and suppliers. Developing our business services, such as identifying customer needs and improvements in service delivery. Maintaining and using IT systems and internal business records.

• Function – in order to allow individuals to use some functionality of our website, certain personal data must be entered in order for features to work as intended. To ensure that the website displays well and is optimised appropriately.

• Security – in order to keep our website safe and secure, we may sometimes collect personal data, for instance login information and other data that can be used to confirm an individual’s identity. Quality and risk management activities – we have security measures in place to protect our and our customers’ and suppliers' personal information, which involve detecting, investigating and resolving security threats.  Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We have policies and procedures in place to monitor the quality of our services.

• Compliance - Complying with any requirement of law, regulation or a professional body (where we are a member), we are subject to legal, regulatory and professional obligations. We need to keep certain records to show we adhere to those obligations and those records may contain personal data.

• Marketing / Communications - Promotion and development of our business activities and services. We may use contact details to provide information that we think will be of interest about us and our services, for example, industry updates and insights and invites to events. Some personal data may be used in order to measure or understand the effectiveness of the advertising we serve to individuals, and to ensure that only relevant advertising appears.

​

WHAT - The exact data that we hold depends on what data was entered and for what purpose. We collect and use your personal information primarily to provide services to you (such as, for orders and delivery).

We also collect and use your information mainly for marketing purposes - mostly for offers and customer surveys, including demographic information (such as preferences and interests). To send you details we think will be of interest. 

We may collect the following information:

• Identity Information (Services / Security / Legal Compliance) - Name, Age, Address

• Contact Information (Services / Functionality / Marketing) - Name, Email Address,   Postal Address, Phone Number 

• Demographic Information (Marketing) - General Geographic Location, Age Group, Preferences, Interests

• Financial Information (Services / Functionality / Legal Compliance) - Payment Data, Credit / Debit Card Information

• Technical Information (Functionality / Services / Security / Admin) - IP addresses (used to connect an individual’s computer to the internet), login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform (all usually collected automatically by our use of cookies). 

• Other interaction details, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any email address used to message our customer service or info email addresses.

​

HOW - We collect personal data directly through your interactions, asking for the information on forms and applications (including website plugins). When individuals contact us by phone, e-mail or otherwise. This includes information provided when an individual registers to use our website, subscribes to our services, makes an enquiry, comments on publications, enters a competition, promotion or survey or reports a problem with our website. We also collect data automatically through the use of cookies (see Cookie Policy below for detailed information).

​

We use third parties who may collect data on our behalf. Including in technical, payment and delivery services, advertising networks, analytics providers and search information providers.

We use third-party banking services to verify payment, we use Wix Payments and connected third-party payment service providers and payment networks, including Apple Pay, and the individual debit and credit card merchants. Wix Processing Services are provided by Adyen N.V. or by Stripe Inc., their affiliates, and the acquiring bank.

Your purchase is deemed successful once we take payment. Once payment is retrieved we will process, produce and dispatch your order. Payment is attempted immediately upon placing your order, but can take up to a few days (If there are insufficient funds in your account, payment may be declined or take longer).​ We will contact you by email immediately after you have ordered from us. We will also contact you when your order has been dispatched. Both of these also signify your purchase was completed successfully.

​

We store your data in our Customer Relationship Management (CRM) database. To do this we currently use Ascend by Wix. We use the Customer Relationship Management tool to improve our services and to update our customers of additional products and services we provide. Individuals can withdraw their consent and update their preferences at any time by visiting the website or using a link within one of our emails.

 In addition, personal data may be securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it. More detailed information in our sharing personal data section below.

​

SHARI​NG PERSONAL DATA

We do not sell any personal information to third parties. However, we do share with and may transfer your data to the following types of third party organisations that assist us in providing goods, services or information to you:

• Companies that help get your orders to you – i.e. delivery companies, warehouses, and payment service providers.

• Professional service providers – i.e. data agencies, IT (Information Technology) services including website hosts & cloud-based software, and marketing agencies, mostly to help with things we are not able to do ourselves. Fraud prevention agencies.

• Companies approved by you – e.g. social media sites, if you choose to link your account.

• Auditors and other professional advisers - e.g. accountants

• Those required by law or regulations - e.g. tax authorities, law enforcement agencies (disclosure). Such as to check that we are complying with applicable law and regulation, to investigate an alleged crime or to establish, exercise or defend legal rights. Only where we are legally permitted to do so in accordance with applicable law or regulation.

​

To do this we may share your data with service providers inside and outside the UK and EU, however we will only transfer personal data to service providers outside of these locations where they comply with GDPR or where there is an adequate safeguard in place (typically the Standard Contract Clauses), available on request.

​

DATA PROCESSORS

Our website is made on and hosted by Wix.com (the primary data processor), which holds the data we collect.​​

​

We also use third party processors to process your personal data, for the purposes of providing services including order production, financial transactions and shipping. These are Printify, Printful, The Print Space including Creative Hub and Shopify (where Shopify is connected to these).

 

We use Wix Analytics, Google Analytics™ and Google Adwords to collect data primarily for marketing and website function purposes. This is done automatically through our use of cookies (see Cookie Policy below for detailed information).

 

For more information about how they process your data please click on the links above. 

Before engaging with third parties, we conduct risk assessments to verify the compliance level of those third parties.

 

LOCATIONS OF PROCESSING

The data that we collect from you will be controlled by us in the UK. Our data is stored on a live cloud based platform. Our data is stored on third party servers.  If personal data is transferred outside the UK to a country without a designated adequacy rating, we will request the data subject’s consent before processing the data. Consent will not be sought where the processor stipulates that the data will be processed in accordance with the GDPR (e.g. in Standard Contractual Clauses).

​

DATA PROCESSING LOCATIONS (THIRD PARTY)

• Wix - is located in Israel, which is considered by the European Commission to be offering an adequate level of protection for the Personal Information of EU Member States residents. Wix can store our site-visitors' data in a number of locations, including data centres located in the United States of America, Ireland, South Korea, Taiwan and Israel. The processing of the data may take place within the territory of the European Union, Israel or a third country, territory, or one or more specified sectors within that third country, of which, the European Commission has decided that it ensures an adequate level of protection (transfer on the basis of an adequacy decision). Any transfer to a third country, outside the European Union, that does not ensure an adequate level of protection according to the European Commission, will be undertaken in accordance with the Standard Contractual Clauses (2010/87/EU) set out in Appendix 1 of the Wix Data Processing Agreement (DPA).

• Printify - The personal data collected is processed at their offices in San Francisco (USA) and Riga (Latvia) and in any data processing facilities operated by third parties listed in their privacy policy. By submitting your personal data, you agree to this transfer, storing or processing by them. If they transfer or store your information outside the EEA in this way, they will take steps to ensure that your privacy rights continue to be protected.

• Printful - Users of the EEA, including us have their data processed by Printful Latvia in Riga, Latvia. Other data is processed by Printful Inc. in North Carolina, USA. All the information you provide may be transferred or accessed by their parent company in the United States their affiliate companies and subsidiaries in other countries, such as Latvia, Poland, Spain, and the UK and their Service Providers. When we transferring your information they ensure appropriate protection of your information, including, as applicable, entering into the European Commission’s Model clauses for the transfer of personal data to third countries (i.e., the standard contractual clauses) and any equivalent clauses issued by the relevant competent authority of the UK.

• The Print Space (including Creative Hub) - Is UK based and operates in the UK, Europe and is expanding into other territories, including the USA. Many of their external third parties are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA. Whenever this happens the following safeguards are implemented: Where using certain service providers, they may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries. Where using providers based in the US, they may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield. Please contact them if you want further information on the specific mechanism used when transferring your personal data out of the EEA.

• Shopify - Is GDPR compliant. Is a Canadian company, but processes data about individuals across the world. They may send your personal information outside of your state, province, or country, including to the United States. This data may be subject to the laws of the countries where they send it. When they send your information across borders, steps are taken to protect your information. If you are in Europe, the UK, or Switzerland, your personal information is controlled by their Irish affiliate, Shopify International Ltd. Your information is then sent to other Shopify locations and to service providers who may be located in other regions, including Canada (where they are based) and the United States. When they send your personal information outside of Europe, they do so in accordance with European law. If you are in Europe, the UK, or Switzerland, when they send your personal information to Canada it is protected under Canadian law, which the European Commission has found will adequately protect your information. If they then send this personal information outside of Canada (for example, when sending this information to Subprocessors), this information is protected by contractual commitments that are comparable to those provided in Standard Contractual Clauses.

• Google Analytics™ and Google Adwords - Google has headquarters in California, USA with offices around the world, including the UK. They are GDPR compliant. They provide personal information to affiliates and other trusted businesses or persons for processing. They use service providers to help operate data centres, deliver products and services, improve internal business processes, and offer additional support to customers and users. Google Analytics data stored in Google's distributed file system is replicated to separate systems in different data centres. Google operates a geographically distributed set of data centers that is designed to maintain service continuity in the event of a disaster or other incident in a single region. Google relies on Standard Contractual Clauses (SCCs) for transfers of online advertising and measurement personal data out of Europe.

​

THIRD PARTY WEBSITES

Our site may contain links to and from the websites of our partner networks, advertisers and affiliates. When following any of these links, please note that these websites have their own privacy policies and we do not accept any responsibility or liability for the policy or other website content. Please check these policies before you submit any personal data to them.

​

ADVERTISING, MARKETING AND YOUR COMMUNICATIONS PREFERENCES

We may use your Identity, Contact, Technical, Tracking, Usage and Profile Data to form a picture of what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you and tell you about them. This is what we call direct marketing.

 

We may carry out direct marketing by email, phone, text or post. For example, you might have the newsletter hit your inbox or a promotion land through your letter box.

​

On our website, we always aim to make it clear what we are doing and what communications you will be sent, whether it’s you deciding to sign up to the newsletter, as part of creating an account, or the purchase journey – and you have a right at any time to change your mind and and opt out. The easiest way to opt out is to use the unsubscribe link at the bottom of the communication.

 

There are lots of different ways you’ll see our adverts, not all of these are based on using your personal data – we may buy advertising space in the real world, on websites and social media. If you see our adverts on websites and in social media, these may not be directed specifically at you, but through us independently purchasing the space.

Adverts specifically directed at you may include:

• Emails - for example a new product email or newsletter

• Text messages - e.g. with discount codes

• Postal Communication - such as money off shipping offers, or from our trusted retail partners

• Phone calls - for something that might be relevant to you and your business

​

SECURITY OF YOUR INFORMATION

We protect your data by using a trusted website host and database. To help protect the privacy of data and personally identifiable information you transmit through use of this website we maintain safeguards. Our website host uses SSL and several other techniques to keep our website secure. Also only using payment gateways with the most secure tools.

We restrict access to your personal data to those who need to know that information (confidentiality) to provide benefits or services to you.

​

DATA RETENTION

We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting obligations. We retain the personal data processed by us in a live cloud environment.

We may keep data for longer in order to establish, exercise, or defend our legal rights and the legal rights of our customers. Personal data we do not use is securely archived, with restricted access and other appropriate safeguards, where there is a need to continue to retain it. We also review how and where we store any data to ensure that we meet our obligation to store data securely.​

​

To determine the appropriate retention periods for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. The retention period varies depending on the type of data we hold, which is listed below:

• Website Visitors (and contacts through other direct means, including email & social media) - We keep your data until you ask us to remove it, primarily for marketing, to improve our offerings & services, and website functionality improvements. 

• Customers - By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years, including after they stop being customers, for tax and regulatory purposes.

• Suppliers (including Manufacturers) - retained for as long as we use your services and longer where required by law (for example, for tax reporting purposes).

• Business Contacts - personal data shall not be retained where there is no evidence that a business contact is engaged with us or our communications.

 

DATA RETENTION PERIODS (THIRD PARTIES)

• Wix - for as long as the Caroline Shelley Studios website and managing account is active, and longer if needed (e.g. if legally obligated or to protect their interests).

• Printify - will archive and stop actively using any personal identifiable information about you within 6 months from the last time we used Printify to fulfil services to you. They will delete personal data from their archives no later than 6 years from the last time we used Printify or upon our or your request.

• Printful - They may retain your personal data for as long as we have a Printful account or if any legal bases for personal data processing still exists. Where we unsubscribe they will stop the processing of the personal data for such purposes. Where we use Printful services on your behalf for fulfilment, they will keep your personal data as long as necessary to comply with their legal obligation to retain information relating to provision of services, for example, for tax purposes. If we delete our Printful account or otherwise cease to use their services, they may continue to store copies of our customers' personal data as necessary to comply with their legal obligations, to resolve disputes, to prevent fraud and abuse, to enforce agreements, and/or to protect their legitimate interests (where permitted by the applicable law to continue to store copies to protect their legitimate interests).

• The Print Space (including Creative Hub) - will only retain your personal data for as long as reasonably necessary to fulfil the purposes they collected it for, including the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. Retaining your personal data for a longer period in the event of a complaint or if they reasonably believe there is a prospect of litigation in respect to their relationship with you. Their dedicated retention policy can be requested by contacting them.

• Shopify - If we close our store, stop subscribing, or have our account terminated, they retain our store information for two years before beginning the personal information erasure process. By default, Shopify will not erase personal data if the customer has made an order in the last 6 months (180 days), in case a chargeback occurs.

• Google Analytics™ and Google Adwords - They retain the data collected for different periods of time depending on what it is, how they use it, and how we configure our settings (see their policy for exact details, link above). Some data can be deleted anytime and other data they retain for longer periods of time when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention, or financial record-keeping. When we delete data, they follow a deletion process to make sure that data is safely and completely removed from servers or retained only in anonymised form. Attempting to ensure that services protect information from accidental or malicious deletion. Because of this, there may be delays between when deleting something and when copies are deleted from their active and backup systems.

​

We want you to be able to come back at any time in the future and re order products you have ordered from us in the past. So, unless you actively delete this information, we keep it, to provide this service. You may delete your account at any time, and associated data (barring legal exceptions) by emailing customerservice@carolineshelleystudios.com

​

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

 

YOUR LEGAL RIGHTS

The General Data Protection Regulation applies to you if you are in the U.K. or European Union, you have rights under these laws in relation to your personal data:

• The right to be informed – an obligation on us to inform you how we collect and use your personal data (this privacy policy).

• The right of access – referred too as a subject access request (SAR), to obtain a copy of the personal data we hold about you.

• The right of rectification – to make us correct inaccurate personal data about you and to complete any incomplete data.

• The right to erasure – also known as the ‘right to be forgotten’, in certain circumstances you can ask us to delete the personal data we have about you (unless there is an overriding legal reason to keep it).

• The right to restrict processing – for you in certain circumstances to ask us to suspend, restrict or suppress processing personal data.

• The right to data portability – for you to move, copy or transfer personal data easily, across services, in a common format (for example, a .csv file), in a safe and secure way.

• The right to object - for you to object to us processing your personal data, including the absolute right to object to us processing your data for direct marketing

• Right in relation to automated decision making and profiling - for us to be transparent about any profiling we do, or any automated decision making, including the right not to be subject to a decision based solely on automated processing.

​

Under the UK GDPR and the Data Protection Act (2018), you may ask for a copy of the information we hold about you and you may request rectifications be made to this information if it is inaccurate or not up to date.

If you wish to exercise any of the rights set out above or send a complaint, please contact us at

 customerservice@carolineshelleystudios.com

​

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

 

You have the right to make a complaint at any time to the Information Commissioner's Office (“ICO”), the UK supervisory authority for data protection issues.

For further information about your rights and how to complain please refer to their website: 

www.ico.org.uk.

​

​

 

PRIVACY POLICY CHANGES

We reserve the right to change this privacy policy, please check this page from time to time to ensure that you are happy with any changes. Such variations become effective upon us posting them on this website, by updating this page. We will notify you of any significant changes by email. Your subsequent use of this website will be deemed to signify your acceptance of the variations.

​

This Privacy Policy was last updated on 25th April 2022.