The following describes what personal data we process and for what purposes, and also the choices you have in connection with such processing.
Personal data processed by us
We only process personal data that we obtain when you pay for purchased products and/or services through our online store front. We are the data controllers for such personal data that you voluntarily choose to submit in the free text field that is displayed to you when you choose to pay through our online store front. This means that we may process categories of personal data such as your name but also information about your purchases.
How we use personal data (purpose of processing) and legal basis for the processing (why the processing is necessary)
We process your personal data to provide our services and products, to fulfil relevant agreements with you and to otherwise administer our business relationship with you. The legal basis we rely on is to fulfil our contractual obligations towards you, to comply with applicable laws and to pursue our legitimate interests.
We always process personal data in accordance with applicable law, and we have implemented appropriate security measures compliant with local information security requirements to protect your personal data from misuse, unauthorized access or disclosure, loss, alteration or destruction.
We will retain your personal data for no longer than permitted under applicable law after which time your personal data will be destroyed or deleted. We only retain your personal data to allow us to process the payment link and ensure compliance with our legal requirements.
We do not carry out any such processing that is defined as solely automated decision making, including profiling, under the General Data Protection Regulation (“GDPR”) that has legal effects or otherwise similarly significantly affects you.
We may share your personal data with our service providers (e.g. those storing your personal data or processing the payment of your payment link) in connection with the above purposes. This will be done confidentially and only to the extent permitted by applicable laws.
We do not process personal data obtained from third parties.
We share personal data with iZettle AB, Regeringsgatan 59, 111 56, Stockholm, Sweden in its capacity of personal data controller.
If we share your personal data with data processors we only share them for purposes compatible with the purposes for which we have collected the data.
Third country transfer
Some of the service providers we use may be located outside of the EEA, including the US. Some of these countries may not have equivalent data protection laws to those which apply in your country.
However, when we transfer your data, we will comply with all applicable laws in respect of such transfer, including taking steps to keep it secure, and ensure that appropriate safeguards are in place to ensure there is adequate protection.
If we sell all or part of our business, or make a sale or transfer of assets, including a sale in bankruptcy or are otherwise involved in a merger or business transfer, we may transfer your personal data to a third party as part of that transaction.
Below you can read more about your rights.
Please note that if you request for us to erase, block, restrict, or transfer your data, or if you object to the processing, and we agree to comply with your request, we may be unable to continue to provide our products and services to you. You will remain liable for any amount to be paid through a payment link, but which remains unpaid on the date that the processing ceases.
There are exceptions to the rights below, so access may be denied, for example where we are legally prevented from making a disclosure.
Right to be informed
Right of access
You have the right to make a subject access request about the personal data that we process about you. This can include a query as to whether or not we process any of your personal data. If you wish to access your personal data you can either send us a written request signed by you and post it to the following address “The Data Controller, Nutmeg Gifts Limited, 115 Lower Richmond Road, London, SW15 1EX” or contact us at email@example.com, providing sufficient information to enable you and your data to be identified.
Right of rectification
You have the right to ask us to rectify inaccurate or incomplete personal data that we hold about you.
Right of erasure of personal data
You have the right to erasure if:
- the personal data is no longer necessary for the purposes it was collected or processed for (and no new lawful purpose exists),
- your particular situation gives you the right to object to processing on grounds of legitimate interest (see more below) and there is no justified reason for continuing the processing,
- the lawful basis for the processing is your consent, and you withdraw your consent, and no other lawful grounds exist,
- processing the personal data has been unlawful, or
- there is a legal obligation for us to erase the data.
If you want to ask us to erase the personal data that we hold about you, please contact us using the following contact details: “The Data Controller, Nutmeg Gifts Limited, 115 Lower Richmond Road, London, SW15 1EX” or contact us at firstname.lastname@example.org.
Right to restrict the processing of personal data
You have the right to ask us to restrict the processing of your personal data. You have this right if:
- the personal data we hold about you is inaccurate,
- the processing is unlawful and you ask us to restrict the use of personal data instead of erasing it,
- we no longer need the personal data for the purposes of the processing, but we still need it for the establishment, exercise or defense of legal claims, or
- you have objected to the processing claiming that the legal basis of legitimate interest is invalid and are waiting for the verification of this claim.
Right to object to the processing of your personal data
Where our lawful basis for processing your data is our legitimate interests, you have the right to object to the processing of your personal data if:
- you can show that your interests, rights and freedoms regarding the personal data outweigh our interest to process your personal data, or
- we process your personal data for direct marketing purposes, including but not limited to profiling.
This means that we will cease such processing unless we:
- demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
- require the personal data in order to establish, exercise or defend legal rights.
Right to data portability
You have the right to data portability:
- for personal data that you provided to us, and
- if the legal basis for the processing of the personal data is the fulfilment of contract or consent.
We will send a copy of your data in a commonly used and machine-readable format to you or a person/organization appointed by you, where technically feasible and where the exercise by you of this right does not adversely affect the rights and freedoms of others.
Contact us or the data protection authority
In the EEA, you may also make a complaint to our supervisory body for data protection matters, namely the ICO, the Information Commissioner's Office, by contacting them at 0303 123 1113 (local rate) or 01625 545 745 (if you prefer to use a national rate number), or send a letter to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom, or send an e-mail to the ICO by following this link: https://ico.org.uk/global/contact-us/email/.
You also have the right to seek a remedy through local courts if you believe your rights have been breached.