Privacy and Cookies Policy
UPDATED MAY 2018
We ask that you read this Privacy and Cookies Policy carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
We are Neal's Yard (Natural Remedies) Limited (‘Neal’s Yard Remedies’, ‘we’, ‘us’ or ‘our’), a company registered in England and Wales under company number 01597194. Our registered office is at Peacemarsh, Gillingham, Dorset, SP8 4EU. Our main trading address is: Neal's Yard, Covent Garden, London, WC2H 9DP.
We collect, use and are responsible for certain personal information about you. When we do so we are regulated by the General Data Protection Regulation (‘GDPR’) which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws.
CHANGES TO THIS PRIVACY AND COOKIES POLICY
This Privacy and Cookies Policy was published on 23 May 2018 and last updated on 23 May 2018. We may change this Privacy and Cookies Policy from time to time. When we do, we will inform you via a banner at the top of the site for two weeks.
- SITE CUSTOMERS
www.nealsyardremedies.com (‘Site’) is operated by Neal’s Yard Remedies. We collect information that you provide to us by filling in forms on our Site. This includes information provided at the time of registering to use our Site (where applicable), subscribing to our services (where applicable), ordering products through our Site, personalising our Site with your preferences, posting material or requesting further services.
PLACING AN ORDER
We keep details of the transactions you make through our Site and the fulfilment of orders. This includes payment details, your name, billing and postal addresses, the items you ordered and your email and telephone number.
If you check out as a guest we will store your order details: name, email address, billing and shipping address, order details and payment method.
We collect details of your visits to our Site including, but not limited to, which URL you used to get to our Site, searches you make, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access. We collect these details to better understand how our customers arrive on and use our Site and enable us to improve it.
If you purchase a Gift Card the details of both the sender (you) and the recipient (if applicable) are stored in your order history.
PAYMENT OF AN ORDER
We use third-party suppliers to provide our payment gateway and to record our order fulfilment. This includes name, billing and shipping address and order amount, which are used to check whether your payment passes fraud security.
If PayPal is chosen as the payment method, you will be taken to the PayPal Site to complete payment by logging into your PayPal account and confirming payment is to be made.
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology.
DISPATCHING YOUR ORDER
We use Parcelforce to fulfil our order delivery. We pass your name, telephone and postal address plus order value (for insurance purposes) to Parcelforce so that they can track your parcel and communicate to you via telephone to provide the delivery time details.
- YOUR ACCOUNT
If you are logged into your account whilst on the Site, the Site will track purchase choices made and record them in your ‘My Account’ order history. These choices are then fed into our cloud-based predictive intelligence engine, which in turn will suggest other related products that may complement and add value to your existing purchase choices, known as personalised sorting rules or product recommendations. If you create a wish list, these details will be stored in your account profile. These will not be made public unless you specifically choose to do this in the wish list settings.
If you are a member of our Loyalty programme, both your online and in-store purchase history will be stored in your account’s ‘Loyalty’ history.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Although kept on your account, your password is not visible to us.
- SECURITY OF SHARED INFORMATION
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our Site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access and require our suppliers to do the same.
- THIRD PARTY SITES
Our Site may, from time to time, contain links to and from the Sites of our partner networks, advertisers and affiliates. If you follow a link to any of these Sites, please note that these Sites have their own privacy and cookies policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these Sites.
- GOOGLE ANALYTICS TRACKING
Our Site tracks and gathers data using a third-party app by Google called Google Analytics. This stores information anonymously on Google’s servers. It gathers information such as a visitor’s country of origin, the device used, pages visited and basket value. We use these stats to identify any pinch points for our customer journeys and then use them to improve their journey through our Site. These statistics help us to identify the most common devices used to visit our Site, so we can target specific roadmap improvements for those commonly used platforms (mobile, iPad etc). Google Analytics only reflects the code update being applied to anonymize your IP address; therefore the user’s identity cannot be tracked back to their online account details.
- SITE DEVELOPMENT AND MAINTENANCE
We used a third-party service integrator to support the maintenance and development of the Site. This means that they can see and access live customer data if required. This only happens if we are making improvements to areas such as your account functionality, improvements in ordering or other areas that interact with customers and their data. They cannot export this data without our approval or use it for anything other than providing us support to improve our service to you.
What are cookies?
We don't store personally identifiable information such as credit card details in cookies we create, but we do use encrypted information gathered from them to help improve your experience of the site. For example, they remember the items you have in your basket and also recommend related products to show you when you're browsing.
Here's a list of the main cookies we use, and what we use them for.
__cq_dnt, cqcid, cquid, dw, dwanonymous_xxxx, dw_dnt, dwsecuretoken_xxxx, dwsid, dwac_xxxx, sid
Session cookies are temporary cookies which only exist during the time you use the website (or more strictly, until you close the browser after using the website). Session cookies help our website remember what you chose on the previous page, avoiding the need to re-enter information.
__cfduid, _cd_bc, __cq_seg, __cq_uuid, _ga, _gat, _gid, uuid
Performance cookies allow us to capture information about how people use our website, for example, which pages are viewed the most and how people move around our website. This information is then used to make improvements to our website and services.
Third Party Cookies
When you visit the Neal’s Yard Remedies website you may notice some cookies that aren't related to us. If you go on to a web page that contains embedded content, for example from YouTube, you may be sent cookies from these websites. We don't control the setting of these cookies, so please check the third-party websites for more information about their cookies and how to manage them.
- Google – These cookies help us collect and analyse visitor information such as browser usage, new visitor numbers and response to marketing activity. That information helps us to improve the website and your shopping experience, and to make our marketing campaigns relevant.
- Affiliate Window – These cookies show us how you found our website and which website you came from. This helps us know which of our online marketing channels is most effective and enables us to reward some external websites for directing you to us.
- YouTube – These cookies allow us to display video content from YouTube on our website.
- Snap Widget – This cookie allows us to display content from our social media channels on our website.
- New Relic, Pingdom & CloudFlare – These cookies are used to monitor website performance and customer experience to inform improvements to our website.
If you take the opportunity to 'share' Neal’s Yard Remedies content with friends through social networks – such as Facebook and Twitter – you may be sent cookies from these websites. We don't control the setting of these cookies, so please check the third-party websites for more information about their cookies and how to manage them.
More information about cookies
If you'd like to learn more about cookies in general and how to manage them, visit aboutcookies.org. If you'd like to opt out of cookies, please go to the Network Advertising Initiative website.
Changes to our cookies policy
Any changes we may make to our Cookies Policy in the future will be posted on this page.
- RETAIL STORES
We will keep details of purchases made through our till system and the fulfilment of your orders. This may include payment details, your name, email address and the items ordered. We will collect details of your visits to store and your order history if you use your loyalty card. We will ask you for your email address and postcode for us to communicate and gather demographic locations on our store customers; this will be explained to you when asked for your details at the point of ordering and you can choose not to give this information at any time.
With your permission you may provide us with your name, address, email, phone number and business card (if applicable) for skin consultations, in-store events, out of stock notifications or our VIP customer list. This information will be kept and then destroyed securely once it has been used for the purpose you provided it to us.
- CLICK & RESERVE
Stock can be reserved on our Site to be collected in-store by giving your name, email address and telephone number along with the store location. You will then receive an email from the store confirming the click and reserve.
BOOKING A THERAPY
When you book a therapy, we will ask for: full name, contact telephone number, email address (optional). This can be saved in paper form (diary) or in our third-party supplier booking system software.
If we have a specific requirement for the therapist to fulfil your treatment then we may make a note of this, such as requiring downstairs toilet access. This won’t include medical information; this will be discussed, if necessary, in your private session with your therapist. Please note that therapists are independent third parties and data controllers in their own right. The personal data you provide to your therapist is not shared with us without a legitimate business reason to do so or your consent.
Paying for the therapy: Payment can be made in cash directly to the therapist or by card at our store till point (see Retail Store section for more information on this).
Occasionally we may need to contact you regarding your booking; we will use the telephone number given or email provided to us at time of booking. For example, if you have a complaint, we need to change your booking, or we require further information to fulfil your requirements.
If you have any general queries regarding your data when you make or have made a therapy room booking with us, please email firstname.lastname@example.org
BOOKING A COURSE
When you book a course, we take the course details, your name, address, email address, telephone, allergies (if relevant), qualification details if needed and payment. Payment can be made via our Site or by telephone.
BOOKING A DIPLOMA COURSE
When booking a Diploma Course, we take the following details: name, address, email address, date of birth, next of kin, allergies (if relevant), payment status (not details) and exam results. Please note that we may contact the IFPA by email to confirm your exam results.
If you submit case studies during your course by email or post, this information is retained for evidence of you completing the work. On each case study we ask only for your case study client’s initial or first name plus course module/title.
Your online course will start and be delivered by a Moodle website (http://nealsyardremedies.education); this is commonly used for online course delivery. You will be asked to register on the Site to take your course. You will be asked to set up a username (your email address) and password to start.
We use WebAnywhere and Moodle to deliver our online courses. We pass your name and email address to these third parties to set up your access to the online course. This data is stored in Moodle and this online course platform allows you to log in and monitor progress on your enrolled course. This data is stored for however long you wish to have access to your enrolled courses within the Moodle platform. This allows you to access your course information for however long you wish. We will remove you from the platform once you inform us that you wish to be removed; however, this will also revoke access to any courses you may be signed up to.
Occasionally we may need to contact you regarding your booking, we will do this via telephone or email using the details on your booking.
We may contact you by email about other courses that you may find of interest via MailChimp. You can opt-out by clicking on the unsubscribe link on the email.
Once your course is completed you will receive the necessary qualification certificate (for diploma and CPD courses only); this will feature your name, the course you completed and when. We keep a record that the certificate has been sent but not a copy of the certificate.
- LOYALTY PROGRAMME
When you join our loyalty programme the following details are collected from the form you fill in: name, address, email address, date of birth (optional), time and location of signing up for your loyalty card, marketing opt-in preference and acceptance of our terms and conditions.
We use a third-party supplier to support our loyalty programme. We will delete your data from our loyalty database after 2 years of inactivity on your loyalty card. For more information, please see the terms and conditions for our loyalty card.
Instagram: We use Instagram to post marketing activity, and we occasionally use the paid advertising service to target users based on demographics. We promote products, offers, news and brand messages – this is all run through the Facebook Advertising platform.
- COMPETITIONS, PROMOTIONS AND SURVEYS
When entering our promotions or competitions, you provide your name, email address and mailing address. If you win, we will send the prize to the address entered and notify you by email. When you enter a competition or promotion, you are also able to opt-in to hear from us by email or post, and be the first to know all our competitions, offers and news. You may unsubscribe from this by following the unsubscribe instructions in any email received.
We will only contact you by email following a competition if you opted-in to do so. Unless you have opted-in to receiving marketing communications, your data will be deleted after 3 months.
Occasionally, we run joint competitions with other like-minded companies where data will be collected on entry. We collect this data but do not distribute it. It’s used for our own marketing purposes and will only be shared with the partner company with your express permission.
If you have taken part in a survey your data will not be shared with a third party and will be used only internally for us to improve our service. If you wish your data to be removed, you can email email@example.com
We use internal analytics software to run business analysis on customer transactional data, which is imported from our Site, tills, payment gateways and databases. The data includes name, addresses and email of those who have placed an order, including the related transactional data. This is so we can ensure we offer the best promotions, offers and discounts.
- UNSUBSCRIBING FROM MARKETING COMMUNICATIONS
If you have consented to us sending you marketing information you have the right to change your mind and ask us not to send you marketing information any more. We will always ask you (before collecting your information) if you would like to receive information from us for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your information.
Catalogue Mailings / Postcards: Please email firstname.lastname@example.org with your full name, customer no. (if you have one) and your postal address and we will remove you from our postal mailings.
Emails: If you would like to unsubscribe from any email newsletters you can also click on the ‘unsubscribe’ button at the bottom of the email newsletter. It may take up to 72 hours for this to take place. Alternatively, contact email@example.com
- BUSINESS USE
As a business we use Microsoft Office. Information is saved on a secure server with restricted access and password protected. Information is retained in line with our Data and Records Management Policy.
- CONTACTING CUSTOMER CARE
If you contact our store team by email, they will only hold this data to deal with your enquiry and it will be deleted promptly. Information is retained in line with our Data and Records Management Policy.
- SPECIAL CATEGORY DATA
Generally, we do not seek to collect special category data (this used to be referred to as “sensitive personal information” under the Data Protection Act 1998) - that is, information relating to: race or ethnic origin; political opinion; religious or other similar beliefs; trade union membership; physical or mental health; sexual orientation; criminal records. We recommend that you do not provide such information to us. If you choose to do so for any reason, this will mean that you have given (and we accept) your explicit consent for us to use that information for the reasons described in this policy, or as explained at the time you provide the information.
- DISCLOSURE OF YOUR INFORMATION
We do not sell our customer lists and we will never pass your details on to third parties for any purpose unless you have consented to us doing so, or it is for one of the following reasons:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets;
- in the event that we outsource any of our business functions under which we collect or store your information (including the hosting and maintenance of our Site, email marketing, catalogues and postal mailings and statistical reports and analysis) in which case we will ensure that any such service provider keeps your information confidential and adheres to at least the same obligations of security with regard to your information as undertaken by us; or
- we have a legitimate business reason to do so; or
- if we are under a duty to disclose or share your personal information in order to comply with any legal or contractual obligation, or
- in order to enforce or apply our Terms and Conditions and other agreements; or
- to protect our rights, property, or safety of our employees, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
- YOUR RIGHTS
Under the GDPR you have a number of important rights. In summary, those include rights to:
- fair processing of information and transparency over how we use your personal information
- access to your personal information and to certain other supplementary information that this Privacy and Cookies Policy is already designed to address
- require us to correct any mistakes in your information which we hold
- require the erasure of personal information concerning you in certain situations
- receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
- object at any time to processing of personal information concerning you for direct marketing
- object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
- object in certain other situations to our continued processing of your personal information
- otherwise restrict our processing of your personal information in certain circumstances
- claim compensation for damages caused by our breach of any data protection laws
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please:
- email, call or write to firstname.lastname@example.org
- let us have enough information to identify you: full name, address and if you’re an existing customer
- let us have proof of your identity and address: a copy of your driving licence or passport and a recent utility or credit card bill
- let us know the information to which your request relates, including any invoice or customer number, if you have them
- TRANSFER OF YOUR INFORMATION OUT OF THE EEA
The information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services (i.e. management of survey processes etc.). Such countries do not have the same data protection laws as the United Kingdom and EEA. Any transfer of your personal data will be subject to appropriate contractual arrangements that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information. By submitting your personal information to us, you agree to this transfer, storing or processing.
We may transfer your personal information to the following, which are located outside the European Economic Area (EEA):
- Salesforce who provide our ecommerce platform. Salesforce has self-certified under the EU-U.S. Privacy Shield framework set out by the U.S. Department of Commerce and the European Union and will process your personal data in the USA in compliance with EU data protection legislation.
- MailChimp who provide our Education email marketing service. Mailchimp has self-certified under the EU-U.S. Privacy Shield framework set out by the U.S. Department of Commerce and the European Union and will process your personal data in the USA in compliance with EU data protection legislation.
- Astound who provide some of our software integration services. Astound has self-certified under the EU-U.S. Privacy Shield framework set out by the U.S. Department of Commerce and the European Union and will process your personal data in the USA in compliance with EU data protection legislation.
For more information on the EU–U.S. Privacy Shield, please visit the U.S. Department of Commerce’s Privacy Shield website at www.privacyshield.gov
The aforementioned list will be updated from time to time.
If you would like further information please contact us at email@example.com
- HOW WE KEEP YOUR PERSONAL INFORMATION SECURE
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
- HOW TO COMPLAIN
We hope that our Customer Care Team firstname.lastname@example.org can resolve any query or concern you raise about our use of your information.
The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.