Privacy and Cookies Notice
UPDATED FEBRUARY 2019
We ask that you read this Privacy and Cookies Notice carefully as it contains important information on who we are and how we look after personal information that you share with us. Looking after the information you share is important to us and we want you to be confident that your personal information is safe and secure and want you to understand how and why we collect, use and protect your personal information. The below notice explains what information we collect and why we collect it, in what circumstances we share your information and the rights and choices you have in relation to your personal information.
We are Neal's Yard (Natural Remedies) Limited (‘Neal’s Yard Remedies’ ‘we’ ‘us’ or ‘our’), a company registered in England and Wales under company number 01597194. Our registered office is at Peacemarsh, Gillingham, Dorset, SP8 4EU. Our main trading address is: Neal's Yard, Covent Garden, London, WC2H 9DP.
We collect, use and are responsible for certain personal information about you. When we do so we are regulated by data protection laws, including the Data Protection Act 2018 (‘Data Protection Legislation’) which applies across the United Kingdom and complements the European Union’s General Data Protection Regulation. We are responsible as ‘controller’ of that personal information for the purposes of those laws.
CHANGES TO THIS PRIVACY AND COOKIES NOTICE
This Privacy and Cookies Notice was last updated on 11 February 2019. We may change this Privacy and Cookies Notice from time to time. When we do, we will inform you via a banner at the top of the Site (as defined below) for two weeks.
www.nealsyardremedies.com (‘Site’) and the Neal’s Yard Remedies mobile app (‘App’) are operated by Neal’s Yard Remedies. We collect information that you provide to us by filling in forms on our Site or via our App. This includes information provided at the time of registering to use our Site and App (where applicable), subscribing to our services (where applicable), ordering products through our Site and App, personalising our Site and App with your preferences, posting material or requesting further services.
PLACING AN ORDER
We keep details of the transactions you make through our Site and App and the fulfilment of orders. This includes payment details, your name, billing and postal addresses, the items you ordered and your email and telephone number.
If you checkout as a guest we will store your order details; name, email address, billing and shipping address, order details and payment method.
We collect details of your visits to our Site and App including, but not limited to, if applicable which URL you used to get to our Site, searches you make, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access. We collect these details to better understand how our customers arrive on and use our Site and App and enable us to improve them.
If you purchase a Gift Card the details of both the sender (you) and the recipient (if applicable) are stored in your order history.
PAYMENT OF AN ORDER
We use a third-party supplier, Sagepay, to provide our payment gateway and to record our order fulfilment. This includes name, billing and shipping address and order amount which will check if your payment passes fraud security.
If PayPal is chosen as the payment method, you will be taken to the PayPal Site to complete payment by logging into your PayPal account and confirming payment is to be made.
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology.
DISPATCHING YOUR ORDER
We use Parcelforce to fulfil our order delivery. We pass your name, telephone and postal address plus order value (for insurance purposes) to Parcelforce so that they can track and deliver your parcel and communicate with you via telephone to provide the delivery time details.
If you are logged into your account whilst on the Site, the Site will track purchase choices made and record them in your ‘My Account’ order history. These choices are then fed into our cloud-based predictive intelligence engine which in turn will suggest other related products that may complement and add value to your existing purchase choices, known as personalised sorting rules or product recommendations. If you create a wish list on the Site or App, these details will be stored in your account profile on the Site or within the App. These will not be made public unless you specifically choose to do this in the wish list settings if available.
If you are a member of our Loyalty programme, both your online and in-store purchase history will be stored in your account’s ‘Loyalty’ history.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site and our Site via our App, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Although kept on your account, your password is not visible to us.
If you are using our App, we may use GPS technology on your device to determine your current location. This is to assist us in enriching / customising your experience and provide you with GPS enabled functionality in locating your nearest Neal’s Yard Remedies store or Therapy Room. If you wish to use this location data service which engages your device’s GPS tracker, you will be asked to consent to your data being used for this purpose upon registering to use the App. You can withdraw your consent at any time by turning off the location services settings for the App on your device.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our Site and App; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access and require our suppliers to do the same.
Our Site and App may, from time to time, contain links to and from the sites of our partner networks, advertisers and affiliates. If you follow a link to any of these sites, please note that these sites have their own privacy and cookies policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these sites.
Our Site and App track and gather data using a third-party app by Google called Google Analytics. This stores information anonymously on Google’s servers. It gathers information such as a visitor’s country of origin, the device used, pages visited and basket value. We use these stats to identify any pinch points for our customer journeys and then use it to improve their journey through our Site and App. These statistics help us to identify the most common devices used to visit our Site or App, so we can target specific roadmap improvements for those commonly used platforms (mobile, iPad etc.). Google Analytics only reflects the code update being applied to anonymize your IP address therefore the user’s identity cannot be tracked back to their online account details.
We used a third-party service integrator to support the maintenance and development of the Site and App. This means that they can see and access live customer data if required. This only happens if we are making improvements to areas such as your account functionality, improvements in ordering or other areas that interact with customers and their data. They cannot export this data without our approval or use it for anything other than providing us support to improve our service to you.
What are cookies?
We don’t store personally identifiable information such as credit card details in the cookies we create, but we do use encrypted information gathered from them to help improve your experience of the Site and App. For example, they remember the items you have in your basket and also recommend related products to show you when you’re browsing.
Here’s a list of the main cookies we use, and what we use them for.
__cq_dnt, cqcid, cquid, dw, dwanonymous_xxxx, dw_dnt, dwsecuretoken_xxxx, dwsid, dwac_xxxx, sid
Session cookies are temporary cookies which only exist during the time you use the Site or App (or more strictly, until you close the browser after using the Site or App). Session cookies help our Site and App remember what you chose on the previous page, avoiding the need to re-enter information.
__cfduid, _cd_bc, __cq_seg, __cq_uuid, _ga, _gat, _gid, uuid
Performance cookies allow us to capture information about how people use our Site or App, for example, which pages are viewed the most and how people move around our Site or App. This information is then used to make improvements to our Site, App and services.
Third Party Cookies
When you visit the Site or App you may notice some cookies that aren’t related to us. If you go on to a web page that contains embedded content, for example from YouTube, you may be sent cookies from these websites. We don’t control the setting of these cookies, so please check the third-party websites for more information about their cookies and how to manage them.
- Google – These cookies help us collect and analyse visitor information such as browser usage, new visitor numbers and response to marketing activity. That information helps us to improve the Site, App and your shopping experience, and to make our marketing campaigns relevant.
- Affiliate Window – These cookies show us how you found our Site and which website you came from. This helps us know which of our online marketing channels is most effective and enable us to reward some external websites for directing you to us.
- YouTube – These cookies allow us to display video content from YouTube on our Site.
- Snap Widget – This cookie allows us to display content from our social media channels on our Site.
- New Relic, Pingdom & CloudFlare – These cookies are used to monitor website, mobile app performance and customer experience to inform improvements to our Site and App.
If you take the opportunity to ‘share’ content from Neal’s Yard Remedies with friends through social networks – such as Facebook and Twitter – you may be sent cookies from these websites. We don’t control the setting of these cookies, so please check the third-party websites for more information about their cookies and how to manage them.
More information about cookies
If you'd like to learn more about cookies in general and how to manage them, visit aboutcookies.org. If you'd like to opt out of cookies, please go to the Network Advertising Initiative website.
Changes to our cookies notice
Any changes we may make to our Cookies Notice in the future will be posted on this page.
We will keep details of purchases made through our till system and the fulfilment of your orders. This may include payment details, your name, email address and the items ordered. We will collect details of your visits to store and your order history if you use your loyalty card. We will ask you for your email address and postcode for us to communicate and gather demographic locations on our store customers, this will be explained to you when asked for your details at the point of ordering and you can choose not to give this information at any time.
With your permission you may provide us with your name, address, email, phone number and business card (if applicable) for skin consultations, in-store events, out of stock notifications or our VIP customer list. This information will be kept and then destroyed securely once it has been used for the purpose you provided it to us.
CLICK & RESERVE
Stock can be reserved on our Site to be collected in-store by giving your name, email address and telephone number along with the store location. You will then receive an email from the store confirming the click and reserve.
BOOKING A THERAPY
When you book a therapy, we will ask for: full name, contact telephone number, email address (optional). How we save your information may depend on whether you book a therapy in store or online, this can be saved in paper form (diary) or in our third-party supplier booking systems software, Premier Spa and/or MindBodyOnline.
We will give the information that you have provided in your therapy booking to the relevant therapist who will be providing you with the therapy. This information is shared on the basis that we have a legitimate interest in sharing this information with the therapist for the provision of the therapy services to you. If you have a specific requirement for the therapist to fulfil your treatment then we may make a note of this, such as requiring downstairs toilet access. This won’t include medical information, this will be discussed, if necessary, in your private session with your therapist.
Please note that therapists are independent third parties and data controllers in their own right. The personal data you provide to your therapist is not shared with us without a legitimate business reason to do so or your consent. We may process your personal data on behalf of the therapist, for example, where we process your therapy booking or where you pay for the therapy at our store till point.
Paying for the therapy: Payment can be made in cash directly to the therapist or by card/cash at our store till point (see Retail Store section for more information on this).
Occasionally we may need to contact you regarding your booking for example regarding a change in the booking, a complaint or if we require additional information from you. We will use the telephone number given or email provided to us at time of booking.
If you have any general queries regarding your data when you make or have made a therapy room booking with us, please email email@example.com
BOOKING A COURSE OR WORKSHOP
When you make a booking, we take the course/workshop details, your name, address, email address, telephone, allergies (if relevant), qualification details if needed and payment. Payment can be made via our Site, App or by telephone.
BOOKING A DIPLOMA COURSE
When booking a Diploma Course, we take the following details; name, address, email address, date of birth, next of kin, allergies (if relevant), payment status (not details) and exam results. Please note that we may contact the IFPA by email to confirm your exam results.
If you submit case studies during your course by email or post, this information is retained for evidence of you completing the work. On each case study we ask only for your case study client’s initial or first name plus course module/title.
Your online course will start and be delivered by a Moodle website (http://nealsyardremedies.education), which is commonly used for online course delivery. You will be asked to register on the Site to take your course. You will be asked to set up a username (your email address) and password to start.
We use WebAnywhere and Moodle to deliver our online courses. You will be asked to set up a username (your email address) and password. We pass this information to WebAnywhere and Moodle to setup your access to the online course. This data is stored in Moodle to allow you to login and monitor progress on your enrolled course. We will remove you from the platform once you inform us that you wish to be removed, however this will also revoke access to any courses you may be signed up to.
Occasionally we may need to contact you regarding your course or workshop booking, we will do this via telephone or email using the details you have provided to us.
We may contact you by email about other training services that you may find of interest via MailChimp. You can opt-out by clicking on the unsubscribe link on the email.
Once your course is completed you will receive the necessary qualification certificate (for diploma and CPD courses only), this will feature your name, the course you completed and when. We keep a record that the certificate has been sent but not a copy of the certificate.
When you join our loyalty programme the following details are collected from the form you fill in: name, address, email address, date of birth (optional), time and location of signing up for your loyalty card, marketing opt-in preference and acceptance of our terms and conditions.
We use a third-party supplier to support our loyalty programme. We will delete your data from our loyalty database after 2 years of inactivity on your loyalty card. For more information on the terms and conditions for our loyalty card please read our Loyalty Terms and Conditions.
Instagram: We use Instagram to post marketing activity, we occasionally use the paid advertising service to target users based on demographics. We promote products, offers, news and brand messages – this is all run through the Facebook Advertising platform.
Mention Me (Refer a Friend): We use Mention Me to operate our Refer a Friend program. Mention Me process customer email addresses and certain order data for the purposes of: Enrolling customers onto our refer-a-friend programme; Monitoring the programme and safeguarding against gaming or fraudulent use of the programme; Communicating with customers in connection with operation of the programme and delivery of rewards; Reporting on the performance of the programme. Mention Me’s own data policy can be found here: https://mention-me.com/help/privacy_policy_s
When entering our prize draws or promotions, you may be required to provide us with your name, email address and mailing address. We use a third party provider, PromoVeritas, to choose a winner at random. Name and email address data is passed to PromoVeritas to carry this service out and deleted once the winner has received their prize. If you win, we will notify you as described in the prize draw/promotion terms and will send the prize to the address you provide to us. When you enter a prize draw or promotion, you are also able to opt-in to hear from us by email or post and be the first to know about our prize draws, offers and news. You may unsubscribe from this by following the unsubscribe instructions in any email received.
We will only contact you following a prize draw / promotion if you opted-in to do so. Unless you have opted-in to receiving marketing communications, your data will be deleted after 3 months.
Occasionally, we run joint prize draws / promotions with other likeminded companies where data will be collected on entry, we collect this data but do not distribute it. It’s used for our own marketing purposes and will only be shared with the partner company with your express permission.
We use third party providers such as SurveyMonkey and Mention Me to carry out surveys and promotions on our behalf. If you agree to take part, your data will be processed in accordance with their privacy notices as appropriate for the purposes of carrying out and administering the services which they offer. The responses and data you provide will be used by us for research and marketing purposes which will enable us to improve and enhance the services and experiences we offer to you. For example, we may publish a quote/review on our Site, App or a catalogue, that you have provided about a product.
We use internal analytics software to run business analysis on customer transactional data, this imports from our Site, tills, payment gateways and databases. The data includes name, addresses and email of those who have placed an order including the related transactional data. This is so we can ensure we offer the best promotions, offers and discounts.
If you have consented to us sending you marketing information you have the right to change your mind and ask us not to send you marketing information any more. We will always ask you (before collecting your information) if you would like to receive information from us for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your information.
Catalogue Mailings / Postcards: Please email firstname.lastname@example.org with your full name, customer no. (if you have one) and your postal address and we will remove you from our postal mailings.
Emails: If you would like to unsubscribe from any email newsletters you can also click on the ‘unsubscribe’ button at the bottom of the email newsletter. It may take up to 72 hours for this to take place. Or contact email@example.com
If you contact our Customer Care or store team by email, phone or letter, we will hold this data to deal with your enquiry. Information is retained in line with our Data and Records Management Policy.
Generally, we do not seek to collect special category data that is, information relating to: race or ethnic origin; political opinion; religious or other similar beliefs; trade union membership; physical or mental health; sexual orientation; criminal records. We recommend that you do not provide such information to us. If you choose to do so for any reason, this will mean that you have given (and we accept) your explicit consent for us to use that information for the reasons described in this notice, or as explained at the time you provide the information.
We do not sell our customer lists and we will never pass your details on to third parties for any purpose unless you have consented to us doing so or it is for the following reasons:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets;
- in the event we outsource any of our business functions under which we collect or store your information (including the hosting and maintenance of our Site, email marketing, catalogues and postal mailings and statistical reports and analysis) in which case we will ensure that any such service provider keeps your information confidential and adheres to at least the same obligations of security with regard to your information as undertaken by us; or
- we have a legitimate business reason to do so; or
- if we are under a duty to disclose or share your personal information in order to comply with any legal or contractual obligation, or
- in order to enforce or apply our Terms and Conditions and other agreements; or
- to protect our rights, property, or safety of our employees, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Under the Data Protection Legislation, you have a number of important rights. In summary, those include rights to:
- fair processing of information and transparency over how we use your personal information;
- access to your personal information and to certain other supplementary information that this Privacy and Cookies Notice is already designed to address;
- require us to correct any mistakes in your information which we hold;
- require the erasure of personal information concerning you in certain situations;
- receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations;
- object at any time to processing of personal information concerning you for direct marketing;
- object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
- object in certain other situations to our continued processing of your personal information;
- otherwise restrict our processing of your personal information in certain circumstances;
- you can claim compensation for damages caused by our breach of any data protection laws.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please:
- email firstname.lastname@example.org
- let us have enough information to identify you (full name, address and if you’re an existing customer)
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill)
- let us know the information to which your request relates including any invoice or customer number, if you have them
The information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services (i.e. management of survey processes etc.). Such countries do not have the same data protection laws as the United Kingdom and EEA. Any transfer of your personal data will be subject to appropriate contractual arrangements that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information. By submitting your personal information to us, you agree to this transfer, storing or processing.
We may transfer your personal information to the following which are located outside the EEA as follows:
- Salesforce who provide our ecommerce platform
- MailChimp who provide our Education email marketing service
- Astound who provide some of our software integration services
- SurveyMonkey who administer some surveys on our behalf
- MindBodyOnline who provide and administer our Therapy Rooms booking app
Salesforce, MailChimp, Astound, SurveyMonkey Inc. and MindBodyOnline all participate in and have certified their compliance with the EU-U.S. Privacy Shield framework set out by the U.S. Department of Commerce and the European Union and will transfer your personal data as part of their delivery of their service to us.
For more information on the EU–U.S. Privacy Shield, please visit the U.S. Department of Commerce’s Privacy Shield website at www.privacyshield.gov
The third party service provider list above will be updated from time to time.
If you would like further information please contact us at email@example.com
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
We hope that our Customer Care Team firstname.lastname@example.org can resolve any query or concern you raise about our use of your information.
Data Protection Legislation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.