Privacy Notice – E Cups Ltd

 

This Privacy Notice sets out how E Cups Ltd (the Data Controller) collects and uses your personal data.  Any references to “we”, “us”, “our”, or “controller” in this Privacy Notice mean E Cups Ltd.

 

This Privacy Notice is structured in a way for you to easily find the specific details of what we do with your personal data.

 

When we refer to:

 

·      UK GDPR, we mean the UK General Data Protection Regulation

·      DPA18, we mean the Data Protection Act 2018

·      PECR, we mean the Privacy & Electronic Communications Regulation 2003

 

This Privacy Notice was last updated April 2022.

 

Our contact details

 

E Cups Ltd is the data controller for the personal data we process about you.

 

You can contact us to discuss the use of your personal data via one of the following ways:

 

·      Postal Address: Appletree House, The Lane, Gate Helmsley, York YO41 1JT

·      Telephone: 07813 964541

·      Email: hello@ecups.co.uk

·      Website: https://www.ecups.co.uk/

 

Data Protection Officer

 

Although we do not meet one of the criteria to legally appoint a Data Protection Officer under UK GDPR, we take our data protection compliance obligations seriously.  We use the services of an external data protection consultant where necessary to help ensure we collect and use your personal data in a manner you would expect us to.

 

How we get your personal data

 

We usually obtain your personal data directly from you for the following reasons:

 

·      when you make enquiries about our products;

·      when you purchase any of our products;

 

If we have met you at a networking event, business club or some other form of social engagement we may have swapped business cards or contact details.

 

We may also obtain your personal data indirectly, which includes:

 

·      Information you have made publicly available, e.g. on social media platforms;

 

There may be occasions when we have obtained your details by word-of-mouth referrals, introductions and recommendations from other businesses.

 

Why we need your personal data and what we do with it

 

The table below sets out why we need your data, the personal data we will need, what we will do with your data, the lawful ground we rely on to process your data, how long we intend to keep your data, and the data processors we use.

 

 

When you make an enquiry about our products

·      Personal data needed: Name; Contact details

·      What we do with your data: (1) To respond to your enquiry. (2) To keep in touch with you after we have responded to your enquiry. (3) To send you marketing information.

·      Lawful grounds relied on: Contractual Obligation; Legitimate Interest

·      How long your data is kept: Enquiries 12 months; Marketing – until you unsubscribe

·      Data processors or 3rd parties used: Data may be available to our App provider Web Intellect Ltd

When you purchase our products

·      Personal data needed: Name; Contact details; Purchasing details; Financial details

·      What we do with your data: (1) To process purchase orders. (2) To supply you with our products. (3) To process invoices. (4) To deal with any issues relating to our products delivery, payment, etc. (5) To keep in touch with you and send you marketing information.

·      Lawful grounds relied on: Contractual Obligation; Legal Obligation; Legitimate Interest

·      How long your data is kept: Contracts and Invoicing – kept for 6 years; Marketing – until you unsubscribe

·      Data processors or 3rd parties used: Intuit Quickbooks (Data Controller in their own right)

When we buy your products or use your services

·      Personal data needed: Name; Contact details; Payment details, e.g. bank details

·      What we do with your data: (1) To make our own enquiries about your products or services. (2) To buy your products or services. (3) To pay you for the products or services bought.

·      Lawful grounds relied on: Contractual Obligation; Legal Obligation

·      How long your data is kept: Payment information – kept for 6 years

·      Data processors or 3rd parties used: Intuit Quickbooks (Data Controller in their own right)

 

Lawful grounds to use your personal data

 

Here is a bit more information on the lawful grounds relied on to collect and use your personal data.

 

Contractual obligation (GDPR Article 6(1)(b))

This lawful ground allows us to use your personal data to respond to your enquiries about our services, to provide you with quotes, and to allow us to provide you with our products and get paid for the products we sell.

 

We require certain information from you to enable us to fulfil our contractual obligation with you.  If you are not able to provide all the necessary information we need, it may mean we are not able to respond to your enquiry or sell you our products.  Any arrangements may therefore not proceed or may need to be terminated.

 

Legal obligation (GDPR Article 6(1)(c))

There are times when we must process your personal data for us to comply with a legal or regulatory requirement.  In these cases we will usually rely on the lawful ground known as “legal obligation” as the processing is necessary for us to fulfil a legal obligation to which we are subject.  For example:

 

·      We have a legal obligation under finance and tax laws to keep certain information relating to payments and tax.

·      We have a legal obligation to provide the police or other law enforcement body with information if they are investigating a potential crime.

 

Legitimate interests (GDPR Article 6(1)(f))

We rely on the legitimate interest lawful ground to keep in touch with you and to send you marketing after we have been introduced or you have made enquiries about our products or bought our products.

 

We rely on “soft opt in” to keep in touch with you and send you marketing information.  UK GDPR allows us to use the legitimate interests lawful ground for direct marketing purposes when soft opt in applies.  This is because it is not deemed to be an unreasonable expectation for anyone who has a relationship with our business to receive marketing from us.

 

This also complies with the UK’s e-Privacy laws, currently PECR, which governs how a business can undertake electronic direct marketing.  We can rely on soft opt-in to keep in touch and send email marketing to our prospective and existing customers. 

 

We always give you the opportunity to object to marketing related communications when we first collect your personal data and with every marketing communication thereafter.

 

Sharing your personal data with other businesses

 

We do not share, sell or rent your personal data to other businesses for them to use for their own marketing purposes.

 

We may sometimes need to share your data with other organisations, such as when we have a legal obligation to do so.  Whenever we are asked to share your personal data we always ensure we have a lawful ground to do so and we fully document the reasons for the sharing.

 

Using data processors and 3rd parties

 

There are times when we may need to use other businesses to help us fulfil the delivery of the sale of our products to you.  These other businesses will either be:

 

·      data processors as they are acting under our strict instruction on what they can and cannot do with your personal data; or

·      joint data controllers as they have their own purposes to process your personal data.

 

When we do use other businesses to process personal data on our behalf (data processors) we ensure there are appropriate UK GDPR compliant contracts in place. 

 

A data processor is not allowed to do anything with your personal data other than what we have instructed them to do with it. They will not share your personal data with any other business apart from us, unless they are required to do so by law. They will hold it securely and retain it for the period we instruct.

 

Transferring personal data outside of the UK

 

Sometimes it is not possible for us to store or process your personal data wholly in the UK.  When your personal data does need to be transferred or stored outside of the UK we make sure we comply with UK GDPR.

 

We will usually rely on one of the following safeguards to be in place to make the transfer:

 

·      An Adequacy Regulation is in place with the country to which the personal data is being transferred.  This means the UK has deemed the receiving country to have similar data protection laws in place.

·      Standard Contractual Clauses or the UK’s International Data Transfer Agreement.

 

If we are unable to rely on the above safeguards it might be that we need to obtain your explicit consent to make the transfer of personal data to a country outside of the UK.

 

Your rights

 

Depending on the reasons why we need your personal data and the legal basis relied on, there are various rights available to you.  You can:

 

  • access the personal data we keep about you and be given specific information about the processing. This right always applies regardless of the reason we need your personal data.

 

  • ask us to rectify personal data we hold about you that you think is inaccurate. This right always applies regardless of the reason we need your personal data.

 

  • ask us to delete your personal data. This right only applies in specific circumstances depending on the reason we need to use your personal data.

 

  • ask us to restrict the processing of your personal data. This right only applies when specific circumstances apply.

 

  • object to the processing when we have relied on legitimate interest to undertake that processing activity and you believe we have infringed your rights.

 

  • transfer your personal data from us to another service provider. This right only applies to personal data you have given directly to us and when the lawful ground for the processing is consent or contractual basis and the processing is automated.

 

We do not undertake any solely automated decision making, including profiling, about you.

 

To find out more about how to exercise your rights please refer to the guidance on the Information Commissioner’s Office website.  https://ico.org.uk/your-data-matters/

 

You do not need to pay a fee to exercise any of your rights.  However, if your request is manifestly unfounded or excessive, we do have the right to either charge a reasonable fee or refuse the request.

 

We shall respond to a valid request within one month of receiving it.

 

If you wish to exercise one of your rights, please contact us via one of the methods shown in the “Our contact details” section.

 

How to make a complaint about us to the Information Commissioner’s Office

 

If you are not happy with how we are processing your personal data or you believe we have not dealt with one of your rights correctly you are entitled to make a complaint to the Information Commissioner’s Office (ICO).  The ICO has several ways in which you can get in touch with them, including post, email, and online forms.  For full details of how to make a complaint please refer to their website.  https://ico.org.uk/make-a-complaint/

 

Links to other websites

 

Our website may provide links to websites of other organisations.   This Privacy Notice does not cover how those organisations process your personal data when you visit their website.  We advise you to read their Privacy Notices.