Privacy policy
G17MVG’s privacy policy for holding customers' personal information is a legally required document that explains how our organisation collects, uses, stores, shares, and protects customer data. Its primary goal is to provide transparency and comply with various data protection laws like GDPR, CCPA, and others.
Here are the key elements that are included in our comprehensive privacy policy:
1. Identity and Contact Information
Company Details: G17MVG, 88 Horley Road, Redhill, Surrey, RH1 5AA. G17MVG@gmail.com. 07888744618
Data Protection Officer (DPO): Marie Griffin (contact details above)
2. Information Collection
What Data is Collected: G17MVG collects personal information (name, email address, physical address, phone number, payment details,)
How Data is Collected: G17MVG collects details directly from the user via forms and 3rd parties.
3. Purpose and Legal Basis for Processing
Why Data is Used: The specific purposes for G17MVG to collect and use each category of personal data is for processing orders, providing services, customer support, marketing, website improvement, legal compliance
Legal Basis (especially for GDPR): Specify the legal ground for processing the data ensuring that G17MVG has received consent to hold the information and customers have the right to withdraw consent at any time.
4. Data Sharing and Disclosure
Third Parties: G17MVG will share necessary details with third parties for payment processors, shipping companies and analytics providers.
Purpose of Sharing: Necessary Information will only be shared with third parties to receive payments and to ship products to customers.
Sale of Data: G17MVG does not sell personal details to any third parties.
5. Data Security and Retention
Security Measures: SSL/TLS Encryption (HTTPS): This is fundamental. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), encrypt the data exchanged between the customer's web browser and the online store's server. This prevents cybercriminals from reading sensitive information, like credit card numbers or passwords, while it's in transit across the internet. Websites using this are identified by "https" in the address bar and a padlock icon.
PCI DSS Compliance: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards for any entity that stores, processes, or transmits cardholder data. Online stores must comply with these requirements, which often involve:
Using strong access control measures.
Encrypting stored cardholder data.
Regularly testing security systems and processes.
Tokenization/Trusted Payment Gateways: Many online stores do not directly store credit card numbers. Instead, they use third-party payment gateways (like PayPal, Stripe, etc.) which handle the sensitive data. The store receives a "token" (a non-sensitive placeholder) from the gateway, which is used for recurring payments without storing the actual card
Data Minimization: Only collecting and retaining customer data that is strictly necessary for business operations, reducing the amount of valuable information available to potential attackers.
Encryption at Rest: Sensitive data that must be stored (like personal profiles, order history, etc.) is encrypted when stored on the server to make it unreadable if a breach occurs.
Access Control: Restricting access to customer data within the company to only those employees who absolutely need it to perform their job (the principle of least privilege).
Strong Authentication: Requiring strong passwords, and often implementing Multi-Factor Authentication (MFA) for employee accounts with access to sensitive systems.
Firewalls: Using Web Application Firewalls (WAFs) and other network firewalls to monitor and filter incoming and outgoing network traffic to block common web attacks.
Regular Software Updates/Patching: Keeping all e-commerce platforms, operating systems, and security software up-to-date to patch vulnerabilities that hackers could exploit.
Security Audits and Testing: Conducting regular internal and external security audits, vulnerability scans, and penetration testing to proactively find and fix weaknesses.
Monitoring for Suspicious Activity: Employing systems that continuously monitor the website and network for unusual access attempts or suspicious activity, often linked to intrusion detection and prevention systems.
Data Retention: G17MVG will keep customer personal data for only 12 months and then will be destroyed.
6. User Rights and Choices
Right to be InformedYou have the right to know how your personal data is being collected, used, shared, and protected. This is typically fulfilled through a transparent and accessible Privacy Policy and clear notices at the point of data collection (e.g., a cookie banner).
Right of AccessYou have the right to request and receive a copy of the personal data a company holds about you. This is often referred to as a Data Subject Access Request (DSAR).
Right to RectificationYou have the right to have inaccurate or incomplete personal data about you corrected without undue delay.
Right to ErasureAlso known as the "Right to be Forgotten," this allows you to request the deletion of your personal data when it is no longer necessary for the purpose it was collected, or if you withdraw your consent. (There are exceptions, such as legal requirements to keep certain records).
Right to Restrict ProcessingYou have the right to temporarily stop a company from processing your data
under certain conditions, such as when you are contesting the accuracy of the data.
Right to Data PortabilityYou have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another company without hindrance.
Right to ObjectYou have the right to object to the processing of your personal data in certain situations, notably for direct marketing purposes.
Rights related to Automated Decision Making and ProfilingYou have the right not to be subject to a decision based solely on automated processing (like profiling) if it produces legal effects or similarly significant effects on you.
.