Your privacy is extremely important to us and this privacy notice provides you with details of how we collect and process your personal data through your use of our website. It explains what personal information we might collect from you and how we use this information.
“Paper White Floral Design” is the data controller and as such we are responsible for the storage of your personal data (referred to as “we”, “us” or “our” in this privacy notice).
If any of your personal information changes i.e when you have changed your email address, phone number, move address, changed your name etc, please contact us and let us know how it has changed so that we can update our records. We may contact you periodically to check that the personal data we hold for you is accurate and up to date.
Terms & Definitions:
Consent – freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data.
Data Controller – the entity that determines the purposes, conditions, and means of the processing of personal data.
Data Erasure – also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
Data Portability – the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.
Data Processor – the entity that processes data on behalf of the Data Controller.
Data Protection Authority – national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union.
Data Protection Officer – an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.
Data Subject – a natural person whose personal data is processed by a controller or processor
Encrypted Data – personal data that is protected by technological measures to ensure that the data is only accessible/readable by those with specified access.
Enterprise – any entity engaged in economic activity, regardless of legal form, including persons, partnerships, associations, etc.
Filing System – any specific set of personal data that is accessible according to specific criteria, or able to be queried.
Genetic Data – data concerning the characteristics of an individual which are inherited or acquired which give unique information about the health or physiology of the individual.
Personal Data – any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.
Personal Data Breach – a breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data.
Privacy Impact Assessment – a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data.
Processing – any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Profiling – any automated processing of personal data intended to evaluate, analyse, or predict data subject behavior.
Pseudonymisation – the processing of personal data such that it can no longer be attributed to a single data subject without the use of additional data, so long as said additional data stays separate to ensure non-attribution.
Recipient – entity to which the personal data are disclosed.
Regulation – a binding legislative act that must be applied in its entirety across the Union.
Right to be Forgotten – also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
Right to Access – also known as Subject Access Right, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.
Subject Access Right – also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.
Who we are:
Paperwhite Floral Design specialises in bespoke floral styling for weddings, events, private and corporate clients.
Created by Abbie Walsh, and based in the seaside town of Troon, South Ayrshire, our focus is on providing our clients with unrivalled customer service, the best quality of blooms and creative design.
If you need to contact us about anything related to this privacy notice, you can do so via:
Write to: 125 Templehill Street, Troon, Ayrshire, Scotland, KA10 6BQ
Phone: 01292 318622
What personal data we collect and why we collect it:
While you visit our site, we’ll track: Location, IP address and browser type: When you wish to enquire about a service from us, we may ask you to provide information including your name, , email address, phone number etc. We’ll use this information for purposes, such as, to: Respond to your requests, including admin and complaints. Comply with any legal obligations we have. Send you marketing messages, if you choose to receive them. We will also store comments or reviews if you choose to leave them.
We may collect the following data about you:
• Your name
• Your email address
• Your address
• Your phone number
• Your business name
• When you voluntarily provide feedback or testimonials
• Any other personal data you choose to post on our website
• Data about how you use our website
• Technical data such as your IP address, your login data, details about your browser, length of visit to pages on our website, page views and navigation paths, details about the number of times you use our website, time zone settings and other technology on the devices you use to access our website
• Your marketing and communication preferences
• Any other information that you directly provide to us whether through our contact form, over the phone, by email or otherwise
We hold this information because we require it to provide the product, service or support which you have requested. This may mean that you will be asked to sign or tick consent forms in the future. If you don’t consent to our processing this information when asked to do so it may mean that we cannot provide a service to you.
We do not collect any Sensitive Data about you. Sensitive data refers to data that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not collect any information about criminal convictions and offences. We do not carry out automated decision making or any type of automated profiling.
Our website is built on the WordPress platform. WordPress alone does not collect any personal data about visitors, and only collects the data shown on the User Profile screen from registered users. However, some of our plugins may collect personal data such as contact forms, eCommerce systems, security plugins and Google analytics.
How we may use your data:
We may use your data in order to:
• Send you customer communications about enhancements to products or services you have enquired about.
• Enable us to perform a contract with you, respond to enquiries and deal with complaints.
• Reply to any enquiries you make about our products or services
• Send you marketing communications where we are allowed by law to do so
• Personalise your experience on our websites
• Monitor the use of our website and online services
• Keep records of enquiries and communications
• Analyse your use of our website and other online services
• Administer and protect our business and website
• Deliver relevant website content or advertisements to you
• Understand the effectiveness of our marketing
• Comply with any legal obligations we are subject to or as required by a government authority
• Manage our business/brand
• Obtain professional advice
• Seek your views or comments on the services we provide
• Notify you of changes to our services
Our lawful ground of processing your personal data to send you marketing communications is either for your consent or our legitimate interests. Under the Privacy and Electronic Communications Regulations, we may only send you email or text marketing communications if (1) you made a purchase or asked for information from us about our goods or services or (ii) you agreed to receive marketing communications and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company or business, we may send you marketing emails without your consent. You can still opt out of receiving marketing emails from us at any time. We do not share your personal data with any third party for their own marketing purposes or if we ever did we would get your express consent. You can ask us to stop sending you marketing messages at any time by emailing us at email@example.com
If you opt out of receiving marketing communications this opt-out does not apply to personal data provided as a result of other transactions, such as purchases, or ongoing contracts etc.
Lawfulness of processing:
Under GDPR, we are only legally allowed to process your personal data if we have a lawful ground for doing so.
The legal basis for processing your data are:
Consent – the individual (a data subject) whom the personal data is about has consented to the processing by way of placing an order (customer data), making an enquiry (prospect data), or by consenting to receive future marketing material from us (marketing data) etc.
Contractual – processing is necessary in relation to a contract which the data subject has entered into with the business, or because the data subject has asked for something to be done so they can enter into a contract with the business.
Legal obligation – processing is necessary because of a legal obligation that applies to the business (except an obligation imposed by a contract).
Legitimate interests – processing is necessary for the businesses’ legitimate interest or those of a third party to whom the personal data is disclosed, except where such interests are overridden by the interests, rights or freedoms of the data subject. With reference to User Data that we have obtained through cookies on our website or other online services for the purposes of maintaining our website, ensuring relevant content is provided to you, ensuring the security of our website, backups and/or databases and to enable publication and administration of our website, other online services, and information, the processing is necessary for the purposes of our legitimate interests which in this case are to enable us to properly manage our website and our business. With reference to Technical Data (which includes data about your use of our website and online services such as your IP address, your login data, details about your browser, length of visit to pages on our website, page views and navigation, details about the number of times you visit or use our website, time zone settings and other technology on the devices you use to access our website). We process this data to analyse your use of our website and other online services, to manage and protect our business, website, and interests, to deliver relevant content to you and to understand the effectiveness of any marketing or strategy. Where the processing of personal data is based on Article 6(1) lit. Our legitimate interest is to carry out our business in favor of the well-being of all our employees and stakeholders.
How we collect your data:
We may receive data from third parties such as Google analytics based outside the EU, advertising networks such as Facebook based outside the EU, search engine information providers such as Google based outside the EU, providers of technical, payment and delivery services, fraud detection agencies and data brokers or aggregators. We may also receive data from publicly available records or sources such as Companies House and the Electoral Register based inside the EU.
How long we retain your data:
We review our retention periods for personal information on a regular basis, we are legally required to hold some types of information to fulfil our statutory obligations. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any enquiries, transactions or agreements. When deciding what the correct time is to keep the data for we look at its amount, nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes, if these can be achieved by other means and legal requirements. For tax purposes, the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers. In some circumstances, we may anonymise your personal data for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
If you leave a comment on our website, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue. For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username unless you ask and we do this for you). Website administrators can also see and edit that information.
What rights you have over your data:
Under data protection laws you have rights in relation to your personal data that include the right to request access, correction, erasure, restriction, transfer, to object to processing, to the portability of data and (where the lawful ground of processing is consent) to withdraw consent.
You can see more about these rights at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights
The accuracy of your information is important to us. We’re working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change email address or any of the other information we hold is inaccurate or out of date, please e-mail us at firstname.lastname@example.org
If you wish to exercise any of the rights set out above, please contact us. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive or refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who does not have a right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We will try to respond to all legitimate requests within 28 days. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you. If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would appreciate if you would contact us first so that we can try to resolve it for you.
If you have an account on this website, have left comments, or submitted enquiries to us by email you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we edit or erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, tax, or security purposes.
How we protect your data:
We have put various security measures in place to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. Our internal storage systems, cloud servers or devices are all password protected with restricted access for our staff only. We also allow access to your personal data only to those employees or authorities who have a need to know such data. They will only process your personal data on our instructions and they must keep it confidential. We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach if we are legally required to.
As a company, we have carried out a Privacy Impact Assessment and internal Audit. Our website follows HTTPS Protocol for secure communication over a computer network, the communication protocol is encrypted using Secure Sockets Layer or an (SSL certificate). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering of the communication. In practice, this provides a reasonable assurance that one is communicating without interference by attackers with the website that one intended to communicate with, as opposed to an impostor. Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems. HTTPS is, however, being used more often by web users than the original non-secure HTTP, primarily to protect page authenticity on all types of websites; secure accounts; and keep user communications, identity, and web browsing private. Our website also has another layer of security called Sitelock: SiteLock, the Global Leader in business website security solutions, is the only web security solution to offer complete, cloud-based website protection. Its 360-degree monitoring finds and fixes threats, prevents against hackers and future attacks, accelerates website performance and meets PCI compliance standards for businesses of all sizes. SiteLock protects over 12 million websites worldwide. Our website and database is also backed up on a daily basis.
Disclosure or transfer of your personal data:
We may have to share your personal data with the parties set out below:
Government or legal bodies that require us to report processing activities or otherwise disclose your personal data. Market researchers and fraud prevention agencies. Visitor comments may also be checked through an automated spam detection service. Third parties to whom we sell, transfer, or merge parts of our business or our assets (assignment clause). We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We would only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.
This can involve the transferring your data outside the European Economic Area (EEA). We are subject to the provisions of the General Data Protection Regulations that protect your personal data. Where if we transfer your data to third parties outside of the EEA, we will ensure that certain safeguards are in place to ensure a similar degree of security for your personal data. As such: We may transfer your personal data to countries that the European Commission have approved as providing an adequate level of protection for personal data by; or If we use US-based providers that are part of EU-US Privacy Shield, we may transfer data to them, as they have equivalent safeguards in place; or Where we use certain service providers who are established outside of the EEA, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe. If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time. European data protection law requires data about European residents which is transferred outside the European Union to be safeguarded to the same standards as if the data was in Europe.
Our third party suppliers such as web/email hosting providers process our website data on our behalf as part of the services they provide us with. They, as our data processors do have access to our website and can therefore see any accounts set up and the information they contain on our website. They do not however, have access to your or our data through any other means and apply the strictest code of conduct themselves in terms of data protection, only we have direct access to our emails and communications which are all password protected.
What data breach procedures we have in place:
The GDPR has introduced a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. We must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay. We have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals.
We must also keep a record of any personal data breaches, regardless of whether we are required to notify.
We know how to recognise a personal data breach.
We understand that a personal data breach isn’t only about loss or theft of personal data.
We have prepared a response plan for addressing any personal data breaches that occur.
We have allocated responsibility for managing breaches to a dedicated person or team.
Our staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.
What third parties we receive data from:
Our website does not receive data about users from any third parties, including advertisers.
What automated decision making and/or profiling we do with user data:
Our website does not include any automated decision making.
The Cookies We Set
Strictly Necessary Cookies:
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
Account related cookies:
Login related cookies:
Forms related cookies:
When you submit data to through a form such as those found on contact pages or blog posts, cookies may be set to remember your user details for future correspondence.
Site preferences cookies:
In order to provide you with a great experience on this site, we provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences, we need to set cookies so that this information can be called whenever you interact with a page is affected by your preferences.
Third Party or non-essential Cookies:
This site uses Google Analytics which is one of the most widespread and trusted analytics solutions on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content.
For more information on Google Analytics cookies, see the official Google Analytics page. https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
From time to time we might test new features and make subtle changes to the way that the site is presented. When we are still testing new features these cookies may be used to ensure that you receive a consistent experience whilst on the site, ensuring that we understand which optimisations our users appreciate the most.
We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work the following social media sites including some or all of the following; Facebook, Linkedin, Instagram & Youtube, will set cookies through our site which may be used to enhance your profile on their site or contribute to the data they hold for various purposes outlined in their respective privacy policies.
If you leave a comment on our site you may opt-in to save your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser. When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed. If you edit, comment on or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content or links to other websites:
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practises of the owners and operators of that third party site and recommend that you check the policy of that third party site.
Who in our team has access to your data:
Only members of our team have access to your information or data. For example, website administrators, cloud hosting/email suppliers, staff including the owner can access: Enquiry or contact forms, customer information like your name, email address, address etc. We as a company/brand have access to this information to help fulfil enquiries or provide services. We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.
The legal information contained in this policy was sourced and compiled to the best of our knowledge. We reserve the right to change or update this policy but can confirm that the information supplied is accurate as of the 25/05/2018.