Privacy Notice

Introduction

Under data protection law, individuals have a right to be informed about how companies and organisations use any personal data that we hold about them. We comply with this right by providing privacy notices to individuals where we are processing their personal data. This privacy notice explains how we collect and use personal data about our customers in line with the requirements of UK GDPR (United Kingdom General Data Protection Regulation). We will also explain what rights you have with regards to your personal data and how you can exercise those rights. We may change our privacy notice so please check this page from time to time, as your continued use of our website and services indicates your acceptance of any changed terms that may have occurred during the interim. 

You can find details on specific areas of our privacy policy in the sections below:

1. Who we are
2. Key Contact
3. The categories of personal data that we collect, process, hold & share
4. How is your personal information collected?
5. Lawful basis for processing
6. Special Category Data
7. How does this work in practice?
8. How we may disclose personal information
9. International Transfers
10. Storage, Retention & Disposal
11. Your rights
12. Complaints

1. Who we are

Giftaboo Ltd (Company No. 13662721) is a private limited company that provides children’s subscription boxes designed to capture the fun and excitement of board games. 

2. Key Contact

Please read this notice carefully. In the event that you have any questions or concerns regarding the processing of your data you can contact:

Data Protection Officer 
Email: [email protected]

3. The categories of personal data that we collect, process, hold & share

We collect information from you for one or more of the following purposes:

To enter into a contract for the sale of our children’s subscription boxes or store purchases
To ensure that we can tailor the subscription boxes to your child's preferences
To ensure that purchases are delivered to the correct customer addresses
To effectively communicate with customers on the progress of their orders
To provide our customers with a newsletter (if requested)
To manage compliments and complaints
To comply with the law regarding data sharing

4. How is your personal information collected?

Giftaboo Ltd collects the majority of your personal data directly from customers via our website (www.giftaboo.co.uk). If a customer sends a postal communication to our written address we will also record the details required to respond to that communication.

5. Lawful basis for processing

When processing your personal data we will rely on one of the following grounds as set out in Article 6 of UK GDPR:

a. Contract: This is the main lawful basis used for processing personal data as the processing is necessary for the contract that we have with our customers, or because we have been asked to take specific steps before entering into a contract.

b. Legal Obligation: We also record some details to comply with our legal obligations on data sharing or for tax purposes.

c Consent: There will be occasions when we seek your consent to process particular types of data. Generally this will only be for marketing purposes such as providing our newsletter.

Where we have obtained consent to use personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.

d. Legitimate Interests: The processing is necessary for our legitimate interests. We rely on this basis to process your children’s data which allows us to tailor our subscription boxes to their preferences. We would also rely on this lawful basis for processing queries from customers or suppliers that are not in respect of specific steps which may lead to a contract being entered into.

Some of the reasons listed above for collecting and using your personal data overlap, and there may be several grounds which justify the Trust’s use of your data.

6. Special Category Data

Under UK GDPR there are certain types of data that are recognised as needing greater protection due to its sensitive nature. We do not process any types of special category data such as racial or ethnic origin, religious or philosophical beliefs, biometric data and data concerning health. 

7. How does this work in practice?

To assist with your understanding of how this all works in practice we have prepared a table below:

The data being processed
Our lawful basis
What else we need to tell you
Customer email address, name and postal address

Contract

These details are required to be able to process orders. Giftaboo Ltd uses Stripe Ltd to process our online orders and we do not retain any of your payment details. Email address and name of customer (for marketing purposes)

Consent 

If a customer “opts-in” to receive our company newsletter we will send this via email until notified otherwise.
Child’s name, age, likes and favourite games

Legitimate Interests

We need this information to be able to tailor our subscription boxes to your child’s preferences and make sure they get the most out of the service.

8. How we may share personal information 

We sometimes need to share the personal information we process with the individual themselves, and also with other organisations. Where this is necessary we are required to comply with all aspects of the UK GDPR. What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.  

Where necessary or required we share information with:

Delivery companies and couriers such as Royal Mail Group Ltd
Payment processing companies. Giftaboo Ltd currently processes online payments through Stripe Ltd
Police forces, prison and probation services, courts and tribunals

We do not share information about our customers with any third party unless the law and our policies allow us to do so.

Giftaboo Ltd reserves the right to use or disclose any personal information as needed to satisfy any law, regulation or legal request, to fulfil your requests, or to cooperate in any law enforcement investigation or an investigation on a matter of public safety. 

9. International Transfers
Giftaboo Ltd does not transfer data outside of the United Kingdom.

10. Storage, Retention & Disposal

Giftaboo Ltd will only store the minimum amount of personal data necessary to provide our services to you. Your data will be stored securely and will be subject to access controls.

Personal data will only be retained for as long as necessary. These periods vary depending upon the type of data. 

All data will be disposed of in a secure and confidential manner. All electronic and physical data will be disposed of in such a manner that it cannot be reconstituted by any third party.

11. Your rights

Under the United Kingdom General Data Protection Regulation 2018, you have the following rights: 

The right to be informed
As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy policy and any related communications we may send you.

The right to rectification
When you believe we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.

The right to erasure
Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.. This is also known as ‘the right to be forgotten’.

The right to access
You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requester, we will provide access to the personal data we hold about you as well as the following information:

1. The purposes of the processing
2. The categories of personal data concerned
3. The recipients to whom the personal data has been disclosed
4. The retention period or envisioned retention period for that personal data
5. When personal data has been collected from a third party, the source of the personal data

If there are exceptional circumstances that mean we can refuse to provide the information, we will explain the same. If requests are malicious or manifestly unfounded we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.  

The right to restrict processing
You may ask us to stop processing your personal data. We will still hold the data, but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing:

1. The accuracy of the personal data is contested.
2. Processing of the personal data is unlawful.
3. We no longer need the personal data for processing but the personal data is required for part of a legal process.
4. The right to object has been exercised and processing is restricted pending a decision on the status of the processing.

  The right to data portability
You may request your set of personal data be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation

The right to object
The right to object to us processing certain types of information when:

1. Processing is based on legitimate interest;
2. Processing is for the purpose of direct marketing;
3. Processing is for the purposes of scientific or historical research; or
4. Processing involves automated decision-making and profiling.

The Information Commissioner’s Office provides more information about these rights.

  If you would like to contact us about any of these rights, please email us at [email protected] or write to us at:

3 Wellfield Court, Royston, Barnsley. S71 4QN

We will respond to you within 30 days of receiving your request and you will not be charged for this service. 

12. Complaints

Should you wish to discuss a complaint, please feel free to contact us using the details provided above. All complaints will be treated in a confidential manner.

Should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority. For the UK, this is the ICO (Information Commissioner’s Office), which is also our lead supervisory authority. The ICO’s contact information can be found at https://ico.org.uk/global/contact-us/.