Cotterell & Co - Our Privacy Policy

At Cotterell & Co, we understand that privacy is very important to our customers. We respect your privacy and handle all your personal data in line with the latest data protection laws. We take the utmost care to protect your personal data and we will never sell on your details. Our full privacy policy is below which should cover everything you need to know. For data access requests or queries on this policy, please contact our Data Protection Officer (see section 10).

  1. Our Company Information

Our business name is Cotterell Light Centres Limited trading as “Cotterell & Co”.
Cotterell Light Centres Limited is a registered company in Scotland under the reference SC192594.
The company VAT Number is GB 743 111 374.

Registered address: 89 Seaward Street, Glasgow, G41 1HJ.
Trading addresses:

  • 28/30 Carnoustie Place, Glasgow, G5 8PH.
  • 122 Causewayside, Edinburgh, EH9 1PU.
  • 9 Chollerton Drive, Newcastle, NE12 9SZ.

  2. About this policy

This Privacy Policy explains how we use your personal data:

  • how we collect, store and process your data.
  • who we share your data with and the reasons why we do so.
  • how long we retain your data and the reasons for this.

This policy also explains your rights in relation to your personal data.

  3. What is Personal Data?

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. In general, personal data covers any information about you that enables you to be identified.

  4. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • “the right to be informed” which is the primary purpose of this policy.
  • “the right to access” the personal data we hold about you.
  • “the right to rectification”, to correct any inaccurate or incomplete data we hold on you.
  • “the right to erase” your personal data or “the right to be forgotten”.
  • “the right to restrict processing” of your personal data for a specific purpose or purposes.
  • “the right to data portability”, to request that certain personal data, collected under contract or consent, is copied to another service or business.
  • “rights relating to automated decision-making and profiling”. We do not use your personal data in this way.
  • “the right to object” to the collection, holding, processing of your personal data.

Further information about your rights can also be obtained from the Information Commissioner’s Office (ICO). You can also contact the ICO to lodge a complaint. 

  5. The personal data that we collect

We may collect some or all of the following personal data:

  • Contact Information such as your name, address, email and phone number.
  • Business details such as business name, job title, address, email, phone, VAT & company numbers.
  • Payment information such as credit card details, PayPal account details or bank details.
  • Order and enquiry history.
  • “Device information”, collected automatically through our websites and mailing lists using technologies such as cookies, log files, beacons, tags and pixels. (More information is listed in section 11.)

We do not collect or hold any sensitive information. In most cases we only collect personal data directly from our customers, however in some cases we may supplement this with publicly available information.

  6. How we use your personal data

All data collected is processed in line with the GDPR requirement for “a lawful basis for using personal data”. The six lawful bases for personal data are: consent, legitimate interests, performance of a contract, legal obligation, vital interests and public task.
 
Under the legal basis of “legitimate interest”, to provide you with the best possible sales & service, your personal data may be used for one or more of the following purposes:

  • Performance of a contract of sale, including: processing, confirming, fulfilling, shipping and invoicing.
  • To communicate with you (following your initiation of contact).
  • Screen orders for potential risk of fraud.

With your prior consent (verbal or by electronic opt-in), we may use your personal data for:

  • Electronic newsletters and digital marketing material.
  • Contacting you by telephone or post with marketing information.
  • Your consent for this can be withdrawn at any time.

Additionally, we may need to process your information for contractual obligations and, where the law requires us to, collect, process and/or disclose your personal data.

  7. How long we store your personal data

We only store your personal data for as long as we deem necessary. The reasons we store your data include:

  • Fulfilling our contracts of sale and providing accurate, satisfactory after sale service.
  • Sales/Tax requirements including credit/debit card transactions and VAT details.
  • Regulatory requirements including our Health & Safety responsibilities.
  • Continuing to provide you with marketing material, where you have opted in to do so.

To fulfil our responsibilities as listed above, especially in respect to our health and safety obligations, we will store all sales data for a minimum of 10 years. If you have provided your consent to receive marketing materials, we will continue to store your data until consent is withdrawn. We will offer ways to easily withdraw consent in digital marketing material wherever possible.

  8. How we store and transfer your data

We store your personal data using the following methods:

  • Manual records are kept for:
    • Credit Card Receipts
    • Order, Collection & Approval Forms
    • Delivery & Return Notes
    • Quotation & Enquiry Forms
    • Temporary notations (which are destroyed after their use)

We have various methods in place to ensure the security of our manual records. All manually stored data is housed in our secure offices and warehouses. All manual data is disposed of by shredding to protect personal data.

  • In the following IT systems:
    • Electronic Point of Sale (EPOS)
    • Internal PC networks
    • Cloud based file storage systems
    • Email servers
    • Stock management system
    • eCommerce websites
    • 3rd Party Marketplaces
    • Courier shipping systems

We regularly review our electronic security to ensure we protect all personal data. Where we use systems provided to us by a 3rd party, we review their security and policies to ensure the security of data stored. The data we share with external 3rd parties is detailed in section 9. We take steps to ensure all personal data shared is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law. We do not share any of your personal data outside of the EEA.

  9. How and why we share your data

We will never sell your personal information or use your information for purposes other than those outlined below.

Exclusively for the purpose listed, we contract with the following third parties to complete our contracts of sale:

  • Payment Processing; SagePay, PayPal, Elavon & Shopify
  • In-Store Order processing; Cybertill
  • Website order processing; Shopify, Marketspan, Mandrill, Linnworks & xSellco
  • Order shipping; Royal Mail, DPD, UK Mail, Parcelforce and other fulfilment partners
  • 3rd party marketplaces; Amazon, eBay & Houzz
  • Digital Advertising; Google, Facebook, Bing, Mailchimp (Opt-outs are available in section 12).

In some circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

  10. How to contact us and access your personal data

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

All subject access requests should be made in writing and sent to the email or postal addresses below. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible. There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please email dpo@cotterellandco.com or write to: FAO Data Protection Officer, Cotterell Light Centres Limited, 122 Causewayside, Edinburgh, EH9 1PU.

  11. How we collect additional data on our websites

When you visit our websites, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to our sites, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”. Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser.

We collect Device Information using the following technologies:

  • “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
  • “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
  • “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse our sites.

We use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works visit the NAI: http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.

You can opt out of targeted advertising by using the links below:

  1. Updates to this policy

We may update this privacy policy from time to time to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. Any changes will be made available on our websites and from our stores.