Hello, I am Sune Nightingale and I am the Data Protection Officer for Boilerstoves. Boilerstoves is a Stovesonline website. Stovesonline is a Data Controller (registered with the ICO, registration number Z267172X). In order to provide you with the high quality service we aim for, we have to store and use information about you. This page summarises how we deal with your personal information. Our general stance is that we use your information to provide a great service and that's where it ends. We do not pass that information on to others outside of the context of providing our service to you. I have tried to keep this summary understandable and friendly. If you feel it would be helpful for me to cover additional topics then do just drop us a line at email@example.com; input is welcomed.
Under the EU GDPR (General Data Protection Regulation) personal information also falls under the category of Personally Identifiable Information (PII), which is basically information that can be used to identify you, for example your name, address and telephone number.
So how do we handle your Personal Information and PII?
When you contact us, request a quote or place an order with us we store your name, address, delivery address and contact details in our database. Emails you send to us also represent a store of your information. We store this information so that we can deal quickly and efficiently with your request. There is security in place to stop unauthorised access to this information and we have an archiving policy in place too.
Update, View, Remove your information
We are of course happy to remove (also known as the 'right to be forgotten') or update your personal information in our records on request – in fact, just to be clear, that is your right. Just contact us via firstname.lastname@example.org and we will help to facilitate that. What I will say though is that where you have placed an order with us we will all need to think carefully about any bad consequences of removing your data. For example you would not want to invalidate a warranty by trying to force us to remove all details of a sale – and neither could we always do that because HMRC says we have to retain invoices for at least 8 years. In essence we will do whatever we can to help and any motive for retaining data is just to ensure good service to you – we are not doing anything with it for business gain in the meantime.
We work hard to keep our websites, our systems and your data secure. Our website is fully SSL which means that you can see the little padlock symbol popping up in the address bar. That means that the communication back and forth between you and our website is encrypted and secure. I am not going to detail exactly how else we keep things secure – that would be a security risk in itself! Suffice to say that we take security seriously at every step of the way.
In the database if you go no further than contacting us then we get rid of your details after a year. If you do place an order with us then we do need to keep most information because we need to know what we sold to you, especially if there is a product recall or similar (touch wood I can't really remember any of those), and we need to store up invoices for at least 8 years, but the motivation for keeping the information is to provide a better service, not to do anything else with it in the meantime. Emails are kept for a year, then deleted.
What we don't do
- We do not store Sensitive Information like your card details.
- We do not try to cross reference your information with information about you from other sources.
- We do not sneakily pass your personal information on to 3rd parties. Do NOT expect cold calls or cold emails from anyone as a result of dealing with us.
- We do not add you to our mailing lists without your clear consent – we do not hide this so you don't quite notice it, we do not add you just because you have ordered from us.
- We do not send you marketing post by snail mail.
- We do not 'mine' your data – for example we do not process it to try to find out who in our database is wealthy and that we should therefore contact (like some charities got slapped on the wrist for).
- We sometimes use Facebook advertising, but we do not track this on our website – i.e. there is no chance of Facebook cross referencing the information they have about you with the fact that you have visited our website. We have removed from our sites what is called the "Facebook Pixel".
Third parties we do use
We use Pay360 as our card transaction provider. They run a tight ship with rock solid security in place – and it should be, because card transactions are the thing they are experts at, leaving us free to be stove experts. Pay360 will store personal information about you and the transaction to log what has happened and to enable us to refund money back to your card. We never store your card details and have no access to them via Pay360. So if you need to place an additional order then it should reassure you that you now know why we will ask for the card details again. Pay360 are GDPR and PCI DSS compliant.
We use Google Analytics to see website user stats, graphs, trends, that sort of thing. This information is not PII. We have ensured that the only bit of data which we pass to Google which could even vaguely identify you, which is your IP address, is encrypted so that they cannot use it to identify you. Our analytics data is deleted/archived every 26 months. Google is GDPR compliant.
We use Google AdWords – the adverts you see on Google and across some other websites. On our site we use an AdWords tracker. Basically this tells us if you came to our site from one of those adverts so we can start to tell if the advert is working, or if we are wasting our money! Before we turn on that AdWords tracker we ask for your consent. If you don't give it then we do not turn it on. Simple. Google is GDPR compliant.
We use PCA Predict by Loqate to provide accurate and handy postcode address lookups. The only bit of your information that we pass to them is the postcode used for the lookup. This saves us all time and keeps addresses more correct – which means your order is more likely to arrive in the right place. PCA Predict is GDPR compliant.
Deliveries and our suppliers - if you place an order with us then we of course need to provide our couriers and delivery companies with your address and contact details and if part of your order is fulfilled direct from one of our suppliers (if for example your stove is coming straight from the manufacturer) then of course they will also need your details to go ahead with the order.