Data protection is a matter of trust and we would like to give you the assurance that your data is in good hands with us. The protection and legally compliant collection, processing and use of your data is an important concern for us. This policy explains how your personal information is collected, used and disclosed by Seasonal Sangha Limited. It also tells you how you can access and update your personal information, which in turn allows you to make certain choices about the use of your personal information.
Who is responsible for www.seasonalsangha.com?
The company responsible within the meaning of the European General Data Protection Regulation (GDPR) and the UK’s Data Protection Act (DPA) for data processing is:
Seasonal Sangha Limited
Bishops Cottage, The Batch,
Priddy, Wells, BA5 3BD,
Company Number 13510463
Referred to in the following as “we”, “us” or “Seasonal Sangha”.
You can reach us at firstname.lastname@example.org or at our above-mentioned postal address or by using our Contact Form.
When you use our website
Each time you visit www.seasonalsangha.com, we collect the technical access data that your browser automatically transmits to our server in the course of page requests. The access data includes the following information in particular:
- Date and time of access;
- Address of the pages called up and the requesting pages;
- Content of the request (addresses and names of the requested files);
- Information on the browser or app used and the operating system (versions, language settings);
- Online identifiers (e.g. IP address, device identifiers, session IDs);
- Error messages, if applicable (if the requested content cannot be displayed); and
- the page you previously visited from which you accessed a page of www.seasonalsangha.com via a link.
During your visit, your access data is automatically stored in the server log files of our server and then anonymised by shortening or deleting your IP address. It is then no longer possible to draw any direct conclusions about you on the basis of the server log files.
In addition, during your visit to www.seasonalsangha.com, we record information that you actively provide to us by using the functions provided. For example, we find out which products you are interested in when you save an item to your wish list or use the search function.
When you register for a Seasonal Sangha customer account
In order to shop in our Seasonal Sangha Online Shop or sign up for a Sangha Membership, you need a personal Seasonal Sangha customer account.
If you register for a Seasonal Sangha customer account, we will set up password-protected direct access to your master data stored with us (e.g. name, address, phone number, e-mail address, payment data, order data, ordered products, and other details, e.g. which type of membership you have purchased, whether The Seed, The Bloom, or Life Time). The mandatory details required for registration are usually marked separately, e.g. with an asterisk (“*”). In the case of voluntary information, we indicate why we are requesting this information. In addition, for security reasons, we temporarily store the IP address used by you during registration.
Registering in our Seasonal Sangha Online Shop makes it easier for you to shop with us in the future and provides you with a personalised and simple shopping experience. For example, your address and payment methods will be preselected for your next order. The customer account also allows us to store your data (e.g. order data and lists of the products you have previously purchased).
You can delete your Seasonal Sangha customer account and the data stored in it at any time. To do so, simply send us an informal message, e.g. by e-mail to email@example.com or use our contact form. Please note: The deletion of your customer account does not automatically extend to the order transactions and the personal data stored for them.
When you order something
We record which products you order. We also store data that is directly related to the processing of your orders. Order data includes in particular:
- Details of the products ordered, such as item numbers and size.
- E-mail address
- Invoice and delivery address
- Payment data
- Order numbers
If you have made a purchase of goods and services from us, we are entitled to send you information about our own similar goods and services via the e-mail address sent when you made the purchase. You can object to this use of your e-mail address at any time.
When you contact us
If you contact us via the contact form on our web site, by e-mail, by phone or by any other means, we will collect the communication data that arises in the process. Depending on which channel you use to contact us, this may include, for example, your contact details (such as your email address or phone number) and the content of your message to us. We only record phone conversations with Seasonal Sangha Customer Service if you have expressly consented to this (e.g. for training or quality purposes).
If you subscribe to the Seasonal Sangha newsletter
Insofar as you have registered for the Seasonal Sangha newsletter, we store the data you have provided for this purpose for the purpose of compiling and sending the newsletter.
The newsletter is sent by e-mail. You will only receive the newsletter after registering for the newsletter. In order to meet the requirements of the GDPR and the DPA, we use the so-called DOI procedure (“double opt-in”). If you register for our newsletter, you will receive a confirmation e-mail to the electronic mailbox named by you in the input field. This e-mail contains a confirmation link which you must click on. Only after completing this step have you successfully registered for the newsletter. To carry out the procedure, the IP address, date and time of registration are stored. This is to prevent misuse. The data is passed on to our dispatch service provider in order to deliver the newsletter to you.
The legal basis for data processing is your consent. Existing customers who have not given explicit consent may receive newsletters from us. Our legitimate interest is to inform our existing customers about our products through promotional e-mails and thus to maintain contact with these customers. We will only process your data for as long as is necessary to fulfil the purpose for which it was collected and for as long as there are no legal or official retention obligations that prevent us from deleting it.
Our newsletters are sent via the dispatch service provider MailChimp. The data processing is carried out by The Rocket Science Group LLC. The e-mail addresses of our newsletter recipients, as well as their other data described in these notes, are stored on MailChimp’s servers. MailChimp uses this information to send and evaluate the newsletter on our behalf. MailChimp does not use the data of our newsletter recipients and does not pass them on to third parties. The newsletters contain a so-called “tracking pixel”, i.e. a pixel-sized file that is retrieved from the MailChimp server when the newsletter is opened. In the course of this retrieval, information such as information about your system, your IP address and the time of the retrieval is collected. The statistical surveys also include the determination of whether the newsletters are opened, how often they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients, but it is neither our nor MailChimp’s intention to observe individual users.
Your personal data will be stored until you unsubscribe from the newsletter and, after unsubscribing from the newsletter distribution list, may be stored in a blacklist to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. The data will be permanently deleted if you submit a deletion request to us. For this purpose, please contact our data protection officer.
You have the possibility to revoke your consent at any time. To do so, please contact us. If you have any questions regarding data security at MailChimp, you must contact MailChimp.
Blog and Profile Data
Within the Blog you may be able to display certain personal information, share certain details, engage with others, exchange knowledge and insights, and post and view relevant comments. Comments and data are publicly viewable. You have choices about the information in your comments. You don’t have to provide additional information in your comments; however, profile information helps you to get more from our Services. It’s your choice whether to include sensitive information in your comments and to make that sensitive information public. Please do not post or add personal data in your comments that you would not want to be available.
For what purposes does Seasonal Sangha use my data?
When you visit www.seasonalsangha.com, we process the access data, server log files and cookies that arise in the process in order to provide you with the content and functions you have called up and to ensure the stability and security of our IT systems and databases.
If you use www.seasonalsangha.com with your Seasonal Sangha customer account, the legal basis is the performance of contract and/or pre-contractual measures.
If you use www.seasonalsangha.com without logging in, the legal basis is our legitimate interest.
We process your data for the performance of contracts concluded with you and for the provision of services at your request. The purposes are primarily based on the specific content of the contract or the purpose of the services you have requested. The legal basis for this data processing is the performance of contract and/or pre-contractual measures.
Customer service and communication in the context of existing customer relationships
We process your data to carry out our customer service. This includes, for example:
- Processing of your concerns and enquiries
- Non-commercial communication with you
The legal basis for this data processing is the performance of contract and/or pre-contractual measures.
Our payment service provider for payments by credit card is Stripe, 510 Townsend Street San Francisco, CA 94103 United States. So that you do not have to re-enter your card details each time you make a purchase by credit card, your cards are stored in encrypted form for 36 months on our behalf by Stripe. The legal basis for this is our legitimate interest in making future purchases easier for you. For this purpose, Stripe provides us with an individual pseudo card number for your deposited credit card for each credit card you use, which only takes the last 3 digits of your real credit card number. This enables us to offer you payment with your last credit card used during the next payment process by entering the last 3 digits of your real card number without saving your real credit card data or having to transfer them to us again from Stripe during the payment process. You then only have to enter the check digit which is transmitted to Stripe. This procedure increases the protection of your credit card data, which can remain under lock and key at Stripe during the entire process. This fulfils the requirements of the cross-industry regulatory standards in payment transactions (PCI-DSS regulations). If you then select the credit card for payment, we only transmit the pseudo card number and the check digit in encrypted form to Stripe and Stripe then recognises which credit card number stored in the system is to be charged on the basis of the pseudo card number.
If you decide to pay by credit card in the check-out process, a two-stage risk or authentication check is carried out by your credit card company. For this purpose, the following data will be transmitted to the credit card company in a first step:
- Your name (title, first name, surname)
- your address
- If you have a different delivery address,
- Your e-mail address.
If the transmitted data show deviations that could indicate an increased risk, a second level of verification is carried out, in which an additional interaction of the cardholder is required (request for a second factor).
Stripe is commissioned as our processor for the technical control of payment transactions including the implementation of customer authentication. Further recipients are the banks involved: the card-issuing bank (the issuer) and our bank as the credit card-accepting bank (the acquirer).
The data is transferred for the following purposes and is based on the following legal grounds:
a) Execution of the contract
b) Obligation for customer authentication
c) Prevention of card misuse
Internal market research, optimisation and further development of our offer and service
We use your access data and the data you provide (e.g. master data, order data, returns data) for internal statistical and market research purposes. Before doing so, we pseudonymise or anonymise your data, e.g. by replacing your name and other data suitable for identification by random data.
This allows us to determine, for example, which pages and products of our shop are particularly popular, which devices our customers generally use or from which regions our website is accessed. This information helps us to continuously optimise our existing offer and to develop new functions and services.
The legal basis for this data processing is our legitimate interest. Insofar as you have consented to us processing your data for certain purposes, the legal basis is your consent.
For marketing purposes, our websites use so-called conversion and retargeting tags (also “Facebook pixel”) of the social network Facebook, a service of Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (“Facebook”). We use the Facebook pixel to analyse the general use of our websites and to track the effectiveness of Facebook advertising (“conversion”). In addition, we use the Facebook pixel to show you individualised advertising messages based on your interest in our products (“retargeting”). For this purpose, Facebook processes data that the service collects via cookies and similar technologies on our websites.
The data collected in this context may be transferred by Facebook to a server in the USA for analysis and stored there. In the event that personal data is transferred to the USA, Facebook has submitted to the controller-to-controller standard contractual clauses.
If you are a Facebook member and have allowed Facebook to do so via your account privacy settings, Facebook may also link the information collected about your visit to us to your member account and use it to target Facebook ads. You can view and change the privacy settings of your Facebook profile at any time.
Sharing your Data
In principle, we only pass on your data if:
- you have given your express consent;
- the disclosure is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest in not having your data disclosed;
- we are legally obliged to disclose your data;
- the disclosure is legally permissible and necessary for the performance of contractual relationships with you; or for the performance of pre-contractual measures taken at your request.
If we pass on data to our service providers, they may only use the data to fulfil their tasks. Processing of your data by the commissioned service providers takes place within the framework of commissioned processing in accordance with the GDPR and the DPA. These service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions and have suitable technical and organisational measures in place to protect the rights of the data subjects.
How long will my data be stored?
In all other cases, we delete your personal data with the exception of such data that we must continue to hold in order to comply with statutory retention periods. However, in these cases we will restrict processing, i.e. your data will only be used to comply with legal obligations.
If you cancel or delete your Seasonal Sangha customer account, we will delete all data stored about you there. If complete deletion of your data is not possible or not necessary for legal reasons, the data in question will be restricted for further processing. As a rule, your order and payment data and, if applicable, further data are subject to statutory retention obligations. We are therefore obliged to retain this data for up to six years.
Even if your data is not subject to a statutory retention obligation, we may refrain from deleting it in cases permitted by law and instead block it. This applies in particular in cases where we may still need the data in question for the further processing of the contract or for legal prosecution or legal defence. In this respect, the statutory limitation periods are decisive for the duration of the blocking.
You have a number of ‘Data Subject Rights’. Below is some information on what they are and how you can exercise them. There is more information on each right on the Information Commissioner’s Office (ICO) website and you can simply follow the links provided to learn more.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Where the processing of your personal information is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us.
The above rights may be limited in some circumstances, for example, if fulfilling your request would reveal personal information about another person, if you ask us to delete information which we are required to have by law, or if we have compelling legitimate interests to keep it. We will let you know if that is the case and will then only use your information for these purposes. You may also be unable to continue using our services if you want us to stop processing your personal information.
We encourage you to get in touch if you have any concerns with how we collect or use your personal information. You do, however, also have the right to lodge a complaint directly with the ICO; their contact details can be found on their website.
Please direct all requests for information or objections to data processing to us.
We maintain appropriate technical measures to ensure data security, in particular to protect your data from risks during data transmissions and from unauthorised access by third parties. These measures are adapted to the current state of the art. To secure the personal data you enter on our website, we use Transport Layer Security (TLS), which encrypts the information you enter.
No automated decision-making
We do not use automated decision-making including profiling.
Social Media Sharing
Our website contains links to social networks such as Facebook, Instagram and YouTube. When you access the parts of our website that contain such links, no personal data is transmitted to the operators of these social networks. Only when you click on the link and thereby visit the social network in question does the operator of the visited network receive personal data relating to you. For more information about the data processing that takes place when you visit a social network and the person responsible for this, please refer to the web site of the respective social network and the above linked Privacy Policies.
Data processing via our online presence in social networks
We maintain online presences in various social networks, currently Facebook, Instagram and YouTube. With regard to the data processing that takes place on the occasion of visiting these online presences, the respective operator of the social network and we may be joint controllers.
Our website contains links to these social networks, which are clearly marked by the respective logo. When you call up the parts of our website that contain such links, no personal data is transmitted to the operators of these social networks. Only when you click on the link and thereby visit the social network in question does the operator of the visited network receive personal data relating to you. For more information about the data processing that takes place when you visit a social network and the person responsible for this, please refer to the web site of the respective social network and the above linked Privacy Policies.
The processing of your personal data on the occasion of your visit to our online presences is based on our legitimate interests in effective user information and communication with users. We would like to point out that data processing will take place outside the UK or the EEA, namely in particular on servers located in the USA. This may result in risks for users because, for example, it could make it more difficult to enforce users’ rights.
With regard to requests for information and the assertion of other data subject rights, we point out that these should be asserted directly with the operators if possible. Only the operators have access to their users’ data and can provide information directly and take appropriate measures.
Do Not Track
Do Not Track is a privacy preference you can set in most browsers. We support Do Not Track because we believe that you should have genuine control over how your info gets used and our site responds to Do Not Track requests.
Do Not Sell My Personal Information
We do not sell information that directly identifies you, like your name, address or phone records.
From time to time we may use the personal information we collect from you to identify particular product offers which we believe may be of interest to you. We may contact you to let you know about these products and services and how they may benefit you.
You may give us your consent in a number of ways including by selecting a box on a form where we seek your permission to send you marketing information, or sometimes your consent is implied from your interactions or relationship with us. Where your consent is implied, it is on the basis that you would have a reasonable expectation of receiving a marketing communication based on your interactions or relationship with us.
Direct Marketing from us generally takes the form of e-mail but may also include other less traditional or emerging channels. These forms of contact will be managed by Seasonal Sangha, or by our contracted service providers. Every directly addressed marketing form sent or made by us or on our behalf should include a means by which customers may unsubscribe from (or opt out of) receiving similar marketing in the future. You can ask us to remove or amend any previous consent you provided by contacting us.
Content Delivery Network
Databases or data sets that include Personal Data may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, Seasonal Sangha will notify all affected individuals whose Personal Data may have been compromised, and the notice will be accompanied by a description of action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible after the breach was discovered.
Confirmation of Confidentiality
All company employees must maintain the confidentiality of Personal Data as well as company proprietary data to which they may have access and understand that such Personal Data is to be restricted to only those with a business need to know. Employees with ongoing access to such data will sign acknowledgement reminders annually attesting to their understanding of this company requirement.