Privacy

My Expert Midwife Privacy Notice, DRAFT - June 2019

This Privacy Notice sets out how My Expert Midwife (known as a Data Controller) collects and uses your personal data.

When we refer to “we”, “us” “our” or “controller” in this Privacy Notice we mean My Expert Midwife.

Our Privacy Notice is structured in a way for you to easily find the specific details of what we do with your personal data, depending on which of our services you are using, for example buying one of our products, or signing up to our newsletter.

Part 1 of our Privacy Notice is information we must tell everyone regardless of the nature of our relationship with you. Parts 2 to 6 give information that is specific to your relationship with us

Part 1 – General Information

Part 2 – If you make a purchase from our website

Part 3 – If you make an enquiry about our products or service 

Part 4 – If you would just like to receive our newsletters and blogs

Part 5 – If you stock our products

Part 6 – If you are a supplier

 

PART 1 – GENERAL INFORMATION

Our contact details

My Expert Midwife is the data controller for the personal data we process about you.

You can contact us regarding the use of your personal data via one of the following ways: Email: advice@myexpertmidwife.com

Postal Address: Unit 4 Stoneacre, Grimbald Crag Close, Knaresborough HG4 8PJ

How we get your personal data

Most of the time we obtain personal data directly from you, for example when you purchase one of our products, or ask us a question about our products.

There are some occasions when we obtain personal data indirectly, for example buying in a contact details mailing list.

Your rights

Depending on the purpose and the legal basis we rely on for processing your personal data, there are various rights available to you. You can:

  • access the personal data we keep about you and be given specific information about the processing. This right always applies regardless of the processing activity we undertake.
  • ask us to rectify personal data we hold about you that you think is inaccurate. This right always applies regardless of the processing activity we undertake.
  • ask us to delete your personal data but only when specific circumstances apply.
  • ask us to restrict the processing of your personal data but only when specific circumstances apply.
  • object to the processing when we have relied on legitimate interest to undertake that processing activity and you believe we have infringed your rights.
  • transfer your personal data from us to another service provider or give it to you. This right only applies to personal data you have given to us and when the processing is based on your consent or contractual basis and the processing is automated.

To find out more about how to exercise your rights please refer to the guidance on the Information Commissioner’s Office website - https://ico.org.uk/your-data-matters/.

We do not undertake any solely automated decision-making, including profiling, about you.

You do not have to pay a fee to us to exercise any of your rights. However, if your request is manifestly unfounded or excessive we may either charge a reasonable fee or refuse the request.

We shall respond to valid requests within one month of receiving it.

If you wish to make a request, please contact advice@myexpertmidwife.com

How to make a complaint about us to the Information Commissioner’s Office

If you are not happy with how we are processing your personal data or you believe we have not dealt with one of your rights correctly you are entitled to make a complaint to the Information Commissioners Office (ICO). The ICO has several ways in which you can get in touch with them, including post, email, and online forms. For full details how to make a complaint please refer to their website - https://ico.org.uk/make-a-complaint/.

Sharing your information

We do not share, rent or sell your information with any third parties for the purposes of direct marketing.

When we need to use data processors who are third parties to provide any aspect of the service we provide to you we ensure we have appropriate contracts in place that are GDPR compliant. The data processor is not allowed to do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us, unless they are required to do so by law. They will hold it securely and retain it for the period we instruct.

Our data processors include:

  • Mailchimp – used to store your contact details and other information about you;
  • Microsoft Onedrive for Business – used to store My Expert Midwife business data which may include your personal data;
  • Shopify – Used to host our ecommerce store. Information that you enter when placing an order on our website is held by Shopify so that we can make sure you receive your order. Your information is also stored if you have chosen to receive newsletters via our stay updated page, or contacted us via the contact us page.
  • Flow Solutions UK – The fulfilment and packing service that we use, when you place an order through myexpertmidwife.co.uk. Flow Solutions access your data through the Shopify ecommerce site and use it to process your order only.
  • 2Flow Logistics Solutions – The fulfilment and packing service that we use, when you place an order through myexpertmidwife.ie. Flow Solutions access your data through the Shopify ecommerce site and use it to process your order only.
  • Freshdesk – When you contact us via email your information may be stored by Freshdesk, in order that we are able to respond to your enquiry.

Transferring personal data outside of the UK and EU

- We use the marketing platform Mailchimp to store your contact details and other personal data which allows us to undertake our marketing activities. Mailchimp is operated by The Rocket Science Group LLC, who are based in Georgia in the United States of America. All our data on the Mailchimp platform is therefore transferred and stored in the USA. We rely on the following exception in GDPR to undertake the transfer of personal data:

Adequacy decision in place (GDPR Article 45)

Mailchimp is registered under the EU-US Privacy Shield Framework. Their certificate can be viewed U.S. Department of Commerce’s Privacy Shield website  https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active

- We use Freshdesk to log and reply to support tickets, and within this system we store contact information and details on previous support issues. The data held in Freshdesk may be transferred and stored outside of the EEA. We rely on the following exception in GDPR to undertake the transfer of personal data:

Adequacy decision in place (GDPR Article 45)

Freshdesk is registered under the EU-US Privacy Shield Framework. Their certificate can be viewed U.S. Department of Commerce’s Privacy Shield website https://www.privacyshield.gov/participant?id=a2zt0000000GnbQAAS&status=Active

- We use Shopify to host our ecommerce shops, and store your contact details and personal data that allows us to carry out our contractual obligation to you, and send you the products that you have ordered. Your personal information is processed by Shopify’s Irish affiliate, Shopify International Ltd. As part of their service , your data may be transferred to other regions, including to Canada and the United States.

 Adequacy decision in place (GDPR Article 45)

Shopify is registered under the EU-US Privacy Shield Framework. Their certificate can be viewed U.S. Department of Commerce’s Privacy Shield website https://www.privacyshield.gov/participant?id=a2zt0000000TNSNAA4&status=Active

The EU Commission has made a partial finding of adequacy for Canada. This adequacy finding covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Visitors to our website

In operating our website, www.myexpertmidwife.co.uk and www.myexpertmidwife.ie we use a third-party service, Google Analytics, to collect and process standard internet log information about your visits to our website and the resources that you access, including, but not limited to, traffic data, location data, weblogs and other communication data all of which enables us to improve our services to you.  We are not able to identify anyone from this data.

To gather the standard internet log information we place cookies on your computer. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The cookies are downloaded to your computer automatically and stored on the hard drive of your computer. All computers have the ability to decline cookies.

We rely on the legitimate interests legal basis (GDPR Article 6(1)(f)) to allow us to place cookies on your computer. You always have the right to not have cookies placed on your computer and this can be done by activating the setting on your browser which enables you to decline the cookies. However, should you choose to decline cookies, you may be unable to access particular parts of our website.

Children’s information

We do not collect personal data directly from children.

Sensitive Information

We may receive sensitive information via email, onto Freshdesk, this is stored on Freshdesk

Links to other websites

Our website may provide links to websites of other organisations. Our Privacy Notice does not cover how those organisations process your personal data when you visit their website. We advise you to read their Privacy Notices.

Changes to our Privacy Notice

We keep our Privacy Notice under review to ensure it remains accurate and up to date. This Privacy Notice was last updated in June 2019.

PART 2 – IF YOU MAKE A PURCHASE FROM OUR WEBSITE

What personal data do we need?

We need to collect the following personal data from you:

  • Name (first and last name)
  • Postal address
  • Billing Address
  • Email address
  • Mobile number (Optional – Except for Ireland)

How do we get your personal data?

We gather your personal data directly from you when you place an order via www.myexpertmidwife.com / www.myexpertmidwife.ie

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to process your order and send the products that you have purchased to the order address.

Additionally, we would like to keep you informed of our new products and special offers. We also think that you would be interested in our informative blogs, and news.

The legal basis we rely on are:

Contractual obligation (GDPR Article 6(1)(b))

The order that you have placed with us is under contract or with a view to entering into a contract. We require certain information from you to enable us to fulfil our pre-contractual and contractual obligations. If you are not able to provide all the necessary information we need we may not be able to process your order, and you will not receive your products.

Legitimate interests (GDPR Article 6(1)(f)

GDPR allows us to rely on legitimate interests for direct marketing purposes. We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for anyone who has enquired about our products or made a purchase to receive information from My Expert Midwife relating to pregnancy, birth and beyond, and information about new and existing products.

This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which governs how a business can undertake electronic direct marketing. We can rely on soft opt-in for individual customers to undertake email marketing to both existing and prospective customers.

We always give you the opportunity to object to receiving marketing communications from us, when we first collect your personal data and with every marketing communication thereafter. You can change your marketing preferences at any time by clicking the “unsubscribe” link in the marketing email you receive.

Who do we share your personal data with?

When you place an order via our website, your data is collected and stored by Shopify, the host of our ecommerce store. Information that you enter when placing an order on our website is held by Shopify so that we can make sure you received your order.

In order to complete your order, information that you have entered whilst placing your order is shared with our fulfilment partners, Flow, and 2Flow. Appropriate contracts are in place, that are GDPR compliant with all third parties (data processors)

  • Flow Solutions UK – The fulfilment and packing service that we use, when you place an order through myexpertmidwife.co.uk. Flow Solutions access your data through the shopify ecommerce site and use it to process your order only.
  • 2Flow Logistics Solutions – The fulfilment and packing service that we use, when you place an order through myexpertmidwife.ie. Flow Solutions access your data through the shopify ecommerce site and use it to process your order only

How long do we keep your personal data?

We only keep your personal data for as long as is necessary.

Marketing contact details are held for as long as you want to remain on our marketing contact list.

We may retain anonymised data for marketing purposes.

Part 3 – IF YOU MAKE AN ENQUIRY ABOUT OUR PRODUCTS OR SERVICES

What personal data do we need?

We only need to collect an email address from you in order to answer your query. On occasion we may wish to phone you and in which case a phone number will be requested.

We may collect sensitive personal data such as health information, if you choose to supply this to us.

How do we get your personal data?

We gather your personal data directly from you when contact us via advice@myexpertmidwife.com or via the website contact forms.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data in order to reply to your questions.

The legal basis we rely on is:

Consent (GDPR Article 6(1)(a))

By submitting your contact details and other personal information when asking a question to My Expert Midwife you have given your consent for us to use your personal data for this purpose.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set

out in “why we need your personal data”.

We use Freshdesk to facilitate the answering of your queries.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary.

PART 4 – IF YOU WOULD JUST LIKE TO RECEIVE OUR NEWSLETTERS 

What personal data do we need?

We only need to collect an email address from you.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We gather your personal data directly from you when you sign up to receive marketing information from us, which includes our newsletters and other interesting information from My Expert Midwife.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to be able to send you marketing information by email.

The legal basis we rely on is:

Consent (GDPR Article 6(1)(a)

By submitting your contact details to receive marketing from us you have given your consent for us to use your personal data for this purpose.

You always have the right to withdraw your consent to receive marketing, you can do this by clicking the “unsubscribe” link in the marketing email you receive.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

We use Mailchimp to distribute our newsletters and marketing information.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary.

Marketing contact details are held for as long as you want to remain on our marketing contact list.

PART 5 – OUR STOCKISTS

What personal data do we need?

For us to supply you with the products that you have ordered from us we need to collect and use a small amount of information about you and your business, this is also likely to include some information about the individuals who work at your business.  The personal data we are likely to need is;

  • Your business name;
  • The name (first and last name) of the person who we are liaising with at your business (in some cases this may be several staff members details);
  • Business postal address;
  • Business email address;
  • Business telephone number;
  • Business mobile number;
  • Bank details to enable payment to be made;
  • Any other information you feel is relevant for the purposes of the processing.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We obtain your data directly from you when you place an order or make an enquiry about our products and services. We gather the relevant information from you to enable us to process payment to you for those services and goods.

We may also obtain some data, such as your business name and contact details, indirectly from publicly available sources or recommendations from 3rd parties.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to complete your order and send you your goods. We will also use your personal data to send you an invoice or to raise any queries about the order.

The legal basis we rely on is:

Contractual obligation (GDPR Article 6(1)(b))

The order that you have placed with us is done so under contract or with a view to entering into a contract (i.e. you have asked us to send you products in exchange for payment)

We require certain information from you to enable us to fulfil our part of the pre-contractual and contractual obligations, e.g. we need to have certain information to process your order and send you your products. If you are not able to provide all the necessary information for us to do this, we will not be able process your order.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

Our Accountant will see personal data relating to stockist and any payments we make.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary.

We keep all financial data (which includes supplier information) for 6 years from end of the financial year it relates to.

PART 6 – OUR SUPPLIERS

What personal data do we need?

For us to pay you for the service or goods you have provided to us we need to collect and use a small amount of information about you and your business, this is also likely to include some information about the individuals who work at your business. The personal data we are likely to need is;

  • Your business name;
  • The name (first and last name) of the person who we are liaising with at your business (in some cases this may be several staff members details);
  • Business postal address;
  • Business email address;
  • Business telephone number;
  • Business mobile number;
  • Bank details to enable payment to be made;
  • Any other information you feel is relevant for the purposes of the processing.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We obtain your data directly when we start to use your services or have purchased goods from you. We gather the relevant information from you to enable us to process payment to you for those services and goods.

We also obtain some data, such as your business name and contact details, indirectly from publicly available sources or recommendations from 3rd parties to enable us to contact you to enquire about the services and goods you provide prior to us making a purchase. 

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to either enquire about the services or goods you provide that we may be interested in purchasing or to make a purchase. We then use your personal data to pay for those goods and services when you invoice us or to raise any queries about the payment.

The legal basis we rely on are:

Contractual obligation (GDPR Article 6(1)(b))

The services or goods you have provided to us are done so under contract or with a view to entering into a contract (i.e. we have asked you for a quote for the goods or to undertake the service for us).

We require certain information from you to enable us to fulfil our part of the pre-contractual and contractual obligations, e.g. we need to have certain information to make the purchase and to process payment. If you are not able to provide all the necessary information for us to do this, we will not be able to purchase the goods or services you provide or be able to make payment once purchased.

Legal obligation (GDPR Article 6(1)(c))

We have a legal obligation to pay for any services or goods we have purchased.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

Our Accountant will see personal data relating to suppliers and any payments we make.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary.

We keep all financial data (which includes supplier information) for 6 years from end of the financial year it relates to.