1. Introduction1.1 We, Parsley Box Limited (“we”, “us”, “our”) take privacy, and the security of personal data, very seriously, and we are committed to ensuring that we safeguard your personal data at all times and in the best way possible.
1.2 We are registered with the Information Commissioner's Office and our registration number is ZA260662.
1.3.1 who we are;
1.3.2 what personal data we collect about you;
1.3.3 how, when and why we collect, store, use and share your personal data;
1.3.4 how we keep your personal data secure;
1.3.5 how long we keep your personal data;
1.3.6 your rights in relation to your personal data; and
1.3.7 how to contact us, or the relevant supervisory authorities, should you have a complaint.
1.4 In order for us to provide our products to you we need to collect, use, and process or deal with, certain personal data about you. When we do so we are subject to the provisions of the United Kingdom General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, and we are responsible as what is described as a “controller” of that personal data for the purposes of those laws.
1.4.1 by email at [email protected];
1.4.2 by telephone on 0800 612 7225; or
1.4.3 by post at Parsley Box Customer Care, Level 6, Quartermile One, 15 Lauriston Place, Edinburgh EH3 9EN.
1.6 This website is not intended for children and we do not knowingly collect data relating to children.
“personal data” has the meaning given to it by the UK GDPR and means any information relating to an identified or identifiable individual (known as a “data subject”);
“processing” means any operation or actions performed on personal data; for example collection, recording, organisation, structuring, storing, altering, deleting or otherwise using personal data; and
“you” and “your” refers to the person whose data is processed.
2. Your personal data, how we collect it and the purposes for which we use it2.1 UK data protection law requires that we only use your personal data for the purposes for which it was acquired, or where we have a proper reason for using it. Those reasons may include the following:
2.1.1 Where you have given consent to the use of your personal data for one or more specific purposes.
2.1.2 Where the use is necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering into a contract.
2.1.3 Where the use is necessary for compliance with a legal obligation that we are subject to.
2.1.4 Where the use is necessary in order to protect your vital interests or those of another person.
2.1.5 Where the use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
2.1.6 Where the use is necessary for the purposes of our legitimate interests or those of a third party, except where those interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
2.2 The reasons set out above represent the general position as to the purposes for which data may be used. The specific position in relation to your personal data is set out below.
2.3 The data we will need to collect so that we can supply our products may include some or all of the following:
2.3.1 Your name and contact details. This will include your address, telephone numbers and email address. We collect this information when you request a catalogue and when you place an order with us online, by telephone, by email or by using our catalogue order forms, to allow us to process your order and deliver those products to you.
We use your email address to send you confirmation of your catalogue request and notification of the status of your order and we will contact you by email or telephone if any problems occur regarding delivery of your order. We may also use your email address for marketing purposes. We may provide this information to third party service providers for the purpose of processing your order (see also section 4 ‘Sharing your data with others’).
We use your address for postal marketing for us or others (see also section 5 “Third parties”). In either case, communications will be in relation to products and services which we believe may be of interest to you, or which are relevant to any products that we have supplied.
2.3.2 Where you are located and your order(s). This may include your IP address, browser information (including referrers), device information (such as iOS IDFA), IDFV for limited non‐advertising purposes, Android AAID, and, when enabled by you, location information provided by your device. We may use this information for advertising, analytics and to provide other specific content to you.
2.3.3 Analytics information. We use data analytics to monitor and improve website functionality and improve our offerings to customers. The data analytics software may record information on how often you use the Websites, what you do on the Websites, aggregated usage, performance data, errors and debugging information, and where the Websites were accessed from. We do not link the information we store within the analytics software to any personally identifiable information.
2.3.4 Automated information. We automatically receive and record information from your browser or your mobile device when you visit the Websites, such as your IP address or unique device identifier, cookies and data regarding which pages you visit. This allows us to operate effectively and provide our products and our customer care services. We store this information in log files. We may combine this information with other information that we or our partners collect about you, including across different devices. We use this information to prevent fraud and to keep our Website and customer services secure, to analyse and understand how our services work for customers and Website visitors, and to provide advertising, including across your devices, and a more personalised experience for members and visitors. We may also automatically collect device‐specific information when you access, or use our Websites. This may include information such as the hardware model, operating system information, debugging information, browser information, IP address, and device identifiers.
2.3.5 Information about your online presence, particularly where you have connected your account to an external third party application, such as Facebook or Twitter. We may learn about the products you are interested in from your browsing and purchasing behaviour on (and off) the Websites and related apps and suggest potential purchases based on this information.
2.3.6 Information required by us to enable us to check and verify your identity. We may need to collect this information in order to verify your age for the purpose of selling alcohol‐based products. This may include passport details, driving licence details, date of birth and/or cards bearing the PASS hologram.
2.3.7 Information about your account with us including history and invoices, preferences, password and payment methods. We collect this information to award you points and to allow you to manage your interactions with us.
2.3.8 Details of the method by which you intend to pay for the products, and billing information. This is used to assist us with ensuring your payments for products are processed efficiently.
2.4 We may use your personal data to resolve disputes with us.
2.5 We also use your personal data:
2.5.1 To provide our products and customer services to you so that we can comply with our contract with you or take any steps that it is necessary for us to take before entering into a contract with you.
2.5.2 To prevent or detect fraud, either against you or against any other person involved in any matter in which you are involved. This will help to prevent any damage either to you, a third party, or to us.
2.5.3 To comply with our internal business policies, and for operational reasons such as security, confidentiality, competency and efficiency control, training and client care. This will help us to deliver the best products and services to you.
2.5.4 To gather and provide any information required by, or relating to, audits, enquiries or investigations.
2.5.5 To comply with our internal business policies, and for operational reasons such as security, confidentiality, competency and efficiency control, training and client care. This will help us to deliver the best products and services to you.
2.5.6 For audits and external quality reviews in relation to standards adopted by us (for example ISO standards, professional standards etc).
2.5.7 For statistical analysis to enable us better to manage our business; for example in relation to our financial performance, customer base and product range.
2.5.8 For maintaining and updating records to ensure accuracy of processing.
2.5.9 To comply with legal and regulatory obligations to make information returns to regulators and legally‐constituted bodies.
2.5.10 To ensure safe working practices, and for staff administration and assessment purposes.
2.5.11 For marketing our services, and those of selected third parties, to existing and former clients and third parties.
2.5.12 For credit control and credit reference checks in relation to the services we perform.
2.6 The purposes set out above will not apply to special category personal data. This includes personal data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs and health conditions. We do not process special category personal data.
2.7 In most cases we will collect data about you directly from you. However we may also acquire information about you from publicly‐available sources or third party suppliers such as post‐code look‐up services.
2.8 We may obtain personal data through information technology‐related methods, including cookies. Please see our cookies policy for further details.
2.9 We may receive or obtain information (for example, an email address or IP address) about a person who is not yet a registered customer of ours, for example when a non‐customer chooses to subscribe to our newsletter or our corporate or shareholder interest communications or a customer invites a non‐customer to visit the Websites. Non‐customer information is used only for the purposes given when it was submitted, such as to provide you with our newsletter or other communications.
2.10 From time to time, we may also source names and addresses of prospective customers from reputable marketing services providers for the purposes of direct marketing. We only use this data for the purposes it was supplied to us and the data subjects can request no further contact from us using our contact details set out at section 1.5.
2.11 Note that failure to provide any personal data requested may prevent or delay the supply of our products.
2.12 Please note that it is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
3. Contacting you3.1 In addition to the general matters dealt with above, we may also use your personal data to provide you with updates concerning our products and special offers, or other related matters which might concern you or be of interest to you. This may be by post, telephone, email or text message. You may opt‐out of receiving such communications at any time by changing your preferences at https://parsleybox.com/members/preferences/, or contacting us directly using our contact details set out at section 1.5.
3.2 We regard ourselves as having a legitimate interest in processing your personal data for these purposes, and we take the view that we do not require your consent in order to do so. From time to time we undertake legitimate interest assessments in order to balance our interests in contacting you with your interests in relation to your personal data. Where we believe that consent is required, we will contact you specifically for this, and will do so in a clear and transparent manner.
3.3 You have, at all times, the right to request that we do not contact you for any purpose other than supplying our products. We may require that you confirm your marketing preferences from time to time so that we can be sure that your views remain the same. You have the right to opt‐out of receiving marketing communications at any time and can unsubscribe by: (i) using the “unsubscribe” link in emails or “STOP” number in text messages; (ii) instructing the person contacting you; or (iii) contacting us at any time using our contact details set out at section 1.5.
4. Sharing your data with others4.1 It may be necessary for us to share your personal data with others in order to:
4.1.1 supply our products to you;
4.1.2 enable third parties to provide data analytics services to us
4.1.3 process your payments;
4.1.4 comply with our contractual obligations to you;
4.1.5 comply with our legal or regulatory obligations;
4.1.6 comply with any contractual, legal or regulatory obligations that we are subject to; or
4.1.7 correspond with you via email or by post.
4.2 The third parties with which your personal data may be shared include:
4.2.1 professional advisers such as accountants, lawyers, experts, financial advisers, auditors and quality reviewers;
4.2.2 other companies within our corporate group;
4.2.3 financial intermediaries and lenders, our bank, insurers, insurance brokers and payment processors (including Braintree, a service of Paypal);
4.2.4 research companies;
4.2.5 manufacturing, order processing and delivery companies and suppliers of other services in relation to our products; and
4.2.6 analytics and security providers.
4.4 When sharing your personal data, we will ensure at all times that those with whom it is shared process it in an appropriate manner, and take all necessary measures in order to protect it. We will only ever allow others to handle your personal data if we are satisfied that their measures to protect your personal data are satisfactory.
4.5 Please be aware that, from time to time:
4.5.1 we may be required to disclose your personal data to, and exchange information about you or relating to you with, government, law enforcement and regulatory bodies and agencies in order to comply with our own legal and regulatory obligations; and/or
4.5.2 it may be necessary for us to share data for statistical purposes. We will always take steps to try to ensure that information shared is anonymised, but where this is not possible we will require that the recipient of the information keeps it confidential at all times.
4.6 Your personal data is shared with Experian Ltd for the purposes of managing a service called Club Canvasse, a home shopping and direct retailer data co‐operative of which Parsley Box Limited are members. By sharing information on what customers buy and pooling that with contributions from other members of the co‐operative, the service allows Parsley Box Limited to better understand our customers and to communicate with you more effectively. Please note, your personal information is not shared with any of the other members of the co‐operative, and only aggregated data on the number and value of purchases is provided to members e.g. we will receive a report which states how many customers who have bought from us in the last 0–12mths, and who have also bought from other members of the co'operative in the last 0–12mths, or the last 24 mths, last 36 mths etc. To understand more please click through to Experian's website to understand more about their marketing services.
5. Third parties5.1 We may share demographic and transactional information with business partners, but it will be aggregated and de‐personalised, so that personal data is not revealed.
6. How your personal data is kept secure6.1 In order to ensure your personal data is kept secure at all times, and to prevent a breach of confidentiality, we have put in place security measures that are intended to prevent your personal data from being accidentally lost or used or accessed unlawfully.
6.2 We operate various security measures in order to prevent the loss of, or unauthorised access to, your personal data. We restrict access to your personal data to those with a genuine business need to access it, and we have procedures in place to deal with any suspected data security breach. We will notify you, and any applicable regulator, of a suspected data security breach where we are legally required to do so.
6.3 In addition, all personal data transferred between your browser and our Websites or between our Websites and third parties is encrypted to prevent it being intercepted.
6.4 For more information on how we protect you and your personal data, please see our Security Policy.
7. International Transfers7.1 In order for us to provide you with our products and services, it may be necessary for us to share your personal data with those who are outside the UK where, for example, those persons are based outside the UK or where electronic services and resources are based outside the UK. Where this is the case, special rules apply to the protection of your data.
7.2 In such cases we will always take steps to ensure that, wherever possible, the transfer complies with data protection law, and that your personal data will be secure. For further information please contact our DPO using our contact details set out at section 1.5.
8. How your personal data is retained8.1 Personal data that is processed by us will not be retained for any longer than is necessary for that processing, or for purposes relating to or arising from that processing. Please note, however, that different periods for keeping your personal data will apply depending upon the type of data being retained and the purpose of its retention.
8.2 Where your personal data is retained after we have finished providing our products to you, or where the contract with you has ended in any other way, then this will generally be for one of the following reasons:
8.2.1 so that we can respond to any questions, complaints or claims made by you or on your behalf;
8.2.2 so that we are able to demonstrate that your matter was dealt with adequately; or
8.2.3 in order to comply with legal and regulatory requirements.
8.3 We may also retain, preserve, or release your personal data to a third party in the following limited circumstances:
8.3.1 in response to lawful requests by public authorities, including to meet legitimate national security or law enforcement requirements;
8.3.2 to protect, establish, or exercise our legal rights or defend against legal claims, including to collect a debt;
8.3.3 to comply with a legal summons, court order, legal process, or other legal requirement; or
8.3.4 when we believe in good faith that such disclosure is reasonably necessary to comply with the law, prevent imminent physical harm or financial loss, or investigate, prevent, or take action regarding illegal activities, suspected fraud, or violations of our Terms and Conditions.
8.4 If we receive a lawful, verified request for personal data held by us in one of the limited circumstances described above, we may disclose this personal data and this may include, but will not be limited to, a customer's name, address, phone number and email address.
8.5 We retain contact details so that we can inform you of updates concerning our products, and about relevant developments in relation to you, our products or other related matters which might concern you, or be of interest to you. If you would like to find out more about our retention policies, please contact us using our contact details set out at section 1.5.
8.6 If you no longer want us to use your information, you may close your account through your account settings. We will delete and/or anonymise any personal data which is no longer necessary for us to retain.
9. Your rights in relation to your data9.1 Data protection legislation gives you, the data subject, various rights in relation to your personal data that we hold and process. These rights are exercisable without charge, and we are subject to specific time limits in terms of how quickly we must respond to you. Those rights are, in the main, set out in Articles 12–23 of the UK GDPR. They are as follows:
9.1.1 Right of access — the right to obtain, from us, confirmation as to whether or not personal data concerning you is being processed and, where that is the case, access to that personal data and various other information, including the purpose for the processing, with whom the data is shared, how long the data will be retained, and the existence of various other rights.
9.1.2 Right to rectification — the right, without undue delay, to have inaccurate personal data concerning you put right.
9.1.3 Right to erasure — sometimes referred to as the “right to be forgotten”, this is the right for you to request that, in certain circumstances, we delete data relating to you.
9.1.4 Right to restrict processing — the right to request that, in certain circumstances, we restrict the processing of your data.
9.1.5 Right to data portability — the right, in certain circumstances, to receive the personal data which you have provided to us in a structured, commonly used and machine‐readable format, and the right to have that personal data transmitted to another controller.
9.1.6 Right to object — the right, in certain circumstances, to object to personal data being processed by us where it is in relation to direct marketing, or in relation to processing supported by the argument of legitimate interest.
9.1.7 Right not to be subject to automated decision making — a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
9.2 Full details of these rights can be found in the UK GDPR or by reference to guidance produced by the Information Commissioner's Office.
9.3 In the event that you wish to exercise any of these rights you may do so:
9.3.1 by contacting us using any medium you wish, including in writing, by telephone, by text, electronically, or using such social media as we employ for communication purposes; or
9.3.2 through a third‐party whom you have authorised for this purpose.
10. Your rights in relation to your account10.1 You may access, correct, change and delete personal data associated with your account by visiting your account settings.
10.2 You can also request the deletion of the personal data in your account by emailing [email protected].
10.3 In additional, you can control the receipt of certain types of communications from us in your account settings. As mentioned above, we may contact you by email, telephone or text message about our products or your activity. Some of these messages are required, such as service‐related messages for customers and legal notices. Other messages are not required, such as newsletters. You can control which optional messages you receive by changing your contact preferences in your account settings.
11. Business reorganisation11.1 In some cases, we may choose to buy or sell assets. Such transactions may be necessary and in our legitimate interests, in particular our interest in making decisions that enable our business to develop over the long term. In these types of transactions (such as a sale, merger, re‐structuring, or transfer of all or substantially all of our assets), customer information is typically one of the business assets that is transferred.
12. Making a complaint12.1 If you have any complaints relating to the acquisition, use, storage or disposal of your personal data, please contact us using our contact details set out at section 1.5.
12.2 Notwithstanding our best efforts, inevitably sometimes things do go wrong. If you are unhappy with any aspect of the use and/or protection of your personal data, you have the right to make a complaint to the Information Commissioner's Office, who may be contacted in writing at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; by telephone on 0303 123 1113; by fax on 01625 524510 or online at www.ico.org.uk. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.