01:00, Wednesday 11th September 2019
As part of our business and the service that we provide, it is necessary to process information about you.
We attach great importance to respecting your privacy and to the security and confidentiality of your personal data.
Therefore, we are committed to treating your personal data in compliance with UK and European regulations on the protection of personal data, namely: The Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR) (hereafter referred to as "the Regulations").
We invite you to read these documents carefully.
For the purposes of the Regulations, we, Crystal Tips Beauty Brighton&Hove, of Truleigh Drive, Brighton, United Kingdom, are the data controller and Book In Beautiful Ltd, of 7 Bell Yard, London, England, WC2A 2JR (UK), is the data processor.
The personal data that we may deal with come from:
For example, data that you provide when booking an appointment, purchasing a product or reporting a problem with our Site.
These cookies and other trackers record and transmit information about the pages you visit, the time you spend on our site, the actions you perform there, etc.
This includes the data that we receive from our partners when you use their services through our Site (for example, when using the payments service through our Site).
We process the following:
We do not handle sensitive personal data concerning or revealing your racial or ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs or trade union membership, nor do we process genetic data or biometric data for the purpose of uniquely identifying a natural person, or process data concerning a natural person's sex life.
We collect and process your personal data for the purpose of:
The processing of your data is based on our legitimate interest to run, improve and optimise our service for you. This is based on the contract between you and our company, through the Terms and Conditions.
However, in the following cases, the processing of your data is based on your specific consent (which will be collected through the checkbox on our registration/account settings page or a positive action on your part):
We will make sure to consider your application as soon as possible and to inform recipients of your data.
We are committed to protecting the privacy of children aged 16 or under. If you are aged 16 or under, please get your parent’s or guardian’s permission beforehand whenever you provide us with personal information.
We are responsible for the processing of your personal data.
The recipients of this data include:
You explicitly agree that your personal data may be transmitted to and processed by our software provider, the company Book In Beautiful Ltd, whose registered office is located at 7 Bell Yard, London, England, WC2A 2JR (UK). This activity will serve only to supply the software system needed to run the service provided on the Site. We disclose only personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure.
The use of personal data by third parties to our business (including through our online payment service provider) is governed by their own privacy policies. Please be assured we will not release your information to third parties for use in their own direct marketing, unless you have requested us to do so.
Your data are handled mainly within the European Union.
However, when our relations with partners, our subcontractors or third parties (such as those who provide us with support services) involve cross-border exchanges of your personal data outside the European Union, we ensure that such transfers are made to countries with an adequate level of protection, or that they are supported by legal tools to ensure that such transfers comply with the European Union’s requirements on protection (such as the European Commission's Standard Contractual Clauses, internal company policies and/or the membership of the recipient entities in the Privacy Shield, when located in the United States).
If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.
In any event, you agree to your personal data being processed under these conditions, outside the European Union.
Security is at the heart of our concerns.
We implement appropriate technical and organisational measures, including physical solutions, hardware and software, in order to preserve the security, integrity and confidentiality of your personal data and protect against unauthorised access, use, misuse, alteration, disclosure or destruction by unauthorised persons.
We demand sufficient guarantees of security and confidentiality from the recipients of data.
Furthermore, we encourage you to notify us of any security breach capable of generating a breach to your rights and freedoms, unless such communication is not necessary in cases referred to in Article 34 of the Regulations.
You are responsible for the confidentiality of the password you select and/or the password assigned to you to access certain features of the Site. You are not allowed to share the password with others.
Regarding data relating to the management of our customers:
The data of our customers will not be retained beyond the time strictly necessary for the management of the business relationship.
However, we will keep your data for analysis and statistics, for longer than the time required for the purpose of contract fulfilment, after having irreversibly anonymised this data.
Your data that is used for marketing purposes will be retained for a maximum period of three (3) years from the end of the business relationship (such as booking appointments, purchasing products and your last contact).
After this period of three (3) years, we are committed to destroying your personal data.
Regarding the measurements of Site activity:
The information stored in your device (e.g. through cookies), or any other item used to identify you and allow your traceability, will not be retained beyond thirteen (13) months.
New visits that you make to our website will not extend the life of such information.
Beyond this time, your data will be deleted or anonymised.
Regarding the data from your account on our site:
Your account will be considered inactive beyond two (2) years after your last use of this account. After this period, the data on your inactive account will be deleted after you have been informed and have had the opportunity to oppose it.
A 'Cookie' is a file sent by a website which is intended to collect and store information about your interaction with that particular website.
These cookies will be stored for a maximum of thirteen (13) months. They will then be deleted.
Under the Regulations, you have, with regard to the processing of your personal data, a right of access, rectification, erasure, restriction, portability and a right to object.
Right of Information and Access
You have the right to obtain from us confirmation as to whether or not your personal data are being processed and, where that is the case, access to the personal data and the following information:
Right to Rectification
As a data subject, you have the right to obtain from us, the data controller, without undue delay, the rectification of inaccurate personal data concerning you.
Subject to the purposes for processing, you have the right to have incomplete data completed, including by means of providing a supplementary statement.
Right to Erasure (‘Right to be Forgotten’)
You have the right to obtain from us the erasure of personal data concerning you without undue delay and we are obliged to erase that data where one of the following grounds applies:
Where we have made the personal data public and are obliged to erase the personal data, we, taking account of available technology and the cost of implementation, must take reasonable steps to inform data controllers processing the personal data that you have requested erasure. Personal data are not required to be erased where processing is necessary:
Right to Restriction of Processing
You have the right to restrict our processing of your personal data where:
Right to Portability
You have the right to receive your personal data (where you have provided it to us), in a structured, commonly used and machine-readable format and to have the data transmitted to another data controller without hindrance, where:
This right is dependent on the transfer between us and you being technically feasible.
The right will not apply to processing necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
This right cannot be exercised if it will adversely affect the rights and freedoms of others.
Right to Object
You have the right to object (on grounds relating to your situation) at any time to the processing of your personal data which is based on:
We will have to stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If personal data are processed for direct marketing purposes, you can object at any time to such processing, including profiling that is related to direct marketing. Where you do object, the personal data can no longer be processed for these purposes.
Automated Processing and Profiling
You have the right to not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or significantly affects you. This right will not apply if the decision:
We must implement suitable measures to safeguard your rights, freedoms and legitimate interests, or at least the right to obtain human intervention and contest the decision.
In addition, you have the right to provide us with guidelines that define how you want your personal data to be processed after your death (by indicating for example if you want them to be stored, deleted, or sent to a designated third party).
Finally, you can, if necessary, ask for the deletion of your personal data that has been collected when you were a minor.
To exercise these rights you will need to send us your request by email to the following email address: email@example.com
To access your application, we will need to know your identity.
We will therefore require a photocopy of one of your identity documents (such as a passport) with your signature. We will retain this copy for the time required to process your request (subject to periods specifically mentioned in section 8 above).
You will also need to provide us with at least one correspondence address, which the reply should be sent to.
Your application does not need to be justified, except in cases where you are exercising your right to object. In cases where you exercise your right to object, you must provide proof of the existence of a legitimate reason, except in the case where your data are processed for marketing purposes, including commercial.
If you have any questions, please contact us by email at: firstname.lastname@example.org