Ananays Ltd is the owner of the Ananays website.
WHAT DATA DO WE HOLD?
We hold only the data necessary to complete and ship customers’ orders. This is retained in order to confirm purchases and to fulfil any returns and exchanges as required.
- Name – used to address the order to the recipient and used in communications with the customer.
- Email Address – to send confirmation of the order and notification of shipping. We also use these to contact the customer with any issues regarding their order.
- Phone Number – used in case of issues with their order or delivery.
- Billing Address – for verifying payments.
- Shipping Address – for sending the order to the customer.
- Order Items – to ensure the customer received the desired items.
- Order Cost – to process payment for the order.
- Payment Method – to process payment for the order
- Either Last 4 digits of the card to confirm payment method in the event of a query or refund.
- Newsletter email list – to send marketing communications.
WHERE DOES THIS DATA COME FROM?
This data is given, with consent, by our customers in order for us to process and ship the orders they place with us.
Newsletter sign-up is not automatic; a customer must locate the sign-up box on our website.
WHO IS THIS DATA SHARED WITH?
Only the components of data required for processing are shared with the following companies:
Royal Mail, UPS
Book Keeping platform
WHO HAS ACCESS TO THIS DATA?
Staff – Office staff will access data from an order if there is an issue with the order or if the customer would like to make a return, exchange, or has a question about their order.
Shopify – our website is hosted by Shopify who also provide the web app that processes our orders.
The following is an outline of the data access requirements for the particular needs of the work being processed.
Internal staff data access for picking and packing
When an order is received we print a hard copy of the order and then physically pick the items they have ordered from our stock. These items and paperwork are then packed, and shipping is booked.
Customers' order details remain in Shopify and can be accessed by our staff at the customer's request. Staff will only access order information if there is an issue with the order or if the customer has contacted us with an enquiry about the order.
External companies processing data on our behalf
Attwoods, Chartered Certified Accounts
19 Eastbourne Terrace
London W2 6LG
Ananays uses Stripe to take payments for goods.
Card details are only stored for the duration of a transaction and we only retain the last 4 digits of any card number on record should a customer require us to identify the card used to pay for an order or confirm the method of payment they used. Our staff have no access to full payment details.
We use the Shopify Web app hosted on the Shopify platform. The following data is stored on the platform:
- User created accounts
- Order history containing:
- User's name
- User's address
- User's contact details (email/phone number)
- Items ordered
- User's previous orders
Customer Information flow through the order process:
Customer inputs information into our order form. We need the following information to complete an order: Name / Email / Phone Number / Shipping Address / Billing Address.
The customer will also enter payment details either via a secure Stripe window or directly on the secure checkout page in store. We hold no card or payment details on our website and have no access to them apart from the last 4 digits used for card identification.
These pages are run over a secure connection.
The order is picked and packed by a member of our staff. Once the order is picked, the order note is packed inside the package with the items and shipped to the customer.
Order information remains within the customer’s account on our website so logged-in customers can access their order history. It also allows us to process any returns, exchanges or refunds as necessary. Invoice details are uploaded to Xero automatically.
Order information is stored in our order archive for 6 years in case of VAT or TAX inspection.
Customers can sign up to receive our marketing email by inputting their email address into a form on our website that is powered by Campaign Manager.
Our customers must consent to receiving our Newsletter by adding their email address to the field in the form.
Our newsletter is sent out monthly and always features a link to 'unsubscribe'. If a customer no longer wishes to receive communications from us they can follow this link to be removed immediately. It is made clear to our customers that if a customer wishes us to forget their data entirely they should contact us to be deleted from our newsletter list completely, as our unsubscribed emails are kept on a 'do not contact' list.
Data is processed either through contractual necessity or with consent.
Details are outlined below.
Data processing necessary for the service to be carried out.
Order completion on our website requires a freely given, specific, informed consent to be given in a clear affirmative action. Customers are asked to consent to our GDPR policy which is linked to in the tick box title text, so they can easily locate the information and give consent by checking a box. Customers have the right to withdraw their consent, and simply need to contact us by phone or email to do so.
To legally give consent, the customer must be over the age of 13 years old in the UK. Customers will be asked on checkout to confirm this or provide a parent or guardian to give consent on their behalf.
Our request for consent is prominent and separate from our terms and conditions. We do not use pre-ticked boxes or any other default method of obtaining consent. When a customer consents to us using their data, they are only consenting to us processing their order and dealing with any returns or order issues they might have surrounding that order. Our newsletter and social pages require separate consent through a further opt-in.
A record of each customer's consent is kept electronically as their order, because without consent we would not receive the electronic copy of their order on our site's back end. If a customer orders over the phone our staff will ask them for consent before we process their order, and they will manually make a note that verbal consent was given at a particular date and time. We obtain consent from each customer, every time they place an order with us. This means the consent they give is always relevant to our current GDPR policy displayed on our website. The consent a customer gives will be relevant to the GDPR policy displayed on our website on the date they ordered.
Data is collected for each individual order so the data we process is always accurate and up to date. We annually audit and cleanse our newsletter and marketing data to ensure the quality of the data set is kept high. Customers can update their own data in their account or contact us to update their data for them.
We retain order data as long as necessary for Tax and VAT purposes which is a minimum of 7 years and a maximum of 10, after which the data is permanently deleted from our system in our annual data cleanse. During this data cleanse we also remove inactive subscribers from our newsletter list to keep the data set high quality.
Should a customer wish to be 'forgotten' from our system we can manually redact the relevant data from their orders and delete their account from our system. We can also contact any of our 3rd party suppliers that will have their data and ask them to do the same. Customers have the right to delete their own accounts and unsubscribe from any communications manually, however to ensure they are completely gone from all records they should contact us by phone or email expressing their particular concerns.
Our customers can easily copy and move their order data with our easy PDF download option. This feature allows customers to download a PDF version of all the data we hold for them on each order. Customers must log in to their account where their data is stored and view their order history, there they will find a list of their order data and they can choose simply to view it or to download a copy for their own records.
- Data Subjects have the right to information about what personal data we process, how and on what basis as set out in this policy.
- Data Subjects have the right to access their own personal data by way of a subject access request.
- Data Subjects can correct any inaccuracies in their personal data. To do so, they should contact a member of the customer service team.
- Data Subjects have the right to request that we erase their personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. To do so they should contact a member of the customer service team.
- While Data Subjects are requesting that their personal data is corrected or erased or are contesting the lawfulness of our processing, they can apply for its use to be restricted while the application is made. To do so they should contact Laura Harvey.
- Data Subjects have the right to object to data processing where we are relying on a legitimate interest to do so and they think that their rights and interests outweigh our own and they wish us to stop.
- Data Subjects have the right to object if we process their personal data for the purposes of direct marketing.
- Data Subjects have the right to receive a copy of their personal data and to transfer their personal data to another data controller. We will not charge for this and will in most cases aim to do this within one month.
- With some exceptions, Data Subjects have the right not to be subjected to automated decision-making.
- Data Subjects have the right to be notified of a data security breach concerning their personal data.
- In most situations we will not rely on Data Subjects' consent as a lawful ground to process their data. If we do however request their consent to the processing of their personal data for a specific purpose, they have the right not to consent or to withdraw their consent later. To withdraw their consent, they should contact Metier Cycling.
- Data Subjects have the right to complain to the Information Commissioner. Data Subjects can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (ico.org.uk). This website has further information on their rights and our obligations.
- Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information we hold about them. This request must be made in writing. If we receive such a request, we will forward it immediately to the Data Protection Manager who will coordinate a response.
- If Data Subjects would like to make a SAR in relation to their own personal data, they should make this in writing to Metier Cycling. We must respond within one month unless the request is complex or numerous, in which case the period in which we must respond can be extended by a further two months.
- There is no fee for making a SAR. However, if their request is manifestly unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to their request.
The business owner is our Data Controller. All data contracts are made between the Data Controller and Data Processors. Currently our Data Controller is responsible for the general overseeing of our data security and data practices.
3RD PARTY DATA PROCESSORS
Any 3rd Party Data Processors will be asked to fill in an additional questionnaire when signing our Data Processors Contract, so we can ensure they are GDPR compliant as a company and that our data will be properly secured with them.
All staff receive data security training that is appropriate to their role. They will not have access to our data until they have read and signed our Data Processors Contract that ensures they understand and adhere to our data security rules and processes. This will be refreshed annually.
Our Data Controller is a senior member of staff responsible for many aspects of our data processing and security. They are responsible for managing information risks, and coordinating procedures to mitigate them. They also coordinate logging and risk assessing information assets.
Our Data Officer carries out data protection impact assessments (DPIA) when using new technologies.
Our Data Officer assesses the risks of a data breach for the data we hold and ensures the appropriate level of security is in place on each of our office terminals, across our internet connection and also on our website.
The Data Controller ensures that the website is patched, maintained and running on a secure https connection. All office terminals have virus and security protection software, and scans are run regularly to test for any risks and search out any malware or viruses.
All our Data Processors are responsible in some way for the security of our data, so they are all trained and well informed on how to avoid data risks.
All computers used for company business are password protected and have up to date antivirus software installed. Avast Full System Virus Scans are conducted monthly, with [antivirus] Scans occurring bi-annually.
Unstructured data such as documents and spreadsheets are hosted on Google Drive. We have exercised the option to request Google host this data within the EU borders.
All data from our website passes through and is stored on the Shopify platform. (Details of its terms and conditions, including the Data Processing Agreement, are available on request.) All interaction between Ananays and Shopify is managed through a single email address, which is managed by the Ananays directors team as the administrators.
Payment providers have high levels of security due to the transactional nature of their business; they only deal directly with our business owner and the named accountant. They will not process requests from, or give information to, any other member of staff.
We ship orders using DHL. Once an order is picked we book a collection through the DHL website. This requires us to pass the following information to DHL for each order being shipped:
- Customer name
- Customer address
- Customer email address
- Customer phone number (where available)
We use Gmail as our main email provider due to its robust security. Gmail encrypts data while in transit, has great threat detection including spam, malware, viruses and other forms of malicious code, and monitors for security breaches 24/7.
DATA SECURITY - INTERNATIONAL TRANSFERS
At present no customer data is transferred internationally.
We proactively watch for data breaches by investigating any unusual data thoroughly. We take all customer reports of incorrect information on their accounts seriously and always investigate the cause.
We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur then we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, then we must also notify the Information Commissioner’s Office within 72 hours.
If a customer, supplier or employee becomes aware of a data breach they should contact Ananays immediately and keep any evidence they have in relation to the breach.
The use of this website is governed by the policies, terms and conditions specified below. Please read them carefully. By using the website you have accepted these terms and conditions. Your submission of an order to Ananays indicates acceptance of these terms and conditions. These terms and conditions shall supersede any subsequent terms and conditions included in any purchase order, whether or not such terms and conditions are signed by Ananays.
Your electronic receipt or order confirmation does not signify our acceptance of your order, nor does it constitute confirmation of our offer to sell. We will check the information you give us for validity, by verifying your method of payment, billing and shipping details prior to fulfilling the order.
We may require additional verifications or information before accepting any order. Ananays is a reseller to end user customers and does not accept orders from dealers, exporters, wholesalers, or other customers who intend to resell the products offered by Ananays.
Ananays reserves the right at any time after receipt of your order to accept or decline your order for any reason. Ananays reserves the right at any time after receipt of your order, without prior notice to you, to supply less than the quantity you ordered of any item.
Your credit card/debit card or Paypal account will be refunded in the event that your order is not accepted.
Stock levels displayed to you are accurate at the last known update; stock availability is subject to change. If we are unable to fulfil your order we will contact you as soon as possible.
By using this website, you agree that the use of this website is at your sole risk. Ananays is not liable for any losses or damages caused by this website or any website linked to or from this website.
The delivery times provided by Ananays are estimates only. Ananays will not be held accountable for late deliveries or damage relating to late deliveries.
INTERNATIONAL CUSTOM CHARGES
Some international orders may incur a customs or import duty charge. Ananays does not have any control over these charges and is unable to advise what they will be, as they are based on your own country's regulations and compliances. For more information please contact your local customs office. Any charges incurred are to be paid by the customer on delivery of the order.
ACCEPTANCE OF ORDERS
The buyer is responsible for inspecting the goods for fault and notifying us within 5 working days of receiving the goods should there be a fault.
Prices are subject to change without notice. Ananays reserves the right to revoke any stated offer and correct any pricing errors including after an order has been submitted and whether or not the order has been confirmed and your credit card charged.
There may be duties and taxes added to your package by the destination country. You will be responsible for these upon delivery; they are not included in your order total. All credit cards are charged in UK sterling. Non-UK sterling currency figures are approximations based on an exchange rate.
If notified before the goods have been dispatched, Ananays can accommodate order cancellations. If items have been shipped Ananays reserves the right to charge a cancellation fee, should we be able to request the return of the package from our delivery service.
In the event a product is listed at an incorrect price or with incorrect information due to typographical error, Ananays reserves the right to refuse or cancel any orders placed for the listed product at the incorrect price. Ananays reserves the right to refuse or cancel such orders whether or not the order has been confirmed and your credit card or Paypal charged. If your credit card or Paypal account has already been charged for the purchase and your order is cancelled, Métier shall immediately issue a credit to your credit card or Paypal account in the amount of the charge.
COPYRIGHT AND TRADEMARK NOTICE
This website is owned and operated by Ananays Ltd. Unless otherwise specified, all materials appearing on this website, including text, web design, logos, graphics, icons and images, as well as the selection, assembly and arrangement thereof, are the sole property of Ananays Ltd. All software used on the website is the sole property of Ananays Ltd or those supplying the software. You may use the content of this website only for the purpose of shopping on this website or placing an order on this website and for no other purpose. No materials from this website may be copied, reproduced, modified, republished, uploaded, posted, transmitted or distributed in any form or by any means without Ananays Ltd's prior written consent. All rights expressly granted herein are reserved. Any unauthorised use of the materials appearing on this website may violate copyright, trademark and other applicable laws and could result in criminal or civil penalties.
This website may contain links to other websites that are not owned or operated by Ananays Ltd. You acknowledge that Ananays Ltd is not responsible for the operation of or content located on or through any such website.