Contents
- Introduction
- Personal data we collect
- How we collect your personal data
- Purposes for which we use your personal data and the lawful bases
- Sharing your personal data
- International transfers
- How long we keep your personal data
- Security of your personal data
- Your rights and how to complain
- Contacting us and exercising your rights
- What about cookies?
1. Introduction
The purpose of this privacy notice is to explain what Personal Data we collect about you, how we use it, who we share it with, how long we keep it and what your rights are in relation to that Personal Data.
Please read this privacy notice carefully as it provides important information about how we handle your Personal Data and your rights. If you have any questions about any aspect of this privacy notice you can contact us using the information provided below under ‘How to contact us’.
Please revisit this privacy notice regularly, as we may change the content to reflect how we deliver our products and services. We last updated this privacy notice on the date shown above.
Sanderson Design Group Brands Limited, trading as Morris & Co. (“Morris & Co.”, “we, “our”) is committed to protecting the privacy and security of the personal data we collect about website users and users of our services (“you/your”).
The purpose of this privacy notice is to explain what personal data we collect about you when you visit and interact with our websites, correspond with us, sign up to our services or order samples and products. When we do this, we are the controller.
Please read this privacy notice carefully as it provides important information about how we handle your personal information and your rights. If you have any questions about any aspect of this privacy notice you can contact us using the information provided below or by emailing us at [email protected].
Definitions
Certain terms and abbreviations in this privacy notice have the meanings given below.
|
CCPA |
means California Consumer Privacy Act. |
|
CPA |
means the Colorado Privacy Act. |
|
CPRA |
means the California Privacy Rights Act. |
|
CDPA |
means the Consumer Data Protection Act in Virginia. |
|
Controller |
means the natural person or legal entity that decides the means and purposes for processing the Personal Data. |
|
CTDPA |
means the Connecticut Act Concerning Personal Data Privacy and Online Monitoring. |
|
DPA 2018 |
means the Data Protection Act 2018. |
|
EU GDPR |
means the EU General Data Protection Regulation. |
|
ICO |
means the Information Commissioner’s Office, the supervisory authority in the United Kingdom. |
|
Personal Data |
is defined in the UK GDPR and the EU GDPR and means any information from which you can be identified, either directly or indirectly. For example, your name or an online identifier. |
|
Processor |
means the natural person or legal entity that processes Personal Data on behalf of the Controller. |
|
UK GDPR |
means the UK General Data Protection Regulation. |
For clarity, this Privacy Notice covers any processing that takes place pursuant to the CCPA and the CPRA. Therefore, the following references in the CCPA and CPRA have the following meanings in this Privacy Notice:
|
“Business” |
means “Controller” |
|
“Service Provider” |
means “Processor” |
|
“Third Party” |
means “Sub-Processor” |
|
“Personal Information” |
means “Personal Data” |
|
“Consumer” |
means “Data Subject” |
2. Personal data we collect
We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (EU GDPR). The personal data we collect includes:
System Information (Website Visitors, Account Holders and Customers)
When you visit our websites, we may collect information about our use of the site including details of your browsing and buying habits, pages viewed, and any resources that you access. This information may include website traffic data, IP address, location data, browser and operating system, referral source, length of visit, clickstream data and other communication data.
This information is collected via the use of cookies and similar technologies which will only be used with your consent. For more information about the specific cookies we use on our site, please visit our Cookie Notice.
Identity Information (Account Holders and Customers)
When engaging with our websites or using our services as a customer, we will collect personal data that may include:
- Your full name, title, address, email address, telephone number and payment details.
- Details about your transactions with us.
- Your account details, such as your username, password and contact or other account preferences.
- Information included in your reviews or which you otherwise provide for display on our service.
- Contact or other information which you give us to use for newsletters of other marketing.
Correspondence Information
When corresponding with us the personal data we will collect will include the following:
- Full name, contact details such as email address or telephone number, records of your correspondence via email or telephone conversations and any details contained within these.
- We may record your phone calls with us for training, fraud detection and dispute resolution purposes.
Job Applicants - when you contact us in relation to employment opportunities within the Sanderson Design Group, we collect certain information as part of the recruitment process. You can learn more about this in our separate Job Applicant Privacy Statement.
3. How we collect your personal data
We collect most of this personal data directly from you—by email and/or via our . This includes, but is not limited to, when ordering a sample, a product , when signing up to our newsletters or when making an enquiry/complaint.
In addition to this, we also collect information from third parties who you have given your consent to, such as companies that provide media services or support us with corporate communications.
4. The purpose and lawful basis under which we process your personal data
When providing services to you, we may use your personal data for the following purposes and under the following lawful bases:
To provide our services and products:
As part of the provision of our services, we use the personal information that we collect from you to:
- To carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us.
- Where you have signed up for our newsletter, we will rely on your consent to send this to you. You can withdraw your consent at any time.
Where personal data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.
Monitoring and administration of services and products:
We also use your personal information to help us to monitor our performance, administer and improve our service by:
- to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our site to ensure that content is presented in the most effective manner for you and for your computer / device;
- to allow you to participate in interactive features of our service, when you choose to do so;
- as part of our efforts to keep our site safe and secure;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and
- to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
This processing is necessary for our legitimate interests (for running our business, the provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise). This processing may also be necessary for us to comply with a legal obligation.
5. Sharing your personal data
We will not share your personal information with third parties unless it is with:
- your consent;
- another company in the Sanderson Design Group (which shall include subsidiaries as defined in section 1159 of the UK Companies Act 2006;
- other people who supply us with services, e.g., other companies in our group who provide part of our service (e.g., measurement / installation services), delivery / warehouse companies, website hosting and management, payment providers, customer service providers, telephony providers that help us manage phone call recordings, email distribution, e-commerce, online advertising, analytics, review management, live chat etc.;
- any users who may encounter your reviews, if these contain your personal data;
- law enforcement or government authorities, or if we believe it is necessary for legal or public safety reasons; and
- any new owner of the Sanderson Design Group company (or the company’s assets) in the event of a sale, or proposal of a sale.
6. International Transfers
When we collect your personal data, it may be processed outside the UK. This is because the organisations we use to provide our services to you are located in other countries.
We have taken appropriate steps to ensure that where personal data processed outside the UK, it has an essentially equivalent level of protection as it has within the UK. We do this by ensuring that:
- Your personal data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), this will also include organisations certified under relevant data privacy frameworks, such as the UK Extension to the EU-US Data Privacy Framework; or
- We enter into either International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) (with the UK Addendum) with the receiving organisations and ensure that supplementary measures are also applied, where necessary.
7. How long we keep your personal data
We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.
At the end of the retention period, your personal data will be securely deleted or anonymised.
8. Security of your personal data
We have implemented appropriate technical and organisational measures to safeguard your personal data and protect it from accidental or unlawful destruction, loss or alteration and from unauthorised disclosure or access.
9. Your rights and how to complain
You have certain rights in relation to the processing of your personal data. These rights will vary depending on where you are located.
To exercise your rights or to complain to us, please contact us using the details set out in the section entitled ‘Contacting us and exercising your rights’. To complain to your supervisory authority (where applicable) see the details set out below relevant to your location.
If you are in the UK or the EU
If you reside in the UK or the EU you have the following rights under the UK GDPR and the EU GDPR respectively:
- Request access to your personal data (commonly known as a “Subject Access Request”). This enables you to receive a copy of the personal data we hold about you.
- Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. If you object to us using your personal data for marketing purposes we will stop sending you marketing material.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party (data portability).
- Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
Right to withdraw consent
In the circumstances where you have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we are permitted by law to do so.
How to exercise your rights
You will not usually need to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. If you wish to exercise your rights, please contact us at [email protected].
Complaints
You have the right to lodge a complaint with the supervisory authority, if you believe we are infringing the UK data protection laws or you are concerned about the way in which we are handling your personal data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:
- Contact us | ICO
- Or by telephone on 0303 123 1113
If you are in Switzerland
If you reside in Switzerland you have the following rights under the UK GDPR and the EU GDPR respectively:
- Right to be informed. You have the right to know details such as what personal data we collect about you, who we share it with, how we use it, for what purpose and how long we keep it. We use our privacy notice to explain this.
- Request access to your Personal Data (commonly known as a “Subject Access Request”). This enables you to receive a copy of the Personal Data we hold about you.
- Request rectification of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.
Complaints
If you believe we are infringing the applicable data protection legislation or you are concerned about the way in which we are handling your Personal Data, you can lodge a complaint with the Swiss Federal Data Protection Authority who can be contacted at:
- The Swiss Federal Data Protection and Information Commissioner (the “DPIC”), Feldeggweg 1, CH-3003 Berne, Switzerland
- www.edoeb.admin.ch
If you are in America
If you are in California
If you live in California, you have the following rights under the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”)
This comes into force on 1 Jan 2023
The CCPA (as amended) provides California residents certain rights related to their Personal Data. You have the right to:
- know what Personal Data we collect about you;
- request a copy of the Personal Data we have about you;
- require that we delete your Personal Data;
- request that we correct any inaccurate Personal Data we have about you;
- request that we limit the use and disclosure of Personal Data that we have about you which is sensitive (as defined in the CPRA);
- know whether we sell your Personal Data and whether we disclose your data to anyone;
- object to the sale of your Personal Data; and
- not be discriminated against because you exercised your rights under the CCPA.
We do not sell or disclose your Personal Data for monetary gain or any valuable consideration. We do not use the Personal Data collected by our clients about you for our own purposes. We provide operations software to our clients and they use your Personal Data to provide services to you.
The Personal Data we collect about you is set out above under ‘Personal Data we collect’.
Complaints
If you are concerned about the way in which we are handling your Personal Data, you can submit a complaint to your supervisory authority, the California Privacy Protection Agency who can be contacted online at:
- California Privacy Protection Agency (CPPA)
- Contact Us - California Privacy Protection Agency (CPPA)
If you are in Colorado
If you live in Colorado, from 1st July 2023 you have the following rights under the Colorado Privacy Act (“CPA”):
- Right to be informed. You have the right to know details such as what personal data we collect about you, who we share it with, how we use it, for what purpose and how long we keep it. We use our privacy notice to explain this.
- Right of access (commonly known as a “Subject Access Request”). You have the right to access and receive a copy of the Personal Data we hold about you.
- Right to rectification. You have the right to have any incomplete or inaccurate information we hold about you corrected.
- Right to erasure (commonly known as the right to be forgotten). You have the right to ask us to delete or de-identify your Personal Data.
- Right to opt out. You have the right to opt out of us processing your Personal Data for the purposes of targeted advertising and for the sale of your Personal Data.
- Right to portability. You have the right to ask us to transfer your Personal Data to another party.
- Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
- Right not to be discriminated against for exercising your rights.
- Right to appeal if we refuse to process your request to exercise your rights.
Complaints
If you are concerned about the way in which we are handling your Personal Data, you can submit a complaint to the Office of the Attorney General for Colorado who can be contacted at:
- https://coag.gov
- Department of Law, Ralph L. Carr Judicial Building, 1300 Broadway, 10th Floor Denver, CO 80203
- Phone: +1 720-508-6000
If you are in Connecticut
If you live in Connecticut, from 1st July 2023 you have the following rights under the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”):
- Right to be informed. You have the right to know details such as what personal data we collect about you, who we share it with, how we use it, for what purpose and how long we keep it. We use our privacy notice to explain this.
- Right of access (commonly known as a “Subject Access Request”). You have the right to access and receive a copy of the Personal Data we hold about you.
- Right to rectification. You have the right to have any incomplete or inaccurate information we hold about you corrected.
- Right to erasure (commonly known as the right to be forgotten). You have the right to ask us to delete or de-identify your Personal Data.
- Right to opt out. You have the right to opt out of us processing your Personal Data for the purpose of targeted advertising and the sale of your Personal Data.
- Right to portability. You have the right to ask us to transfer your Personal Data to another party.
- Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
- Right not to be discriminated against for exercising your rights.
- Right to appeal if we refuse to process your request to exercise your rights.
Complaints
If you are concerned about the way in which we are handling your Personal Data, you can submit a complaint to the Office of the Attorney General for Connecticut who can be contacted at:
- Connecticut Office of the Attorney General, 165 Capitol Avenue, Hartford, CT 06106
- Email: [email protected]
- Phone: 860-808-5318.
If you are in Utah
If you live in Utah, from 31st December 2023 you have the following rights under the Utah Consumer Privacy Act (“UCPA”):
- Right to be informed. You have the right to know details such as what personal data we collect about you, who we share it with, how we use it, for what purpose and how long we keep it. We use our privacy notice to explain this.
- Right of access (commonly known as a “Subject Access Request”). You have the right to access and receive a copy of the Personal Data we hold about you.
- Right to erasure (commonly known as the right to be forgotten). You have the right to ask us to delete or de-identify your Personal Data.
- Right to opt out to processing. You have the right to opt out of us processing your Personal Data for the purposes of targeted advertising or sale of Personal Data.
- Right to portability. You have the right to ask us to transfer your Personal Data to another party.
- Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
- Right not to be discriminated against for exercising your rights.
Complaints
If you are concerned about the way in which we are handling your Personal Data, you can submit a complaint to the Office of the Attorney General for Utah who can be contacted at:
- Consumer Protection (utah.gov)
- Phone: (801) 530-6601
- Toll-Free in UT: (800) 721-7233
- Email: [email protected]
- Mailing Address: PO Box 146704, Salt Lake City, UT 84114-6704
- Physical Address: 160 East 300 South, Salt Lake City, UT 84111
If you are in Virginia
If you live in Virginia, from 1st January 2023 you have the following rights under the Consumer Data Protection Act (“CDPA”):
- Right to be informed. You have the right to know details such as what personal data we collect about you, who we share it with, how we use it, for what purpose and how long we keep it. We use our privacy notice to explain this.
- Right of access (commonly known as a “Subject Access Request”). You have the right to access and receive a copy of the Personal Data we hold about you.
- Right to rectification. You have the right to have any incomplete or inaccurate information we hold about you corrected.
- Right to erasure (commonly known as the right to be forgotten). You have the right to ask us to delete or de-identify your Personal Data.
- Right to opt out. You have the right to opt out of us processing your Personal Data for the purposes of targeted advertising and the sale of your Personal Data.
- Right to portability. You have the right to ask us to transfer your Personal Data to another party.
- Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
- Right not to be discriminated against for exercising your rights.
- Right to appeal if we refuse to process your request to exercise your rights.
Complaints
If you are concerned about the way in which we are handling your Personal Data, you can submit a complaint to the Office of the Attorney General for Virginia who can be contacted at:
- 202 North Ninth Street, Richmond, VA 23219
- Phone: (804) 786-2071
10. Contacting us and exercising your rights
If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, then please address your correspondence to:
Data Protection
Sanderson Design Group
Voysey House
Sandersons Lane
London
W4 4DS
Alternatively, you can email us at [email protected].
We have also appointed a Data protection Officer (“DPO”). Our DPO is Evalian Ltd and can be contacted by emailing [email protected] or via our postal address. If sending correspondence to our postal address, please mark the envelope to the ‘Data Protection’.
You will not usually need to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity before we can process a request from you to exercise any of the above rights. This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
13. What about cookies?
13.1 We and/or other companies use cookies and other tracking technologies on our website. A cookie is an identifier (a small file of letters and numbers) that is sent to your web browser. Cookies are widely used to make websites work, or work more efficiently, as well as to provide information to the website owner or others. Some are session temporary “session” cookies that remain in the cookie file of your browser only until your browser is closed. Whereas persistent cookies stay for longer (depending on the lifetime of the specific cookie). For further information on cookies, including how to use your browser to block them and how to delete existing cookies, visit: allaboutcookies.org. Our site’s functionality will be limited if you configure your browser to reject cookies.
13.2 We or other companies place the following types of cookies on our website (or may do so in future):
