PRIVACY

The following information is given to you in accordance with the General Data Protection Regulation (the GDPR).


Data Controller: LA-EVA Limited, 12a Fleet Business Park, Sandy Lane, Church Crookham, Fleet, Hampshire, United Kingdom, GU52 8BF (“we”, “our” and “us”)

Under the GDPR, you have a right to be informed about the collection and use of your personal data. This Privacy Notice is intended to set out how we collect and use your personal data in a clear and open manner.

1. WHY DO WE PROCESS YOUR PERSONAL DATA?

We collect and process your personal data to provide you with good customer service, e.g. to update you on orders, and to let you know about offers and new developments in the world of LA-EVA’s units of wellbeing.

2. WHAT IS THE SOURCE OF YOUR PERSONAL DATA?

The source of the data we collect will generally be you; you will have provided us with your personal data when you placed an order with us, chose to subscribe to our emails or made an enquiry in some other form, e.g. through email or by telephone. If you are a wholesale contact or service provider/supplier, we may have found your personal data in the public domain or through a referral.

3. WHAT LAWFUL BASIS DO WE HAVE FOR PROCESSING YOUR PERSONAL DATA?

We process your personal data where:

processing is necessary to comply with a legal obligation on us, for example to make sure we submit accurate company accounts and tax returns;

we have a legitimate interest in processing personal data, for example to provide you with news and offers that may be of interest to you; or to make sure we keep you posted about an order you have placed with us.

4. WHAT PERSONAL DATA DO WE PROCESS AND WHO DO WE SHARE IT WITH?

Orders

If you place an order with us, we will process your contact details including your name, email address, postal address (and the address of the recipient if you’d like us to send your order to someone else). We will also process email and/or social media communications with you based on which form of communication you have chosen to contact us with or have asked us to use. Our default communication method to contact you is email and we don’t store copies of social media contact details on our systems.

We share your personal data internally with relevant staff only, and, in the event of an order, with our chosen courier company or fulfilment partner. Our accountancy firm may also have access to your personal data as well as HMRC if they decide to take a closer look at our transactions.

External IT staff may also, very rarely, have access to your personal data for IT purposes only, e.g. to install technological safeguards to protect your data.

Data is stored in a range of different places, including our email system, our shop platform, Stripe, PayPal and iZettle as well as Dropbox.

Mailing List Subscriptions

If you subscribe(d) to our mailing list without having placed an order, we will only store your name and email address until you ask us to delete it. Until your request to delete, this data will only be stored in Squarespace, on our own system and Dropbox backup.

Wholesale Contacts, Customers/Distributors and Suppliers

We store contact details of potential, current and past wholesale customers/distributors and suppliers together with previous order history (where applicable) in a range of different places, including our own systems, our email system (which is provided by a UK-based host that is subject to EU privacy rules), Dropbox, Squarespace (if an order or enquiry was processed through our website) and, depending on how you paid for any orders you placed with us, on PayPal, Stripe, and iZettle. If you are a supplier, we will share data necessary for processing payment with our bank. Our accountant will also have access to the above information.

AT NO TIME WILL WE SELL YOUR PERSONAL DATA TO ANYONE

5. HOW DO WE PROTECT YOUR PERSONAL DATA?

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by employees in the performance of their duties.

Where we transfer your personal data to third party processors, we ensure there is a contract in place that provides sufficient guarantees that the requirements of the GDPR will be met and your rights protected.

6. PERSONAL DATA TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS.

We use Dropbox for data storage. Dropbox may store, process, and transmit information in the United States and locations around the world—including those outside your country. When transferring data from the European Union, the European Economic Area, and Switzerland, Dropbox relies upon a variety of legal mechanisms, including contracts with their customers and affiliates. Dropbox complies with the EU-U.S. and Swiss–U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the European Economic Area, and Switzerland to the United States. You can find Dropbox’s Privacy Shield certification here. You can also learn more about Privacy Shield at https://www.privacyshield.gov. Their privacy policy can be found here.

We sometimes use Mailchimp to communicate with you. Mailchimp’s servers and offices are located in the United States, so your information may be transferred to, stored, or processed in the United States. Mailchimp participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. To learn more about the Privacy Shield Frameworks, and to view Mailchimp’s certification, visit the U.S. Department of Commerce’s Privacy Shield website, here. Their privacy policy can be found here.

If you place an order with us through our website, your payment will be processed via PayPal, Stripe or iZettle:

PayPal has taken specific steps, in accordance with EEA data protection law, to protect your Personal Data. In particular, for transfers of your Personal Data within PayPal related companies, they rely on Binding Corporate Rules approved by competent Supervisory Authorities (available here). Other transfers may be based on contractual protections. Please contact PayPal directly for more information about this. Their privacy notice can be found here.

Stripe is a global business and personal data may be stored and processed in any country where they have operations or where they engage service providers, but they will take measures to ensure that any such transfers comply with applicable data protection laws and that your personal data remains protected to the standards described in their Privacy Policy which can be found here. If you are located in the EEA or Switzerland, they will comply with applicable laws to provide an adequate level of data protection for the transfer of your Personal Data to the US. Stripe Inc. is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles. For more, see Stripe’s Privacy Shield Policy. In addition, they have implemented intra-group data transfer agreements which you may view upon request. Where applicable law requires them to ensure that an international data transfer is governed by a data transfer mechanism, they use one or more of the following mechanisms: EU Standard Contractual Clauses with a data recipient outside the EEA, verification that the recipient has implemented Binding Corporate Rules, or verification that the recipient adheres to the EU-US and Swiss-US Privacy Shield Framework.

iZettle’s preferred basis for transfer is the use of Standard Contractual Clauses. You can access a copy of the relevant EU model-clauses used by them for transfers by browsing to www.eur-lex.europa.eu and searching for 32010D0087.

They also transfer your data to service providers in the US and base such transfer on Standard Contractual Clauses and Privacy Shield; and to service providers in Australia (this processing is based on Standard Contractual Clauses). iZettle’s privacy policy can be found here.

If you placed an order with us through our website or are on our mailing list, your data will have been shared with Squarespace who may in turn transfer it to countries other than where you live, such as, for example, to their servers in the U.S. Squarespace rely on a number of means to transfer personal information which is subject to the GDPR including Privacy Shield, standard data protection clauses, and the European Commission or an adequacy decision by the European data protection supervisory authority, pursuant to an approved certification mechanism or code of conduct, together with binding enforcement commitments from the recipient to apply the appropriate safeguards. Squarespace’s full privacy notice can be found here.

Our email provider is 1&1 Ltd. They may share your data with Open-Xchange who are located in Nürnberg, Germany. 1&1’s privacy notice can be found here.


We may, rarely and for short amounts of time, process your data whilst travelling outside the EEA in order to provide you with timely customer service. If we do so, we will ensure data continues to be processed in accordance with this privacy notice and our usual privacy practices.


Where we share your personal data with third party service providers outside of those mentioned above who transfer your data outside the EEA we will ensure they have implemented appropriate safeguards to protect your information.


7. HOW LONG DO WE KEEP PERSONAL DATA FOR?

We will keep your personal data for as long as is necessary to fulfil the purposes for which we collected it:


If you have placed an order with us, we will keep your personal data for 7 years after the date of the order, primarily for accounting purposes, and also to keep you posted about LA-EVA news and special offers we would like to offer you (although you can of course unsubscribe from our mailing list any time you like).

If you subscribed to our mailing list (but haven’t placed an order with us), we will keep your details until you ask us to delete them. If that’s the case, we will delete your details as quickly as possible (normally within a week), but please allow one month in case we’re not able to action your request straight away.

8. WHAT ARE YOUR RIGHTS IN RESPECT OF THE PROCESSING?

You have the right to be informed about the collection and use of your personal data, as provided for in this privacy notice. At the time we collect your personal data, you are entitled to know our purposes for processing it, our retention periods, who it will be shared with and other information, which is all set out in this privacy notice (there are a few circumstances when we do not need to provide you with privacy information, such as if you already have the information or if it would involve a disproportionate effort to provide it to you). If we obtain personal data from other sources, you are entitled to receive privacy information within a reasonable period of obtaining the data and no later than one month. The information we provide to you must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language – if you feel this is not the case, then please let us know.

You can also (verbally or in writing):

ask us to give you access to the personal data we hold about you;

ask us to correct or complete incorrect or incomplete data; and

ask us to erase or restrict/stop processing your personal data (although this right is not absolute and only applies in certain circumstances).

Finally, you have the right to object to the processing of your data where we are relying on legitimate interests as the legal ground for processing. However, we may be able to continue processing if we have a compelling reason for doing so.

If you would like to exercise any of these rights or have any queries or concerns about them, please contact us by emailing life@la-eva.com.

You also have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (Tel. 0303 123 1113).

Because the processing of your personal data is not carried out by automated means and consent/contract, the right to data portability does not apply.

9. CAN WE OBLIGE YOU TO PROVIDE PERSONAL DATA, AND WHAT HAPPENS IF YOU DON’T?

If you would prefer not to provide us with your personal details but still want to receive marketing information from us, you can follow us on social media instead. Whilst – depending on your username – this may reveal personal data about you, we do not store this information.

If you would prefer not to provide us with your personal data for the purpose of purchasing our products, you can buy from our stockists instead.

Automated decision-making

No decisions are based on automated decision-making.

Questions and Comments

If you have any questions or comments at all, please don’t hesitate to email us via louisa@la-eva.com.

Privacy Notice version 1 (17 September 2018).

There are no previous versions.