WHO WE ARE
We are Heathcote & Ivory Limited (“we/our/us”). We are a company incorporated in
England and Wales with registered company number 03749171. Our registered office
address is Acre House, 11-15 William Road, London, NW1 3ER. Our registered VAT number is
735 676 696.
For the purpose of the Data Protection Act 1998, the General Data Protection Regulation
(Regulation (EU) 2016/679) and any amended, updated or subsequently implemented
legislation in the UK and/or EU relating to the controlling and processing of personal data
(“Data Protection Legislation”) we are a data controller of personal data provided by you to
us through use of our Website (as defined below). Where we consider it appropriate (and as
further described in this policy) we may also provide third party data processors with such
personal data for the purposes set out in this policy.
We are registered as a data controller with the UK Information Commissioner’s Office with
registration number ZA357236.
The Data Protection Officer is responsible for ensuring compliance with the Data Protection
Legislation and with this policy. That post is held by Esther Meyer who may be contacted by
telephone on 0207 483 8383 or by email at email@example.com. Any questions about
the operation of this policy or any concerns that the policy has not been followed should be
referred in the first instance to the Data Protection Compliance Manager.
ABOUT THIS POLICY
This policy sets out how, when and why we may collect, control, store, process and transfer
personal data that you provide to us, or that we collect from you, when you correspond with
us directly and/or enquire or place orders for products with us and/or provide personal data
to us through using the www.heathcote-ivory.com website (the “Website”).
This policy also sets out your rights and our obligations in relation to collecting, controlling
and processing such personal data.
Our main objective is for you to have absolute trust and confidence in us when we collect,
control and process your personal data. The Data Protection Legislation is not, however,
intended to prevent processing of personal data, but to ensure that such processing is done
fairly and without adverse impact on your fundamental rights and freedoms.
Any third party data processors are obliged to comply with this policy when processing
personal data on our behalf. Any breach of this policy by that third party may result in
disciplinary action being taken against them.
This policy is drafted in English. If there is a conflict between a translated version and the
English version of these terms then, to the extent permitted under applicable law, the
English version shall prevail.
WHAT IS PERSONAL DATA?
Personal data is information relating to an “identified” or “identifiable” living individual. An
“identifiable” individual is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an email address, a postal address, date of birth,
an identification number, location data, online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or social identity of that
Sensitive personal data includes, but is not limited to, personal data which reveals racial or
ethnic origin, and data concerning health or sex life and sexual orientation.
Further detail as to the specific types of personal data and sensitive personal data we may
control and process is set out at paragraph 6, below.
For personal data to be processed lawfully by us, it must be processed on the basis of one
or more of the lawful processing bases set out in the Data Protection Legislation. The lawful
bases include, but are not limited to:
- your freely given, specific, informed and unambiguous consent to the processing, given by a clear statement or affirmative action;
- that the processing is necessary for the performance of a contract to which you are a party;
- that the processing is necessary in order for us to take steps at your request prior to entering into a contract with you;
- that processing is necessary for compliance with a legal obligation to which you are subject; or
- where processing is in the legitimate interest of the data controller or the party to whom the data is disclosed.
As such, we do not always require consent from you in order to lawfully process your
personal data – we will only obtain consent to processing where we are unable to rely on
one of the other lawful bases for processing. However, if we collect sensitive personal data
from you we will generally ask for explicit consent in order to process such sensitive personal
INTEGRITY AND SECURITY MEASURES
Taking into account the state of the art, the cost of implementation and the nature, scope,
context and purposes of processing as well as the risks of varying likelihood and severity for
rights and freedoms of natural persons posed by the processing, we must, both at the time
of the determination of the means for processing and at the time of the processing itself,
implement appropriate technical and organisational measures, which are designed to
implement data-protection principles in an effective manner and to integrate the necessary
safeguards into the processing in order to meet the requirements of the Data Protection
Legislation and to protect your rights as a data subject.
In order to ensure data protection by design and by default, we will:
- take appropriate security measures against unlawful or unauthorised processing of personal
data, and against the accidental loss of, or damage to, personal data;
- put in place procedures and technologies to maintain the security of all personal data from
the point of collection to the point of destruction. Personal data will only be
transferred to a data processor if it agrees to comply with those procedures and
policies, or if it puts in place adequate measures itself;
- maintain data security by protecting the confidentiality, integrity and availability of the
personal data, defined as follows:
  - Confidentiality means that only people who are authorised to use the data can access it.
  - Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
  - Availability means that authorised users should be able to access the data if they need it for authorised purposes.
PERSONAL DATA WE MAY CONTROL AND PROCESS
We may collect and process various types of personal data and other information from you
when you correspond with us, when you use our Website, and when you correspond
with us by phone, email or otherwise. The type of data collected, and the manner in which
such data is collected, will vary depending on how you correspond with us, how you use our
Website, and whether or not we have a lawful basis for processing data in that way. Further
details of the type of data we collect and the manner in which such data may be processed are
set out below in paragraph 6 under the heading “How we collect and use Personal Data”.
Personal data will only be collected to the extent that it is required for the specific purposes
HOW WE COLLECT AND USE PERSONAL DATA
Personal data may be collected by us actively and passively. The specific types of personal
data we may collect from you, and the manner in which such personal data may be
Registration Data
This is personal data that we collect from you when you register to use, or purchase goods
(either as a registered user or as a guest) through, our Website.
We will collect your name, email address, postcode, postal address, phone number, credit
card details and the password you choose for your account, at the time of you setting up an
account to use our Website. We may also collect other information, including your company
name, if you choose to provide it to us at the time of setting up an account to use our
How we will use Registration Data
We will use Registration Data for the purpose of reviewing, accepting, confirming,
processing, taking payment for, and arranging delivery to you of, orders for goods you place
through the Website. In particular, we will use your name and email address to identify you
from other customers so that we can process your order properly. We will also use your
email address in order to send communications to you relating to the progress of your order
(including for the purpose of confirming that we have accepted your order).
We may also use Registration Data for the purpose of sending direct marketing emails to you
relating to the goods and services we offer, as well as for the purpose of sending our
newsletter to you. You may unsubscribe from receiving such direct marketing emails at any
time by following the “unsubscribe” link in such marketing emails.
Why we may lawfully process Registration Data
We may lawfully process Registration Data for the purpose of reviewing, accepting,
confirming, processing, taking payment for, and arranging delivery to you of, orders for
goods you place through the Website on the basis that doing so is necessary for the
performance of a contract to which you are a party, or is necessary in order to take steps at
your request prior to entering into a contract.
We may also lawfully process your name and email address for the purpose of sending direct
marketing and newsletter emails to you on the basis that we have a legitimate interest in
doing so. We consider ourselves to have a legitimate interest as:
- we are pursuing a lawful business interest in sending marketing materials to our
existing contacts and customers;
- sending such marketing materials to you via email is the quickest and easiest way for
us to pursue and manage this lawful business interest, so such processing is
therefore necessary; and
- given that you may unsubscribe to such emails at any time, and that we make you
aware at the time of collecting your data as to how, when, where and why we will
use Registration Data, we consider your fundamental rights and freedoms to be
balanced with our interest in sending such direct marketing emails to you.
How we will store Registration Data:
Registration Data is stored on secure servers based in the UK hosted by Coreix Limited.
Reseller Data
This is personal data we collect from you when you correspond with us, and/or place orders
with us for the goods and/or services we offer, as a retail reseller.
We may collect your name, email address, postcode, postal address, phone number, credit
card details, bank account details and the password you choose for your account (if
applicable), at the time of you liaising with us in respect of (and/or placing an order for) the
goods and/or services we offer. We may also collect other information, including your
company name, if you provide it to us.
How we will use Reseller Data
We will use Reseller Data for the purpose of reviewing, accepting, confirming, processing,
taking payment for, and arranging delivery to you of, orders for goods you place. In
particular, we will use your name and email address to identify you from other retail
resellers so that we can process your order properly. We will also use your email address in
order to send communications to you relating to your order for goods (including for the
purpose of confirming that we have accepted your order).
We may also use Reseller Data for the purpose of sending our newsletter to you if you have
subscribed to receive such communication, as well as for the purpose of sending direct
marketing emails to you relating to similar goods and services we offer which we consider
may be of interest to you. You may unsubscribe from receiving such direct marketing emails
at any time by following the “unsubscribe” link in such marketing emails.
How we will store Reseller Data:
Reseller Data is stored on secure servers based in the UK hosted by Coreix Limited. Reseller
Data may also be stored on secure servers hosted by Magento, Inc.
Website Data
This is data we may collect passively when you use our Website.
Website Data includes, but is not limited to, your device’s location at the time of using the
Website, as well as information relating to when, where and how the Website is used by
you, and how many times the Website is accessed by you.
Website Data may also include your device’s Internet Protocol (IP) address, cookies, device
type and version, the areas of the Website you visit, the amount of time spent within
particular areas of our Website, time zone settings, the time and date of your use of the
Website and the operating system and version you use to access the Website, information
about your use of the Website including (if applicable) the full Uniform Resource Locators
(URLs), clickstream to, through and from our Website (including date and time), any goods or
services you have viewed or searched for, the Website response times, download errors,
page interaction information (such as scrolling, clicks, and mouse-overs), and methods used
to browse away from the page.
How we will use Website Data
We will use Website Data for the purpose of tracking and analysing the popularity and
performance of the Website, how it is used by users and for other purposes so that we can
tailor, develop and improve the Website and performance of the Website for the benefit of
Website users and our clients.
Why we may lawfully process Website Data for these purposes
We will lawfully process Website Data for such purposes on the basis that we consider
ourselves to have a legitimate interest in doing so as:
- we have a lawful business interest in developing and improving the Website for the
benefit of our users;
- we may only pursue this interest by obtaining and analysing Website Data in this
way, so our activities are necessary in pursuing our lawful business interest; and
- we also consider this interest to be balanced with your fundamental rights and
freedoms given that we have informed you as to how, when, where and why such
Website Data will be collected and processed in this manner, as well as given that our
processing of the Website Data in this manner will positively impact upon your user
experience of the Website.
Where is Website Data stored?
Website Data is passively collected and stored on secure servers operated by Heathcote &
Ivory and its third party IT support (as well as its group companies), a third party processor who
will collect Website Data as and when it arises through your use of the Website. This
processor may subsequently provide the Website Data to us once it has collated and
processed the Website Data.
Employee Data
If you are an employee of ours we will collect your name, personal email address, date of
birth, national insurance number, postal address, telephone number, a photocopy of your
passport, passport number and information relating to your next of kin.
How we will use Employee Data:
We will use Employee Data for the purpose of us identifying you from other employees and
carrying out general activities required of a reasonable employer. Such activities will include,
but are not necessarily limited to, contacting you or your next of kin in the case of
emergency, corresponding with you in connection with your role as an employee and
making payment to you in connection with your employment.
Why we may lawfully process Employee Data for these purposes
We may lawfully process Employee Data for these purposes on the lawful basis that such use
is necessary either:
- in order for us to perform our obligations under your contract of employment; or
- in order for us to take steps at your request prior to entering into a contract of
employment with you.
How Employee Data is stored:
Employee Data will be stored on secure internal servers located at our trading address. This
server is firewall and password protected, and Employee Data stored on such servers is
We will only retain your personal data for as long as necessary to fulfil the purposes we
collected it for, including for the purposes of satisfying any legal, accounting, or reporting
To determine the appropriate retention period for personal data, we consider the amount,
nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use
or disclosure of your personal data, the purposes for which we process your personal data
and whether we can achieve those purposes through other means, and the applicable legal
By law we have to keep basic information about our customers (including Contact, Identity,
Financial and Transaction Data) for at least six years after they cease being customers for tax
Details of other retention periods for different aspects of your personal data are contained
in our retention policy which you can request from us by contacting us at firstname.lastname@example.org.
In some circumstances you can ask us to delete your data and in some circumstances we
may anonymise your personal data (so that it can no longer be associated with you) for
research or statistical purposes in which case we may use this information indefinitely
without further notice to you.
YOUR RIGHTS AND OUR OBLIGATIONS
In some circumstances we may require explicit consent from you in order to process your
personal data for a particular purpose or purposes. We will generally only obtain consent
from you if we do not have another lawful basis for doing so, for example if we do not have
a legitimate interest in doing so or such processing is not necessary to perform a contract to
which you are a party.
We do not require consent in order to obtain and process your personal data for the
purposes set out in section 6 above (“How We Collect and Use Personal Data”).
However, if we are controlling and processing your personal data on the sole basis of
consent, we will ensure that such consent:
- is presented in a manner which is clearly distinguishable from the other matters, in an
intelligible and easily accessible form, using clear and plain language. Any part of
such a declaration which constitutes an infringement of the Data Protection
Legislation will not be binding;
- can be easily withdrawn by you at any time. The withdrawal of consent shall not affect
the lawfulness of processing based on consent before its withdrawal. Prior to giving
consent, you shall be informed accordingly. It shall be as easy to withdraw as to
- is freely given. When assessing whether consent is freely given, we shall take account of
whether the performance of a contract, including the provision of a service, is
conditional on consent to the processing of personal data that is not necessary for
the performance of that contract;
- is lawful where we intend to collect and process personal data of children. Where the child
is below the age of 16 years, such processing shall be lawful only if and to the
extent that consent is given or authorised by the holder of parental responsibility
over the child (and we shall make reasonable efforts to verify in such cases that
consent is given or authorised by the holder of parental responsibility over the
child, taking into consideration available technology).
You may exercise your right to withdraw consent to processing at any time by contacting us
via email to email@example.com. However, such withdrawal of consent will not
retrospectively render processing prior to withdrawal of consent as unlawful.
The Right to Erasure (also known as the “Right to be Forgotten”)
You also benefit from the right to erasure. This means that you have the right to request us
to erase personal data we hold about you, and that we should erase such data without
undue delay, provided that you are able to demonstrate one of the following to us:
- (a) that our processing of the personal data is no longer necessary in relation to the purpose for which it was collected;
- (b) that you withdraw your consent to the processing and there is no other legal ground for us to continue to process the data;
- (c) that you object to the processing under the Data Protection Legislation and there are no overriding legitimate grounds for processing;
- (d) that the personal data must be erased in order to comply with a national legal obligation; or
- (e) the personal data in question belongs to a child under the age of 16 and no consent is given or authorised by the holder of parental responsibility over the child.
You also benefit from the right to rectify inaccurate personal data we hold which relates to
you (also known as the “right to rectification”). This means that, taking into account the
subject of the processing, you shall have the right to have incomplete personal data
completed. You can exercise your right to rectification by contacting us via email to
You also have the right to receive the personal data concerning you in a structured,
commonly used and machine-readable format. You have the right to transmit such data to
other data controllers without hindrance from us where we are processing that data on the
basis of having your consent to do so, or where it is necessary for the performance of a
contract, and the processing is carried out by automated means.
Subject Access Requests
You as a data subject are entitled to make a formal request for information we hold about
you. We must provide you with a copy of this information, the reasons it is being processed
and whether it will be given to any other organisations or people provided that you make
this request in writing.
Our Website is not marketed to (and should not be used by) anybody under the age of 16.
We do not knowingly collect personal data from children under the age of 16. In the event
that we discover that a child under the age of 16 has provided us with personal data, we will
delete such data from our servers unless consent is given or authorised by the holder of
parental responsibility over the child.
SHARING AND TRANSFERRING PERSONAL DATA
We use industry standard encryption for transmission of data to our systems. Although we
cannot guarantee the absolute safety of transmission of data via the internet, we adhere to
industry standards to give your data the most appropriate protection possible.
We may provide your personal data to internal and external third parties in order for us to
conduct our business services sufficiently. These may include:
External Third Parties
- Service providers who may act as processors based inside or outside the EU and who provide
IT, system administration and other services.
- Professional advisers who may act as processors including lawyers, bankers, auditors and
insurers based inside or outside the EU who provide consultancy, banking, legal, insurance
and accounting services.
- HM Revenue & Customs, regulators and other authorities who may act as processors based
inside or outside the EU who require reporting of processing activities in certain
Other sharing of Personal Data
We may share personal data we hold with any member of our group, which means our
subsidiaries, our ultimate holding company and its subsidiaries.
We may also disclose personal data we hold to third parties, with your consent, or on an
otherwise lawful basis under the Data Protection Legislation. For example, we
may do so:
- (a) in order to facilitate, provide and improve the Website and the goods and/or services we provide to you;
- (b) in order to improve the functionality of the Website;
- (c) in order to analyse the manner in which our Website and goods/services are used by users;
- (d) in the event that we sell or buy any business or assets, in which case we may disclose
personal data we hold to the prospective seller or buyer of such business or assets;
- (e) if we or substantially all of our assets are acquired by a third party, in which case personal
data we hold will be one of the transferred assets; and
- (f) if we are under a duty to disclose or share your personal data in order to comply with any
legal obligation, or in order to enforce or apply any contract with the data subject or
other agreements; or to protect our rights, property, or safety of our employees,
customers, or others. This includes exchanging information with other companies
and organisations for the purposes of fraud protection and credit risk reduction.
Transfers outside the EEA
We may also transfer any personal data we hold to a country outside the European
Economic Area (EEA), provided that one of the following conditions applies:
(a) the country to which the personal data is transferred ensures an adequate level of
protection for the data subjects' rights and freedoms;
(b) you have given your consent to such transfer;
(c) the transfer is necessary for one of the reasons set out in Data Protection Legislation,
including the protection of your vital interests;
(d) the transfer is legally required on important public interest grounds or for the establishment,
exercise or defence of legal claims; or
(e) the transfer is authorised by the relevant data protection authority where we have adduced
adequate safeguards with respect to the protection of the data subjects' privacy, their
fundamental rights and freedoms, and the exercise of their rights.
CHANGES TO THIS POLICY
We reserve the right to change this policy at any time. Where appropriate, we will notify
you, as a data subject, of those changes by email.
CONCERNS OR COMPLAINTS
If you have any concerns or complaints relating to this policy, its subject matter, or the
manner in which we collect, control and/or process your personal data, please do let us
know by sending an email to firstname.lastname@example.org.
You also have the right to lodge a complaint with a supervisory authority if you consider that
the processing of your personal data has infringed the Data Protection Legislation. In the UK,
the relevant supervisory authority is the Information Commissioner’s Office.