THE EU GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation (GDPR) is a new EU regulation aimed at helping to strengthen data protection for EU citizens and residents both within the EU and the wider world and will be effective from 25 May 2018. This new legislation will replace current data privacy law, giving more rights to you as an individual and more obligations to organisations holding your personal data. It replaces the existing Data Protection Directive (1995).
WHO WE ARE
Hopscotch is the trading name of Hopscotch London Limited, a UK based limited company (registered number 11282788). Hopscotch is the “data controller” (contact details below). This means it decides how your personal data is processed and for what purposes. In general, you can visit hopscotchlondon.com and its related sites and services without telling us who you are and without revealing any information about yourself. If, however, you contact us, or place an order with us, you will be asked to provide certain information such as your contact details and this data will be stored.
HOW WE USE YOUR DATA
To fulfil your order, you must provide us with certain information, such as your name, email address, billing and delivery addresses, payment information, and the details of the product(s) that you’re ordering. You may also choose to provide us with additional personal information (for a custom order, for example), if you contact us directly.
We use your personal data for the following purposes:
• to respond to your enquiries, requests, and comments;
• as needed to provide our services, such as when we use your information to fulfil your order, to settle disputes, or to provide customer support;
• when you have provided your affirmative consent, which you may revoke at any time, such as by signing up for our mailing list that we use to send you newsletters and information about products, services, promotions and administrative messages relating to our business;
• if you use our website to purchase or send gifts, we use the contact information (eg. email address) that you provide us with to send the gift to your requested recipients and provide other communications relating to these transactions;
• to comply with a legal obligation or court order or in connection with a legal claim, such as retaining information about your purchases if required by tax law;
• to maintain our own tax accounts and records as required by law;
• to improve the usability of the Hopscotch website;
• to prevent fraud or potentially illegal activities (including copyright infringement) on our online services
VISITORS TO OUR WEBSITE
When someone visits the Hopscotch London website we use a third-party service, Google Analytics. They gather anonymous standard internet log information and details of visitor behaviour patterns, for example, data of how people are using our site and then provide us with the visitor statistics, details of page views etc.
INFORMATION WE ASK FOR AT CHECKOUT
To fulfil your order, you must provide us with certain information. This can includes some or all of the following:
• Name (used to verify your payment and for delivery)
• Email address (used to send transactional emails)
• Phone number (we’ll only share this with selected third-party delivery services if necessary)
• Billing address (used to verify your payment)
• Shipping address (used for delivery)
• Whether you’d like to receive offers and updates via email (you must opt-in to receive emails)
• If you’d like to add a gift note (used to write a gift note included in deliveries)
• Instagram handle (used to connect with you on Instagram)
• Birthday (used to send you a birthday wish email once a year, only if you also opt-in to receive offers and updates via email)
• Card payment details (used to process your payment with Stripe, see below)
INFORMATION SHARING AND DISCLOSURE
Information about our customers is important to our business. We only share your personal information for very limited reasons and in limited circumstances, as follows:
• Service providers. We engage certain trusted third parties to perform functions and provide services to our shop, such as delivery companies. We will share your personal information with these third parties, but only to the extent necessary to perform these services. See below for more information.
• Business transfers. If we sell or merge our business, we may disclose your information as part of that transaction, only to the extent permitted by law.
• Compliance with laws. We may collect, use, retain, and share your information if we have a good faith belief that it is reasonably necessary to: (a) respond to legal process or to government requests; (b) enforce our agreements, terms and policies; (c) prevent, investigate, and address fraud and other illegal activity, security, or technical issues; or (d) protect the rights, property, and safety of our customers, or others.
PAYMENTS USING PAYPAL
Hopscotch uses PayPal as a secure payment processor. At checkout, after choosing PayPal as your payment method and confirming your order, you are taken to a secure payment page hosted by PayPal. PayPal uses Transport Layer Security (TLS) protocol to encrypt these communications.
PAYMENTS USING STRIPE
Hopscotch uses PayPal as a secure payment processor. At checkout, after choosing credit or debit card as your payment method, you’ll be asked to provide details of your payment card. These details are not seen or stored by us at anytime, and are securely encrypted and sent to Stripe to process your payment. Stripe forces HTTPS for all services using TLS (SSL).
All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).
Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.
Other notable rigorous compliance includes:
• SSAE18/SOC 1 type 1 and 2 reports
• Money Transmitter Licenses across the US
• PSD2 and Secure Customer Authentication compliant
• AFSL in Australia, E-Money License in Europe, and registered MSB in Canada
OUR THIRD-PARTY SERVICES (DATA PROCESSORS)
We do not sell your information to any third-party providers. However, we do use third-party services to deliver our products and operate our business. In general, the third-party providers will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
Each provider has information on their GDPR:
When you place an order using our website, we’ll send you transactional emails to the email address you provide at checkout. These transactional emails are only used to give you information about your order, such as:
• to confirm your order;
• to let you know your order has been dispatched;
• to let you know your order has been cancelled;
• to let your know your order has been refunded;
• to add a note to your order.
Transactional emails are facilitated via WordPress and SendGrid. Your email address and other personal information included in these emails is not shared with any other third-party companies, and is only used to ensure you receive order updates.
Sometimes we’ll need to contact you regarding an order you’ve placed, for clarification, stock information and so on. We’ll use the email address you provided at checkout to get in touch under these circumstances.
This website is built on WordPress, a website content management system (CMS). This service may collect anonymous information about users’ activity on the website, for example, the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors that want to post a comment, to enter a name and email address. If you submit a comment to a blog post published on this website or if you submit a contact form, some personal information will be stored in this website’s database. These are currently the only occasions where personal data will be stored on this website. For more information about how WordPress processes data, please see Automattic’s privacy notice.
SECURITY AND HOSTING
At Hopscotch, we endeavour to take security seriously and have taken extra steps to protect your personal information. We use a third party service, iThemes Security, to help maintain the security, backups, and performance of the website. The domain and hosting for Hopscotch are provided by GoDaddy within a secure EU data centre.
Our website has been issued with a SSL Certificate, which uses advanced encryption to prevent hackers from reading any data that passes to or from the site. SSL Certificates protect our customers’ sensitive information by encrypting the data you send us, then decrypting it once we’ve received it. Word-class SHA2 & 2048-bit encryption is used to keep your data safe.
IF YOU EMAIL US
Our primary email address (firstname.lastname@example.org) is hosted by GoDaddy and is accessed via a third-party application, Apple Mail. You should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
IF YOU MAKE A COMPLAINT TO US
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
TRANSFERS OF PERSONAL INFORMATION OUTSIDE THE EU
We may store and process your information through third-party hosting services in the US and other jurisdictions. As a result, we may transfer your personal information to a jurisdiction with different data protection and government surveillance laws than your jurisdiction. If we are deemed to transfer information about you outside of the EU, we rely on Privacy Shield as the legal basis for the transfer, as Google Cloud is Privacy Shield certified.
YOUR RIGHTS AND PERSONAL DATA
Under the GDPR, individuals have the right to obtain:
• The right to request a copy of your personal data that Hopscotch holds about you;
• The right to request that Hopscotch corrects any personal data if it is found to be inaccurate or out of date;
• The right to request your personal data is erased where it is no longer necessary for Hopscotch to retain such data;
• The right to withdraw your consent to the processing at any time;
• The right to request that the data controller (Hopscotch) provides the data subject (you) with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability). (This only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case, the data controller processes the data by automated means);
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on the further processing.
HOW TO CONTACT US
For purposes of EU data protection law, the data controller of your personal information is Hopscotch (Trading Name of Hopscotch London Limited, a UK Private Limited Company) whose registered office is: 7/9 Wagg Street, Congleton, Cheshire, CW11 1EN, United Kingdom. To exercise all relevant rights, queries or complaints please in the first instance contact: info(at)hopscotchlondon.com
We will report any unlawful data breach of our database or the database(s) of any of our third party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen.
INFORMATION COMMISSIONER’S OFFICE
You can contact the Information Commissioner’s Office on 0303 123 1113 or via email or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
Hopscotch may update this policy and you should check this page from time to time to ensure that you are happy with any changes.
Hopscotch London Limited: Last Updated 17 May 2018