Last Updated: 24.01.2023
Contents
Introduction
Who we are
What personal data is
Personal data we collect
How we collect your personal data
How we use your personal data, how long we keep it and what our lawful bases are
Sharing your personal data
International transfers
Security of your personal data
Your rights
Third party websites
Children
How to complain
How to contact us
Our EU Representative
1. Introduction
Our Privacy Notice is a way for us to explain how we’re looking after your personal data. Please don’t be put off by how formal it sounds (we did it for the lawyers).
We explain below how TouchNote Limited (“TouchNote”, “we”, “us”, “our”) processes the personal data we collect about you when you visit our website, use the TouchNote mobile App or make use of any of our products or services.
If you’ve got questions about anything we’ve written here, please get in touch with us using the contact details set out below (in Section 14), so we can shed some light on it for you.
At TouchNote, we believe that as our valued customer, you have a fundamental right to privacy and to have control over your personal data. We are grateful that you have chosen to be our customer and we take responsibility for, not only printing and posting your cards, but also for the protection of your personal data, which we take very seriously. We therefore comply with all relevant data protection legislation, including the UK General Data Protection Regulation and the EU General Data Protection Regulation (together referred to throughout this document as the “GDPR”) and the Data Protection Act 2018.
Please read the following carefully, so you understand how we process your personal data.
It’s a good idea to revisit this privacy notice regularly, as we may need to amend it from time to time. It was last updated on the date shown above.
2. Who we are
Our full name is TouchNote Limited.
Companies House Registration
We are a limited company registered with Companies House in England and Wales under registration number 06235264 and we have our registered office at:
Ground and Basement Floors,
17 & 18 Clere Street
London
England
EC2A 4LJ
Supervisory Authority Registration
We are the Controller of the personal data we collect and are registered in the UK with the Information Commissioner’s Office (“ICO”), registration number ZA148678.
3. What is personal data?
‘Personal data’ is any information from which you can be identified, either directly or indirectly. For example, your name or an online identifier.
4. Personal data we collect
The personal data we collect about you includes:
contact details such as your name, address, email address and phone number;
information about which products and/or services you purchase and/or are interested in;
financial data, such as card details (when you make a purchase). Your full card details are not recorded or stored in our database. We only collect and store the final four numbers of your credit or debit card, together with the expiry date and cardholder name, in order for you to be able to select that card when making a future purchase. The details are encrypted and transferred securely to our third-party payment service providers;
information about your online engagement with us, using cookies or similar technologies to track your IP address and geographical location (see our cookie policy for more information https://touchnote.com/us/cookie-policy/); and
any other information you may provide to us.
To use some of our services, you will need to supply us with the personal data of others. For example, if you wish to send cards or gifts to friends, family or colleagues, you will need to tell us their names and addresses. We will only use this personal data for the purpose for which it is supplied i.e.: fulfilling your order.
We also operate CCTV at our premises for the purposes of prevention and detection of crime. Therefore, if you attend our premises, images of you may be captured by CCTV.
5. How we collect your personal data
We collect your personal data directly from you via our website or our mobile App. This includes registering to use our services, placing an order, entering a competition or responding to a survey. We will also collect personal data from you when you contact us by phone or by email, or when you visit our premises.
6. How we use your personal data, how long we keep it and what our lawful bases are
We will use and keep your personal data in accordance with the purposes, retention periods and lawful bases set out in the table below. Once the retention period has expired, we will permanently and securely destroy any personal data that is no longer required. We may process some of your personal information for specific business purposes which are in our interests and enable us to enhance our services, but which we also believe benefit our customers.
Type of Individual | Type of Personal Data | Purpose of Processing | Lawful Basis | Retention Period |
---|---|---|---|---|
Customers (subscribers) | Name, email address and Customer User ID | To administer your account and keep you informed of updates and changes to our terms and conditions | Contract | 7 years following the end of your subscription |
Customers (purchasers) | Name, email address, Customer User ID | To deliver the goods and/or services you have ordered | Contract | 7 years following your last purchase |
Customers (purchasers and subscribers) | Name and financial data, such as credit card information and billing address | To process your payment or refund for your purchases / subscription | Contract | 7 years following the end of your subscription or the date of your last purchase |
Customers (purchasers and subscribers) | Name and email address | To send you emails and/or push notifications to remind you of orders you have prepared but not completed | Legitimate interests | 7 years following your last purchase or the end of your subscription |
Customers (subscribers) | | To send you newsletters, special offers, discounts, promotions, surveys and other marketing material via email and push notifications | Consent | 7 years following your last purchase or the end of your subscription |
Customers (purchasers) | Name and email address | To send you newsletters, special offers, discounts, promotions and other marketing material via email and push notifications | Consent | 3 years following your last meaningful contact with us |
Customers (purchasers and subscribers) | Name, email address | To share with Facebook and Instagram for the purpose of targeted marketing i.e.: If you are an existing customer, we will share your name and email address with Facebook and Instagram so that they can show our adverts to you. | Consent | 6 years following your last purchase or the end of your subscription |
Customers (purchasers and subscribers) | The demographics (i.e.: age, sex, family status etc) of our existing customers | These key characteristics are processed to ascertain the key characteristics of our ideal customers and then shared with Facebook and Instagram for the purpose of targeted marketing to potential new customers i.e.: Facebook and Instagram will find people with the same characteristics as our ideal customers and show them our adverts. (No personal data is shared with Facebook or Instagram for this purpose). | Legitimate interests | 7 years following your last purchase or the end of your subscription |
Customers (purchasers and subscribers) | Name and email address | To answer your enquiry or complaint | Legitimate interests | 1 year following the date of the enquiry / complaint |
Third parties associated with customers such as the friends, family or colleagues of purchasers and subscribers | Name, address and nature of relationship between the customer and third party such as mother, father, friend etc | To fulfil the orders placed by the customer and deliver the cards and/or gifts ordered | Contract | 7 years from the end of the contract |
Customers and third parties associated with customers, such as friends, family or colleagues of purchasers and subscribers | Name and email address | The provision and operation of referral marketing programmes | Legitimate interests | 6 months from date of last contact |
Customers (purchasers and subscribers) | Name, email address, Customer User ID, financial data, such as credit card information and billing address, nature of relationship between the customer and third party such as mother, father, friend etc | To enforce or apply our terms of use and other agreements or to protect the rights, property, or safety of TouchNote Limited, our customers, or others or to comply with a court order and includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. | Legal obligation, or legitimate interests, depending on the circumstances | 7 years following your last purchase or the end of your subscription |
People attending our premises | CCTV footage | To ensure the safety and security of staff, protect our property and for the prevention and detection of crime. | Legitimate interests | 24 hours from the date of the recording |
Website visitors | Using Google Analytics tracking code, we collect the following information. Customer number, subscription ID, IP address, time of visit, pages visited, time spent on each webpage, referring site details (URL), Type of web browser, Type of operating system (OS), screen resolution, screen colour processing ability, network location, document downloads, clicks on links leading to external websites, scrolling, mouse-overs, errors from forms and interest categories. | To analyse your use of our website to improve your experience and develop new services | Consent | Varies per cookie. See our Cookie Notice - https://touchnote.com/cookies/ |
Website visitors | Using Google Analytics tracking data, we collect the following information. Customer number, subscription ID, IP address, Time of visit, pages visited, time spent on each webpage, referring site details (URL), Type of web browser, Type of operating system (OS), screen resolution, screen colour processing ability, network location, document downloads, clicks on links leading to external websites, scrolling, mouse-overs, errors from forms, interactions with site-specific widgets, age, gender and interest categories. | We may use your personal data to create anonymised information and aggregated information, such as de-identified demographic information, de-identified location information, information about the computer or device from which you access the services, or other analyses, for a number of purposes, including the measurement of website visitors’ interest in and use of various portions or features of the website. Anonymised or aggregated information is not personal data, and we may use such information in a number of ways, including research, internal analysis, analytics and any other legally permissible purposes. | Consent | Varies per cookie. See our Cookie Notice - https://touchnote.com/cookies/ |
7. Sharing your personal data
If you consent to receiving marketing material from us, we will share your information with the service providers who will conduct the marketing services for us. For example, we may instruct another organisation to send emails to you on our behalf to tell you about forthcoming special offers, discounts and competitions which you may be interested in. We will ensure that we have entered into appropriate Data Processing Agreements with the service providers which means that they can only process your personal data in accordance with our instructions and they will not be able to use it for their own purposes.
We will also share your personal data in the following circumstances:
In the event that we sell our business or assets, we will disclose your personal data to the prospective buyer.
If all, or substantially all, of our assets are acquired by a third party, we will transfer the personal data of our customers to that third party.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use (https://www.touchnote.com/us/terms-and-conditions/) and other agreements; or to protect the rights, property, or safety of TouchNote Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We may process your personal information for our legitimate business interests. ‘Legitimate Interests’ means the interests of our company in conducting and managing our business, to enable us to give you the best service/products and the best and most secure experience. It can and does also apply to processing which is in your interests too. Processing for our legitimate interests may include processing for the purposes of (i) fraud prevention and compliance; (ii) certain direct marketing and promotional activities; (iii) the provision and operation of referral marketing programmes; (iv) network and information systems security; (v) data analytics; (vi) enhancing, modifying or improving our service; (vii) identifying usage trends; or (viii) determining the effectiveness of promotional campaigns or advertising. In connection with the above activities, we may share your personal information with suppliers who assist us in our data processing activities. When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests - we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by law). You have the right to object to this processing if you wish and if you wish to do so, please reach out to us using the contact details set out below (in Section 14).
8. International transfers
Personal data collected within the UK and the EEA must be processed to the standards required by the GDPR. Whilst we collect personal data from within the UK and the EEA, we may process it outside this area because some of the service providers we use are based outside the UK and the EEA.
We have taken appropriate steps to ensure that the personal data processed outside the UK and EEA has an essentially equivalent level of protection as it has within the UK and EEA. We do this by ensuring that:
Your personal data is only processed in a country which has an adequate level of protection (an adequacy regulation or decision has been issued)
or
We enter into EU-approved Standard Contractual Clauses (SCCs) or a UK International Data Transfer Agreement (IDTA) with the providers and ensure that supplementary measures are also applied, where necessary.
9. How we protect your personal data
We have implemented appropriate technical and organisational measures to safeguard your personal data and protect it from accidental or unlawful destruction, loss or alteration and from unauthorised disclosure or access.
10. Your rights
You have certain rights in relation to the processing of your personal data. These rights will vary depending on where you are located.
UK/EU General Data Protection Regulation (“GDPR”)
If you reside in the UK or the EU, you have the following rights:
Request access to your personal data (commonly known as a “Subject Access Request”). This enables you to receive a copy of the personal data we hold about you.
Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. If you object to us using your personal data for marketing purposes, we will stop sending you marketing material.
Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal data to another party (data portability).
Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
California Consumer Privacy Act (“CCPA”)
If you reside in California, you have the following rights:
know what personal data we collect about you;
request a copy of the personal data we have about you;
require that we delete your personal data;
know whether we sell your personal data and whether we disclose your data to anyone;
object to the sale of your personal data; and
not be discriminated against because you exercised your rights under the CCPA.
We do not sell or disclose your personal data for monetary gain or any valuable consideration. The personal data we collect about you is set out above in Section 4 under ‘Personal data we collect’.
Personal Information Protection Law (“PIPL”)
If you reside in the People’s Republic of China, you have the following rights:
You have the right to know and decide upon personal data processing;
You have the right of access to your personal data and can request copies of it and information about our processing of it;
If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it;
You have the right to request that your personal data is deleted, in certain circumstances;
You have the right to object and have the right to restrict the use of your personal data in certain circumstances;
You have the right not to be subject to a decision based solely on automated processing;
You have the right to portability, subject to conditions stipulated by the Cyberspace Administration of China;
Where we are processing your personal data with your consent you can withdraw your consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain parts of the service;
You have the right to ask Entrusted Parties to explain their processing rules on data subjects’ requests;
The close relatives of a deceased data subject also have certain rights; and
You can also raise a complaint with the data protection supervisory authority in the country in which you reside.
Personal Information Protection and Electronic Documents Act (“PIPEDA”)
If you reside in Canada, you have the following rights:
You have the right to access your personal data (subject to limited exceptions);
You have the right to correct inaccuracies in/update your personal data; and
You have the right to withdraw consent in certain circumstances.
The Privacy Act
If you reside in Australia, you have the following rights:
You have the right to request access to your personal data;
You have the right to correct inaccuracies in your personal data; and
You have the right to stop receiving unwanted direct marketing.
You can also make a complaint about us to the Office of the Australian Information Commissioner if you think we have mishandled your personal data.
Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais)(“LGPD”)
If you reside in Brazil, you have the following rights:
You have the right of access to your personal data and can request copies of it and information about our processing of it;
If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it;
Where we are not relying on consent, you have the right to oppose the processing we are carrying out on your personal data where we have not complied with the LGPD;
You can ask us to block, anonymise or delete the use of your personal data if:
It has been used unlawfully
It is unnecessary
It is excessive
In some circumstances you can request a machine-readable copy of your personal data and request us to transfer it to another service provider.
You have the right to review a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
Where we are processing your personal data with your consent you can withdraw your consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.
You can also raise a complaint with the data protection supervisory authority in the country in which you reside.
Personal Data Protection Law (No. 29733) and its Regulation (No. 003-2013-JUS-Regulation of the PDPL) (“PDPL”)
If you reside in Peru, you have the following rights:
You have the right to be informed about the collection and use of your personal data;
You have the right of access to your personal data and can request copies of it and information about our processing of it;
You have the right to request that your personal data is deleted, subject to certain exceptions;
You have the right to object to our processing of your personal data in certain circumstances, for example, where you have legitimate and grounded reasons, due to a specific personal situation
If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it;
In some circumstances, you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you;
Where we are processing your personal data with your consent you can withdraw your consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain parts of our service; and
You can also raise a complaint with the data protection supervisory authority in the country in which you reside.
If you have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we are permitted by law.
If you wish to exercise your rights, please contact us using the contact details provided within the ‘Contact Us’ section below. If you are in the EU, please contact our EU representative, whose contact details are shown within the ‘EU Representative’ section below.
You will not usually need to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity before we can process a request from you to exercise any of the above rights. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
11. Third-Party Websites
This website contains links to other websites. If you follow a link, please note these websites will have their own privacy notices. We do not accept responsibility or liability for the privacy notices on third-party websites. Please check their privacy notices before submitting any personal data to these websites.
12. Children
We do not knowingly solicit or collect any information about users who may be under the age of 16 and will delete any information provided by such individuals as soon as possible. Please do not provide us with any personal data if you are under the age of 16. Any users under the age of 18 should discuss the use of our services with their parents before they share any personal data with us.
13. How to complain
You have the right to lodge a complaint with the relevant supervisory authority, if you believe we are infringing the applicable data protection laws or you are concerned about the way in which we are handling your personal data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:
Or by telephone on 0303 123 1113
If you are outside the UK but within the EU, you can find the contact details of the supervisory authorities for countries within the EU by visiting the following link:
https://edpb.europa.eu/about-edpb/about-edpb/members_en
14. Contact us
If you’ve got questions about anything we’ve written here, please get in touch with us, so we can shed some light on it for you.
If you wish to exercise any of your rights outlined above, please let us know and we will respond without undue delay and in any event within one month, unless your request is complicated, in which case, it may take longer. If this is the case, we will let you know as soon as we can and in any event within one month.
You can contact us by post or email. The details you need are as follows:
TouchNote Limited
Ground and Basement Floors
17 & 18 Clere Street
London
England
EC2A 4LJ
email: [email protected]
Please feel free to use this form to detail your query: [LINK TO PDF]
Our Data Protection Officer is Evalian Limited, who can be contacted at [email protected].
15. Our EU Representative
We are based in the UK but, as we offer goods and services to people in the EU, we are required to appoint an EU representative, in accordance with the EU GDPR. The purpose of an EU representative is to make it easy for individuals located in the EU to contact us should they wish to exercise their rights or make a complaint or enquiry in relation to how we are processing their personal data. It is also a contact point for the supervisory authorities located in the EU.
If you are in the EU/EEA and wish to contact us via our GDPR Representative, DataRep, you may do so at:
Writing to our representative by post, using the most convenient address from the list below. PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ (EU Subjects) and not ‘TouchNote’, or your inquiry may not reach DataRep.
DataRep Postal Address List:
Country - Address
Austria - DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Belgium - DataRep, Place de L'Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium
Bulgaria - DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
Croatia - DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
Cyprus - DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
Czech Republic - DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic
Denmark - DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark
Estonia - DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia
Finland - DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland
France - DataRep, 72 rue de Lessard, Rouen, 76100, France
Germany - DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
Greece - DataRep, 24 Lagoumitzi str, Athens, 17671, Greece
Hungary - DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary
Iceland - DataRep, Kalkofnsvegur 2, 101 Reykjavík, Iceland
Ireland - DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Italy - DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy
Latvia - DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia
Liechtenstein - DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Lithuania - DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania
Luxembourg - DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg
Malta - DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
Netherlands - DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
Norway - DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway
Poland - DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
Portugal - DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal
Romania - DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania
Slovakia - DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
Slovenia - DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
Spain - DataRep, Calle de Manzanares 4, Madrid, 28005, Spain
Sweden - DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE - 211 46, Sweden