Findlays Wines & Spirits LTD (company number 13939944 and registered office address Unit 2, Dotton Farm Business Units, Newton Poppleford, Devon, EX10 0JY) is committed to respecting and protecting our customers' privacy and treats it with the same respect as our wine selection.
This policy applies where we are acting as a data controller with respect to your personal data, in other words, where we determine the purposes and means of the processing of such personal data. It captures personal data entered across all channels: through our website, app, in store or via our contact centre. This policy also provides certain information that is legally required and lists some of your rights in relation to your personal data.
Please read this policy carefully to understand our views regarding your personal data and how we will treat it.
This policy relates to personal information that identifies “you” meaning customers or potential customers, suppliers, individuals who browse our website and other individuals outside our organisation with whom we interact. If you are an employee, contractor or otherwise engaged in work for us or applying to work for us, a separate privacy notice applies to you instead.
This policy is not intended for children and we do not knowingly collect personal data relating to children.
Marketing Preferences
By using the marketing preferences functionality in your online account, you can specify whether you would like to receive direct marketing communications and limit the use of your information. You can access and update your marketing preferences by clicking here.
How to contact us
If you need to contact us in connection with our use or processing of your personal data, or gain access to it, then our contact details are here.
Categories of personal data
In this section we outline the categories of personal data which we may collect, use, store, share and transfer. Usually the personal data we process falls into one or more of the following categories:
Order, Account and Billing Data – this includes information relating to your account and transactions (including payment) with us and information which we need to fulfil your order, such as your name, date of birth, bank account or card details, information which we collect for the purposes of the prevention of fraud billing address, delivery address, phone number, email address and purchase history, some of which we may not receive directly as it may be collected by payment processors;
Internal Social Data – this includes information that you post for publication on our website or app, such as wall posts or product ratings and reviews;
Usage Data – this includes information about your use of our website or app, and reaction to our emails and services, such as your device ID, IP address, geographical location, browser type and version, operating system, length of visit, page views and website pages viewed, as well as information about the timing, frequency and pattern of your use;
Communication Data – this includes information contained in any communication, enquiry or complaint you submit to us regarding goods and/or services and personal data we create about you in relation to the same (such as where we make a written record of a complaint made in our store so that we can take steps to address the complaint) as well as any information in any survey you complete for us;
Marketing Data – this includes your advertising preferences, such as your preferences in receiving marketing materials from us and/or our third parties (such as our media and marketing agencies), your name, email address, billing address, phone number, date of birth, gender, and the user ID of any social platforms you have connected with us on;
Audio and Visual Data – this includes personal data which is gathered using our CCTV (which is in operation in all our stores, at our head office and delivery depot) or other recording systems in the form of images, video footage and sound recordings that is taken at any of our locations or otherwise by us (or our staff) for promotional or security purposes; and
Aggregated Data – we also obtain and use aggregated data such as statistical or demographic data. Aggregated Data may be derived from your personal data but does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific feature on our website. However, if we re-combine or re-connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this policy.
How we use your personal data
We collect personal data about you in order to:
perform our contractual obligations to you. This would include:
• delivering your orders to you;
• making or receiving payments (including speedy checkout);
• collecting and recovering money owed;
• supplying the purchased goods or services and keeping proper records of those transactions; and
• updating you on the progress of your order;
comply with our own legal and industry obligations. This would include processing your date of birth data for the purposes of confirming you are 18 or over and therefore legally able to purchase alcohol;
administer and run our business. This would include processing your Internal Social Data:
• for the purposes of publishing on our website or app (or social media channels such as Facebook, Twitter, Instagram etc); and
• in our marketing materials to help us tell other customers about our products and services;
use data analytics (including Google Analytics and e-mail services providers), to identify usage trends, determine and measure the effectiveness of promotional campaigns and advertising and to improve our website, products/services, marketing, customer relationships and experiences. This would include processing your Usage Data for the purposes of analysing the use of the website, emails and services;
manage our relationship with you including:
• to notify you if you have asked us to let you know when an item is back in stock;
• where you have paid with a gift card and there is a balance remaining, to remind you that the balance will be available as a credit to use on further purchases;
• if you have opened an account with us, to confirm your registration;
• contacting you if you have asked us to contact you by completing a Contact Form via our website;
• contacting you if you have asked for a password reminder or reset;
• to send you important notices such as communications about changes to our terms and conditions and policies (including this policy);
• to send you information you have requested;
• to e-mail you when you have placed items in your shopping basket but not proceeded to payment;
• to ask you to leave a review or feedback on us; and
• to respond to, provide clarification on, resolve issues in relation to, or otherwise communicate with you in relation to, any enquiry you may have.
make suggestions and recommendations to you about goods or services that may be of interest to you, deliver relevant website content and advertisements to you and to measure or understand the effectiveness of our advertising. This would include, for example, telling you about your local pubs, bars and restaurants who stock our wines, advertising our products and services to you on social media sites such as Facebook, Twitter, Instagram etc. We may also use Marketing Data to exclude you from seeing advertisements from such third party websites;
communicate with you about, and administer your participation in, special events, programs, promotions, any prize draws or competitions;
protect our business including to deal with any misuse of our website and to comply with our security policies at our locations;
enforce or apply our terms of use, terms and conditions of supply and other agreements with third parties;
to detect and prevent fraud and other illegal activities (and to assist regulators, trade bodies and law enforcement agencies in relation to the same); and
finance, restructure, sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers.
We may process any of your personal data identified in this policy where necessary for the establishment, investigation, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
We may process any of your personal data identified in this policy where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice.
Personal data about other people which you provide to us
Please do not supply any other person’s personal data to us, unless we prompt you to do so. If you do share personal data about someone else (such as the recipient of a gift, one of your directors or employees, or someone with whom you have business dealings) with us, you must ensure you have their authorisation, that you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this policy.
Where you do share personal data about someone else with us, you must ensure the individual concerned is aware of the various matters detailed in this policy, as those matters relate to that individual, including our identity, how to contact us, the way in which we collect and use personal data and our personal data disclosure practices, that individual's right to obtain access to the personal data and make complaints about the handling of the personal data, and the consequences if the personal data is not provided.
The sources from which we obtain your personal data
We obtain your personal data from the following sources:
Directly from you, either in person (at our stores, other locations or otherwise), via e-mail, our website or by telephone or via hand held PDAs;
Via automated technologies, such as CCTV or other recording systems, cookies, server logs and other similar technologies;
From someone else, such as analytics providers (e.g. Google Analytics), our provider of customer feedback, advertising networks, search information providers, providers of technical, payment and delivery services, providers of social media platforms (such as Facebook, Twitter and Instagram) (for example where you share our content through social media, for example by liking us on Facebook, following or tweeting about us on Twitter).
Accuracy of personal data
It is important that the personal data we hold about you is accurate and current and we take all reasonable precautions to ensure that this is the case but we do not undertake to check or verify the accuracy of personal data provided by you. Please keep us informed if your personal data changes during your relationship with us either by logging onto your account on the website or by contacting us. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.
Providing your personal data to others
We do not, and will not, sell any of your personal data to any third party. We want to earn and maintain your trust, and we believe this is absolutely essential in order to do that.
We may disclose your personal data with the following categories of companies as an essential part of being able to provide our goods and services to you, as set out in this policy:
to any member of our group of companies who may process data on our behalf to enable us to carry out our usual business practices for the purposes, and on the legal bases, set out in this policy;
to our insurers and professional advisers (such as accountants, bankers, insurers, auditors and lawyers) insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks or obtaining professional advice;
to companies such as Facebook, Twitter, Instagram and other companies which you choose to interact with, including where those companies operate plugins or content on our website;
to companies that do things to get your orders to you, such as warehouses, order packers and delivery companies;
to our PR and marketing research agencies;
to third parties where necessary for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
to HMRC, legal and other regulators or authorities, including those who request your personal data or to report any potential or actual breach of applicable law or regulation;
to third parties which are considering or have decided to acquire some or all of our assets or shares, merge with us or to whom we may transfer our business (including in the event of a reorganisation, dissolution or liquidation);
to law enforcement agencies, courts or other relevant party, to the extent necessary for the establishment, exercise or defence of legal rights;
If applicable, to postal printing and mailing companies in order to deliver news and offers to you, as well as email service & marketing tool providers that help us to enable our marketing; and
to our card payment service providers to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds.
Our lawful basis for processing your personal data
We are required by law to have a lawful basis to process your personal data for the purposes set out in this policy.
Where we are relying on a basis other than your consent, the lawful basis for processing personal data will be one of the following:
the processing is necessary in order for us to comply with our legal obligations (such as alcohol legislation);
the processing is necessary for the performance of a contract you are party to or in order to take steps at your request prior to you entering into a contract;
processing is necessary for the establishment, exercise or defence of legal claims; or
the processing is necessary for the pursuit of our legitimate business interests. In particular, our legitimate interests include:
• the provision of goods and services;
• the recovery of debt;
• the provision of administration and / or IT services;
• the security of our IT network;
• the prevention of fraud;
• marketing of goods and services and promotion of our business;
• the reorganisation or sale or refinancing of the business or a group restructure;
• the study in how to develop and the update of our products and services;
• the development of our business strategy;
• protecting our business and property.
the processing is necessary in order to protect the vital interests of an individual e.g. where there is a medical emergency at one of our premises; or
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
For certain purposes it may be appropriate for us to obtain your prior consent. The legal basis of consent is only used by us in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way.
In the event that we rely on your consent, you may at any time withdraw the specific consent you give to our processing your personal data. Please contact us using the contact details set out in paragraph 3 of this policy to do so. Please note even if you withdraw consent for us to use your personal data for a particular purpose we may continue to rely on other lawful bases to process your personal data for other purposes.
Transfers outside the European Economic Area (EEA)
It is possible that personal data we collect from you may be transferred, stored and/or processed outside the United Kingdom, including the European Economic Area and the United States of America. In connection with such storage, processing and transfers we will seek to ensure that:
the transfer is to a country that the United Kingdom has decided provides an adequate level of protection such as to a country approved by the United Kingdom or to certain organisations with the US pursuant to the Privacy Shield (where valid);
there are appropriate safeguards in place such as ensuring that all our group companies follow the same rules when processing your personal data (called binding corporate rules) or putting in place standard data protection contractual clauses between us and the recipient (often called the model contractual clauses). A copy of the appropriate safeguard can be obtained by contacting us using the contact details set out in this policy; or
one of the derogations for specific situations under the law applies, examples could include where you have explicitly consented to the transfer or the transfer is necessary for the performance of a contract or exercise or defence of legal claims.
We will take all reasonable steps to ensure your information is treated securely and in line with this policy. You acknowledge that personal data that you submit for publication through our website, for example product reviews, may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.
How long we retain your data
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
As a general rule, we will not keep your personal data for longer than seven years. For more information on how long we keep your personal data, please see our data retention policy, a copy of which can be obtained by contacting us using the contact details in section 3 of this policy.
We will however retain your personal data whilst you are an active customer (in other words, you purchase products from us) for as long as is needed to give you the best possible service.
Where you have not placed an order (sale, refund or other payment) with us for seven years, we will anonymise your personal data provided you have not otherwise interacted with us for two years. For the purposes of this policy, an interaction is defined as an identifiable website or app session, contacting our contact centre or contacting us in store or via telephone or e-mail. We will inform you before we anonymise your data and give you the option for us to retain your details in order to continue to serve you.
In all instances outlined above, the process of anonymising your data may take up to one calendar month.
In certain circumstances we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, to resolve disputes and enforce our agreements.
Any anonymised Internal Social Data which is stored in an unstructured format (such as free text reviews and wall posts) will not be deleted under these data retention rules unless requested by you.
Your rights
You have a number of rights in respect to your personal data, some of which we have summarised in this section. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights. You may exercise any of your rights in relation to your personal data by either emailing us on findlaywines@gmail.com, calling our Customer Contact Centre, or coming into store.
Right of access – you may have the right to confirm as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information.
Right to rectification – you may have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
Right to erasure – in certain circumstances you may have the right to request the erasure of your personal data on legitimate grounds as specified in law.
Right to restriction on processing – in some circumstances you may have the right to request the restriction of the processing of your personal data on legitimate grounds as specified in law.
Right to objection to processing – you may have the right to object, on legitimate grounds as specified in law, to our processing of your personal data on grounds relating to your particular situation.
Right to data portability – in certain circumstances, you may have the right to receive your personal information in a structured, commonly used and machine-readable format and to transmit that information to another controller to enable it to use the data, to the extent applicable in law.
Right to stop marketing messages – at any time you can amend your marketing preferences to reduce, remove or increase the amount we contact you with special offers. You can do this by accessing your account here.
Right to withdraw consent – to the extent that the legal basis for our processing of your personal data is consent, you have the right to withdraw that consent at any time.
Right to complain – in the event that you wish to make a complaint to us about how we process your personal data, please contact us at findlaywines@gmail.com and we will endeavour to deal with your request as soon as possible. You may have a legal right to lodge a complaint with the Information Commissioner’s Authority or other supervisory authority responsible for data protection. Please see https://ico.org.uk/concerns/ for how to do this.
Automated decision making
We use automated decision-making tools in our processing of your personal data. This includes (but is not limited to) the application of profiling techniques to your personal data.
The logic we employ in relation to such automated decision-making is designed to analyse your personal data in order to establish characteristics about you, such as what types of wines you like (or might like). For example if you have ordered a full-bodied red wine from us then we may use automated decision making in order to recommend wines you might like based on this.
The logic we use in our automated decision-making tools is designed to ensure that you have the best possible experience when you shop with us. The consequences of us using such automated decision making are as follows:
You may see more of the drinks you like when you browse our website because we may review your previous purchases;
Where you have opted in to our marketing e-mails, you may start receiving some types of marketing materials based on your previous spend with us (e.g. if you buy a lot of fine wine);
You may be assigned to your nearest store and receive updates specific to that store (such as events, opening hours etc).
Cookies
We use cookies on our website. For more information on cookies, please see our Cookies policy here.
Amendments
We may update this policy from time to time by publishing a new version on our website. You should check this page occasionally to ensure you are happy with any changes to this policy.
Data Protection Team
We have a team trained to help with any data protection query. If you have any concerns or questions about how we protect your privacy, please contact the team on findlaywines@gmail.com
Links to other websites
This policy only applies to us. If you link to another website from our website, you should remember to read and understand that website’s privacy policy as well. We do not control unconnected third-party websites and are not responsible for any use of your personal data that is made by unconnected third party websites.
Technical and security measures
All information you provide to us is stored on secure servers and we use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
We ensure that any third parties with whom your personal information is shared in accordance with this policy are also subject to agreements which impose on them equally stringent procedures and security features to help keep your personal data secure.
Procedures are in place to deal with any suspected personal data breach and to notify you and any applicable regulator when legally required to do so.