1. About this policy. Kathryn Tilly Limited is committed to protecting and respecting your privacy. This policy sets out who we are and how and why we collect, store, use and share your personal information. It also explains your rights in relation to your personal information, so please read it carefully. This policy applies to your use of http://kathryntilly.com/ (the “Site”) or any services offered through or associated with the Site (the “Services”).
2. What is “personal data”? “Personal data” means any information that identifies an individual person. It does not include data about a company or anonymous data (i.e. data where the personal identity has been removed).
3. About us. The Site is owned and operated by Kathryn Tilly Limited, a limited company registered in England and Wales under company number 11112135 with registered address at 11 Wheatsheaf Close, Ripon, North Yorkshire, HG4 2SH, United Kingdom. When we process personal data, we are responsible as a “controller” of that personal data for the purposes of the General Data Protection Regulation and the Data Protection Act 2018 (the “data protection laws”). In this policy, “we”, “us” or “our” refers to Kathryn Tilly Limited.
4. How we collect data. Most of the data we collect is collected directly from you—you give us personal data when you visit our Site or when you communicate with us in person or by phone, text or email. This includes data you provide when you fill out forms on our Site (like registering to use the Site, subscribing to our mailing list, placing an order, leaving a comment or review, or using other interactive features). We may also receive information from third parties, like analytics providers, payment service providers, social media accounts and other third parties we use to help us deliver our Services. For more information on how these companies handle your personal data, please refer to their privacy policies.
5. Data we collect about you. The personal data we collect about you includes your name and contact information (like email address, phone number, mailing address), billing information, payment card information, purchase and donation information, profile picture (if you choose to set one) and behavioural data (like information about past orders and how you use our Site, including your IP address).
6. How and why we use your data. Under data protection laws, we can only use your personal information if we have a proper reason for doing so, such as complying with our legal and regulatory obligations, fulfilling contractual obligations to you (or taking any steps at your request before entering into a contract), where you have given consent or for our (or a third party’s) legitimate interest. (A “legitimate interest” is when we have a business or commercial reason to use your information, which is a proper reason for using your personal data as long as it’s not overridden by your own rights and interests.) This section explains what we use your personal information for and our reasons for doing so.
- Providing our Site to you. We use your personal data to administer the Site, to ensure content from the Site is presented in the most effective manner for you and for your device, as part of our efforts to keep the Site safe and secure and to allow you to participate in interactive features of our Site (when you choose to do so). We use your personal data this way for our legitimate interests in maintaining our Site.
- Providing Services to you. We use your personal data for internal operations, to administer and manage your account, respond to communications from you and provide you with information you request from us, notify you about changes to the Services and carry out any other obligations arising from any contracts entered into between you and us. We use your personal data this way to fulfil contractual obligations to you (or take steps at your request before entering into a contract).
- Improving our Site and Services. We use your personal data to make our Site and Services better, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
- Improving our marketing. We use your personal data to measure and understand the effectiveness of our marketing efforts, deliver relevant marketing to you and make relevant suggestions and recommendations to you. We use your personal data this way for our legitimate interests in promoting our business and Services.
- Complying with legal obligations. We also use your personal data to comply with legal obligations like mandatory reporting and record retention, ensuring confidentiality of commercially sensitive information and responding to any requests from regulatory or legal authorities.
7. Marketing and promotional communications. We have a legitimate interest in processing your personal information for promotional purposes, which means we do not usually need your consent to send you these types of communications. However, we will only send you updates about Services you have used or that we think you might be interested in, including exclusive offers, promotions or new Services. We will not subscribe you to our mailing list without your explicit consent. You can ask us to stop sending you marketing messages at any time by following the opt-out links or by contacting us.
8. Who we share your data with
- We routinely share personal information with third parties we use to help run our business and deliver and promote our Services (like Shopify to host our website and facilitate orders and payments, Impact for affiliate marketing, Yotpo to facilitate reviews, Criteo and Google Analytics to help us understand how users interact with our Site, and Klaviyo for email and SMS marketing). We only allow these service providers to handle your personal data if we are satisfied they take appropriate measures to protect your personal data.
- We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations, enforce any of our rights or protect ourselves and others.
- We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a restructuring. The recipient will only be permitted to use the data for the purposes we originally collected it for, and they will be bound by confidentiality obligations.
9. How long we keep your data. We will keep your personal data while you have an account with us or we are providing Services to you. You can tell us to stop providing Services to you by deleting your account or contacting us. After that, we will keep your personal information for as long as is necessary to respond to any questions, complaints or claims made by you or on your behalf, to show that we treated you fairly and to keep records required by law. We will not retain your personal data for longer than necessary for the purposes set out in this policy. However, please note that different retention periods apply for different types of personal data.
10. How we secure your data.
- We have appropriate security measures to prevent personal information from being accidentally lost, or used or accessed unlawfully. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
- We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
- Unfortunately, sending personal data via the internet is not completely secure. Although we do our best to protect your personal data, we can’t guarantee the security of data sent to our Site and you send personal data to us at your own risk.
11. Where your data is stored.
To deliver our Services to you, it’s sometimes necessary for us to share your personal information outside the UK and/or the European Economic Area (EEA), such as with service providers located outside the UK/EEA or if you are based outside the UK/EEA. These transfers are subject to special rules under data protection laws. Although non-UK/EEA countries do not have the same data protection laws as the UK/EEA, we will ensure the transfer complies with data protection laws and that all personal data will be secure. If you’d like more information about what happens to your personal data when it’s transferred outside the UK/EEA, please contact us.
12. Your rights
12.1 Under data protection laws you have the right to:
Be informed: the right to be informed of what personal data we have about you and our purpose for processing it.
Access: the right to be provided with a copy of your personal data.
Rectification: the right to require us to correct any mistakes in your personal data.
Be forgotten: the right to require us to delete your personal data—in certain situations.
Restriction: the right to require us to restrict processing of your personal data—in certain circumstances.
Portability: the right to receive the personal data you provided to us in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations.
Object: the right to object to your personal data being processed for direct marketing (including profiling) and, in certain circumstances, the right to object to our continued processing of your personal data.
Not to be subject to automated decision-making: the right not to be subject to a decision that has legal effects on you or significantly affects you based solely on automated processing (including profiling).
Complain: the right to complain to a supervisory authority if you think any of your rights have been infringed by us. In the UK, this is the Information Commissioner’s Office (ICO).
12.2 If you would like to exercise any of these rights, please contact us.
13. Cookies (and other similar technologies)
13.2 Cookies we use
Strictly necessary cookies. These cookies are required to save your session and to carry out other activities that are strictly necessary for the operation of the Site. They include, by way of general example, cookies that enable you to log into secure areas of the Site, use a shopping cart, or make use of e-billing services. These cookies are session cookies, which means they’re temporary and will usually expire when you close your browser.
Analytical/performance cookies. These cookies allow us to recognise and count the number of visitors and to see how visitors move around the Site when they’re using it. These cookies help us improve the way the Site works by, for example, ensuring that users are finding what they’re looking for easily.
Functionality cookies. These cookies are used to recognise you when you return to the Site. They enable us to personalise our content for you, greet you by name and remember your preferences.
Targeting cookies. These cookies record your visit to the Site, the pages you visit, and the links you follow. We use this information to make the Site and the advertising displayed on it more relevant to your interests. We also share this information with third parties for the same purpose.
Social Media cookies. These cookies work together with social media plug-ins. For example, when we embed photos, video and other content from social media websites, the embedded pages contain cookies from these websites. Similarly, if you choose to share our content on social media, a cookie may be set by the service you have chosen to share content through.
Third party cookies. Please note that some of the above cookies are placed by third parties (such as Shopify, which we use to help our Site function, and Google Analytics which we use to help us understand how users interact with our Site) and that the Site does not block third party cookies.
13.3 Consenting to cookies. You will be shown a pop-up message requesting your consent to setting non-essential cookies before any are placed on your device. When you give your consent, a unique token is generated to show that you have consented and you won’t receive the pop-up message again when you return to our Site.
13.4 Disabling cookies
- By default, most internet browsers accept cookies, but you can choose to enable or disable some or all cookies via the settings on your internet browser. Most internet browsers also enable you to choose whether you wish to disable all cookies or only third party cookies. For further details, please consult the help menu in your internet browser.
- Some of the cookies we use are essential for the Site to operate. If you use your browser settings to block essential cookies, you may not be able to access all or parts of our Site.
- You have the right to opt out of social media cookies and third-party cookies. To enforce this right, please contact us.
13.5 Sessions. Sessions are a mechanism that enables a webpage to remember information from a previous webpage. By default, a webpage forgets information from a previous webpage—sessions are used to help a website function when it needs to remember certain information from one webpage to the next (for example, to help you fill out forms or make payments). Sessions ordinarily work with cookie files, but they can also work without cookies. Information from sessions is deleted when you close your window or tab. We use sessions in addition to cookies to help our Site function.
13.6 Local storage. Local storage is a mechanism that enables us to store information locally on your device. Like sessions, local storage is used to help a website function when it needs to remember certain information, but local storage is used to continue remembering information after you close your window or tab. We also use local storage to help our Site function.
13.7 Hidden fields. Hidden fields are a mechanism used to store information on a webpage. Users can’t typically see hidden fields or submit information through them. We use hidden fields to help present our Site in the best way for you and your device (for example, to retain information about what language you’re viewing the Site in).
14. Changes to this policy. Any changes we may make to this policy will be posted on this page (and, where appropriate, notified to you by email). Please check back frequently for updates and changes.
15. Contact us. Questions, comments and requests regarding this policy are welcomed. You can contact us by post at our registered address (above) or by email at firstname.lastname@example.org.