Privacy Policy
Nature of Data Held by Nana Fanny’s (Enquiries)
In order to respond to enquiries from this web site, we ask only for your email address. Optionally, you can add your name , address and your phone number, which gives us the opportunity to personalise your reply, or contact you by phone / post if you find that more convenient. If orders are placed, a full name and address plus email and phone number is required to fulfil the order
This information is kept solely for the purpose of answering your original question and once the enquiry has been satisfactorily dealt with, your personal data are deleted permanently from the online database.
If we are unable to contact you and your enquiry remains incomplete for one year, the information is deleted, regardless of there having been no satisfactory conclusion to the enquiry
Nature of Data Held by Nana Fanny’s (Customers)
Our legal obligation to HMRC is that we hold all VAT records and invoices for seven years. Once this term has passed, records are destroyed.
In order to protect the commercial interest of our customers, sufficient information is held to enable us to ensure that they receive the full protection of guarantee and warranty schemes put in place by manufacturers and insurance companies. These periods vary, please refer to your guarantee documentation for details.
Nana Fanny’s Legal Basis for Processing Data -Consent (Web Enquiries)
Making the reasonable assumption that having asked a question via our web site enquiry page, that you are entitled to and expect an answer, we claim your consent to reply by your chosen means, e.g. email or phone. Once your enquiry has been dealt with, we assume no further consent to use your personal data, which are then removed from the online database. The due date for deleting data is one year from receipt of an enquiry. When this due date approaches, we will contact the originator to ascertain whether they need more time to complete the enquiry process.
Invoice details will be retained in accordance with our legal obligation in respect of tax regulations.
Nana Fanny’s Data Protection Policy
Scope
This document defines the policy for managing data throughout Nana Fanny’s web site, hosted by the Village Websmith and Shopify on dedicated servers located in the data centre belonging to Easyspace Ltd & Shopify. Data submitted through the web site is only stored on the server for a maximum of one year, being deleted either as soon as the enquiry is dealt with, or at the end of the period. Data storage for longer term processing, such as our obligation to retain VAT records for seven years is on the servers of Nana Fanny’s.
Risks
Data held by the organisation for the purposes of carrying on its day to day business may be at risk of leakage or loss through the following means:
Data Theft through hacking (Cyber Crime)
Data Theft from the Cloud
Data Theft through embezzlement
Data Theft through hardware loss
Fire
Flood
Physical damage to equipment
End of equipment life risks
General Considerations
In order to minimise risks, the number of copies of data held is minimised, commensurate with protection against data loss. In this case, this means that no portable device is ever used as a data repository. All data relating to customers, prospects and enquirers is held on one of the dedicated web servers in either the Easyspace data centre in Glasgow or Shopify servers. For day to day use, this is accessed via a single account that does not have root privileges. Only one person has the login credentials for this account.
Ref Nana Fannys – your data on the remote server is backed up to a NAS unit in our main office in Tintern, This can be accessed via a personal cloud for the purpose of remote disaster recovery. Only one person has login credentials for this unit. Other than those backup files, the only data on the NAS unit that could identify a person is the folder of invoice copies. By default, our invoice copies carry no personal names, being addressed solely to the organisation. However, in a small number of cases where the client is a sole trader without a business name, their name does appear in the business name field. As part of our contract with self employed people trading in their own name, we will be seeking permission to retain invoice records for the length of time required by tax authorities.
The servers that we use are all protected by firewalls, and all security patches or updates are applied as soon as they become available by the one person responsible for security.
Root and account passwords are changed twice a year, with only one person being aware of what they are. That person commits them to memory and no physical record of the root password is kept anywhere in the organisation. The account password is recorded for the sake of business continuity, should the main keeper become ill or injured.
When changed, passwords are generated at random between 8 and 16 characters, drawn from a list of upper case, lower case, numerals and punctuation marks/symbols.
Data Theft Through Hacking
All personally identifiable data are held on a web server based in the Easyspace data centre in Glasgow. This is protected by a firewall, which is updated regularly as is the OS kernel. Furthermore, root access to the server is achieved via two-stage authentication, with a unique code being transmitted to the Data Protection Officer, via mobile phone at each login attempt.
Access to the database that holds such data is also restricted by a separate login with different credentials to the root user, connection being made via https web pages. See General Considerations for the policy regarding password generation, which is applied to all systems used by Nana Fanny’s, both on line and internally.
For disaster recovery purposes, the contents of the web server are backed up to a NAS unit in the main office. The backup is a snapshot of only the latest data and only the most recent backup file is retained in between weekly backup sessions, so that no obsolete data can be accessed or restored once removed from the main database (allowing a week of latency added to our regular data review cycle, as laid out in our Data Retention Term document).
Data Theft Through The Cloud
As a matter of policy, Nana Fanny’s does not entrust any data to the Cloud. This has always been viewed by us as inherently secure with the faceless owners and uncertain location of data being too risky to contemplate.
All data held by Nana Fanny’s is housed on dedicated servers rented from out hosting provider, or on machines that we have control over at all times. Data Theft Through Embezzlement To protect data from theft by trusted individuals, nobody outside the organisation is entrusted with any of the data held for the purposes of carrying on the business of Nana Fanny’s. Neither are login credentials granted to anyone outside the organisation.
Data access for employees is granted at a level where they can carry out the necessary procedures for their work through https web pages. These pages do not allow download of the database contents and nobody other than the responsible person has access to the database as root user.
Access to backup files on the local NAS unit is restricted to the responsible person.
Data Theft Through Equipment Loss
To prevent loss of data with equipment, no device that is used outside the office carries any sensitive data relating to the business or to the people that it deals with. No mobile phone, tablet or computer belonging to Nana Fanny’s holds such data, all information is secure on the web server, with access being restricted to staff alone.
Damaged and End of Life Equipment
In the event of damage to equipment rendering it no longer serviceable, the hard drive will be removed and physically destroyed before disposal of the remaining hardware.
Where equipment has reached the end of its service life and is to be sold as used, the internal hard drive will either be replaced before sale, or zero-filled seven times using military strength erasure option.
Nana Fanny’s Cookies Policy
Use of Cookies on this Web Site
Nana Fanny’s site uses only one cookie. It is a session cookie, which is deleted at the end of your browser session. It holds no personally identifiable data relating to our site visitors, other than the broad geographical location. This serves to ensure the site delivers the correct information in terms of local contacts, currency and taxes.
No personal data is ever held in a cookie on our web site.
However, a number of social media sites and search engines use practically every web site for tracking cookies and so called Interest Based Advertising. They do this without our consent or co-operation. While we make strenuous efforts to prevent them from doing this, their evolution is such that they can generate new ones faster than we can block the old ones.
We strongly recommend that if you do not want every moment of your web browsing catalogued and analysed, you should use the controls available in your browser to prevent tracking and to block third party cookies.
To get more information and help on how to use these blocking tools, here are some links:
privacy.net
Privacy Badger Disconnect
AdBlock Plus
Firefox Tracking Blocker Instructions
Firefox Cookie Manager Ghostery Tracking Blocker for Chrome
Managing Cookies in Chrome
Tracking Blocker Advice for Vivaldi The only cookies that our site will place are for strictly functional purposes like identifying your broad geographical area to ensure accurate local information, and to retain the contents of a shopping basket if one is used.
Nana Fanny’s Privacy Policy
Your Privacy
Nana Fanny’s takes the privacy of all its visitors and customers very seriously. Any personal data you choose to share with us will be used only in the context of your enquiry, or the transaction in question.
Our hosting providers have a very strict policy of not sharing any data with any third party whatsoever, either by automated means, or by personal contact. Any employee of theirs found to be a potential data hazard faces instant dismissal and possible legal proceedings for breach of contract.
To find out how long and for what purpose your data will be retained and processed, see our policies on Necessary Data, Data Purpose and Data Retention Term. Once data has expired or removal has been demanded, it is securely and permanently deleted from our database to ensure complete privacy when you choose it.
You are able to review, modify or remove the data held in relation to yourself through this page, using the Right to Access and Right to be Forgotten links. There are no admin fees associated with any of your rights, and everything can be achieved through this page. Please bookmark the link for future use.
Good practice dictates that in order to review, modify or remove data, we ascertain that your identity is as stated. Assuming your email address to be a unique identifier of you as an individual, the first stage in the process is to send a secure link to your email address, which will bring you back to this page, with the relevant options enabled. This is in the interests of keeping your data private and preventing malicious deletions or modifications.
Nana Fanny’s Data Access Policy
Data Access Policy
Under the provision of the General Data Protection Regulation, you have the right to access any data held by any organisation relating to you as a natural person.
By following the relevant link, our policy is to make your information freely available to you to view or amend as necessary.
Naturally, we have to ensure that the identity of the person requesting the information is valid, so when you make a request, an email will be generated to the address held on file for yourself. This will contain a secure link to this page, which will then display your information in editable fields.
Once you have finished amending any information that you want to update, click on the submit button to apply changes. The new information will then be presented for you to review.
Nana Fanny’s Right to be Forgotten
Policy Your Right to be Forgotten
Under the provisions of the General Data Protection Regulation, you have the right for all data held relating to yourself to be completely and permanently erased.
In pursuance of this policy, Nana Fanny’s provides a link that will completely delete all information relating to an individual, identified by their email address from the current database. That request sends an email to the responsible individual informing that the records relating to a record, identified by sequential number have been removed.
To ensure that only you can remove your records, your RTBF request will generate an email to the address held on file for you, with a secure link back to this page, with the RTBF confirmation button showing. Confirming removal will delete all information held in association with your email address from Nana Fanny’s database. If you have made enquiries on more than one occasion, using different email addresses, you will need to repeat the process for each address used.
The Regulation also provides for this information being removed from all backup copies and other repositories in the organisation. To ensure that this requirement is followed, Nana Fanny’s adopts the following practices:
Only one copy of the database exists, held on a remote server in a secure data centre
For disaster recovery, a backup is held on a local NAS unit
The backup is a snapshot of the most recent data and only the latest version is retained
Every week that backup file is overwritten with the latest data
In case of a backup being restored, the responsible individual is required to manually reconcile any RTBF requests that may have been overridden by the restoration
Please note that the server is backed up weekly, so there will be a latency of seven days between removal from the active database and removal from the backup copy.
For instant removal from the backup copy as well as the active database, contact the responsible individual who will manually destroy your record in the backup copy on the day of request.
Nana Fanny’s Complaints Procedure
Complaints Procedure
Complaints about the management, security or handling of personal data should be addressed to the responsible individual using the link on this page. In the event of receiving a complaint, the responsible individual will:
Investigate via the database within three working days Consult relevant customer or team member within five working days Respond with intial findings within seven working days Take appropriate remedial action within three working days of your reply Report on outcome of remedial action on the same day Follow up within a further three working days to ensure satisfaction In the unlikely event of the outcome being unsuccessful or unsatisfactory, your rights as an individual allow for complaints to be escalated to the Office of the Information Commissioner, who may proceed on your behalf if a serious data breech is suspected. Their contact details are:
Web site: ico.org.uk
Phone: 0303 123 1113
Through the web site or phone line, you can express concerns to the ICO relating to:
Nuisance Calls or messages
Accessing or Re-using
Information Information Handling
Internet Search Results
Web Site Cookies
EU-US Privacy Shield
Comments Relating to ICO Services
Nana Fanny’s Data Retention Policy
Until satisfactory conclusion of your enquiry, or one year or data removal by enquirer, whichever is the sooner.