- Who we are
- What data we collect from you
- Why we need it
- How we use it
- Who we share it with
- How you can see the data, amend the data or have it deleted.
Who we are
Smyth & Gibson is a business at web address https://smythandgibson.com, with a physical address in Ballymena, Northern Ireland.
What personal data we collect and why we collect it
Smyth & Gibson collects data from you when you contact us, sign up to our mailing list or place an order. When we process an order we require your name, shipping address, phone number and email address. If your billing address is different to your shipping address, you will also be asked to provide it. To make shopping easier, you can easily make an account with us. To create an account we require a first name, last name, e-mail and password.
This data ensures we can send your order to the right address, in an acceptable time frame. We also collect your contact details incase we have a problem with your order, or to contact you with confirmation and dispatch notices. If your order is delivered by a courier, we provide your phone number to the courier company, to help with delivery (Fastway and UPS).
When we process a payment we require your card number, cardholder name, expiry date and your CVC code. This enables Shopify (our payment processor) to process your payment. We use a secure HTTP protocol called HTTPS to transfer your payment details over the internet. This is the industry standard for sending encrypted data over the internet. When you place a payment, your card information is encrypted and sent to the Shopify’s servers, where it is decrypted and the payment is processed. Smyth & Gibson never sees your payment data and we cannot access your payment details. You can read Shopify’s privacy report at https://www.shopify.com/legal/privacy.
Who we share your data with
Smyth & Gibson uses Royal Mail to deliver products. Your name and delivery information is sent directly to Royal Mail in order to get your order to you. You can find their privacy report at https://www.royalmail.com/privacy-notice.
Other than the above companies, Smyth & Gibson will not share your order details with anyone outside of Smyth & Gibson and we are committed to only working with companies who have a strict GDPR policy.
How long we retain your data
We are committed to not holding your data longer than necessary. Your order data such as your name, address and contact details along with the details of what you ordered are held for 6 years in accordance with UK law. If you have not requested your data be deleted before then, it will be deleted after 6 years.
We never keep nor see your payment card details.
If you sign up to our mailing list, your email will remain on the list until you unsubscribe.
If you contact us by email or by writing, we will keep the information you supply for as long as necessary to deal with your request.
What rights you have over your data
If you have an account on this site, you can request to receive an exported file of the personal data we hold about you, including all data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
As someone who provides us data, your rights over your data include:
- Right of access
- Right to challenge accuracy of data held on you
- Right to object to the use of your personal information
- Right to object to direct marketing
- Right to restrict use of your personal information
- Right to erasure of your data
- Right to withdraw your consent for us to use your data
If you have a data protection question or would like to assert any of your rights over your data, please email the Smyth & Gibson data protection officer at andrew@smyth&gibson.com and we will reply promptly. Alternatively you can write to us at:
Smyth & Gibson
5 Millennium Park,
Data breach procedures
In the case of a data breach, it is now the law that we contact those affected as soon as possible. In the unlikely event of a data breach we will contact users within one working day to inform them that their data may have been accessed by someone else. We do everything possible to stop this from happening.