This policy (together with our Terms and Conditions of Use, Terms and Conditions of Sale and any other documents referred to within these documents) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting https://www.onlineartschool.com you are accepting and consenting to the practices described in this policy.
When we use your personal data, we are regulated under the General Data Protection Regulation (GDPR) which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal data for the purposes of the GDPR. Our use of your personal data is subject to your instructions, the GDPR, other relevant UK and EU legislation and our professional duty of confidentiality. The data controller is Michael James Smith Ltd. of 1 The Spinney, 121 Main Road, Danbury, Essex, England, CM3 4DL.
References to a ‘third party’ in this policy relate to our service providers and business partners only, who are necessary for the provision of our services to you. We do not share your data with anyone else.
PERSONAL INFORMATION WE COLLECT FROM YOU
We will collect and process the following data about you.
Information you give us
This is information about you that you give us by filling in forms on our site https://www.onlineartschool.com or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you subscribe to our services, search for a product, place an order on our site, participate in discussion forums or other social media functions on our site, use the site’s messaging facility, login to your member account and when you report a problem with our site.
For each newsletter/prize draw subscriber we hold: your name and e-mail address.
For each on-line art school subscriber we hold: your name, address, e-mail address, phone number(s), username and password.
We may also hold, depending on the information you have shared and the services that you have used: profile information from the art school community that you have voluntarily chosen to share which may include a personal description, gender, date of birth, location and your website; photographs that you have uploaded; comments you have made in the forum and details of products you have purchased.
If you make a purchase on our site, the credit or debit card numbers are collected directly by one of our secure card processors: Stripe or PayPal. Michael James Smith Ltd. does not hold any credit or debit card details in our database.
Information we collect about you
With regard to each of your visits to our site we will automatically collect the following information:
Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), methods used to browse away from the page, browsing history and any other phone number used to contact us. This includes tracking information from our social media sites such as, but not limited to, YouTube, Facebook and Instagram.
Information we receive from other sources
This is information we receive about you if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data if we intend to share those data internally and combine it with data collected on this site. We will also have told you for what purpose we will share and combine your data. We are working closely with third parties (including, for example, business partners, service providers in technical, payment and delivery services, advertising networks, analytics providers, search information providers). We will notify you when we receive information about you from them and the purposes for which we intend to use that information.
Cookies make it possible for our checkout process to function. To keep track of cart data, we use 3 cookies:
The first two cookies contain information about the cart as a whole and helps us know when the cart data changes. The final cookie (_session_) contains a unique code for each customer so that it knows where to find the cart data in the database for each customer. No personal information is stored within these cookies.
Google Analytics Cookies
We use Google Analytics on our website to improve customer experience and make future improvements on our website. They are as follows:
- collect Used to send data to Google Analytics about the visitor’s device and behaviour. Tracks the visitor across devices and marketing channels.
- NID Registers a unique ID that identifies a returning user’s device. The ID is used for targeted ads.
- _ga 2 years Used to distinguish users.
- _gid 24 hours Used to distinguish users.
- _gat 1 minute Used to throttle request rate.
- AMP_TOKEN 30 seconds to 1 year Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service.
- _gac_ 90 days Contains campaign related information for the user.
- Determine which domain to measure
- Distinguish unique users
- Throttle the request rate
- Remember the number and time of previous visits
- Remember traffic source information
- Determine the start and end of a session
- Remember the value of visitor-level custom variables
Specific ga.js cookies are as follows:
- __utmt 10 minutes Used to throttle request rate.
- __utmc End of browser session Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the __utmb cookie to determine whether the user was in a new session/visit.
- __utmv 2 years from set/update Used to store visitor-level custom variable data. This cookie is created when a developer uses the _setCustomVar method with a visitor level custom variable. This cookie was also used for the deprecated _setVar method. The cookie is updated every time data is sent to Google Analytics.
wfvt_# Remembers the user’s submitted data when a comment is submitted in a blog post. The purpose is to auto-populate form fields for subsequent comments, in order to save time for the user.
THIRD PARTY SITES
HOW AND WHY WE USE YOUR PERSONAL DATA
Under data protection law, we can only use your personal data if we have a proper reason for doing so, e.g.
- To comply with our legal and regulatory obligations
- For the performance of our contract with you or to take steps at your request before entering into a contract
- For our legitimate interests or those of a third party
- Or where you have given consent.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
The table below explains what we use (process) your personal data for and our reasons for doing so:
|What we use your data for||Our reasons|
|To register you as a customer and provide on-line art school services to you.
To allow you to participate in interactive features of our service when you choose to do so.
|For the performance of our contract with you or to take steps at your request before entering into a contract.
To provide you with the information, products and services that you request from us.
|To enable us to contact you with regard to new products or services, changes to our services or changes to our terms and conditions.
To make suggestions and recommendations to you about goods or services that may interest you.
|To provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about.
To provide you with information about goods or services we feel may interest you. You will only be contacted by us, via e-mail.
|Operational reasons for the day to day business administration of the website and services such as: troubleshooting, data analysis, testing, research, statistical and survey purposes, improving efficiency, training and quality control.||For our legitimate interests or those of a third party, i.e. to be as efficient as we can when delivering the service to you.
To improve our site to ensure that content is presented in the most effective manner for you and your computer.
|Statistical analysis to help us manage our business, e.g. in relation to our financial performance, customer base, work type or other efficiency measures; to measure or understand the effectiveness of advertising we serve to you and others and to deliver relevant advertising to you.||For our legitimate interests or those of a third party, i.e. to be as efficient as we can when delivering this service to you.|
|Updating customer records.||For the performance of our contract with you or to take steps at your request before entering into a contract.
To comply with our legal and regulatory obligations.
For our legitimate interests or those of a third party, e.g. making sure that we can keep in touch with our clients about existing and new services.
|We may combine information we receive from other sources with information you give to us and information we collect about you.||We will use this information to perform our contract with you; improve the service that we provide to you; for statistical analysis.|
|Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies.||To comply with our legal and regulatory obligations.|
|Preventing unauthorised access and modifications to systems as part of our efforts to keep our site safe and secure.||For our legitimate interests or those of a third party, i.e. to prevent and detect criminal activity that could be damaging for us and for you.
To comply with our legal and regulatory obligations.
|Ensuring business policies are adhered to, e.g. policies covering security and internet use.||For our legitimate interests or those of a third party, i.e. to make sure we are following our own internal procedures when delivering the service to you.|
|Ensuring the confidentiality of commercially sensitive information.||For our legitimate interests or those of a third party, i.e. to protect our intellectual property and other commercially valuable information.
To comply with our legal and regulatory obligations.
|Statutory returns.||To comply with our legal and regulatory obligations.|
We have a legitimate interest in processing your personal data for promotional purposes (see above ‘How and why we use your personal data’). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.
We will always treat your personal data with the utmost respect and never share it with other organisations for marketing purposes.
You have the right to opt out of receiving promotional communications at any time by:
- Contacting us by email at firstname.lastname@example.org
- Using the ‘unsubscribe’ link in emails you have received from us
We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.
WHO WE SHARE YOUR PERSONAL DATA WITH
We routinely share personal data with:
- Other third parties where necessary to carry out our contract with you, e.g. PayPal and Stripe for processing on-line payments; WooCommerce who provide our e-commerce services for the website; PeepSo who provide the Forum software; MailChimp who provide email marketing services; delivery company(s) for purchased products.
- External service suppliers for the operation of our business such as our accountant and solicitor.
We only allow our service providers to handle your personal data if we are satisfied they take appropriate measures to protect your personal data and that they are compliant with the GDPR regulations.
We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We will not share your personal data with any other third party.
KEEPING YOUR PERSONAL DATA SECURE
Information may be held at our offices and service providers as described above (see ‘Who we share your personal data with’). Some of these third parties may be based outside the European Economic Area. For more information, including on how we safeguard your personal data when this occurs, see below: ‘Transferring your personal data out of the EEA’.
We have appropriate security measures to prevent personal data from being accidentally lost, used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
Our website is hosted on Digital Ocean’s servers and your data is stored on a secure server behind a firewall. Any payment transactions are encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
The transmission of information via the internet is not completely secure and we cannot guarantee the security of your data transmitted to our site. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.
We have procedures in place to deal with any suspected data security breach. We will notify you and the regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
HOW LONG YOUR PERSONAL DATA WILL BE KEPT
We will keep your personal data after you have unsubscribed or closed your user account. We will do so for one of these reasons:
- To respond to any questions, complaints or claims made by you or on your behalf
- To keep records required by law
- To enable your account to be re-opened if requested by you
- To analyse our customer base for the purposes of improving our business
We will not retain your data for longer than necessary for the purposes set out in this policy. When it is no longer necessary to retain your personal data, we will delete or anonymise it. You can request that your data be deleted – refer to ‘Your Rights’ below.
TRANSFERRING YOUR PERSONAL DATA OUT OF THE EEA
To deliver services to you, it is sometimes necessary for us to share your personal data outside the European Economic Area (EEA), e.g.
- With our service providers located outside the EEA
- If you are based outside the EEA
These transfers are subject to special rules under European and UK data protection law.
You have the following rights, which you can exercise free of charge:
|Access||The right to be provided with a copy of your personal data|
|Rectification||The right to require us to correct any mistakes in your personal data|
|To be forgotten||The right to require us to delete your personal data|
|Restriction of processing||The right to require us to restrict processing of your personal data|
|Data portability||The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party|
|To object||The right to object:
· At any time to your personal data being processed for direct marketing (including profiling)
· In certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests.
|Not to be subject to automated individual decision-making||The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you|
For further information on each of those rights, including the circumstances in which they apply, please contact us: by email at email@example.com; in writing to 1 The Spinney, 121 Main Road, Danbury, Essex, England, CM3 4DL; or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please do the following:
- Contact us by email at firstname.lastname@example.org or make the request in writing to 1 The Spinney, 121 Main Road, Danbury, Essex, England, CM3 4DL
- Let us have enough information to identify you (e.g. your full name, address and subscription or order reference number)
- Let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill)
- Let us know what right you want to exercise and the information to which your request relates.
HOW TO COMPLAIN
We hope that we can resolve any query or concern you may raise about our use of your information.
The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or by telephone: 0303 123 1113.
HOW TO CONTACT US