Verve Graphic Design and Marketing Ltd is a UK limited company; registered address, Unit 1 Darwin Court, Oxon Business Park, Shrewsbury, Shropshire, SY3 5AL (Company Number 07594248).
Verve (collectively referred to in this policy as ‘we’, ‘us’ or ‘our’) is committed to upholding the privacy and security of individuals’ personal data and we recognise our responsibilities as Data Controller in respect of the information we collect from, and manage on behalf of our clients (hereby including prospective clients).
- Personal data we collect
We collect information about you when you visit our site, register with us or engage with us in respect of products or services we provide. We also collect information when you voluntarily complete customer surveys, provide feedback and participate in competitions or similar promotions. Website usage information is collected using cookies.
We will only collect and retain personal data in the provision and promotion of our business services. Records are deleted upon conclusion of our commercial engagement, unless we are legally or contractually obliged to retain them. See here for more information on our data retention policies.
The personal information that we collect about you will be recorded, used and protected by us in accordance with applicable data protection legislation (the GDPR).
We only collect the information we need to ensure premium service delivery, contractual obligations and enhanced user experience.
Your personal details
When you sign up for our services, you may provide us with personal data for the delivery of business services
- Your contact details, including postal and billing addresses, email addresses, phone numbers, gender, date of birth and title
- Communication and marketing preferences
Using our services
When you shop with us, browse our website, use our mobile apps or contact us, we may collect data across a variety of means and channels
- Information about your purchases or interest in our services
- For example, what you have bought, when, where you bought it and how you paid
- Transactional information (including payment card details) required and regulated as such to fulfil orders and customer service obligations
- Details of correspondence with customer service teams
- Browsing behaviour
- For marketing intelligence, promotions and site functionality
- Devices you have used to access our services (including the make, model and operating system, IP address, browser type and mobile device identifiers)
When we offer, or you take part in marketing promotions, competitions, surveys or questionnaires about our services we may collect data in accordance with these activities
- Your feedback and contributions
- Personal data you provide about yourself (as per personal details listed above and additional details for the requirements of the services and promotions)
- Details of the emails and other digital communications we send to you that you open (including any links that you click)
- See here for how your data may be used in our promotions
We may supplement use of personal data from other sources
- For example, data cleansing and profiling services
- Helping maintain the accuracy of the data we hold
- Improving and measuring the effectiveness of our marketing communications
- Other publicly available personal data, including any which you have shared via a public platform (such as a Twitter feed or public Facebook page)
- Click here for more details on third parties
- To enable website functionality and accessibility
- For personalised tracking and insight, bespoke targeting and communications
We do not know of or envisage any requirements to collect sensitive information about you (known as ‘special categories of data’)
- For example, your racial or ethnic origin, or data relating to your health
- In the unlikely event of requirements to request this information we will provide you with separate details and data protection protocol at that time
Children (also referred to as ‘vulnerable individuals’)
If you are under 13 when registering on our site, we require authorisation of consent from an adult of ‘parental responsibility’
Consent can be provided by a parent or guardian by contacting us directly. This must be fully verifiable as evidence of responsibility and age. We reserve the right to ensure all appropriate measures are taken to authenticate the identity of individuals in the authorisation of consent for minors
- For so long as individuals are under 13 years we only send information and updates about products or services where guardian or parental consent is confirmed
- For individuals aged 13-16 we will only provide information and updates on products or services if these are relevant promotions based on previous purchase history
Individuals under the age of 16 are accorded equal rights as adults under the GDPR and we uphold these rights across all levels of privacy, security and accountability.
Retaining your data
The GDPR requires us to retain personal data only for so long as it is required
- For customers completing transactions we will retain records for no longer than two years after the last purchase date
- This allows accounts to be active for two calendar years giving customers simple access to regular or annual purchases
- For prospects yet to purchase we will assume accounts to be inactive after 1 year
Maintaining your data
We will sporadically ask you to view, update and confirm your data
- We need to do this to conform to Article 7 of the General Data Protection Regulation
- It is also beneficial for you to help us provide optimal customer service and targeted recommendations, offers and services
- How personal data is used
Your data is used to fulfil service requirements and enhance your customer experience.
We will use your data in accordance with the delivery of our commercial agreements
- Fulfilment, administration and service delivery
- Communications with you in respect of business services
- Management of third party suppliers for fulfilment purposes,
- For example, payment processing partners and data hosting services
- See here for a list of current third party suppliers
- Web site performance
We aim to provide you with a premium experience, promoting our services with a personalised approach, meeting your needs as a client and avoiding unnecessary, unwarranted or intrusive communications.
We may inform our understanding of your requirements and preferences through interpretation of your engagement with us and the data you have provided
- Email, SMS, phone and/or any other digital communications engagement. For example
- Analysing email opens and clicks for marketing promotions
- Personalising marketing based on your responses to our offers and services
- Information offered through social media channels
- Identification of services we believe to be of interest
This allows us to deliver bespoke marketing that is relevant to you.
The GDPR refers to automated processing used to make decisions and categorisations about individuals without human information. For example, credit rating or demographic/business profiling.
We do not carry out, and do not envisage, such processing of your data and would inform you in the highly unlikely event of any Automated Decision-Making requirement.
We may deliver direct marketing promotions to you based on our understanding of your interests and provide you with appropriate business updates
- Email or SMS newsletters featuring industry news, relevant products, discounts and offers
- Bespoke email, SMS or telephone communications with personalised offerings
We will not promote additional services and products unless there is a clearly stated Lawful Basis for such communications
- Consent – you may opt in to receive our marketing communications by ticking the relevant box(es) on our web site or following directions on our digital communications
- Our Legitimate Interests – it may be in our legitimate commercial interests to promote related products and services to existing customers based on purchase history and ongoing engagement
You can opt out or object to our marketing activity at any time, either using the unsubscribe links on our emails and SMS messages or by contacting us.
Understanding your browsing activity when you visit our site will allow us to provide bespoke, automated information, offers and services
- Relevant online advertisements for personal interests
- Tailored marketing communications that you consent to receive from us
At times, we may invite you to participate in market research
- To further understand your requirements, experience and maintain the most appropriate ways in which we communicate with you
- To help develop and improve our product range, services, information technology systems and customer service delivery
Protecting your data
Your data may be used to help protect against data breaches
- Verifying identity for fraud detection and prevention
- Unauthorised account usage
- Managing password and user access measures
- For more information on our security policy see here
Maintaining your data usage preferences
You are at all times requested to inform us of any amendments to your preferences in the way in which we process your data
- How we administer your account
- Any promotional activity you may wish to receive from us
For more information on your individual rights and our processing of your data see here
If you no longer wish to receive information from us, or wish to amend your data processing preferences please contact us or click the unsubscribe option on any of our digital communications.
- Your individual rights
Rights to individuals’ data privacy, security and confidentiality are at the forefront of every interaction with our clients, employees and third parties. We are committed to the practical and ethical preservation of the personal privacy and security rights accorded to individuals under the GDPR.
The GDPR accords individuals clearly specified rights over the data they provide and their expectations of organisations using their personal information.
The right to be informed
- Organisations must be fully transparent in the ways in which they are using personal data
- ‘Individuals have the right to be informed about the collection and use of their personal data…including purposes for processing their personal data, retention periods for that personal data, and who it will be shared with.’
- Personal data refers to ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
- This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people’
The right of access
- Individuals have the right to know the information organisations hold about them and how it is processed. Exercising this right is referred to as a ‘Subject Access Request’
- This can be made by individuals, (in respect of their own personal data), via any digital, hard-copy or verbal channel
- A Subject Access Request can cover a range of criteria
- What personal data is being processed
- The purposes for which the data is processed
- Who, if anyone, data is disclosed to (including copied parties on email threads)
- The extent to which data is used for the purpose of making automated decisions relating to the data subject
- If so, the requirement for this processing
- The Lawful Basis for processing
- How long the data will be stored by the controller
The right of rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete
- In most cases this must be undertaken within 1 month
The right to erasure
Also referred to as ‘the right to be forgotten’, individuals have the right to request their personal data be deleted or removed without the need for a specific reason as to why they wish to discontinue. This applies whereby…
- The personal data is no longer necessary in relation to the purpose for which it was collected/processed
- The data subject withdraws their consent or objects to the processing and there are no overriding legitimate interests to continue processing
- The personal data was unlawfully processed or has to be erased in order to comply with a legal obligation
- The personal data is processed in relation to the offer of information society services to a child
The right to restrict processing
- Entitlement to block or suppress processing of personal data. This applies where individuals…
- Contest the accuracy of information processed
- Object to an organisation’s legitimate grounds for the processing
- Processing is unlawful
The right to data portability
- Individuals are entitled to request their data be copied or transferred to alternative sources, organisations and recipients. This applies where…
- Data has been provided by an individual to a controller
- Processing is based on consent or performance of a contract
- Processing is carried out by automated means
- Controllers or Processors must provide the data securely
- In a consistent, commonly used and machine readable format (e.g. CSV files)
The right to object
Individuals have the right to object to processing of their data whereby processing is…
- Based on legitimate interests, the performance of a task in the public interest or the exercise of official authority (including profiling)
- Used for direct marketing (including profiling)
- Intended for scientific and/or historic research or statistics
Rights of automated decision making and profiling
Individuals have the right not to be subject to automated decision making when it has a legal or personal effect on them
- Including any form of automated processing intended to evaluate personal aspects of a data subject, in particular to analyse or predict their performance at work, economic situation, health, personal preferences, reliability, behaviour and location
Exercising your rights
Verve’s commitment to individuals’ rights applies to the personal data provided by clients in the negotiation and delivery of business services
- Any data stored on behalf of clients on our servers will meet the stringent security measures outlined in this privacy statement
- We are not responsible for the content, provision or maintenance of data stored on our servers in the delivery of data hosting services
You can contact us at any time in respect of your individual rights, your personal data, its security, your processing activities and your rights in respect of this.
- Our Lawful Basis for processing your data
We will only process your personal data if there is a clear necessity to do this in relation to the services we are providing and in accordance with your individual rights.
In delivery of business services, our lawful basis for processing personal data is that we have a contractual obligation to clients who are in agreement (or negotiation) with the terms and conditions of these services.
We also exercise our legitimate interests to promote relevant commercial services we provide to existing clients in respect of related products, updates and services. We deliver this through email communications and opportunities to be excluded from promotions are available at all times.
Where users opt-in to our mailing list, they will receive emails that may include industry news, service or product updates and relevant marketing promotions based on the lawful basis of consent. If at any time users would like to unsubscribe from receiving emails, we include clear instructions at the bottom of each email or users may contact us directly.
You can contact us in respect of our lawful basis for processing your personal data at any time.
Under GDPR there are six ‘Lawful Bases’ for processing personal data
If there is no basis for processing we cannot and will not store or process your data.
- Consent
- Personal data may be processed on the basis that the data subject has ‘actively and freely’ consented to such processing
- Contractual necessity
- Necessary in order to enter into or perform a contract with the data subject
- Compliance with legal obligations
- The controller has a legal obligation to perform such processing
- Vital interests
- In protection of the ‘vital interests’ of the data subject (this essentially applies in ‘life-or-death’ scenarios)
- Public interest
- Processing is necessary for the performance of tasks carried out by a public authority or private organisation acting in the public interest
- Legitimate interests
- Processed on the basis that the controller has a legitimate interest in processing those data, provided that such legitimate interest is not overridden by the rights or freedoms of the affected data subjects
Our Legitimate interests in more detail
We consider data processing under the lawful basis of Legitimate Interests to be necessary for the pursuit of the following legitimate interests in our commercial activities:
- Selling and supplying goods and services to our customers
- Promoting, marketing and advertising our products and services
- Sending promotional communications which are relevant and tailored to individual clients
- Understanding our clients’ behaviour, activities, preferences, and needs
- Improving existing products and services and developing new products and services
- Complying with our legal and regulatory obligations
- Preventing, investigating and detecting crime, fraud or anti-social behaviour and prosecuting offenders, including working with law enforcement agencies
- Handling customer service queries, complaints or disputes
- Protecting ourselves, our employees and customers, by taking appropriate legal action against third parties who have committed criminal acts or are in breach of legal obligations
- Handling any legal claims or regulatory enforcement actions taken against us
- Fulfilling our duties to our clients, colleagues, shareholders and other stakeholders
Our security policy is designed to safeguard the confidentiality and privacy of all personal data we handle.
This covers all areas of data collection, management, processing and payments, ensuring against unauthorised access, alteration, disclosure or destruction
- Where appropriate data is stored on secured servers
- Where relevant, data is encrypted and password protected
- Access to data is limited to authorised personnel
- Where data transfer is necessary for third party agreements, data is passed through secure portals managed and bound by our vetted suppliers
- For the security policies of our hosting partners please see our third party suppliers
We encourage individuals to work with us to ensure appropriate measures are in place to maintain security.
In the unlikely event of a security breach we will report this to the ICO within 72 hours and inform you immediately, describing the nature of the breach and our response to it.
See here for more information on our Security policies
We take the security of your personal information seriously and ensure that all of our staff are up to date with the latest Cyber Awareness Training. This enables us to provide you with better security, confidence that our employees are prepared and acting with a focus on data security, and peace of mind that our business is doing everything possible to prevent data breaches.
We maintain an active information security policy designed to protect the confidentiality and privacy of all personal data. Our security measures address all areas of data management, processing and payments. This applies to the digital and physical processing of data.
- Systems, procedures and IT facilities are continually monitored and reviewed for protection against damage, loss and misuse
- Systems are backed up daily and copies retained temporarily, until no longer required
- It is a breach of company policy to process data outside of secure servers when necessary
- Any non-digital collection of personal data is stored only as and when required and archived as per GDPR directives in securely contained locations
- Access to servers and non-digital data is limited to authorised personnel only
- Only authorised personnel have user rights, IDs and passwords
- Awareness of the importance of data security is continually promoted among employees
- It is company policy for employees to maintain data security and protection protocol at all times
- Data sharing between employees and departments is only permitted within the context of necessary business activities
- This may be for the purposes of order processing, accounts and payments, marketing and any other legitimate activity in the necessary operation of the business
- No data sharing is permitted outside of the security parameters outlined in this statement
- See here for more details on our data sharing policy
When you submit your credit card details to us, we use industry standard Secure Sockets Layer (SSL) encryption technology to guard your information
- Your credit or debit card details, along with your personal information, are encrypted during transactions to ensure payments are processed securely
- We will reveal only the last four digits of your credit card number when confirming an order
- Your browser will show when you are in a secure environment by displaying either a locked padlock or an image of a key in the grey bar at the bottom of the page
- The web site address should begin with https – the ‘s’ meaning ‘secure’
- Your browser may warn you when you are entering a secured environment as you go to place your order
Third party supplier security
- Data sharing
We do not sell, trade, or rent clients’ personal information to others.
However, in order to deliver a premium service we may use selected third party organisations in the delivery and administration of business services to you.
We will only share your information with these parties for the purposes stated in this privacy statement
You can contact us in respect of data sharing at any time.
Our website and other digital platforms may contain links to third party websites or digital platforms which are provided for your convenience. We are only responsible for the privacy practices and security of our own digital platforms. We recommend that you check the privacy and security policies and procedures of each and every other digital platform that you visit.
Purposes for which we may use third parties in the provision of business services
- Payment processing organisations
- Delivery organisations
- Fraud prevention, screening and credit risk management companies
- Mailing houses (including email and/or SMS disseminators)
- Data cleansing providers
- Data management services
- Analytical consultants
For a list of key suppliers see here
Lawful requirements to share your data
We may also share your data with third parties in the following circumstances
- If we are under a legal or regulatory duty to do so
- To lawfully assist the police or security services with the prevention and detection of crime or terrorist activity
- Where such disclosure is necessary to protect the safety or security of any persons
- Where we are otherwise permitted under applicable legislation
International Data transfers
Our websites are hosted in the United Kingdom.
We may, however, use outsourced services in countries outside the European Union from time to time in other aspects of our business.
Accordingly data obtained within the UK or any other country could be processed outside the European Union.
For example, some of the software our website uses may have been developed in the United States of America or in Australia.
We use the following safeguards with respect to data transferred outside the European Union:
- the processor abides by the same binding corporate rules regarding data processing.
- the data protection clauses in our contracts with data processors include transfer clauses written by or approved by a supervisory authority in the European Union
- we comply with a code of conduct approved by a supervisory authority in the European Union
- both our organisation and the processor are public authorities between whom there is either a legally binding agreement or administrative arrangements approved by a supervisory authority in the European Union relating to protection of your information
Third party websites
Users may find content on our site that links to the sites and services of our partners, suppliers, advertisers, sponsors, licensors, clients and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site.
In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website’s own terms and policies.
Third party suppliers
We only work with trusted suppliers with a commitment to data security, privacy, transparency and accordance with the General Data Protection Regulation
- We reserve the right to change our suppliers in the delivery of best services
We use two trusted datacentres to host our websites, both based in the UK. Should you want to know which of our datacentres your site is hosted with, please contact us.
- Iomart – https://www.iomart.com/privacy-policy/
- UK Fast – https://www.ukfast.co.uk/terms/privacy-policy.html
You can contact us at any time in respect of third party suppliers and for a list of third party suppliers we use.
We aim to meet high standards, so our policies and procedures are constantly under review.
This Privacy Notice was last amended May 2018.
- Contact us
If you feel you have been mistreated or your personal data privacy and security has been mismanaged by us, you can report this to the UK regulatory authority, The Independent Commissioner’s Office, here: www.ico.gov.uk
We recognise our role as Controllers under the GDPR and our responsibility for the strategic direction of the processing of individuals’ personal data.
We aim to be fully transparent and accountable in our data processing and will always explain our procedures, safeguards and policies in respect of your data and the GDPR protocols.
Contacting us, accessing and managing your data
firstname.lastname@example.org
Verve Graphic Design & Marketing Ltd,
01743 260 000
1 Darwin Court
Oxon Business Park
We will respond at the earliest opportunity and, at the latest, within 30 days (unless extenuating circumstances apply).
Please include your name, address, email address and any account details when you contact us. This helps us identify you and deal with your inquiry quickly.
UK GDPR Regulatory Authority
If at any point in our dealings with your personal data you feel we are not fully respecting and maintaining your privacy and data security rights you can register this complaint with the Independent Commissioner’s Office here www.ico.org.uk