This Policy, in conjunction with our Terms and Conditions, explains how NAH Foods may use the information we collect about you, as well as the rights you have over any personal information we hold about you.
Information we collect
We collect information about you (such as your name, email address, phone number, shipping address, card details and order details) when you:
- visit the Website;
- register on or buy products on the Website;
- take part in our promotions, competitions, customer surveys and questionnaires; or
- contact us via e-mail, phone or letter.
Where we keep your information
We store your information in the following places:
- Shopify – Shopify's own encrypted, secured server stores your personal and credit card details.
- PayPal – PayPal's own encrypted, secured server stores your personal and credit card details.
- Braintree – the encrypted, secured server of Braintree, part of PayPal, stores your personal and credit card details (subscription orders only).
- Amazon – Amazon Pay Services' own encrypted, secured server stores your personal and credit card details.
- Warehouse – receives data transferred from the Website via an encrypted API, and stores and processes your personal details for order fulfilment and customer service.
How we use your information
We collect your personal information to help NAH Foods better understand you and to enable us to personalise your experience with NAH Foods, including offers, promotions and services to meet your needs.
We use your information to:
- provide offers and promotions to you;
- operate your online account;
- process your online orders;
- tell you about important changes to NAH Foods;
- develop and improve our products and services;
- manage promotions, competitions, customer surveys and questionnaires;
- check and verify your identity, and prevent or detect crime; and
- process and arrange the delivery of your order.
We never share your information with third-party companies for their own use.
This specification describes the responsibilities and rights of NAH Foods Ltd of 5A Watkin Road, Wembley, Middlesex, HA9 0NL (the Data Controller) and Codestorm Limited, Codestorm House, Walton Road, Farlington, Hampshire, PO6 1TR (the Data Processor).
The Data Controller and the Data Processor have entered into a contract for the Data Processor to carry out data processing on behalf of the Data Controller. This specification sets out the responsibilities of the parties to the contract in respect of the data processing that is to be carried out. The Data Controller has determined that the purpose of the processing is to:
1. Collate and API or upload orders into encrypted order management system that is generated by the Data Controller to a mailing list of Data Subjects provided by the Data Controller.
The Data Processor will carry out some or all of the following services:
a. Upload data file to encrypted order management system
b. Process orders in a secured working environment
c. Ensure data is deleted within agreed timescales as disclosed by the Data Controller
The processing is to be carried out during the period of 2018.
The type of personal data to be processed is restricted to the name and postal address of data subjects. All extraneous personal data provided by the Data Controller to the Data Processor must be extracted from the data being processed by the Data Processor.
The Data Processor must:
1. Only act upon written instructions provided by the Data Controller.
2. Ensure that anyone processing the data is subject to a duty to maintain the confidentiality of the data.
3. Ensure that the data is processed in accordance with its certified ISO27001 Information Security Management System.
4. Obtain the prior consent of the Data Controller to use a subcontractor to process the data.
5. Where consent is given to use a subcontractor, ensure that a written contract is in place before processing commences.
6. Assist the Data Controller to provide Data Subject access and allow them to exercise their rights under the GDPR (General Data Protection Regulation).
7. Assist the Data Controller to meet its GDPR obligations in relation to:
a. the security of processing
b. the notification of personal data breaches
c. completion of data protection impact assessment
8. Return all personal data to the Data Controller and delete the personal data from its systems 365 days after complete use or when requested by the Data Controller.
9. Submit to audits and inspections, provide the Data Controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations and tell the Data Controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
10. Co-operate with supervisory authorities such as the ICO.
If you want to get in touch with us with regard to your personal details, then please click here to contact us or call us on +44 (0) 203 3842668.