Privacy Policy

 In this policy, "we", "us" and "our" refer to Wild Heart Boutique

Wild Heart Boutique only stores customer data for as long as it’s needed, which means once an order is complete the messages are deleted. We will only use your Address & contact information to communicate with you about your order and to fulfil your order. Wild Heart Boutique does not print any information on any customers.

Wild Heart Boutique does not share or screenshot any messages. Personal information is only shared with selected third parties, for example Royal Mail for the purpose of fulfilling & completing your order and never for marketing purposes.

**The General Data Protection Regulation (GDPR)**

The General Data Protection Regulation (GDPR) will apply from 25 May 2018, the new law brings a 21st century approach to data protection. It expands the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations and business’ to be more accountable for data protection.

The business benefits of the GDPR;

•Build customer trust
•Improve brand image and reputation
•Improve data governance
•Improve information security
•Improve competitive advantage

Personal data

Data protection principles;

Personal data must be processed according to the six data protection principles:

•Processed lawfully, fairly and transparently.
•Collected only for specific legitimate purposes.
•Adequate, relevant and limited to what is necessary.
•Must be accurate and kept up to date.
•Stored only as long as is necessary.
•Ensure appropriate security, integrity and confidentiality.

Information I Collect

•Name
•Address
•Email address
•Customisation details for personalisation such as name or photo
•IP address
•Location data
•Online behaviour (cookies)
•Profiling and analytics data

To fulfil your order, you must provide me with certain information (which you authorised Etsy to provide to me), such as your name, email address, postal address, payment information, and the details of the product that you’re ordering. You may also choose to provide me with additional personal information, for example a name for personalisation or details for a custom order.

Why I Need Your Information and How I Use It

I rely on a number of legal bases to collect, use, and share your information, including:

•as needed to provide my services, such as when I use your information to fulfil your order, to settle disputes, or to provide customer support;
•when you have provided your affirmative consent, which you may revoke at any time, such as by signing up for my mailing list;
•if necessary to comply with a legal obligation or court order or in connection with a legal claim, such as retaining information about your purchases if required by tax law; and
•as necessary for the purpose of my legitimate interests, if those legitimate interests are not overridden by your rights or interests, such as 1) providing and improving my services. I use your information to provide the services you requested and in my legitimate interest to improve my services; and 2) Compliance with the Shopify, PayPal and Stripe. I use your information as necessary to comply with my obligations under the Etsy Seller Policy and Terms of Use.

Lawful processing

•Identify and document the lawful basis for any processing of personal data. The lawful bases are:

•Direct consent from the individual;
•The necessity to perform a contract;
Protecting the vital interests of the individual;
•The legal obligations of the organisation;
•Necessity for the public interest
•The legitimate interests of the organisation.

Information Sharing and Disclosure

Information about my customers is important to my business. I share your personal information for very limited reasons and in limited circumstances, as follows:

•Shopify. I share information with Shopify as necessary to provide you my services and comply with my obligations under both the Shopify Seller Policy and Shopify Terms of Use.
•Service providers. I engage certain trusted third parties to perform functions and provide services to my shop, such as Shopify payments, PayPal and Stripe for payment processing and delivery companies for posting your orders to you. I will share your personal information with these third parties, but only to the extent necessary to perform these services.
•Business transfers. If I sell or merge my business, I may disclose your information as part of that transaction, only to the extent permitted by law.
•Compliance with laws. I may collect, use, retain, and share your information if I have a good faith belief that it is reasonably necessary to: (a) respond to legal process or to government requests; (b) enforce my agreements, terms and policies; (c) prevent, investigate, and address fraud and other illegal activity, security, or technical issues; or (d) protect the rights, property, and safety of my customers, or others.

Customers paying via Shopify Payments, PayPal or Stripe

Shopify, PayPal & Stripe have assured all business users they too are GDPR compliant and storage of customer data is kept to a minimum and not shared with any other third party.

PCI compliance
What is PCI DSS and who needs to comply? (Payment Card Industry Data Security Standard)

Consumers are becoming increasingly aware of the dangers of identity theft and PCI compliance shows that a business has secure procedures in place that keeps customer payment information safe and secure.
•Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements that all businesses who handle credit or debit card payments must comply with. It provides a "minimum security standard".

As a merchant (business) accepting card payments, the business are required to comply with PCI DSS. As a service provider, Shopify, PayPal & Stripe are also required to comply with PCI DSS. Wild Heart Boutique does not take payments direct from customers, Wild Heart Boutique uses a service provider. (Shopify, PayPal & Stripe, whom are PCI DSS compliant).

Data Retention

I retain your personal information only for as long as necessary to provide you with my services and as described in my Privacy Policy. However, I may also be required to retain this information to comply with my legal and regulatory obligations, to resolve disputes, and to enforce my agreements. I generally keep your data for the following time period: 4 years.

Transfers of Personal Information Outside the UK

I may store and process your information through third-party hosting services in the US and other jurisdictions. As a result, I may transfer your personal information to a jurisdiction with different data protection and government surveillance laws than your jurisdiction. If I am deemed to transfer information about you outside of the UK, I rely on Privacy Shield as the legal basis for the transfer, as Google Cloud is Privacy Shield certified.

Your Rights

If you reside in certain territories, including the UK, you have a number of rights in relation to your personal information. While some of these rights apply generally, certain rights apply only in certain limited cases. I describe these rights below:

•Access. You may have the right to access and receive a copy of the personal information I hold about you by contacting me using the contact information below.
•Change, restrict, delete. You may also have rights to change, restrict my use of, or delete your personal information. Absent exceptional circumstances (like where I am required to store data for legal reasons) I will generally delete your personal information upon request.
•Object. You can object to (i) my processing of some of your information based on my legitimate interests and (ii) receiving marketing messages from me after providing your express consent to receive them. In such cases, I will delete your personal information unless I have compelling and legitimate grounds to continue using that information or if it is needed for legal reasons.
•Complain. If you reside in the UK and wish to raise a concern about my use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local data protection authority.

How to Contact Me

For purposes of UK data protection law, I, Eden Cavalli, am the data controller of your personal information. If you have any questions or concerns, you may contact me via the contact page of my website.

By contacting or purchasing from Wild Heart Boutique you are giving direct consent that Wild Heart Boutique can store your personal data until the order is complete. If a customer just wants to ask a question, please be assured once the conversation is finished all messages will be deleted. Wild Heart Boutique does not store any messages that are not active.