1. Who We Are
2. How to Contact Us
In respect of data protection related questions, to exercise your rights or file a complaint, please either email us at email@example.com or post a letter to PO Box 2707, Stafford VA 22555, United States.
3. Why We Collect Personal Data
We collect and use your personal data for the following purposes:
- In order to process your order. For this purpose we collect the following data: names, postal addresses, telephone numbers, emails, IP addresses, credit/debit card or other payment details, device data, as well as preferences, specifications and instructions for custom orders.
- To send you reminders on unfinished orders. For this purpose we collect the following data: shopping cart contents, including items, quantity, and pricing.
- To send you newsletters and product retargeting emails. For this purpose we collect the following data: names, emails, cart contents, and order details.
- To provide offers tailored to your preferences. For this purpose we collect the following data: names, emails, search and order details.
- To communicate with you to carry out customer satisfaction surveys for analytical purposes, for quality improvements, for service developments, to improve the performance of the website, or to tailor services to your needs. For this purpose we collect the following data: names, emails, and order details.
- To support administrative and legal purposes (e.g. anti-fraud screening, for safety and security purposes). For this purpose we collect the following data: names, postal addresses, telephone numbers, IP addresses, geolocation data, transaction history, credit/debit card details.
- To comply with the mandatory provisions of the applicable laws. For this purpose we collect the following data: personal data related to invoicing.
4. Legal Basis of Data Processing
The legal basis of data processing activity indicated in points 5-6 of Section 3 of this Privacy Notice lies in Article 6 (1) (f) of the GDPR, i.e. such processing activity will be based on our legitimate interests. We will carefully consider your interests and fundamental rights and freedoms, and whether these override our legitimate interests.
The legal basis of data processing activity indicated in point 7 of Section 3 of this Privacy Notice lies in Article 6 (1) (c) of the GDPR, i.e. such processing activity is necessary for compliance with legal obligation(s).
Consequences of refusal/failure to provide personal data
Please be aware that we require the personal data listed in Section 3.1 in order to provide you with our services. If you do not provide us with the requested personal data, we will not be able to provide you with all or parts of the services you have requested.
4. Data Retention
We retain your personal information only for as long as your account is active or as necessary to provide you with our services. However, we may also be required to retain such information to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements.
5. Your Data Protection Rights
- Right to access. You have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. You have the right to obtain a copy of the personal data undergoing processing. We may request additional information from you for identification, and for further copies requested by you we may charge a reasonable fee based on administrative costs.
- Right to rectification. You have the right to ask us to rectify inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure. Under certain circumstances, you may have the right to ask us to erase your personal data and we may be obliged to erase such personal data. In such cases we will not be able to further provide you with our services.
- Right to restrict processing. Under certain circumstances, you may have the right to ask us to restrict processing of your personal data. In this case the respective data will be marked and may only be processed by us for certain purposes.
- Right to object and rights relating to automated decision-making. Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. Moreover, if your personal data is processed based on our legitimate interest, you have the right to object at any time to the processing of personal data concerning you for such purpose.
- Right to data portability. Under certain circumstances, you may have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format (i.e. in digital form) and you may have the right to request the transmission of such data to another entity without hindrance from us, if such transmission is technically feasible.
- Right to withdraw consent. When the processing of your personal data is based on your consent, you may withdraw your consent at any time without giving any reason to us by clicking the link provided in each newsletter, or by changing preferences in your account. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority. If you feel that your personal data rights have been breached, you may contact and lodge a complaint with the local data protection authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
Citizens of the European Union may exercise rights indicated in points 1-3, 6-7 of Section 5 of this Privacy Notice at any time using the relevant links in their accounts or newsletter emails.
6. Data Security
We follow generally accepted industry standards to protect the information submitted to us, both during transmission and once we receive it. We maintain appropriate administrative, technical and physical safeguards to protect personal data against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Data in our possession. This includes firewalls, password protection, and other access and authentication controls.
We pay special attention to the safe transmission of personal and financial data. Such data is transmitted from your computer to our server and from our server to third-party processors through encrypted channels with the support of the state-of-the-art Transport Layer Security (TLS) cryptographic protocol.
Moreover, we are compliant with the Payment Card Industry Data Security Standard, which is a set of technical and operational requirements for entities that store, process, or transmit payment card data. Among other things, the standard requires us to maintain a secure network, protect cardholder data, and undergo quarterly vulnerability scans. Please note that we do not store any payment card data.
It is important to remember that no method of electronic transmission or storage is perfect. We cannot ensure or warrant the security of any information you transmit to us or store on our website. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. If you believe your personal data has been compromised, please contact us as set forth in Section 2. If we learn of a security systems breach, we will inform you and the authorities of the occurrence of the breach in accordance with applicable law.
7. Data Sharing
We, in the course of our operation, may utilize the services of various data processors and external service providers to handle and process your personal data for specific purposes, on behalf of and in accordance with the instructions of Russian Legacy.
The data processors shall process the personal data as long as the term of the data processing contract concluded with them is valid and in force, or until they are required to keep your data under the applicable data retention laws.
We may disclose your personal data to the following categories of third parties for the purposes described below:
- credit card companies, payment service providers in order to process payments initiated on our website or by phone;
- courier and postal services in order to ship, track, and deliver goods;
- newsletter and customer survey services in order to manage such activities on our behalf;
- affiliate networks in order to manage our performance marketing programs;
- hosting services in order to maintain correct functioning of our website;
- law firms, courts, other bodies or service providers in order to enforce or apply any contract with you;
- government authorities or enforcement bodies such as the police and regulatory authorities, upon their request and only as required by the applicable law or to protect our rights or the safety of our customers, staff and assets.
8. Transfers of Data to Third Countries
The transfer of your personal data outside of the European Economic Area may be necessary in order to provide you with a service that you have requested, and your personal data may be accessed by our data processors and service providers from countries that do not provide the same level of data protection as provided in the European Economic Area. In such circumstances, we will enter into model contractual clauses as adopted by the European Commission, or rely on alternative legal bases such as the Privacy Shield, where applicable, or binding corporate rules where our partners or service providers have adopted such internal policies approved by European data protection authorities.
9. Change of Ownership
Some browsers include the ability to transmit "Do Not Track" ("DNT") signals. Since uniform standards for such signals have not been adopted, our website does not currently process or respond to them. We take privacy and meaningful choice seriously and will make efforts to continue to monitor developments around the DNT browser technology and the implementation of a standard.
- Essential. These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies, services you may be interested in cannot be provided. These cookies do not collect information that identifies a visitor.
- Performance. These cookies collect information about how visitors use our website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies do not collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.
- Functional. These cookies allow our website to remember choices you make (such as shopping cart contents and order history) and provide enhanced, more personal features. The information these cookies collect may be anonymised. Such cookies cannot track your browsing activity on other websites.
- Behavioural. These cookies and web beacons are used to track clicks to and on our website for the purpose of general analytics, monitoring traffic patterns, product retargeting, and remunerating referring websites. They are placed by relevant service providers with our permission. They record email and website interactions, and this information is only available to us and our service providers.
11. Children's Privacy
Protecting the privacy of children is especially important. Our website is not aimed at children under the age of 18, and we do not knowingly collect personal data from children under the age of 18 without obtaining parental consent. If you are under 18 years of age, please do not use or access our website at any time or in any manner. If we learn that personal data has been collected on our website from persons under 18 years of age and without verifiable parental consent, then we will take the appropriate steps to delete this information. If you are a parent or guardian and discover that your child under 18 years of age has obtained an account on our website, you may alert us at firstname.lastname@example.org and request that we delete that child's personal data from our systems.
12. Changes to This Policy
13. Third Party Websites
Our website may contain links to other websites of interest. However, please note that any such websites are beyond our control. Therefore, we cannot be held responsible for the protection and privacy of any information which you provide while visiting such websites. You should exercise caution and examine privacy statements applicable to websites in question.
July 16, 2018