Privacy Policy

Last Updated: 08.02.2022

Contents

  1. Introduction
  2. Who we are
  3. What personal data is
  4. Personal data we collect
  5. How we collect your personal data
  6. How we use your personal data, how long we keep it and what our lawful bases are
  7. Sharing your personal data
  8. International transfers
  9. Security of your personal data
  10. Your rights
  11. Third party websites
  12. Children
  13. How to complain
  14. How to contact us
  15. Our EU Representative

1. Introduction

Our Privacy Notice is a way for us to explain how we’re looking after your personal data. Please don’t be put off by how formal it sounds (we did it for the lawyers).

We explain below how Touchnote Limited, (“us”, “we”, “our”) process the personal data we collect about you, when you visit our website, use the TouchNote mobile App or make use of any of our products or services.

If you’ve got questions about anything we’ve written here, please get in touch with us using the contact details set out below (in paragraph 14), so we can shed some light on it.

At Touchnote, we believe that, as our valued customer, you have a fundamental right to privacy and to have control over your personal data. We are grateful that you have chosen to be our customer and we take the responsibility of, not only printing and posting your cards, but also of being guardians of the personal data we collect about you, extremely seriously. We, therefore, comply with all relevant data protection legislation, including the UK General Data Protection Regulation (“UK GDPR”), the EU General Data Protection Regulation (“EU GDPR”) (whichever is applicable) and the Data Protection Act 2018 (DPA 2018”).

Please read the following carefully, so you understand how we process your personal data.

It’s a good idea to revisit this Privacy Notice regularly, as we may need to amend it from time to time. We last updated this Privacy Notice on the date shown above.

2. Who we are

Our full name is TouchNote Limited.

Companies House Registration 

We are a limited company registered with Companies House in England and Wales under registration number 06235264 and we have our registered office at:

Ground and Basement Floors,

17 & 18 Clere Street

London

England EC2A 4LJ

Supervisory Authority Registration 

We are the controller of the personal data we collect and we are registered with the Information Commissioner’s Office (ICO), which is the Supervisory Authority for the UK. Our registration number with the ICO is ZA148678.

3. What personal data is

‘Personal data’ is any information from which you can be identified, either directly or indirectly. For example, your name or an online identifier.

4. Personal data we collect

The personal data we collect about you includes:

  • contact details such as your name, address, email address and phone number
  • information about which products and/or services you purchase and/or are interested in
  • financial data, such as credit card details (when you make a purchase). Your full card details are not recorded or stored in our database. We only collect and store the final four numbers of your credit or debit card, together with the expiry date and cardholder name in order for you to be able to select that card when making a future purchase. The details are encrypted and transferred securely to our third-party payment service providers
  • information about your engagement with us online via our cookies and similar technologies such as your IP address and geographical location (see our cookie policy for more information https://touchnote.com/cookies
  • any other information you may provide to us.

To use some of our services, you will need to supply us with the personal data of others. For example, if you wish to send cards or gifts to friends or family or colleagues, you will need to tell us their names and addresses, so that we can make the deliveries.  We will only use this personal data for the purpose for which it was supplied ie: fulfilling your order.

We operate CCTV at our premises for the purposes of prevention and detection of crime. Therefore, if you attend our premises, images of you may be captured by the CCTV.

5. How we collect your personal data

We collect your personal data directly from you via our website or our mobile App, such as when you register to use our services, place an order, enter a competition or respond to a survey. We will also collect personal data from you when you contact us by phone or by email or visit our premises.

6. How we use your personal data, how long we keep it and what our lawful bases are

We will use and keep your personal data in accordance with the purposes, retention periods and lawful bases set out in the table below.  Once the retention period has expired, we will permanently and securely destroy any personal data that is no longer required.

Type of Individual

Type of Personal Data

Purpose of Processing

Lawful Basis

Retention Period

Customers (subscribers)

Name, email address and Customer User ID

To administer your account and keep you informed of updates and changes to our terms and conditions

Contract

7 years following the end of your subscription

Customers (purchasers)

Name, email address, Customer User ID

To deliver the goods and/or services you have ordered

Contract

7 years following your last purchase

Customers

(purchasers and subscribers)

Name and financial data, such as credit card information and billing address

To process your payment or refund for your purchases / subscription

Contract

7 years following the end of your subscription or the date of your last purchase

Customers

(purchasers and subscribers)

Name and email address

To send you emails and/or push notifications to remind you of orders you have prepared but not completed

Legitimate interests

7 years following your last purchase or the end of your subscription

Customers

(subscribers)

To send you newsletters, special offers, discounts, promotions, surveys and other marketing material via email and push notifications

Consent

7 years  following your last purchase or the end of your subscription

Customers

(purchasers)

Name and email address

To send you newsletters, special offers, discounts, promotions and other marketing material via email and push notifications

Consent

3 years following your last meaningful contact with us

Customers

(purchasers and subscribers)

Name, email address

To share with Facebook and Instagram for the purpose of targeted marketing ie: If you are an existing customer, we will share your name and email address with Facebook and Instagram so that they can show our adverts to you.

Consent

6 years following your last purchase or the end of your subscription

Customers

(purchasers and subscribers)

The demographics (ie: age, sex, family status etc) of our existing customers

These key characteristics are processed to ascertain the key characteristics of our ideal customers and then shared with Facebook and Instagram for the purpose of targeted marketing to potential new customers ie: Facebook and Instagram will find people with the same characteristics as our ideal customers and show them our adverts. (No personal data is shared with Facebook or Instagram for this purpose).

Legitimate interests

7 years following your last purchase or the end of your subscription

Customers

 (purchasers and subscribers)

Name and email address

To answer your enquiry or complaint

Legitimate interests

1 year following the date of the enquiry / complaint

Third parties associated with customers such as the friends, family or colleagues of purchasers and subscribers

Name, address and nature of relationship between the customer and third party such as mother, father, friend etc

To fulfil the orders placed by the customer and deliver the cards and/or gifts ordered

Contract

7 years from the end of the contract

Customers

(purchasers and subscribers)

Name, email address, Customer User ID, financial data, such as credit card information and billing address, nature of relationship between the customer and third party such as mother, father, friend etc

To enforce or apply our terms of use and other agreements or to protect the rights, property, or safety of Touchnote Limited, our customers, or others or to comply with a court order and includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Legal obligation, or legitimate interests, depending on the circumstances

7 years following your last purchase or the end of your subscription

People attending our premises

CCTV footage

To protection our property and for the prevention and detection of crime

Legitimate interests

24 hours from the date of the recording

Website visitors

Using Google Analytics tracking code, we collect the following information.

Customer number, subscription ID, IP address, time of visit, pages visited, time spent on each webpage, referring site details (URL), Type of web browser, Type of operating system (OS), screen resolution, screen colour processing ability, network location, document downloads,

clicks on links leading to external websites, scrolling, mouse-overs, errors from forms and interest categories.

To analyse your use of our website to improve your experience and develop new services

Consent

Varies per cookie.  See our Cookie Notice – https://touchnote.com/cookies/

Website visitors

Using Google Analytics tracking data, we collect the following information.

Customer number, subscription ID, IP address, Time of visit, pages visited, time spent on each webpage, referring site details (URL), Type of web browser, Type of operating system (OS), screen resolution, screen colour processing ability, network location, document downloads,

clicks on links leading to external websites, scrolling, mouse-overs, errors from forms,

interactions with site-specific widgets, age, gender and interest categories.

We may use your personal data to create anonymised information

and aggregated information, such as de-identified demographic information, de-identified location information, information about the computer or device from which you access the services, or other analyses, for a number of purposes, including the measurement of website visitors’ interest in and use of various portions or features of the website. Anonymised or aggregated information is not personal data, and we may use such information in a number of ways, including research, internal analysis, analytics and any other legally permissible purposes.

Consent

Varies per cookie.  See our Cookie Notice – https://touchnote.com/cookies/

7. Sharing your personal data

If you consent to receiving marketing material from us, we will share your information with the service providers who will conduct the marketing services for us. For example, we may instruct another organisation to send emails to you on our behalf to tell you about forthcoming special offers, discounts and competitions which you may be interested in. We will ensure that we have entered into appropriate Data Processing Agreements with the service providers which means that they can only process your personal data in accordance with our instructions and they will not be able to use it for their own purposes.

We will also share your personal data in the following circumstances:

  • In the event that we sell our business or assets, we will disclose your personal data to the prospective buyer.
  • If all, or substantially all, of our assets are acquired by a third party, we will transfer the personal data of our customers to that third party.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use (https://www.touchnote.com/terms/) and other agreements; or to protect the rights, property, or safety of Touchnote Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

8. International transfers

Personal data collected within the UK and the EEA must be processed to the standards required by the UK GDPR and the EU GDPR. Whilst we collect personal data from within the UK and the EEA, we may process it outside this area because some of the service providers we use are based outside the UK and the EEA.

We have taken appropriate steps to ensure that the personal data processed outside the UK and EEA has an essentially equivalent level of protection as it has within the UK and EEA. We do this by ensuring that:

  • Your personal data is only processed in a country which has an adequate level of protection (an adequacy regulation or decision has been issued)

or

9. How we protect your personal data

We have implemented appropriate technical and organisational measures to safeguard your personal data and protect it from accidental or unlawful destruction, loss or alteration and from unauthorised disclosure or access.

10. Your rights

You have certain rights in relation to the processing of your personal data. These rights will vary depending on where you are located.

If you are in the UK or the EU

If you reside in the UK or the EU you have the following rights:

  • Request access to your personal data (commonly known as a “Subject Access Request”). This enables you to receive a copy of the personal data we hold about you.
  • Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. If you object to us using your personal data for marketing purposes, we will stop sending you marketing material.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to another party (data portability).
  • Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.

If you are in California

California Consumer Privacy Act (“CCPA”)

The CCPA provides California residents certain rights related to their personal data. You have the right to:

  • know what personal data we collect about you
  • request a copy of the personal data we have about you
  • require that we delete your personal data
  • know whether we sell your personal data and whether we disclose your data to anyone
  • object to the sale of your personal data
  • not be discriminated against because you exercised your rights under the CCPA.

We do not sell or disclose your personal data for monetary gain or any valuable consideration. We do not use the personal data collected by our clients about you for our own purposes. We provide operations software to our clients and they use your personal data to provide services to you.

The personal data we collect about you is set out above under ‘Personal data we collect’.

If you are in China

Personal Information Protection Law (“PIPL”)

If you reside in the People’s Republic of China, you have the following rights:

  • You have the right to know and decide upon personal data processing.
  • You have the right of access to your personal data and can request copies of it and information about our processing of it.
  • If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  • You have the right to request that your personal data is deleted, in certain circumstances.
  • You have the right to object and have the right to restrict the use of your personal data in certain circumstances.
  • You have the right not to be subject to a decision based solely on automated processing.
  • You have the right to portability, subject to conditions stipulated by the Cyberspace Administration of China
  • Where we are processing your personal data with your consent you can withdraw your consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain parts of the service.
  • You have the right to ask Entrusted Parties to explain their processing rules on data subjects’ requests.
  • The close relatives of a deceased data subject also have certain rights.
  • You can also raise a complaint with the data protection supervisory authority in the country in which you reside.

If you are in Canada

Personal Information Protection and Electronic Documents Act (“PIPEDA”)

If you reside in Canada, you have the following rights:

  • You have the right to access your personal data (subject to limited exceptions)
  • You have the right to correct inaccuracies in/update your personal data.
  • You have the right to withdraw consent in certain circumstances.
  • If you are in Australia

Privacy Act

If you reside in Australia, you have the following rights:

  • You have the right to request access to your personal data
  • You have the right to correct inaccuracies in your personal data
  • You have the right to stop receiving unwanted direct marketing

You can also make a complaint about us to the Office of the Australian Information Commissioner if you think we have mishandled your personal data.

If you are in Brazil

LGPD – the Brazilian General Data Protection Law (the Lei Geral de Proteção de Dados Pessoais).

  • If you reside in Brazil, you have the following rights:
  • You have the right of access to your personal data and can request copies of it and information about our processing of it.
  • If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  • Where we are not relying on consent, you have the right to oppose the processing we are carrying out on your personal data where we have not complied with the LGPD.
  • You can ask us to block, anonymise or delete the use of your personal data if:
  • It has been used unlawfully
  • It is unnecessary
  • It is excessive
  • In some circumstances you can request a machine-readable copy of your personal data and request us to transfer it to another service provider.
  • You have the right to review a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
  • Where we are processing your personal data with your consent you can withdraw your consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.
  • You can also raise a complaint with the data protection supervisory authority in the country in which you reside.

If you are in Peru

PDPL – Peru’s Personal Data Protection Law (N° 29733 (PDPL)) and its Regulation (N° 003-2013-JUS-Regulation of the PDPL)

If you are in Peru, you have the following rights:

  • You have the right to be informed about the collection and use of your personal data.
  • You have the right of access to your personal data and can request copies of it and information about our processing of it.
  • You have the right to request that your personal data is deleted, subject to certain exceptions.
  • You have the right to object to our processing of your personal data in certain circumstances, for example, where you have legitimate and grounded reasons, due to a specific personal situation.
  • If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  • In some circumstances, you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
  • Where we are processing your personal data with your consent you can withdraw your consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain parts of our service.
  • You can also raise a complaint with the data protection supervisory authority in the country in which you reside.
  • Right to withdraw consent

If you have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we are permitted by law.

How to exercise your rights

If you wish to exercise your rights, please contact us using the contact details provided within the ‘Contact Us’ section below. If you are in the EU, please contact our EU representative, whose contact details are shown within the ‘EU Representative’ section below.

You will not usually need to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity before we can process a request from you to exercise any of the above rights.  This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

11. Third-Party Websites

This website contains links to other websites. If you follow a link, please note these websites will have their own privacy notices. We do not accept responsibility or liability for the privacy notices on third-party websites. Please check their privacy notices before submitting any personal data to these websites.

12. Children

We do not knowingly solicit or collect any information about users who may be under the age of 16 and will delete any information provided by such individuals as soon as possible. Please do not provide us with any personal data if you are under the age of 16.  Any users under the age of 18 should discuss the use of our services with their parents before they share any personal data with us.

13. How to complain

You have the right to lodge a complaint with the supervisory authority, if you believe we are infringing the applicable data protection laws or you are concerned about the way in which we are handling your personal data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:

Contact us | ICO

Or by telephone on 0303 123 1113

If you are outside the UK but within the EU, you can find the contact details of the supervisory authorities for countries within the EU by visiting the following link:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

14. Contact us

If you’ve got questions about anything we’ve written here, please get in touch with us, so we can shed some light on it.

If you wish to exercise any of your rights outlined above, then please let us know and we will respond as soon as we can and within one month, unless your request is complicated, in which case, it may take longer. If this is the case, we will let you know as soon as we can and within one month.

You can contact us by post or email. The details you need are as follows:

TouchNote Limited

Ground and Basement Floors

17 & 18 Clere Street

London

England

EC2A 4LJ

email: GDPR@TouchNote.com

Please feel free to use this form to detail your query: Data Subject Rights Request Form

Our Data Protection Officer is Evalian who can be contacted at dpo@evalian.co.uk

15. Our EU Representative

We are based in the UK but, as we offer goods and services to people in the EU, we are required to appoint an EU representative, in accordance with the EU GDPR.  The purpose of an EU representative is to make it easy for individuals located in the EU to contact us should they wish to exercise their rights or make a complaint or enquiry in relation to how we are processing their personal data. It is also a contact point for the supervisory authorities located in the EU.

If you are in the EU/EEA and wish to contact us via our GDPR Representative, DataRep, you may do so at:

  • https://www.datarep.com/data-request/

  • Writing to our representative by post, using the most convenient address from the list below. PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ (EU Subjects) and not ‘TouchNote’, or your inquiry may not reach DataRep.

DataRep Postal Address List:

Country

Address

Austria

DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria

Belgium

DataRep, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium

Bulgaria

DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria

Croatia

DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia

Cyprus

DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus

Czech Republic

DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic

Denmark

DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark

Estonia

DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia

Finland

DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland

France

DataRep, 72 rue de Lessard, Rouen, 76100, France

Germany

DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany

Greece

DataRep, 24 Lagoumitzi str, Athens, 17671, Greece

Hungary

DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary

Iceland

DataRep, Kalkofnsvegur 2, 101 Reykjavík, Iceland

Ireland

DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland

Italy

DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy

Latvia

DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia

Liechtenstein

DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria

Lithuania

DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania

Luxembourg

DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg

Malta

DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta

Netherlands

DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands

Norway

DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway

Poland

DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland

Portugal

DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal

Romania

DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857,

Romania

Slovakia

DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia

Slovenia

DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia

Spain

DataRep, Calle de Manzanares 4, Madrid, 28005, Spain

Sweden

DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE – 211 46, Sweden

 

Advertisement