Effective Date: 06 April 2021
1. WHO ARE WE?
We are Colart International Holdings Limited, a company registered in England and Wales under number 03659130 and our principal place of business is at The Studio Building, 21 Evesham Street, London, W11 4AJ. We trade as “Colart” (“we”, “us”, “our”). We own and operate this website (the “Site”). Our contact details are on the Site. Please contact us if you have any questions or feedback about this policy.
2. WHAT’S THE POINT OF THIS POLICY?
2.1 This policy tells you how we deal with your personal data. Personal data is any information relating to an identified or identifiable natural person. It does not include data where the identity has been removed (anonymous data). For the purposes of the General Data Protection Regulation ((EU) 2016/679), we are the data controller in relation to personal data collected by us. Please read on to find out about the personal data we collect, how we use and protect it, to whom we disclose it and how you can access and rectify it or request that we stop processing it.
3. MIGHT THE POLICY CHANGE?
4. WHAT PERSONAL OR OTHER DATA DO WE COLLECT AND HOW DO WE COLLECT IT?
INFORMATION YOU GIVE US
4.1 We collect and store the information which you give us: (i) through forms you fill in on the Site, such as your name, address, email address, phone number, artist type, art media preferences; or (ii) when communicating with us by phone, email or in some other way. You can choose what information to give to us, but some of this information may be required to provide you with certain services or goods, for example, the billing or delivery address if you order from us. If you choose not to provide certain information, we may not be able to provide you with our goods and services. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
INFORMATION WE COLLECT ABOUT YOU
4.2 We receive and store certain information automatically when you interact with us. Examples include connection information such as country and city, browser type and version, your operating system and platform, a unique reference number linked to the data you enter on our system, login details, the full URL clickstream to, through and from our Site (including date and time), cookie number, activity on the Site including the pages you visited, searches you made, products purchased, likes, comments and uploads.
INFORMATION WE RECEIVE FROM OTHER SOURCES
4.3 We may receive information about you if you use any of the other websites and touchpoints we operate or the other services we provide. We are also working closely with third parties including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies etc and may receive information about you from them.
INFORMATION WE DO NOT COLLECT ABOUT YOU
4.4 This Site is not intended for children and we do not knowingly collect personal data relating to children.
5. WHAT ABOUT COOKIES?
6. WHAT IS OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA?
6.1 In line with the General Data Protection Regulation, we rely on the following legal bases/grounds to process your personal data:
a. Performance of a contract with you: in order to provide you with the goods or services you want (which you will see as mandatory fields in any order or sign up process);
b. Consent: where you have provided consent, for example, by agreeing that we can contact you with offers and events you might be interested in, we will process the data on the basis of that consent; and/or
c. Legitimate interests: for the remaining data we collect, we process it in the legitimate interests of operating our business; or
d. Legal interest: where we need to comply with a legal obligation.
6.2 We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your personal data.
6.3 We may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
7. HOW DO WE USE YOUR PERSONAL DATA?
7.1 We use your personal data to provide our products and services arising from any contracts entered into between you and us and to provide you with the information, products and ancillary services which you may request from us. These include send service/transactional messages, process payments and/or fulfil orders.
7.2 We use your personal data to help us communicate with you effectively should you try to contact us through the Site.
7.3 We only want to send you marketing-related communications (including by email, post, phone, SMS or social media) that we feel may interest you and if you have given permission on the Site. You can change your privacy settings and preferences within ‘Your Account’. Please note that even if you choose not to receive marketing emails from us, you will still receive our transactional emails, such as messages related to your orders, updates on products and services you have purchased from us, or information about your account. You will also continue to receive emails about other programmes you have enrolled in such as The Fine Art Collective and Artists Outreach Programmes.
7.6 We may use your personal data to contact you through a touchpoint other than the one through which you originally contacted us. For example, we may use your email address from: (i) a purchase you have made with us; or (ii) from an account you have registered with us on our Site; or (iii) an email newsletter you may have subscribed to, to show you adverts on your social media platforms or contact you by phone, SMS or some other touchpoint. This is known as ‘re-targeting’.
7.7 We may use your personal data to ensure that content from our Site is presented in the most effective manner for you and for your device to achieve the most user-friendly navigation experience.
7.8 We may use your personal data to notify you about changes to the Site and our products and services.
7.9 If you supply us with a third-party email address to refer someone to us, we will use that email address only to transmit the referral message and we will then immediately delete it. You must get the consent of the person whose details you provide before you give us those details.
7.10 We retain personal data from closed accounts in order to comply with legal obligations, enforce our terms and conditions, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations and take other actions as permitted by law.
7.11 We may access, remove, alter, store or otherwise use any personal data if we have reason to believe that it breaches our terms and conditions, or that such steps are necessary to protect us or others, or that a criminal act has been committed, or if we are required to do so by law or an appropriate authority.
CHANGE OF PURPOSE
7.12 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
7.13 If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
HOW LONG WILL YOU RETAIN MY PERSONAL DATA FOR?
7.14 We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
7.15 To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
8. HOW DO WE PROTECT PERSONAL DATA?
8.1 We have put in place appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8.2 All information you provide to us is stored on servers owned and operated by:
1. Amazon Web Services, Inc. (further information available at https://aws.amazon.com);
2. M3 based in France (further information available at https://www.infor.com/about/privacy);
3. Google Big Query Data Warehouse (further information available at https://cloud.google.com/bigquery)
4. Exponea (further information available at https://exponea.com/legal/privacy-policy/
5. Sage based in UK (further information available at https://www.sage.com/en-gb/legal/privacy-and-cookies/
8.3 Email and other electronic communications are not secure if they have not been encrypted. Your communications may pass through servers in a number of countries, including countries outside the European Economic Area (“EEA”) before they reach us. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Site; any transmission is at your own risk. We do not accept responsibility for any unauthorised access to or loss of personal data that stems from a cause beyond our control. Nor can we be held responsible for the actions or omissions of other users or third parties who may misuse your personal data which they collect from the Site.
9. TO WHOM DO WE DISCLOSE PERSONAL DATA?
9.1 Payment details including credit card numbers are supplied direct to our banking partner. We do not receive such information. To ensure your details are not being used without consent, your personal data may be supplied to relevant third parties including credit reference and fraud prevention agencies, who may keep a record of that information in line with their own privacy policies.
9.2 We may allow access to your personal data to third parties who supply us with a service. Examples include e-commerce platform providers, couriers (to enable delivery of goods), website hosts and businesses which assist us in undertaking communications or businesses which assist us in monitoring our Site such as Google Analytics for re-targeting, Facebook, LinkedIn, Twitter, Whatsapp. We require all such third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
9.3 If you have given permission on our Site, we may provide your personal data to our other group companies within the Colart group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006 or selected third parties so that they can send you emails (or other communications) with details of goods or services which may be of interest to you including information about our special offers or promotions. You can change your privacy settings and preferences within the subscription management page, accessible via a link in every marketing email we send.
9.4 Your activity on the Site:
a. If you register for our community, your display name (which you can change to a different name from your real name if you wish), photo, profile/biography and artwork (including any artwork titles/descriptions) will always be viewable and searchable by users of the Site. Your followers will be notified when you upload new artwork;
b. Subject to your privacy preference settings, the following information about you may also be viewable and searchable by other users: likes, recent activity, reviews, videos watched, artwork uploaded, comments and connections (i.e. users you follow and those who follow you); and/or
c. If you post a review or comment on the Site, your display name will be shown and the user who is the subject of the review/comment will be notified.
9.5 We may disclose personal data so far as reasonably necessary:
a. If we have reason to believe you have breached our terms and conditions, or that such steps are necessary to protect us or others, or that a criminal act has been committed, or if we are required to do so by law or an appropriate authority;
b. In the case of an actual or proposed sale or merger or business combination involving all or the relevant part of our business so that the new owner can continue to provide you with our products and services. The new owner will be obliged to comply with this policy; and/or
c. If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions and other agreements; or to protect the rights, property, or safety of us, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
9.6 We may store or transfer personal data outside the EEA for the purposes stated in this policy. If so, we will comply with the applicable laws relating to data transfer outside the EEA. Whenever we transfer your personal data out of the UK, we aim to ensure a similar degree of protection is afforded to it by ensuring we transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data or we may use specific contracts which give personal data the same protection it has in the UK.
9.7 Except as otherwise specifically included in this policy, this policy addresses only the use and disclosure of information we collect from you. If you disclose your information to third parties, whether they are other users of our Site or other websites, different rules may apply to their use or disclosure of your information.
10. WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?
10.1 You can get in touch with us at any time using the ‘contact us’ link on our Site to:
a. request access to, or a copy of, the personal data we hold about you either to review for yourself or to provide to another data controller;
b. request the deletion or correction of personal data we hold about you;
c. object to our use of your personal data and/or request that we restrict or stop our use of that data; and/or
d. withdraw your consent to processing of your personal data, where we process data on the basis of consent provided that you are able to prove who you are with two documents of verifiable identification. This is to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
10.2 If you wish, you can permanently delete your account with us by the means explained above.
10.3 If you wish to complain about the processing of your personal information then you should contact us first, but if we do not satisfactorily deal with your complaint, then you may contact the UK Information Commissioner’s Office or the equivalent data protection authority in your country.
10.4 For further information about your rights under data protection laws in the European Union, see: https://ec.europa.eu/info/law/law-topic/data-protection_en. You can also obtain information and guidance through the UK Information Commissioner’s Office or the equivalent data protection authority.