Privacy Policy for Patch Potatoes Effective Date: 1st November 2024 At Patch Potatoes (the "Company," "we," "us," or "our"), we value your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://www.patchseedpotatoes.co.uk/ (the "Site") or make a purchase from us or use one of our services. Data Controller’s Contact Details Patch Potatoes is the Data Controller for the personal information we process, unless otherwise stated. There are several ways you can contact us, including post, email and phone Patch Potatoes, 93 Crossan Road, Rathfriland, Newry. BT34 5BE patch@mccreightpotatoes.com +44 (0) 28 3085 1661 1. Data Protection Officer's Contact Details Our Data Protection Officer is Alex McCreight. You can contact him at mailto:alex@mccreightpotatoes.com or via our postal address. Please mark the envelope ‘Data Protection Officer’. 2. Information We Collect Directly Most of the personal information we process is provided to us directly by you. It is provided freely and with your permission to use it. You can withdraw your permission to process your data at any time. We may collect the following types of information: Personal Information : When you: create an account, place an order, contact us, visit our shop register, attend, participate in an event respond to an offer, advertisement, or promotion of ours enter a competition, sponsored activity or other activity of which we are part as providers, co-hosts or supporters 1 open, read, download, print off or in any other way engage with our growing guides, website advice or comments, or recipes recommend someone to our website or company participate in a survey, research or other information activity freely provide personal information in any other way subscribe to our newsletter submit or appear in a photograph, video, online format in connection with us and or our products post on, contribute or participate in any of our online formats apply for a job 3. Personal Information We Do Not Collect Automatically We do not automatically collect personal data in 7 categories defined as 'sensitive data' within the GDPR. Those categories are: 1. racial or ethnic origin 2. political opinions 3. religious or philosophical beliefs 4. trade-union membership 5. genetic data 6. biometric data processed solely to identify a human being and health- related data 7. data concerning a person's sex life or sexual orientation. we may be obliged to collect data where we are required to do so so, for example, to fulfil health control and reporting under food and health legal legislation to comply with court orders we must obtain your permission - in each instance - when asked to provide sensitive data by an organisation legally competent to do so. you have rights concerning amending and managing this information and they are referenced in Section 11 below 4. Personal Information We Collect Indirectly Some of the personal information we process is provided to us indirectly when: we require recovery funds not paid in a transaction or order we verify refunds or replacements or substitutes we have used a third-party, bank or credit referencing agency to process an order we have contacted an organisation about a complaint you have made and it gives us your personal information in its response your personal information is contained in reports of breaches of data protection law given to us by organisations a complainant refers to you in their complaint correspondence 2 you have entered a promotion or competition or event in which we have participated a potential employee of ours gives your contact details as an emergency contact or a reference an employee of ours gives your contact details as an emergency contact or a referee 5. What Information Do We Collect? First, we only collect information which we consider proportionate to fulfil the tasks, orders, responsibilities and similar that you have requested. Secondly, we then only collect information which we consider relevant to us, our commercial and marketing activities and our legitimate interests within the scope of the data protection law in force at the time of collection and processing We may collect personal information that could include: your title, given and surname or other preference you may have your postal, email, delivery, billing or other addresses social media identifiers, names and titles landline and mobile phone numbers payment information including credit and debit card numbers, related security codes and expiry dates returns, complaints and enquiries related information and action. 6. What Non-Personal Information Do We Collect? We may also collect non-personal information automatically when you visit our Site, including your IP address, your browser your operating system the pages you visit, the time and date of your visit, the length of your engagement and interaction with our Site where the Internet may have directed you from to visit our Site and where you may go afterwards any backlink or referral sites that directed you to our Site QR codes, advertising or other promotional sources that directed you to our Site reference numbers and codes for cash, credit note or refund vouchers that may have been issued to you, their redemption criteria and dates our instructions, guarantees and warranties and related, the associated products and activities 3 third-party instructions, guarantees and warranties and related material, for any products and activities provided by us as part of the supply of goods and services we have contracted to supply to you 7. How We Use Your Information? We may use the information we collect for various purposes, including: processing and fulfilling your orders, responding to requests for information, resolving complaints managing the provision of information when it is necessary to engage with a third-party concerning an order, complaint or legitimate interest reason directly communicating with you about your account, orders, and promotions improving our Site and customer service undertaking marketing research and analysis of prospect and customers social and commercial behaviours, purchase trends, engagement and usage analysing existing and new products and markets analysing marketing campaign performances enhancing online and retail shopping experiences complying with legal obligations. 8. Do We Disclose, Sell, Or Rent Your Information To Others we do not sell or rent your personal information to third parties should we decide to rent your personal information to third parties we will get your permission in advance to do so should Pack Potatoes be sold as a commercial concern then all data will be transferred to the new owners who must re-establish the permissions held subject to their legitimate interests we may share your information with: Service Providers: Third-party vendors who assist us in operating our Site, processing payments, and delivering products. for Legal compliance reasons: If required by law, we will disclose your information to comply with legal obligations or respond to valid requests from law enforcement. We strive to use commercially acceptable means to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee its absolute security, therefore. 10. What Are Our Data Security Standards? We implement a variety of security measures to protect your personal information. 4 In the event of a data breach as a consequence of an error, systems breakdown, illegal activity or external attack we will notify you and the ICO of this situation immediately it becomes known to us. We will remedy the breach as quickly as is appropriate, to attempt to ensure that there is no re-occurrence, We will always act in compliance with both the letter and spirit of the GDPR. We are mindful of the advice given by the ICO in he light of the case law, interpretations of the Act and what becomes defined as 'best practice'. We will implement such understandings as benefits you and your personal information and our legitimate interests. 11. Your Data Protection Rights Under data protection law, you have various rights concerning much more than the granting, holding and processing of your information by us. What those rights are depends on our reason for processing your information. Your right of access You have the right to ask us for copies of your personal. We will endeavour to provide this information within the 31-day period allowed by law in a written or digital format. If those formats are not acceptable to you, for example, if output in braille, then we may exceed the 31-day limit. Your right to rectification You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to add to information you think is incomplete. Your right to erasure You have the right to ask us to erase your personal information in certain circumstances. Your right to restriction of processing You have the right to ask us to restrict the processing of your information in certain circumstances. You can ask organisations to temporarily limit the use of your data when they are considering a challenge you have made to the accuracy of your data, or an objection you have made to the use of your data. You may also ask an organisation to limit the use of your data rather than delete it if: the organisation processed your data unlawfully, but you do not want it deleted, or the organisation no longer needs your data but you want the organisation to keep it in order to create, exercise or defend legal claims. Your right to object to processing 5 You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests. Your right to data portability This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. 12. In Summary, You Have The Right To: Access, correct, or delete your personal information. Withdraw your consent for us to process your personal information. Opt-out of marketing communications. To exercise these rights and to know what data we hold on you please send a Subject Access Request (SAR) to our Data Protection Officer: Alex McCreight, Patch Potatoes, Data Protection Officer 93, Crossan Road, Rathfriland, Newry. BT34 5BE We will endeavour to provide this information within the 31-day period allowed by law in a written or digital format. If those formats are not acceptable to you, for example, if output in braille, then we may exceed the 31-day limit. In the event that you are not satisfied with our holding, managing or responding to you with respect to your data or for our handling of any request or complaint then you may want to contact the Information Commissioner's Office: Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF 6 Telephone: 0303 123 1113 13. How Long Will We Keep Your Data? The reason(s) for retaining your data is everything. When we have considered all the Data Protection Principles, and once we have set the purpose(s) for processing, we will store your data collected for that purpose until the purpose is exhausted Personal data changes each time there is an interaction b etween us. That may affect both what we hold and for how long we retain it. We are required to refresh your permissions allowing us to use your data regularly. This will happen in two ways: informally as a consequence of interactions between us annually by us as part of our Autumn/Winter new season campigns. 14. How Long Can We Keep Staff Records? Personal data, performance appraisals and employment contracts for six years after an employee leaves. This means that once the successful candidate has been selected, there is no longer a need to retain the candidate's data. 15. Do We Share Your Information With Third-Parties? We will not share your information with any third parties for the purposes of direct marketing unless. We use data processors - third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. It is necessary for us to transfer your personal information outside of the UK This will only be done in accordance with the UK 's GDPR. In any circumstance, we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information 16, Third-Party Links Our Site may contain links to third-party websites. We do not control these websites and are not responsible for their content or privacy practices. We encourage you to review the privacy policies of any third-party sites you visit. 17. Changing This Privacy Policy We may update this Privacy Policy from time to time. We will notify you of any ider We encourage you to review this Privacy Policy periodically. 7 18. Social Media Management We may use a third-party provider to manage our social-media interactions, for example, when you send us a private or direct message via social media We see all this information and decide how we manage it. Your Personal Information will not be shared with any other organisations unless it is required as part of activities described elsewhere in this Privacy Policy. Personal Information may be stored by that provider on our behalf for as long as it is deemed necessary by us. Personal Information will be deleted once the requirement has been fulfilled and will always be deleted when your personal data on our Site is deleted entirely, modified, rectified or otherwise removed in accordance with the terms described elsewhere in this Privacy Policy When contacting us through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform. 19. What Are Your Rights As A Visitors To Our Website? When collect personal data through our website, we will inform you immediately we do so and we’ll later explain what we intend to do with it. Analytics When you visit our Site, we use a third-party service to collect standard internet log information and details of visitor behaviour patterns, for example, the number of visitors to the various parts of the site. This information is only processed in a way that does not directly identify you individually. We do not make, and do not allow any third-party to make, any attempt to find out the identities of those visiting our website. We use the information to report on visitor numbers, and to make improvements to our service. This information is collected only if visitors opt in . The information collected is classed as personal data because a unique identifier will be assigned to each visitor. We do not make, and do not allow any third-party to make, or attempt to make any attempt find out the identities of those visiting our website. We have measures to protect the information collected, which include: limiting the amount of data collected including not collecting full IP addresses, setting a retention schedule, restricting access to our Analytics data, and regularly reviewing our use of analytics. We keep individual analytics data for 15 months from a visitor’s last visit. 8 Analytics data may be aggregated into datasets that may themselves be reconfigured into new datasets for management and marketing purposes. Your personal information cannot be derived from these aggregated data sets. 20. How Do We Manage Cookies? Cookies are small files of information that a web server generates and sends to a web browser. Neither you nor we have any direct c ontrol over this activity. Different browsers have different protocols. You will have to go to their Privacy Policies to establish what they do and whether you agree with them. This may requite you to change the browser you use. Web browsers store the cookies they receive for a predetermined period of time, or for the length of a user's session on a website. Cookies that are necessary for providing functionality, security and accessibility they are set and are not deleted by the tool. We may also use a Cookies tool on our website to get consent for the optional Cookies we use. You can refuse permission for these Cookies to collect personal data. If you don't give permission for these Cookies to collect personal data you may find that: you only get restricted access to the information on our Site you may not get the functionality that you expect, for example, you may not be able to go back to pages you have visited with one click 21. How Do We Manage Search Engine Activity? Our website search and decision notice search is powered by a third-party provider. Queries and results are logged anonymously to help us improve our website and search functionality. No identifiable personal information is collected by our third-party provider. 23. What Is Our HR Privacy Policy There are elements of our HR Privacy Policy within this general Privacy Policy. We hold Personal Information about our employees so that we can fulfil our legal obligations towards them, their interactions with suppliers, the public and the Company. 9 In addition to the Personal Information we collect elsewhere and mentioned above, we will hold data concerning your: application for employment. education and skills training both before being employed by us as well when you joined competency qualifications for materials handling, driving licenses and other licenses held, any related accidents both before and during employment with us plus any suspensions of those licenses for whatever reasons. records detailing wages and salaries, government benefits, absences for whatever reasons. disciplinary processes and procedures customer complaints, related data you have provided, management's observations, disciplinary events you have been involved with and all disciplinary outcomes. we will hold all this HR related Personal Information for the whole of your employment with us plus another 10 years. We will not share this information with a third party other than to confirm such details as you specifically request, for example, to confirm your earnings for a bank loan application. We will share your personal information when legally obliged to do so. We will share elements of your personal information when providing a reference providing you give us permission to do so. You have the right to see any information held about you, including emails, CCTV footage. Your have a right to a private life which also means you have the right to some privacy in the workplace. A more detailed HR Privacy Policy is being prepared.. There are elements of our HR Privacy Policy within this general Privacy Policy. 24. Contact Us If you have any questions or concerns about this Privacy Policy, please contact us at: Patch Potatoes, 93 Crossan Road, Rathfriland, 10 Newry. BT34 5BE patch@mccreightpotatoes.com +44 (0) 28 3085 1661 11