Privacy policies can be heavy going and full of jargon. We value clear, concise messages. And we value your time and privacy.
Spamming, stalking covertly, misleading people or sharing their data without consent is 100% unacceptable.
We collect and use the following types of data:
Basic mailing list information (opted-in email addresses)
Passive data e.g. cookies/analytics via visits to our website and social media channels, which help us to improve our digital marketing.
Business info relating to contracts, day-to-day legal obligations and legitimate business operations e.g. transactions, invoicing/payment, tax, diary management, business development, client relationships and communications.
Our data protection lead has over 20 years' experience of data-handling and data protection issues and is trained in GDPR issues.
We maintain two mailing lists: one for shoppers / members of the public who wish to keep informed about Crystal Palace high streets. We use Mailchimp and a transparent opt-in and unsubscribe process for this.
We also have a business mailing list for high street shop-fronted businesses open to the public in Crystal Palace (and a registration form where you can sign up). We run this via G-Suite/Google Workspace.
Our website is light touch. We use HTTPS/SSL security. Our host is Wix based in the US. We don’t proactively collect any data via our website at the moment. We do not publish comments or use online contact forms. You can reach us using publicly available platforms where we maintain an active business presence e.g. Facebook, Twitter and Instagram.
We work alongside skilled specialists: graphic designers, digital marketers, photographers, videographers, other marketing and research agencies / partners.
In the course of our business and marketing activities, we sometimes need to share data and access to our website and social media channels with partners and they need to share data with us. We are transparent in situations where data is shared or transferred; or if we need to work with a partner to deliver a specialist service.
We want to work with partners who share our values, ethics and commitment to data protection and privacy. We always ensure the appropriate legal grounds for processing personal data are in place. If we need additional consent from any party involved, we’ll ask you for it.
Third party platforms
We have listed the main platforms we use for our own business operations and we are satisfied that their level of compliance on data protection issues matches our own high standards. Where data is transferred outside EU/EEA, we select providers bound by the EU/US privacy shield or equivalent safeguards.
We like to experiment with different platforms, so this will never be an exhaustive list. Also, we need to be flexible and work with the platforms that our client and third-party supplier teams choose too.
Where consent or sharing of contact information is required, we will always act with full transparency and seek consent where required.
This platform hosts our opt-in mailing list for members of the public.
Like many businesses, a premium Google back office powers our company email and day-to-day document storage and sharing. This provides a short summary of Google Cloud’s approach on GDPR. Sensitive documents and special category information, where held, are not kept on Google Drive; they are stored in encrypted format using secure digital storage and back-ups.
There are a small number of third-party platforms and services we use occasionally for more minor aspects of our normal business operations. They will have their own user-privacy policies that you may need to sign-up to. If we are not satisfied that they can deliver a privacy compliant service, we will cease our activity, withdraw data, close accounts and seek alternative platforms.
Where we use third-party platforms with separate consent and sign-up protocols (including social media and competition platforms), participation is always at the discretion of the user. We cannot be held responsible for third-party content or processes. You should inform yourself about their privacy policies to check that you are comfortable with them before participating.
We have an active presence on Twitter, Facebook, Instagram and LinkedIn. Any user interacting with these channels does so by their own choice and needs to familiarise themselves with the privacy policies of those platforms.
We don't currently use Facebook pixel to track interactions.
We have reviewed our data security and implemented robust plans and regular back-ups to ensure business continuity and data security. Our business devices are fully encrypted. We generally do not collect or store sensitive or special category data in a way that can be attributed back to an individual. In situations where we do collect this type of data, with unambiguous consent, we ensure that this information is stored securely: encrypted and using GDPR compliant services.
Thank you for reading.
Please refer any further questions concerning this policy to firstname.lastname@example.org.