Last Updated - 16 December 2022
Gardening Express and its associated companies are totally committed to protecting the privacy of our site visitors, suppliers and customers in how we use personal information collected on our website.
This policy may change from time to time, so please check this page as required for changes. By using the Gardening Express website you are agreeing to this policy.
Data Controller Identity and Contact Details
Gardening Express, 1386 London Road, Leigh On Sea, SS9 2UJ
Purpose and Legal Basis for Data Processing
We process your data when you place any orders with us. This is so that we can:
- Fulfil your order(s)
- Provide you with customer support (if required)
- Notify you of service changes
- Enable you to provide feedback on your experience with us
The legal basis for this is contractual obligation. The information that you supply us with when ordering is kept for a maximum of 7 years for HMRC reporting and audit purposes.
You may also have subscribed to one of our mailing lists. You can unsubscribe at any time you wish, which will remove you from the mailing list concerned.
Marketing and cookie data processing is carried out for our legitimate interest, to help us grow the business.
What information we do collect
- Customer name
- Billing address
- Email address
- Phone number
- Recipient name (if different from the customer name, for example where the order is a gift)
- Recipient shipping address (if different from the customer name, for example where the order is a gift)
- Limited payment details confirming that payment has been successful (i.e. the system does not hold the actual full payment details)
- Order details
- Site usage
- IP address
- Statistics such as whether our newsletters are being opened
Data collection and sharing
Your data is collected by us and in some cases shared with third parties, usually in the following order:
- Website Checkout – Contact details provided by you directly (name, address, telephone number, email address) when purchasing from our website. Your IP address is also collected at this time. We use these details only for the processing of your order and contacting you with information regarding your order. The only details contained within our website are your contact details. All encrypted financial details are entered directly into the secure system of our payment provider 'Stripe' (https://stripe.com/en-gb) using iframe technology.
- Website Checkout & on each page of the site – Main mailing list sign-up. The mailing list facility is provided by MailChimp (www.mailchimp.com). Your name and email address are sent through if you are not logged into your Gardening Express account. If you are logged into your Gardening Express account and you have not signed up for the main mailing list already then your demographic details and order details are also sent to MailChimp.
- Website Product pages when a product is out of stock – You have the option of adding your email address so that the system notifies you when that product is back in stock. Our website framework 'Magento' sends these notifications using a 'Follow up Email' extension provided by Mirasvit (www.mirasvit.com). It is only your email address which is collected for this process and your email address isn't shared with Mirasvit.
- Website when you abandon your shopping cart – If for whatever reason you do not proceed with checking out, and you are a logged-in Gardening Express account holder, then the system will send out a one-off prompter email to you asking if you still want to checkout. It is only your email address and name which is collected for this process. As above, this is done by Magento and Mirasvit.
- Processing of Orders – Your order details are passed through securely to Scurri (www.scurri.co.uk) which in turn is connected to the couriers that we use. These are 'Yodel' www.yodel.co.uk, 'Hermes' www.hermesworld.com and 'DX' www.dxdelivery.com. The labels which are added to your shipping boxes are produced using Scurri. Tracking references for your orders are sent back from Scurri to Magento.
- Processing of Orders – A further shipping solution we sometimes use is with GFS (Global Freight Solutions) – www.gfsdeliver.com
- Website in general – Cookies – a cookie is a small information file that is sent to your computer, and is stored on your hard drive. If you continue to browse through our website then your computer or device will store various identifying cookies in order to enhance your experience interacting with our website. You can change the settings on your browser to prevent cookies being stored on your computer without your explicit consent. By continuing to browse our website, you are consenting to our use of these cookies. This process uses only your IP address, device manufacturer and internet browser.
- Website in general – Google Analytics – 'Google Analytics' analytics.google.com/analytics/web collects anonymised demographics data based on your IP address and device id.
- Website in general – Demographics Data – In addition to Google Analytics, we collect data which is then used to present targeted online advertising. These solutions are supplied at times by third parties such as www.criteo.com and www.quantcast.com.
- Customer Support – We use the third-party solutions FreshDesk and FreshChat for customer support; these are supplied by 'Freshworks' https://www.freshworks.com/. If you raise an enquiry then your details are also contained within our FreshDesk account. The personal details which you supplied at checkout are supplied to FreshDesk. Your financial details are not supplied to FreshDesk. FreshDesk does use session recording technology, which assists us when investigating specific technical issues reported by customers. Again, the only information that is seen, by us only, is the personal information (excluding financial details) which you shared with us when checking out of our website, and it is viewable by us if you raise a support ticket with us.
Where do we store and process personal data?
Our eCommerce website is on a framework called Magento which is stored on Amazon Web Services (AWS) servers: https://aws.amazon.com/. The servers and processing are located in Ireland and we use a 24 hour a day dedicated hosting provider 'Akoova' who manage and monitor the site performance and security: https://akoova.com/
Our payment provider https://stripe.com/en-gb processes payments and stores data within the EU (Dublin, Ireland).
Our shipping solutions provider https://despatchcloud.com/ processes and stores data in UK-based data centres.
How do we secure personal data?
We take data security very seriously which is why we use a 24 hour dedicated server / hosting support solution. Our website and database are regularly backed up throughout each day.
Our eCommerce website uses a permissions-based system which means that any administrators only have the exact permissions needed to fulfil their role.
We use a secure password control system (www.lastpass.com), which means staff are unable to share or know system passwords.
Our data processing systems and processes are regularly reviewed throughout every year.
Use of automated decision-making and profiling
The closest we come to profiling is analytics of the website.
In addition to Google Analytics, we collect data which is then used to present targeted online advertising.
These solutions are supplied at times by third parties such as www.criteo.com and www.quantcast.com.
Communication & Marketing
You can opt out of the newsletters which you receive (if you've opted in) at any time. This is done by clicking the 'unsubscribe' link at the bottom of any newsletter received. Please note this will permanently remove your email address and it cannot be re-added again.
Sharing of your information
We never pass on your details to any third parties other than those we directly use for processing your order(s) and sending you information (if you have opted in to receive it). This also includes sending you newsletters for any mailing lists you may have opted in to. Anonymised data that is not specific to you is gathered using cookies (as mentioned above).
Gardening Express does fulfil orders sent to them by various voucher sites. Customers of these voucher sites are covered by the Gardening Express Terms & Conditions.
Accessing and updating your personal information
You can access the personal information which we hold for you at any time by logging into your Gardening Express account, where you can edit the information held by us.
Personal data are only held for as long as they need to be held for the original purpose for which they were collected. We have to keep financial records for 7 years to comply with legal obligations. Other customer data is deleted when requested by customers or when customers close their accounts. Data may be held longer than 7 years if a customer's account is still active.
International transfers of personal data
Some of the third parties we work with are based in the EU, which we are no longer part of. When we transfer data to the EU, we do so as they have an adequacy decision. This means that their data protection status is essentially equivalent to our own.
We also work with third parties who are based in the US. Our partners there keep your data secure, but US law gives US security services rights to access data, which does not give protection essentially equivalent to that of the UK or EEA. We have risk assessed this and there isn't a significant risk to our data subjects. We process these international transfers using Standard Contractual Clauses (SCCs).
Your rights in relation to personal data
Under the GDPR we respect the right of our data subjects to access and control their personal data as follows:
- Access to personal information
- Correction and deletion
- Withdrawal of consent (if processing data on condition of consent)
- Data portability
- Restriction of processing and objection
- Lodging a complaint with the Information Commissioner's Office
You can exercise the above rights by sending an email FOR LEGAL ENQUIRIES ONLY to firstname.lastname@example.org. Please refer to the 'Checking your details' section below.
Please be aware that your rights may be limited if either:
- Your request exposes personal data of another person
- You have asked for data to be deleted which we are required to keep by law
Note regarding fees: In most cases we cannot charge a fee to comply with a subject access request. However, we may charge a 'reasonable fee' for the administration costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of data.
Checking your details
If you wish to verify the details you have submitted to Gardening Express you may do so by contacting us via the e-mail address, telephone number or address given below. Our security procedures mean that we will request proof of identity before we reveal information.
This proof of identity will take the form of:
- Either the e-mail address or the telephone number you submitted upon registration.
- A recent utility bill / council tax bill (i.e. from the last 3 months).
We would strongly recommend that you do not use the browser's password memory function as that would permit other people using your terminal to access your personal information - write it down and keep it somewhere safe.
We are an internet-only company and are contactable by email FOR LEGAL ENQUIRIES ONLY at email@example.com.
If you need to contact our DPO, they can be reached at firstname.lastname@example.org
Our registered office is located at: Gardening Express, 1386 London Road, Leigh On Sea, SS9 2UJ
If you have a data protection issue that we have been unable to resolve with you, you have the right to contact the Information Commissioner's Office (ICO) and lodge a complaint with them.
Their address is: Information Commissioner's Office