Leafie.org is committed to protecting the personal privacy of all of its customers and supporters.
The data controller for data collected and processed in accordance with this Policy is Shifu Ltd. Registered company no. 08057599.
Leafie.org’s address is 63 Birdhill Road, Woodhouse Eaves, Loughborough, LE12 8RP, United Kingdom.
Any questions regarding this Policy or any other data protection issue related to Leafie should be submitted in writing to the above address or by email to firstname.lastname@example.org.
Why Leafie processes personal data
Shifu Ltd. collects and processes some personal data for the following specific purposes:
- to operate its website and customer services
- to receive, fulfil and deal with inquiries about customer orders
- to provide information about its products by email and social media
- to run occasional competitions
- to improve its services
- to keep records of its business activities
- to comply with legal obligations including consumer protection and accounting requirements
All data processing is done in conformity with UK and EU Data Protection law in accordance with the legitimate interests of Shifu Ltd, UK legal requirements and, in the case of marketing emails and social media, the informed consent of its customers.
The data that Leafie collects
Shifu Ltd. collects as little personal data as is possible to meet the specific purposes described above.
To process orders from its website and store, the data that Shifu Ltd. collects includes customer names, addresses, emails and phone numbers.
The Leafie.org website also uses “cookies” which enable the further processing of personal data in limited circumstances (see further below).
Information security at Leafie
Shifu Ltd. takes all reasonable steps to ensure that personal data is held securely and in accordance with this Policy. Unfortunately, the transmission of information via the internet is not completely secure. Although Shifu Ltd. does its best to protect personal data, it cannot guarantee the security of personal data transmitted to any of its websites. Any such transmission is therefore at the data subject’s own risk.
For personal data in its possession, Shifu Ltd. implements various technical and organisational measures in order to prevent unauthorised access. Wherever possible it encrypts the data it collects, transmits and stores. Access controls within the organisation limit the number of people with has access to personal information to those that need it in connection with their job responsibilities or contractual obligations.
Leafie.org’s partners and service providers
In order to provide customer services and meet its business objectives, Shifu Ltd. works with a carefully chosen group of third party service providers to perform tasks on its behalf. This includes the following service providers, who perform the following tasks.
- Google forms to collect process data about people who sign-up to receive email updates or enter competitions
- Mailchimp and its subsidiary Mandrill to process order data and send email updates
- Paypal and Chuffed.org to process payment information
- Facebook, Twitter and Instagram to reach users of those platforms
- One Smart Host Ltd to host the Leafie.org website
- Google analytics to provide statistical information about the use of Leafie.org website
Shifu Ltd. only uses the above mentioned service providers to perform the specific tasks listed above. However, these service providers may also use and retain personal data in accordance with their own policies, practices and legitimate interests.
While Shifu Ltd. has taken reasonable steps to ensure that these data processors comply with this policy and EU data protection regulations, users are advised to consult the privacy policies of these companies for further information about their practices.
Leafiehealth social media accounts and pages are managed by Shifu Ltd. staff members. Shifu Ltd. does not import or export any information on its followers or subscribers from or to the aforementioned platforms. Shifu Ltd. may however communicate through direct messaging over social media if it is contacted this way by its customers.
Shifu Ltd. will never sell its customer data.
Shifu Ltd. may also engage additional third-party service providers to provide services such as information technology support. These activities may involve the access to the personal data held by Shifu Ltd. In these instances Shifu Ltd. will seek to ensure as far as possible that any such data processing is carried out in accordance with this Policy. This includes conscientiously selecting service providers and only working with trusted partners.
As far as possible, the personal data that Shifu Ltd. collects is stored within the European Economic Area and therefore processed in accordance with EU data protection law. However, because Shifu Ltd. works globally, there may be occasions where personal data is processed outside of this jurisdiction, for example by staff or contractors working for Shifu Ltd. from other parts of the world. In these rare instances Shifu Ltd. takes appropriate steps to ensure that the recipients of personal data are bound by a duty of confidentiality.
How long Leafie.org keeps personal data
Shifu Ltd. retains personal data only for as long as necessary in accordance with the above purposes and applicable laws. When personal data is no longer necessary for these purposes it is securely deleted.
Where order data and financial information is concerned, Shifu Ltd. may be required to retain some personal data for up to seven years in order to satisfy legal or contractual obligations, or in order to establish, exercise or defend legal claims.
For consent-based services from which the data subject can opt-out at any time such as email updates, Shifu Ltd. keeps personal data until its receives instructions to the contrary.
Like most websites, Leafie.org. uses “cookies” to enhance the user experience of visitors to https://leafie.org. Cookies are small files which are placed on web users’ computer devices to administer content to visitors to a website. Cookies also enable Leafie to understand how its websites are used in order to improve its services. For more information about cookies see all about cookies.
Cookies facilitate the processing of personal data such as device IDs but Shifu Ltd. does not collect or retain this information itself.
Leafie’s use of Google analytics enables the collection of traffic data but does not allow Shifu Ltd. to identify individual users or link web usage to other personal data.
Users of leafie.org can choose whether to accept or decline cookies. Leafie.org also honours “do not track” requests.
In accordance with UK and EU data protection law, persons whose data is held by Shifu Ltd. enjoy the following rights:
- to be informed as to whether Shifu Ltd. holds data about them;
- to get access to that information;
- to have inaccurate data corrected;
- to have their data deleted;
- to opt-out of particular data processing operations;
- to receive their data in a form that makes it “portable”;
- to object to data processing;
- to receive an explanation about any automated decision making and/or profiling, and to challenge those decisions where appropriate.
To make a subject access request or data protection-related complaint contact email@example.com or write to the address above. Requests can be submitted at any time. Shifu Ltd. will provide a response to any such requests in accordance with UK data protection law.
Data subjects covered by EU law may also be entitled to lodge complaints in regard to data processing or the handling of subject access requests with data protection supervisory authority in their country of residence. Relevant supervisory authority names and contact details are listed here. In the UK the relevant supervisory authority is the UK Information Commissioner’s Office.
Changes to the Policy
In the event that the Policy is changed at any time, the date and nature of the change will be clearly indicated in this document.
In the event that the change has a material impact on the handling of personal data, Shifu Ltd. will contact the data subjects to inform of the changes and where appropriate seek their consent.
Last update 9 July 2018.