Mi Hub Limited Privacy Notice
This notice describes how we collect, store, use and share your personal information. It also explains the rights you have in relation to the personal information that we hold about you, and it applies to personal information provided to us, whether by you or by others on your behalf.
Who We Are
When we say ‘we’ or ‘us’ in this notice we are referring to Mi Hub Limited (England & Wales registration number: 00454264) and this may refer to our brand names or subsidiary companies. When we use “you” or “your”, we refer to you as an individual. This policy covers the following (collectively called Mi Hub):
Name & Brand: Mi Hub Limited (for all UK locations): • Dimensions • Alexandra • Yaffy
Address/Contact Information: Data Privacy Office, 3 Long Acres, Willows Farm, Castle Donington, Derbyshire, DE74 2UG, 01332 697227, dpo@mi-hub.com
Registration Number: 00454264
Name & Brand: Alexandra IRL Limited
Address/Contact Information: 12a Balloo Avenue, Bangor, Northern Ireland, BT19 7QT, 01332 697227, dpo@mi-hub.com
Registration Number: NI607956
Name & Brand: Alexandra Corporate Fashion BV
Address/Contact Information: Sterrekroos 7, 4941 VZ Raamsdonksveer, Nederland, 01332 697227, dpo@mi-hub.com
Registration Number: 50728474
You can also use the above information to contact us about any aspect of your data protection legal rights under EU GDPR or the UK DPA 2018/UK GDPR. Mi Hub uses multiple brands across our own websites,
3 Long Acre, Willow Farm Business Park, Castle D
Our USA brands (Twinhill and Affinity) are out of scope of this privacy notice. As they are predominantly operating for customers in the USA, they will have their own privacy notice.
Document Ref: DPO-03 – Mi Hub Limited Group Privacy Notice / Issue: 1 / Date: 31st December 2020
What Information We Collect
In our business activities, like all businesses, we collect personal information from you. It is possible that you may have multiple types of interactions with us. Mostly this is used to execute orders for products you buy, and sometimes used to market products that may be applicable to you.
Who we collect from, and what personal data we collect:
• Prospective employment candidates: Applicant details as included within a curriculum vitae (CV), including name, contact number and email, previous employment history.
• Employees: Name, address, next of kin, nationality, age, gender, previous employment details, curriculum vitae (CV), driver's license, passport, employment references, pensions beneficiaries, tax code and national insurance details, health or disability conditions, bank account or other relevant financial details.
• Individual Customers or prospective customers (also Corporate Buyers on behalf of companies): Login information, names, shipping address, product sizing or modifications to products, delivery contact name if different, payment (credit card for example) details etc., telephone call recording for customer services or complaint procedures, online “Live Chat” messages, catalogue requests.
• Website Visitors: Technical information, for example cookies, browser type, and IP address (your computer’s internet address), if you use our websites. If you order a product, you also become an Individual Customer. Catalogue or other marketing information requests & newsletter requests.
• Corporate Customer employees (wearers): Only if your personal data is provided to us by your employer, do we use that data for sizing, shipping, or order confirmations.
Where We Store Your Personal Data
We have several UK locations (including Northern Ireland) and an office in the Netherlands (EU). Access to data is available from any of our office locations as needed for staff to perform their duties. These staff may need to execute activities such as, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this data processing to execute these tasks. We will take reasonable steps to secure and protect your data in accordance with this privacy policy. As a normal part of data security, we also use Microsoft’s cloud services, based in the UK, to hold copies of all our data. This helps us provide a more reliable service to you and provides a safe backup of all our business data.
How We Use Your Information
Depending on your role (visitor, customer, wearer etc.) we will collect and use the data differently; these uses are summarised below:
• Category: Account creation, order processing, invoicing/billing, contract obligations from your employer, order information status & updates, customer service. Lawful Purpose: Execution or performance of a contract.
• Category: Promotion of Goods similar/connected to your browsing or orders. Lawful Purpose: Legitimate interest.
• Category: Technical information to ensure that the websites perform as needed and technical issues are resolved. Lawful Purpose: Legitimate interest.
• Category: Provision of marketing information (catalogues, newsletters, promotions etc.) Lawful Purpose: Opt-in consent.
• Category: Anonymised data. Using general and statistical data to identify trends or market research. Lawful Purpose: Legitimate interest.
• Category: Regulator requests, government requests etc. Lawful Purpose: Legal or Regulatory requirement.
Marketing Preferences
If you choose to opt-in to receive marketing information, we will provide you with information about goods or services we feel may interest you. If your preferences change, you can request that we stop sending you marketing information. Your marketing webpage also allows you to change your preferences. This process usually takes 48 hours to complete as the preferences are used in multiple systems.
Telephone Call Recording policy
We have a telephone system that is capable of recording conversations. This is a standard industry practice that allows the recording of telephone calls for the fulfilment of our contractual obligations, for quality monitoring, training, compliance, and security purposes. Inbound and Outbound calls for the following departments (such as Customer Services, Sales and Credit Control) may be recorded and retained in accordance with pre-defined retention periods. These recordings will only be used for the purposes specified in our Telephone Call Recording policy which is available at our web site or upon request. If calls are transferred from Sales, Customer Services or Credit Control to a member of staff outside of these departments, the call recording will cease once the call is successfully transferred.
Credit References
In cases where credit is offered, in order to process your application we will then supply your personal information to credit reference agencies and they will give us information about you, such as your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with those agencies on an ongoing basis, including about your settled accounts and any debts not fully repaid on time.
The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at http://www.experian.co.uk/crain/index.html
CRAIN (Credit Reference Agency Information Notice) is a document produced by the three Credit Reference Agencies (Experian, Equifax and TransUnion) that explains the use of personal data they receive from third parties about individuals and/or their businesses in relation to credit activity. CRAIN has been produced in conjunction with the UK Information Commissioner’s Office (ICO).
Security
We take on-line data security very seriously. We know how much data security matters to all our customers, employees and visitors. We will take all appropriate steps to protect it. We do this in the following ways:
Employee access to data
To protect your data we have employed specific individuals, who oversee compliance with legislation and specialist individuals for our technical infrastructure, applications, data stores and access controls. Those employees that do have access to your personal information are restricted by their specific roles and general access to all data is not permitted.
Browser & Web Server
We use Transport Layer Security (TLS) to encrypt data transmissions between your browser and our web server, to ensure that all personal and transactional information is protected from eavesdropping, tampering or alteration.
Payments, PCI/DSS
Also, protection and security of the payment system itself is important. We safely process your card payment(s) through your bank and complete the transaction(s) securely behind protected firewalls and encrypted connections between the bank and us. PCI / DSS is the worldwide payment card industry data security standard that was set up to help businesses process card payments securely and reduce card fraud. We are PCI / DSS compliant.
Technology
We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security. We also use hard disk encryption, firewalls, password protections, anti-virus and access checks for our employees.
The security measures described above ensure that all reasonable steps are taken to protect your personal information. However, the nature of the Internet means that an absolute guarantee of security cannot be offered, and you should be aware that there may be a small security risk in exceptional circumstances when disclosing information online.
ISO 27001
We take additional steps and are officially certified and approved against the global standard ISO 27001:2013. This is a world class official ISO standard to protect technology systems, data and the management of those environments. This ensures we have a robust set of policies, processes and procedures to prevent data problems and to maintain our level of protection for your personal data. It also provides us with a controlled mechanism by which to examine future ways of improving the protection of your personal data and how we handle it.
Do We Sell Your Information To Third Parties?
Other divisions/brand/entities within our group
We do allow transfers of personal data within the group in the normal business process, such as filling an order, performing a credit check if needed, processing payment details, or servicing a customer request. We also transfer personal data to our vendors, if they are required to perform activities such as personalisation of products, or direct shipping from our supplier to yourself. The circumstances under which this is allowed are limited.
External Organisations
In some circumstances, it may be necessary to cooperate with authorities in relevant countries in the case of fraud, regulatory or legal actions. We abide by those actions based on our legal review. If you have provided consent to marketing information, you may also receive marketing information from external companies related to the products or services you are interested in. We sometimes share personal data with trusted partners that provide optional services. An example of this is product and service surveys that are important to us to gather customer feedback. You are not obligated to enter any information, as they are optional. Under no circumstances do we permit the selling of your personal data to other organisations.
International Data Transfers
In cases where we transfer data as part of our normal business activities we will have the appropriate contractual safeguards in place, including those with our suppliers.
How Long Do We Keep Your Data?
In order to provide a high quality of service, it is necessary that we keep some data to continue to service your customer needs. As such, the following retention periods apply:
Types of data: Prospective Customer/Recruitment Candidate Data
Purpose(s): For potential employment within the Mi Hub companies.
Retention Period: 13 months, live 12 months, 1 month in archive.
Types of data: Employee data
Purpose(s): Employment. Legal Obligation.
Retention Period: 7 years after the employee leaves us.
Types of data: Customer data
Purpose(s): Execution or performance of a contract (corporate).
Retention Period: Either 10 years after the last transaction takes place, or indefinitely if any illegal or fraud activity is detected, or it is additionally required for legal or regulatory purposes.
Types of data: Telephone Recordings
Purpose(s): To monitor customer service performance, to prevent fraud etc.
Retention Period: 13 months in total. 12 months accessible, 1 month in an archive.
Types of data: Accounts and legal data.
Purpose(s): Execution or performance of a contract (corporate).
Retention Period: As required by UK laws. Normally 7 years.
Your Rights When We Act as a Data Controller or as a Data Processor
If you are an employee and we have a contract with your employer, we may only be a processor of your personal data. In these cases, we forward any requests to your employer. When we sell products through a reseller or online marketplace, again we may only be a data processor and the seller will be the actual data controller. They will respond with respect to your data rights. Any requests made through us will be forwarded to the relevant data controller and they will manage all communications with you. If the purchase is directly through us (phone, post, website) then we are the data controller and we will respond to your request.
Under EU GDPR and UK DPA 2018 (UK GDPR), you have certain data protection rights.
Right to Information/Notification
This right allows you to ask us for information about what personal data we hold about you, how it is being processed and the reasons for that processing. Where you have bought a product or service from any of our resellers, or on their online stores, they will have your customer details, so any notifications or access to data will be managed by them.
If we ever experience a data leak that could have significant negative consequences for your personal privacy rights and freedoms, then you as a customer will be personally informed of the circumstances and actions we are currently taking and will take in the future.
Right to access
This right provides you with the ability to get access to your personal data that is being processed. You can request to see or view your own personal data, as well as to request copies of the personal data if you do not already have a copy, or you do not know it. You may also use a third party to make the request, and we will ask for authorisation proof (power of attorney etc.) if needed.
Right to rectification
This right provides you with the ability to ask for modifications to your personal data in case you believe that the personal data is inaccurate. We are happy to do this via our customer services team or via the Data Privacy Office contact information.
Right to withdraw consent
This right provides you with the ability to withdraw a previously given consent for processing of your personal data. The request requires us to stop the processing of that data for that specific purpose in the future. Mainly, for us, this applies to marketing activities and if you ask us to stop sending you particular or all product or services information, we will do so.
Right of Erasure/Right to be forgotten
This right allows you the ability to ask for the deletion of your data. This will generally apply to situations where we no longer have a customer relationship with you and the data has not been deleted already. In some cases, we have a legal obligation to keep certain data (invoices, financial records etc.) and therefore this right is not an absolute right.
Right to object
This right provides you with the ability to object to the processing of your personal data.
For example, you can also ask for your data not to be processed for scientific or historical research purposes (if relevant) unless it is necessary for public interest reasons. However, this is also not an absolute right, as we may have legal, regulatory, contractual, or legitimate interest processing reasons to consider also.
Right to object to automated processing/automated decision
You can also object to a decision that is made automatically, and to have that decision reviewed by a person. This is usually used for credit agreements if you believe that the decision does not account for unique personal circumstances.
Right to Data Portability
If you have consented or contracted to provide us personal information and our processing is automated, then you can ask for that data to be made portable. However, at present there is no standard on which this portability occurs to allow easy transfer and we do not have partners that would use that data in this way.
Escalation to Your Supervisory Authority
In the event that you are unhappy with our processing of your personal data, you also have the right to lodge a complaint, at any time, with the relevant supervisory authority in the country where you live, or as below:
UK: Information Commissioner’s Office (ICO), https://ico.org.uk/concerns/
NL: Autoriteit Persoonsgegevens, https://autoriteitpersoonsgegevens.nl/en/contact-dutchdpa/contact-us
If you live outside the Netherlands or the United Kingdom, your complaint will remain on file within your country, but will be addressed by one of the data authorities listed above.
Changes to this Privacy Notice
Any changes we may make to our Privacy Notice in the future will be posted on this webpage and, where appropriate, notified to you. The new terms may be displayed on-screen and you may be required to read and accept them to continue your use of our Website.
Cookies
What is a cookie?
Our Website uses cookies to distinguish you from other users of our Website. This helps us to provide you with a good experience when you browse our Website and also allows us to improve our site. Cookies are small text files that are stored on your computer, phone or other web enabled device. Cookies can allow a website to recognise a user’s device and help your browser navigate through the website by allowing you to log in automatically or remembering settings you selected during earlier visits. Cookies cannot harm your computer. We use the following cookies:
• Strictly necessary cookies. These are cookies that are required for the operation of our Website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
• Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our Website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies. These are used to recognise you when you return to our Website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
• Targeting cookies. These cookies record your visit to our Website, the pages you have visited and the links you have followed. We will use this information to make our Website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
Cookies can either be first party, which are associated with the host domain e.g. Alexandra.co.uk, or third-party cookies from any other domain including web analytics and advertising services. We do not accept any liability for a third party’s compliance with its legal obligations.
We will obtain your active and unambiguous consent to any cookies, other than those which are strictly necessary for the operation of our Website, before placing those cookies. You are able to turn off cookies using your browser settings; however, please be aware that you will not benefit from the full online shopping experience on alexandra.co.uk. Follow the relevant link below to be taken to the cookies page of your browser's support website for more information.
• Internet Explorer • Google Chrome • Firefox • Safari • Safari (iPhone/iPad) • Android
The table below lists the cookies we collect and what information they store.
Cookie: Description
CART: The association with your shopping cart
CATEGORY_INFO: Stores the category info on the page, which allows pages to be displayed more quickly
COMPARE: The items that you have in the Compare Products list
CURRENCY: Your preferred currency
CUSTOMER: An encrypted version of your customer id with the store
CUSTOMER_AUTH: An indicator if you are currently logged into the store
CUSTOMER_INFO: An encrypted version of the customer group you belong to
CUSTOMER_SEGMENT_IDS: Stores the Customer Segment ID
EXTERNAL_NO_CACHE: A flag, which indicates whether caching is disabled or not
FRONTEND: Your session ID on the server
GUEST-VIEW: Allows guests to edit their orders
LAST_CATEGORY: The last category you visited
LAST_PRODUCT: The most recent product you have viewed
NEWMESSAGE: Indicates whether a new message has been received
NO_CACHE: Indicates whether it is allowed to use cache
PERSISTENT_SHOPPING_CART: A link to information about your cart and viewing history if you have asked the site
POLL: The ID of any polls you have recently voted in
POLLN: Information on what polls you have voted on
RECENTLYCOMPARED: The items that you have recently compared
STF: Information on products you have emailed to friends
STORE: The store view or language you have selected
USER_ALLOWED_SAVE_COOKIE: Indicates whether a customer has allowed the use of cookies
VIEWED_PRODUCT_IDS: The products that you have recently viewed
WISHLIST: An encrypted list of products added to your Wish list
WISHLIST_CNT: The number of items in your Wish list
Uses made of the information
We may use information processed about you in the following ways:
Type of Data: Submitted Information
Purpose for Processing: To process your order and for billing purposes.
Legal Basis for Processing: Necessary for the performance of a contract.
Type of Data: Submitted Information
Purpose for Processing: To provide goods and services to you or your organisation.
Legal Basis for Processing: Necessary for the performance of a contract.
Type of Data: Submitted Information
Purpose for Processing: To maintain your account.
Legal Basis for Processing: Legitimate Interests – in order for us to manage our relationship with you.
Type of Data: Submitted Information and Technical Information
Purpose for Processing: For research purposes to enable us to: • Send relevant communications to you (where you have consented to receive those communications); • To see how individuals purchase from our website to enable us to improve our website experience.
Legal Basis for Processing: Legitimate Interests – in order for us to ensure any communications you receive are relevant to you and to improve our website and experience.
Type of Data: Submitted Information
Purpose for Processing: For billing purposes.
Legal Basis for Processing: Necessary for the performance of a contract.
Type of Data: Submitted Information
Purpose for Processing: To provide existing customers with information about goods or services we feel may be of interest (email or SMS only with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you).
Legal Basis for Processing: Legitimate Interests – in order for us to promote our goods and services which you may be interested in.
Type of Data: Submitted Information
Purpose for Processing: To provide new customers with information about goods or services we feel may be of interest (via electronic means only).
Legal Basis for Processing: Consent.
Type of Data: Submitted Information
Purpose for Processing: To inform you about changes and improvements to this website.
Legal Basis for Processing: Legitimate interests – in order for us to keep you updated with website improvements and functionality.
Type of Data: Submitted Information
Purpose for Processing: To carry out our obligations arising from any contracts entered into between you and us.
Legal Basis for Processing: Necessary for the performance of a contract.
Type of Data: Submitted Information
Purpose for Processing: To provide you with the information, products and services that you request from us.
Legal Basis for Processing: Necessary for the performance of a contract.
Type of Data: Submitted Information
Purpose for Processing: To provide you with our fit advisor service.
Legal Basis for Processing: Consent. The service cannot be provided unless the relevant information is provided. Consent is therefore necessary for the fit advisor service.
Type of Data: Submitted Information
Purpose for Processing: For the purposes of inputting into “profiling models” in order to enable us to compile aggregated and anonymised data for research purposes. Any use of the data following that will be anonymised.
Legal Basis for Processing: Legitimate Interests – to enable us to undertake research to improve our products, services, customer service, website or our business.
Type of Data: Technical Information
Purpose for Processing: To provide you with a better, faster, and safer user experience on our Website. This includes maintaining our Website, data analysis, testing, research, statistical and survey purposes.
Legal Basis for Processing: Legitimate interests – this information is necessary for the functioning of our Website and it helps us to improve our performance and the users’ website experience.
Type of Data: Credit information
Purpose for Processing: To enable us to determine whether we are able to offer you credit.
Legal Basis for Processing: Necessary for the performance of a contract.
Type of Data: Telephone call recording information
Purpose for Processing: To enable us to ensure that we perform our contractual obligations, provide you with a quality service, train our staff appropriately, and comply with our legal obligations.
Legal Basis for Processing: Legitimate interests – this information is critical to our quality assurance and assessing our compliance with legal obligations.
We may also use anonymised aggregated data for profiling purposes. We will not use information about identifiable individuals for that purpose and this data is not therefore considered personal data in law. We will use that aggregate information for market research purposes. If we indicate that your personal information may be used for general (including direct) marketing purposes, we will give you the opportunity to withhold your permission for that use and respect your wishes. If you decide that you do not want us to contact you, you can request that we stop using your information and that we stop sending information to you by using the opt-out function on the marketing communications we send, or you can manage your preferences in My Account. Similarly, at the point of becoming a registered user of our Website, you can choose to opt-out of receiving telephone, email or written marketing communications by checking the relevant boxes where prompted.
To whom might we disclose your personal information?
We may disclose the data we collect from you to the following third parties:
Category of data: Submitted Information
Recipient: Suppliers
Purpose: Fulfillment of orders for goods and services.
Category of data: Submitted Information
Recipient: Credit reference agencies (Experian, Equifax and TransUnion) (“CRAs”). CRAIN (Credit Reference Agency Information Notice) is a document produced by the “CRAs” that explains the use of personal data they receive from third parties (including us) about individuals and/or their businesses in relation to credit activity. CRAIN has been produced in conjunction with the Information Commissioner’s Office (ICO) – please refer to it for further information on what CRAs do with your information.
Purpose: Assess your creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity (all on an ongoing basis).
Category of data: Technical information
Recipient: Other Data Processors
Purpose: Facilitating our Website