- Privacy Centre & GDPR Compliance
Rotolight Group Ltd takes your privacy concerns very seriously and is committed to keeping customer information confidential and is used solely for the purpose of serving you better, we strive to provide you with all of the information and tools which you need to make good decisions.
We are a registered company in the United Kingdom and will only use the information that we collect about you lawfully in accordance with the regulation and this policy. We undertake the following measures to ensure a high level of privacy for all of our customers. When transacting with our company you are dealing with Rotolight Group Ltd and a number of contracted distributors we use for foreign distribution who will fulfil the orders in their territory. These distributors are responsible for local shipping and order completion, any data that has been passed on to them from Rotolight Group Ltd is deleted.
In all cases however, your details will only be kept to fulfil the order. We have an actioned policy with our foreign distributors to ensure that they too follow required data protection procedures. If you wish to be kept informed of new promotions, you will need to actively consent after the purchase.
We completely comply with European GDPR legislation and guidelines and will never sell your data. However, in order to function as an online retailer and UK distributor, Rotolight Group Ltd needs to store some information about you and this part of our website is devoted to explaining how we capture and store data, how this is used and how you can control it.
This is arranged into 8 sections to enable you to take charge of your digital identity.
- Privacy centre policy statement & GDPR compliance
- Privacy definition & GDPR basics
- How we use your data
- Your choice about data we collect – marketing
- Your choice about data we collect – employee and prospective employee data
- Do we share your data?
- Security policy
- Privacy Statement
- Privacy Definition & GDPR Basics
What is GDPR?
The General Data Protection Regulation (GDPR) is an important new legislation in the area of data protection. Developed by the European Union, it is designed to strengthen individuals’ rights regarding the collection, use and storage of their personal data.
The law applies to businesses or organisations in the European Union. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behaviour, must also comply.
In effect, GDPR has become the global standard for data protection.
So what counts as Personal Data?
Any data that can be used to identify a living person directly or indirectly is classed as personal data.
- Physical address or email Address
- Phone Number
- Last four credit card digits
- Shipping tracking numbers (these are unique to an order, and thus to a person)
- Location data
- IP address
Rotolight Group Ltd only stores the minimum amount of data necessary for business operations and in-depth data is only kept for internal staff.
What is Sensitive Personal Data?
Sensitive personal data is a special class of personal data that has to be even more carefully handled. It includes factors such as:
- Health status
- Sexual orientation
- Religious beliefs
- Political beliefs
Rotolight Group Ltd never stores this type of data.
What rights do data subjects have under GDPR?
As explained by the ICO, data subjects have the following rights concerning their personal data:
- Restrictions on processing
- Data portability
- Revision of automated decisions or profiling
The GDPR refers a lot to data processing. This simply refers to any operation that is performed on personal data – collection, storage, amendment, deletion etc.
Rotolight Group Ltd commitment to GDPR
- Rotolight Group Ltd has assigned the Financial Director as the official Data Protection Officer (DPO), who is contactable using firstname.lastname@example.org
- Rotolight Group Ltd is clear to establish a legal justification for all data that it keeps.
- Rotolight Group Ltd commits to re-contacting all subscribed members of the electronic marketing cloud-based database of constant contact before 25 May 2018 to expressly request their permission to continue to receive regular electronic communications.
- Any personal data breaches which harm individuals would significantly be reported within 72 hours to the “relevant supervisory authority”, which in the UK is the ICO.
- If the breach is serious enough, we commit to informing the individuals affected.
- We will commit to keeping your data safe by using the latest encryption, anonymization and access control systems and techniques.
- We shall provide individuals with the capability to request access to and updating/delete of their personal data. We shall ensure that we verify their identity effectively in order to fulfil their request.
- We shall document all data policies, techniques and systems to ensure GDPR compliance and ensure that we have a GDPR data destruction log, which we shall commit to keeping up to date.
- We shall provide clear signage in our building and create risk assessments for each part of the business which contains personal data.
- We shall check all third-party processing and ensure that privacy policies and supplier agreements of all third parties comply with current GDPR legislation.
- How we use your data
What information does Rotolight Group Ltd collect about me?
Rotolight Group Ltd collects basic information from you when you order your goods such as name, address, email address and phone number, then more data pertinent to ID via Barclaycard Merchant Payment Solutions – all with your permission, otherwise we cannot identify you and sell the products to you. Afterwards, specific order notes relating to individual orders are also kept, as well as electronic data concerning the financial details of your orders as required to be checked from time to time by HMRC or UK VAT dept.
- Payment Gateways
- Shipping Extensions
- Marketing & Analytic extensions (Survey Monkey, Campaign Monitor, Eventbrite, Google Analytics)
Further to the above, we also collect other information which is detailed below:
- Internal Systems: this is data collected and used by Rotolight Group Ltd using our internal database which we use for conducting business from our UK offices.
- rotolight.staging.wpengine.com this is data collected and used by the Rotolight Group Ltd website.
- Cloud-based email marketing: this is data collected and used by our external cloud-based email marketing system.
Data collected through our accounting software when creating an invoice or quote at the point of purchase and used by Rotolight Group Ltd using our internal database which we use for conducting business from our UK offices only.
In order to function as a retailer / distributor to both B2C and B2B business and to provide an adequate level of service, Rotolight Group Ltd will store the following information against an account:
- Contact Name
- Company Name
- Billing Address
- Shipping Address
- Phone number
- Company VAT number (VAT registered businesses)
For B2B business and as part of the account set-up for new business clients, Rotolight Group Ltd requires, for due diligence, the potential client to supply the names and addresses and phone and email of two trade referees that will be checked by our Rotolight Group Ltd FD and our external credit reference agency for the following information:
- Regular Customer
- Trading Record
- Monthly Credit Limit
- Payment within 30 days
For individuals applying for credit terms, further ID is taken through the lender directly and not through Rotolight Group Ltd. Individuals are contacted directly by the proposed lender. Private information is not shared with Rotolight Group Ltd only contact and address details for delivery of the goods. On the Rotolight website, credit for items are processed and approved by V12 finance which is an external credit application company.
- Consent – The user explicitly gives their consent to a specific kind of processing of their personal data (e.g., consent to participate in market research performed by a third party).
- Contractual necessity – The processing of the personal data is required to fulfil a contract (e.g., ship their order).
- Compliance with legal obligations – The processing of the personal data is required for legal reasons (e.g., a VAT Tax ID).
- Legitimate interests – The processing of the personal data is a legitimate, expected behaviour of a business (e.g., follow up emails after they’ve placed their order with other products they may be interested in).
Why is this data capture necessary?
This processing of data is necessary for the performance of contract and part of a legal obligation to keep company financial records for five years after a tax return date.
The client consent to store this data is required/implicit at the point of founding the account as the first transaction cannot function without it and will be removed subsequently at the client’s request (i.e. closing the account for new business) or altered (such as an address or phone number change).
To send periodic emails. The email address you provide for order processing will be used to send you information, updates pertaining to your order, warranty information and special offers if you have opted in.
Electronic Data Security
B2B customer. This information is stored under the same electronic security criteria as detailed below.
This data is kept in data format only and this information is deleted when the relevant account is closed at the client’s request as the third party data for the trade references is supplied by the client, Rotolight Group Ltd cannot attest to the GDPR compliance or data security of that third party as any interaction between Rotolight Group Ltd and the third party is restricted to the above information only.
Rotolight Group Ltd (rotolight.staging.wpengine.com) websites
The website(s) contain their own internal databases used for generating website enquiries so that we can provide quotations for you without you having to enter your data repeatedly in order to save you time.When you choose to make an order through the website, the system will collect basic information from you, such as name, address, email address and phone number.
You can also choose to store multiple addresses if you choose to and the system will allow you to save your shopping cart orders for referring to at a later date and also multiple delivery addresses. The system also permits you to share shopping cart orders with other email addresses if you choose to.
Protection and Security of Information
We protect the privacy of your information using highly secure, password-protected servers. Please see our security policy for further information about the online and offline security measures we adopt to protect your information against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.
What are cookies?
Cookies assign a unique identification to your computer and store the details on your hard drive via a facility in your web browser. The cookie does not contain any personally identifying information but does permit our website to recognise you each time you return to the Rotolight Group Ltd (rotolight.staging.wpengine.com) website. On arrival, your cookie then ‘handshakes’ with our system. If you do not want to use “cookies”, most Internet browser programs will permit you to turn them off. If you should do this, you will still be able to access our website as normal.
Rotolight Group Ltd Policies
- Your choice about data we collect
Being in control – set your preferences within the marketing
You can opt-in using our opt-in function at the end of your purchase. Once subscribed, you will receive our regular mailings via email. Should you decide that you no longer wish to receive these emails, you can unsubscribe at any time by clicking on the unsubscribe link on any mailing received. Alternatively, you can amend your preferences at the bottom of the marketing emails keeping you always in control.
Once unsubscribed, we cannot re-subscribe you – only you are able to do this
When you unsubscribe via our external mailing platform this deletes all information that we hold about you as an individual. To re-subscribe you would need to re-enter your details on our website subscribe button or opt-in by ticking the box allocated on the order checkout process when you place an order.
Cloud-based email marketing
This is data collected and used by our external cloud-based email marketing system
Campaign Monitor is an independently run, cloud-based email marketing system, which hosts email marketing for Rotolight Group Ltd.
Rotolight Group Ltd only enters client information of name and email address into Campaign Monitor, if clients have specifically requested us to. This permission is kept in electronic or written form until the client requests that this is removed. See your choice about the data that we collect.
You can also opt-in using the opt-in function on the rotolight.staging.wpengine.com website
Note: If at any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email. You have the right to opt into or out of receiving promotional materials at any time. You also have the right to access and correct your personal information at any time.
Security of my data
The security of our site is managed on multiple levels, including Physical, Network, Host, Software, and User Account Security. Campaign Monitor maintains internal security policies and procedures in support of its ongoing operations. Access to resources is granted only to those who reasonably require access, based on their responsibilities.
Rotolight Group Ltd is committed to our users security and have in place a number of solutions to the below requirements.
- Physical Security
- Network Security
- Host Security
- Software Security
- User Account Security
Secure Socket Layer (SSL) Protection
The purchase area of our website is secure.
We use a SSL encrypted server.
Rotolight Group Ltd Security Policy
Credit Card and Personal Information
Any personally identifying information divulged to Rotolight Group Ltd via our website or any other database will be stored on secure servers and never released to any other party without your explicit written authorisation unless as expressly provided in the Rotolight Group Ltd policy.
- Your choice about data we collect
Rotolight Group Ltd Employee and prospective employee data processing policy
Rotolight Group Ltd is committed to maintaining the accuracy, confidentiality and security of your personal information. This Employee Fair Processing Notice describes the personal information that Rotolight Group Ltd collects from or about you, and how we use and to whom we disclose that information.
What personal information do we collect?
We collect and maintain different types of personal information in respect of those individuals who seek to be, are, or were employed by us, including the personal information contained in:
- CVs and applications;
- References and interview notes;
- Photographs and video;
- Letters of offer and acceptance of employment;
- Policy acknowledgement sign-off sheets;
- Training and personal development records;
- Payroll information; including but not limited to national insurance number, banking and deposit information, pensions;
- Wage and benefit information;
- Forms relating to the application for, or in respect of changes to, employee health and welfare benefits; including, short and long-term disability, medical and dental care; and
- Beneficiary and emergency contact information.
In addition to the examples listed above, personal information also includes information such as name, home address, telephone, personal email address, date of birth, and any other information necessary to Rotolight Group Ltd business purposes, which is disclosed in the course of an employee’s application for employment with Rotolight Group Ltd.
As a general rule, Rotolight Group Ltd collects personal information directly from you. In most circumstances where the personal information that we collect about you is held by a third party, we will obtain your permission before we seek out this information from such sources (such permission may be given directly by you, or implied from your actions). An example of this would be an employment reference.
From time to time, we may use the services of third parties and may also receive personal information collected by those third parties in the course of the performance of their services for us. In that case, we will take reasonable steps to ensure that such third parties have represented to us that they have the right to disclose your personal information to us.
Where permitted or required by applicable law or regulatory requirements, we may collect information about you without your knowledge or consent.
Why do we collect personal information?
The personal information collected is used and disclosed for our business purposes, including establishing, managing or terminating your employment relationship with Rotolight Group Ltd. Such uses include:
- Determining eligibility for initial employment, including the verification of references and qualifications;
- Administering pay and benefits;
- Processing employee work-related claims (e.g. worker compensation, insurance claims, etc.)
- Establishing training and/or development requirements;
- Conducting performance reviews and determining performance requirements;
- Assessing qualifications for a particular job or task;
- Gathering evidence for disciplinary action, or termination;
- Establishing a contact point in the event of an emergency (such as next of kin);
- Complying with applicable labour or employment statutes;
- Compiling directories;
- Ensuring the security of company-held information; and
- Such other purposes as are reasonably required by Rotolight Group Ltd
The work output of Rotolight Group Ltd employees, whether in the paper record, computer files, or in any other storage format belongs to us, and that work output, and the tools used to generate that work output, are always subject to review and monitoring by Rotolight Group Ltd.
In the course of conducting our business, we may monitor employee activities and our premises and property. For example, some areas of our premises are equipped with CCTV. Where in use, CCTV cameras are there for the protection of employees and third parties, and to protect against theft, vandalism and damage to Rotolight Group Ltd goods and property.
Generally, recorded images are routinely destroyed and not shared with third parties unless there is suspicion of a crime, in which case they may be turned over to the police or other appropriate government agency or authority. Pursuant to the Rotolight Group Ltd IT Policy and your contract of employment, we have the capability to monitor all employees’ computer and e-mail use.
This section is not meant to suggest that all employees will, in fact, be monitored or their actions subject to constant surveillance. It is meant to bring to your attention the fact that such monitoring may occur and may result in the collection of personal information from employees (e.g. through their use of our resources). When using Rotolight Group Ltd equipment or resources employees should not have any expectation of privacy with respect to their use of such equipment or resources.
How do we use your personal information?
We may use your personal information for the purposes described in this Policy, or for any additional purposes that we advise you of and where your consent is required by law we have obtained your consent in respect of the use or disclosure of your personal information.
We may use your personal information without your knowledge or consent where we are permitted or required by applicable law or regulatory requirements to do so.
When do we disclose your personal information?
We may share your personal information with our employees, members, contractors, consultants and other parties who require such information to assist us with establishing, managing or terminating our employment relationship with you, including: parties that provide products or services to us or on our behalf and parties that collaborate with us in the provision of products or services to you. An example of this is the provision of payroll services by a third-party organisation providing processing services to Rotolight Group Ltd.
Your personal information may have to be disclosed as directed:
- As permitted or required by applicable law or regulatory requirements. In such a case, we will not disclose more personal information than is required under the circumstances;
- To comply with valid legal processes such as search warrants, subpoenas or Court orders;
- As part of Rotolight Group Ltd regular reporting activities;
- To protect the rights and property of Rotolight Group Ltd
- During emergency situations or where necessary to protect the safety of a person or group of persons;
- Where the personal information is publicly available; or
- With your consent where such consent is required by law.
Notification and Consent
Privacy and employment laws do not generally require Rotolight Group Ltd to obtain your consent for the collection, use or disclosure of personal information for the purpose of establishing, managing or terminating your employment relationship. In addition, we may collect, use or disclose your personal information without your knowledge or consent where we are permitted or required by applicable law or regulatory requirements to do so.
Where your consent was required for our collection, use or disclosure of your personal information, you may, at any time, subject to legal or contractual restrictions and reasonable notice, withdraw your consent.
All communications with respect to such withdrawal or variation of consent should be in writing and addressed to the Managing Director.
How is your personal information protected?
Rotolight Group Ltd endeavours to maintain physical, technical and procedural safeguards that are appropriate to the sensitivity of the personal information in question. These safeguards are designed to protect your personal information from loss and unauthorised access, copying, use, modification or disclosure.
How long is your personal information retained?
Except as otherwise permitted or required by applicable law or regulatory requirements, Rotolight Group Ltd will retain your personal information only for as long as it believes is necessary to fulfil the purposes for which the personal information was collected (including, for the purpose of meeting any legal, accounting or other reporting requirements or obligations).
We may, instead of destroying or erasing your personal information, make it anonymous such that it cannot be associated with or tracked back to you. In most cases, your data will be deleted 6 years after you have left the company. If you have applied to work for Rotolight Group Ltd and have been unsuccessful, we will retain your data for six months.
Updating your personal information
It is important that the information contained in our records is both accurate and current. If your personal information happens to change during the course of your employment, please keep us informed of such changes.
In some circumstances, we may not agree with your request to change your personal information and will instead append an alternative text to the record in question.
Access to your personal information
You can ask to see the personal information that we hold about you. If you want to review, verify or correct your personal information, please contact the Managing Director. Please note that any such communication may be required in writing.
When requesting access to your personal information, please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal information that we hold about you.
Your right to access the personal information that we hold about you is not absolute. There are instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal information that we hold about you. In addition, the personal information may have been destroyed, erased or made anonymous in accordance with our record retention obligations and practices.
If we cannot provide you with access to your personal information, we will try to inform you of the reasons why subject to any legal or regulatory restrictions.
Your other legal rights
Data protection legislation also provides you with certain other rights. These are not always absolute rights and must be considered in the wider scope of the legislation.
These rights are:
- Right to erasure, also known as the right to be forgotten. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. In some circumstances this is not an absolute right;
- Right to restrict processing. You have the right to ‘block’ or suppress processing of personal data. Again, this is not an absolute right and will depend on the circumstances and any other legal/statutory obligations Rotolight Group Ltd may have;
- Right to data portability. This is unlikely to apply in the circumstances of employment;
- Right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). This is unlikely to apply in the circumstances of employment;
- Rights related to automated decision making including profiling. This is unlikely to apply in the circumstances of employment;
- Any questions you may have regarding the processing of your personal data should be directed to the Managing Director of Rotolight Group Ltd
- Does Rotolight Group Ltd share my data with third parties?
In order to provide you with a service, fulfil a transaction you have requested or in connection with legal process, we may share your personal data with our agents (such as credit card processing companies, credit reference agencies, outside suppliers, distributors and delivery companies), and group companies for such purpose, relevant authorities or otherwise with your permission and also communicating with you through surveys and interest-based advertising, where you have expressly provided your permission.
Where appropriate, we share user experience information or other customer levels personally identifiable information with companies within our group as well as our trusted third parties, agents and business partners for the purpose of accomplishing our objectives of customer personalisation and improvement of site design and user experience.
We only share the minimum information necessary, and third parties are prohibited from using your information for any other purpose as indicated in our ‘privacy centre policy’
We do not share personally identifiable data with any other companies except as provided in this policy or permitted by law. We may provide such aggregate statistics about our sales, traffic patterns, and related website information to trustworthy third parties, but these statistics will include no personally identifying information.
- Other Data Provision
CCTV, data stored – all Pinewood Studios buildings where Rotolight Group Ltd is based have CCTV systems which record data. This data is deleted after three months.
- Privacy Statement
- There is a compliance or responsible officer who deals with security of information and personal data.
- All employees are briefed on the importance of personal data and security and confidentiality of information obtained.
- We control physical security in relation to the information and personal data that is contained at our facilities and restrict access to the computer rooms, technology areas, equipment and other facilities where unauthorised access by people could compromise our security.
- All proprietary or confidential information, including personal data, is contained on a computer and any that is contained and stored in manual files are locked up and secure.
- We seek to control access to the information and personal data, including existing procedures for authorising and authenticating users as well as software controls for restricting access and techniques for protecting data such as encryption. We monitor and log access so as to assist in detection and investigation of security breaches and any attempted breaches where they occur.
- We endeavour to maintain a business continuity plan as a contingency plan, which identifies our business functions and assets (including personal data) which would need to be maintained in the event of a disaster and set out the procedures for protecting and restoring them if necessary.
- We train our staff on security systems and have relevant procedures in place. Accordingly, Rotolight Group Ltd staff are aware of information security issues and they can go to the relevant officer with any issues relating to the Data Protection Act/Privacy or personal data.
If you wish to write to the compliance officer you can use the following address below:
In order to be able to offer you Klarna’s payment options, we will pass to Klarna certain aspects of your personal information, such as contact and order details, in order for Klarna to assess whether you qualify for their payment options and to tailor the payment options for you.
Rotolight Group Ltd,
Wooburn Industrial Park
Thomas Road, High Wycombe