PRIVACY POLICY
INTRODUCTION
ATLAS Gallery Limited (“we”, “our”, “us”) are committed to protecting and respecting your privacy. We are a company established in England with a registered office at 49 Dorset Street, London, W1U 7NF and for the purpose of data protection law, we are the data controller.
This policy sets out the basis on which we will process any personal data or usage information we collect from you, or that you provide to us, in connection with your use of our website at www.atlasgallery.com (the “Website”).
Data protection law says that the personal data we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely
WHAT TYPES OF INFORMATION DO WE COLLECT AND HOW DO WE USE IT?
Information you give us:
You may provide information by contacting us via our Website or email, telephone, social media or signing up for our newsletters. We will use your information in the following ways in order to exercise or fulfil our legal or contractual rights and obligations or to pursue our legitimate interests:
- communicate with you;
- contact you via telephone or email other than for marketing purposes which is dealt with in accordance with the Marketing section below;
- identify our users;
- administer and provide products and services and customer support per your request;
- personalise our services for you;
- enforce our Website terms and conditions;
- bring and / or defend legal claims; and
- provide third parties with statistical information about our users (but those third parties will not be able to identify any individual user from that information).
Technical usage information:
When you visit the Website, we automatically collect the information sent to us by your computer, mobile phone, or other access device. This information includes:
- your IP address;
- device information including, but not limited to, identifier, name, and type of operating system;
- mobile network information; and
- standard web information, such as your browser type and the pages you access on our Website.
As it is in our legitimate interests to process your data to provide effective services and useful content to you we collect this information in order to:
- personalise our Website to ensure content from the Website is presented in the most effective manner for you and your device;
- monitor and analyse trends, usage and activity in connection with our Website and services to improve the Website;
- administer the Website, and for internal operations, in order to conduct troubleshooting, data analysis, testing, research, statistical and survey analysis;
- keep the Website safe and secure; or
- measure and understand the effectiveness of the content we serve to you and others.
Marketing:
We may collect your name and contact details (such as your email address, phone number or address) in order to send you information about our products and services which you might be interested in. You always have the right to “opt out” of receiving our marketing. You can exercise the right at any time by contacting us. If we send you any marketing emails, we will always provide an unsubscribe option to allow you to opt out of any further marketing emails. If you “opt-out” of our marketing materials you will be added to our suppression list to ensure we do not accidentally send you further marketing. We may still need to contact you for administrative or operational purposes, but we will make sure that those communications don’t include direct marketing. Where you unsubscribe from any postal marketing, you may initially still receive some content which has already been printed or sent, but we will remove you from any future campaigns.
If you are an existing customer or are acting in a professional capacity as part of a company or LLP we use your contact details as necessary for our legitimate interests in marketing to you and maintaining a list of potential customers.
If you are not an existing customer, and are not acting in a professional capacity as part of a company or LLP, we will only contact you for marketing purposes with your consent (whether we have collected your details directly from you, or through a third party).
We never share your name or contact details with third parties for marketing purposes unless we have your “opt-in” consent to share your details with a specific third party for them to send you marketing. We do use third party service providers to send out our marketing, but we only allow them to use that information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We retain your details on our marketing list until you “opt-out” at which point we add you to our suppression list. We keep that suppression list indefinitely to comply with our legal obligations to ensure we don’t accidentally send you any more marketing.
Information we receive from third parties:
We may receive information about you from the following sources:
- Our service providers. We work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers and credit reference agencies) who may provide us with information about you, to be used as set out in this privacy policy.
- Businesses we have bought. If we have acquired another business, or substantially all of its assets, which originally held your information, we will hold and use the information you provided to them, or which they otherwise held about you, in accordance with this privacy policy. If we are reviewing whether to acquire a business, or substantially all of its assets, which holds your personal data (whether you are a customer or employee of that business or otherwise) we may receive limited personal data about you from that business or professional advisors involved in the transaction, as necessary for our legitimate interests in making decisions about that acquisition. If we do not acquire that business, any information we receive about you will be deleted as soon as practicable following the decision not to acquire.
Change of purpose:
We will only use your personal information for the purposes for which we collected it as set out in this privacy policy, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
How do we share your personal data?
We do not sell, rent or lease your personal information to others except as described in this Privacy Policy.
We share your information with selected recipients. These categories of recipients include:
- cloud storage provides located in England, to store personal data and for disaster recovery services, as well as for the performance of any contract we enter into with you;
- IT Services providers that provide us with SaaS services, including Mailchimp and Dropbox, which we use to store our customer relationship management information, etc.;
- other third-party service providers (including contractors and designated agents) so that they can carry out their services. Activities which are carried out by third-party service providers include contract administration, order fulfilment, delivery, administration, legal advice, IT services and payment processing;
- provided you have consented, advertisers and advertising networks that require the data to select and serve relevant adverts to you and others; and
- analytics and search engine providers that assist us in the improvement and optimisation of the Website.
We will share your information with law enforcement agencies, public authorities or other organisations if legally required to do so, or if we have a good faith belief that such use is reasonably necessary to:
- comply with a legal obligation, process or request;
- enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;
- detect, prevent or otherwise address security, fraud or technical issues; or
- protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law (exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).
We will also disclose your information to third parties:
- in the event that we sell any business or assets, in which case we will disclose your data to the prospective buyer of such business or assets; or
- if we or substantially all of our assets are acquired by a third party, in which case information held by us about our users will be one of the transferred assets.
The security of your personal data:
Unfortunately, the transmission of information via the internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your information transmitted through the Website or over email; any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organisational measures to safeguard your personal data against loss, theft and unauthorised use, access or modification.
Where we share your information with our third-party service providers, they are required to take appropriate security measures to protect your personal information. Where third parties process your personal information on our behalf as “data processors” they must do so only on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where necessary.
We will, from time to time, host links to and from the websites of our affiliates or third parties. If you follow a link to any of these websites, these websites will have their own privacy policies and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any information to those websites.
How long do we store your personal data?
Where your personal data relates to a contract, we will keep it for period of up to six years after the date of the order to enable us to deal with any after sales enquiries or claims and as required for tax purposes.
Payment information which is collected by our payment card processing provider is retained for a period of up to six years after the date of the order.
Any other personal data which does not relate to a particular order will be kept for a period of up to six years. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Where we store your information
Our registered office is in London, England and our main data centre is located in England. However, where required to perform our contract with you or for our wider business purposes, the information that we hold about you may be transferred to, and stored at, a destination outside the UK and the EU. It may also be processed by staff operating outside the UK and EU who work for us or for one of our service providers.
We will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this privacy policy.
Some countries or organisations outside of the UK and the EU which we may transfer your information to will have an “adequacy decision” in place, meaning the EU considers them to have an adequate data protection regime in place. These are set out on the European Commission website: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.
If we transfer data to countries or organisations outside of the UK and the EU which the EU does not consider to have an adequate data protection regime in place, we will ensure that appropriate safeguards (for example, model clauses approved by the EU or a data protection authority) are put in place where required. To obtain more details of these safeguards, please contact us.
Your rights:
Data protection law gives you a number of rights when it comes to personal information we hold about you. The key rights are set out below. More information about your rights can be obtained from the Information Commissioner’s Office (ICO). Under certain circumstances, by law you have the right to:
- Be informed in a clear, transparent and easily understandable way about how we use your personal information and about your rights. This is why we are providing you with the information in this privacy policy. If you require any further information about how we use your personal information, please let us know.
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it (for instance, we may need to continue using your personal data to comply with our legal obligations). You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to us using your information on this basis and we do not have a compelling legitimate basis for doing so which overrides your rights, interests and freedoms (for instance, we may need it to defend a legal claim). You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party where you provided it to us and we are using it based on your consent, or to carry out a contract with you, and we process it using automated means.
- Withdraw consent. In the limited circumstances where we are relying on your consent (as opposed to the other bases set out above) to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another compelling legitimate interest in doing so.
- Lodge a complaint. If you think that we are using your information in a way which breaches data protection law, you have the right to lodge a complaint with your national data protection supervisory authority (if you are in the UK, this will be the ICO).
- No fee usually required. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
- What we may need from you. We may need to request specific information from you to help us understand the nature of your request, to confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
- Timescale. Please consider your request responsibly before submitting it. We will respond to your request as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we will let you know.
Changes to this privacy policy:
Any changes we will make to this policy in the future will be posted on this page and, where we consider necessary, notified to you by e-mail. Please check back frequently to see any updates or changes to this policy.