Effective Date: 01 JUNE, 2013
Privacy Notice Table Of Contents:
- Our Commitment To Privacy
- The Information We Collect
- How We Use Information
- Our Commitment To Data Security
- Our Commitment To Children’s Privacy
- How To Access Or Correct Your Information
- How To Contact Us
Our Commitment To Privacy:
Your privacy is important to us. To better protect your privacy we provide this notice explaining our online information practices and the choices you can make about the way your information is collected and used. To make this notice easy to find, we make it available on our homepage and at every point where personally identifiable information may be requested.
The Information We Collect:
This notice applies to all information collected or submitted on the [company name] website. On some pages, you can order products, make requests, and register to receive materials. The types of personal information collected at these pages are:
- Email address
- Phone number
- Credit/Debit Card Information
On some pages, you can submit information about other people. For example, if you order a gift online and want it sent directly to the recipient, you will need to submit the recipient’s address. In this circumstance, the types of personal information collected are:
- Phone number
The Way We Use Information:
We use the information you provide about yourself when placing an order only to complete that order. We do not share this information with outside parties except to the extent necessary to complete that order.
We use the information you provide about someone else when placing an order only to ship the product and to confirm delivery. We do not share this information with outside parties except to the extent necessary to complete that order.
We offer gift-cards by which you can personalize a product you order for another person. Information you provide to us to create a gift-card is only used for that purpose, and it is only disclosed to the person receiving the gift.
We use return email addresses to answer the email we receive. Such addresses are not used for any other purpose and are not shared with outside parties.
You can register with our website if you would like to receive our catalog as well as updates on our new products and services. Information you submit on our website will not be used for this purpose unless you fill out the registration form.
We use non-identifying and aggregate information to better design our website and to share with advertisers. For example, we may tell an advertiser that X number of individuals visited a certain area on our website, or that Y number of men and Z number of women filled out our registration form, but we would not disclose anything that could be used to identify those individuals.
Finally, we never use or share the personally identifiable information provided to us online in ways unrelated to the ones described above without also providing you an opportunity to opt-out or otherwise prohibit such unrelated uses.
Our Commitment To Data Security:
To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online.
Our Commitment To Children’s Privacy:
Protecting the privacy of the very young is especially important. For that reason, we never collect or maintain information at our website from those we actually know are under 13, and no part of our website is structured to attract anyone under 13.
How You Can Access Or Correct Your Information:
You can access all your personally identifiable information that we collect online and maintain by calling us on 0800 4 CYLINDERS or emailing us at Contact Us. We use this procedure to better safeguard your information.
You can correct factual errors in your personally identifiable information by sending us a request that credibly shows error.
To protect your privacy and security, we will also take reasonable steps to verify your identity before granting access or making corrections.
How To Contact Us:
Should you have other questions or concerns about these privacy policies, please call us at 0800 4 CYLINDERS or send us an email at Contact Us.
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only.
If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no.
How do I withdraw my consent? If, after you opt in, you change your mind, you may withdraw your consent for us to contact you, or for the continued collection, use or disclosure of your information, at any time, by contacting us at firstname.lastname@example.org or using our contact page.
Credit Card Policy:
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed. If you provide us with your credit card information, the information is transmitted using Transport Layer Security technology (TLS). All data is encrypted and stored using industry standard AES encryption. All our systems are fully compliant with PCI-DSS requirements.
When a good or service is purchased using a payment card and a refund is necessary, the refund must be credited back to the account that was originally charged. Refunds in excess of the original sale amount or cash refunds are prohibited.
Departments and administrative areas accepting payment cards on behalf of Hot Water Cylinders Ltd are subject to the Payment Card Industry Data Security Standards (PCI DSS).
Hot Water Cylinders Ltd prohibits the transmission of cardholder data or sensitive authentication data via email or unsealed envelopes through campus mail as these are not secure.
Hot Water Cylinders Ltd restricts access to cardholder data to those with a business “need to know.”
For electronic media, cardholder data shall not be stored on servers, local hard drives, or external (removable) media including floppy discs, CDs or thumb (flash) drives unless encrypted and otherwise in full compliance with PCI DSS.
For paper media, cardholder data shall not be stored unless approved for legitimate business purposes.
Merchant Department Responsible Persons (MDRPs) are responsible for:
- Executing, on behalf of the relevant Merchant Department, Payment Card Account Acquisition or Change Procedures.
- Ensuring that all employees (including the MDRP), contractors and agents with access to payment card data within the relevant Merchant Department acknowledge on an annual basis and in writing that they have read and understood this Policy.
- Ensuring that all payment card data collected by the relevant Merchant Department in the course of performing business, regardless of whether the data is stored physically or electronically, is secured. Data is considered to be secured only if all of the following criteria are met:
  - Only those with a “need-to-know” are granted access to payment card and electronic payment data;
  - Email should not be used to transmit credit card or personal payment information. If it should be necessary to transmit credit card information via email, only the last four digits of the credit card number can be displayed;
  - Credit card or personal information is never downloaded onto any portable devices or media such as USB flash drives, compact disks, laptop computers or personal digital assistants;
  - Fax transmissions (both sending and receiving) of credit card and electronic payment information occur using only fax machines which are attended by those individuals who must have contact with payment card data to do their jobs;
  - The processing and storage of personally identifiable credit card or payment information on computers and servers is prohibited;
  - Only secure communication protocols and/or encrypted connections to the authorized vendor are used during the processing of eCommerce transactions;
  - The three or four digit validation code printed on the payment card is never stored in any form;
  - The full contents of any track data from the magnetic stripe are never stored in any form;
  - The personal identification number (PIN) or encrypted PIN block is never stored in any form;
  - The primary account number (PAN) is rendered unreadable anywhere it is stored;
  - All but the last four digits of any credit card account number are masked when it is necessary to display credit card data;
  - All media containing payment card or personal payment data is retained no longer than a maximum of six (6) months and then destroyed or rendered unreadable.
The Director, Information Security Management and Compliance shall maintain currency with the requirements of the PCI DSS and related requirements to ensure that this policy remains current and shall coordinate and lead any response to a security breach involving cardholder data.
The Manager and Accounts Department shall:
- Provide training to ensure that merchants are trained in accepting and processing payment cards in compliance with this policy;
- Work with external vendors and coordinate payment card policies, standards, and procedures;
- Serve as liaison between Financial Management Services, Information Technology Services, and the merchant for Payment Card account acquisition or change procedures;
- Review and modify the Application for Payment Card Account Acquisition or Change as necessary.
Internal Auditing Services shall:
- Periodically review merchant compliance with this policy and the Payment Card Industry (PCI) Data Security Standards (DSS);
- Identify unapproved payment applications or external vendors that collect payment card data on behalf of Hot Water Cylinders Ltd and notify the Company.
Hot Water Cylinders Ltd currently accepts VISA and MasterCard and has negotiated contracts for processing payment card transactions.
Hot Water Cylinders Ltd discourages the use of wireless technology to process or transmit cardholder data. Requests for Payment Card Account Acquisition or Change that include the use of wireless technology will be reviewed on a case-by-case basis, carefully weighing the need for the technology against the risk of a non-secure payment environment.
If the use of wireless technology is approved, the storage of cardholder data on local hard drives, floppy disks or other external media is prohibited. It is also prohibited to use cut-and-paste and print functions during remote access. Activation of modems for vendors will be permitted only when no other alternative is available and will be immediately deactivated after use.
Employees who are expected to be given access to cardholder data shall be required to complete upon hire, and at least annually thereafter, security awareness training focused on cardholder data security.
Employees shall be required to acknowledge at least annually that they have received training, understand cardholder security requirements, and agree to comply with these requirements.
Selling goods and services online
The Personal Data collected are used to provide the User with services or to sell goods, including payment and possible delivery.
The Personal Data collected to complete the payment may include the credit card, the bank account used for the transfer, or any other means of payment envisaged. The kind of Data collected by this Application depends on the payment system used.