Privacy Policy

Nails by M.K

Last Updated: March 2021

1. Introduction

At Nails by M.K (“I” “my”), I take your privacy seriously. The following privacy policy outlines who I am as a data controller, what data I collect, how and why I collect it, and your rights to control that data.

As a responsible trader, I have implemented numerous technical measures to ensure the most complete protection of any personal data (e.g. name, address, email, phone number) processed through this website, in order to meet the General Data Protection Regulation (“GDPR”), and in accordance with any country-specific data protection regulations. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g. by telephone.

2. Name and Address of the Data Controller

The data controller for the purposes of the GDPR, other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

Nails by M.K

25 Morgan Drive,

Berryfields,

Aylesbury,

HP18 0HZ

United Kingdom
Phone: 07754 904850

Email: michelle@nailsbymk.co.uk

Website: www.nailsbymk.co.uk

As a data controller I am responsible for deciding how I hold, use and keep personal data secure. It also means I am responsible for responding to requests you make in relation to how your personal data is used. If you have any questions about the way your personal data is processed, you can contact me. 

1. Collection of personal data and general information

I will collect personal data when you make your first appointment and arrive for the first time.

I will collect the following types of personal data from you:

Contact details: information that allows me to contact you such as your name, email address, telephone number and address. 

Purchase history: records relating to the services you have purchased.

Sensitive Personal data: information regarding medical history, allergies etc.

How you use my website: My website collects a series of general data and information when a user or automated system calls up the website. This general data is stored in the server log files. We may collect (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches my website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that may be used in the event of attacks on my information technology systems.

I do not draw any conclusions about the user from the website data. Rather, this information is needed to (1) deliver the content of my website correctly, (2) optimize the content of my website as well as its advertisements, (3) ensure the long-term viability of my information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, the controller analyses anonymously collected data and information statistically, with the aim of increasing the data protection and data security of my enterprise, and to ensure an optimal level of protection for the personal data I process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

1. Legal basis for the processing

I limit the collection of personal data to only that which is absolutely necessary to carry out my legal obligations. The non-provision of the personal data would have the consequence that the contract or service with the data subject could not be provided or concluded, therefore is considered Legitimate Interest for processing.

Below, I describe:

• the purposes I collect your personal data for;
• the categories of personal data I process for that purpose;
• the legal basis that allows me to process your personal data; and
• how long I will keep your personal data for.

Purpose of processing:

· Provide my services to you and maintain your account

· Deliver a service and products to you

· Answer your queries or complaints

· Investigating misuse of your account, fraud and debt collection

· Maintain and improve my services and products

· Direct marketing 

Categories of data processed

· All personal information I collect

· Contact details

· Contact details for any products and services that I have determined may be of interest to you.

Legal basis of processing

· Fulfilment of a contract between us

· Legitimate interest

· Legal Obligation

· Consent

Data storage period

· All personal data will be stored correctly (paper-based in a locked cabinet or electronically password protected) for 7 years of your last appointment with myself. After this period all personal data will be destroyed correctly.

Before you provide personal data, you can contact me to clarify whether the provision of the personal data is required, whether there is any obligation to provide the personal data, and the consequences of non-provision.

1. Your consent

Where the legal basis for me to process your personal data is that you have provided your consent, you may withdraw your consent at any time. You will not suffer any detriment for withdrawing your consent. If you withdraw your consent, this will not make processing which I undertook before you withdrew your consent unlawful.

You can withdraw your consent by contacting me on the details provided in section 2.

1. Who has access to your personal data

I do not share any of your personal information unless it is required by the following:

The government or my regulators: Where I am required to do so by law or to assist with their investigations or initiatives, including the Information Commissioner’s Office.

Police and law enforcement: To assist with investigation and prevention of crime.

I do not disclose personal information except as set out above. I may provide other third parties with statistical information and analytics but I will make sure that the information is aggregated and no one can be identified from this information before I disclose it.

1. Transfer of personal data

To ensure that your personal data is secure, I will only transfer your information to any Countries outside of the EU or EEA with your permission, where I do so in accordance with the GDPR. This requires that one of the following conditions applies:

• the European Commission has decided that the country provides an adequate level of protection for your personal data;
• the transfer is subject to a legally binding and enforceable commitment on the recipient to protect the personal data;
• the transfer is made subject to binding corporate rules; or
• the transfer is based on a derogation from the GDPR restrictions on transferring personal data outside of the EU.

I do not currently transfer data outside of the EU and European Economic Area (“EEA”).

1. Cookies

My webpages use “cookies”. Cookies are text files that are stored in a computer system via an Internet browser.

Many Internet sites and servers use cookies. These contain a so-called cookie ID, which is a unique identifier of the cookie. It consists of a character string through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited Internet sites and servers to differentiate the individual browser of the user from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified using the unique cookie ID.

Through the use of cookies, I can provide my website users with more relevant services and content that would not be possible without the cookie setting. 

1. Profiling

Profiling involves the analysis of personal data (e.g. digital behaviour such as pages visited, links clicked, downloads) in an automated way, to identify or predict behaviour in website users.

I do not currently use profiling on my website. If I start any profiling activity I will notify you specifically that I am using profiling.

1. Registration and Website Enquiry Forms

Clients can make appointments on my website with personal data via a registration form. This personal data (e.g. name, email address, date and time of appointment) is captured. 

Additionally, consent can sometimes also be given on the forms for other forms of communication e.g. marketing. This consent is freely given via an opt-in mechanism (see Section 10 below).

1. Sales and Marketing Communications

As a Nails by M.K website user you also have the opportunity to provide personal data to register for specific marketing programmes, for example to express interest in a product or service, subscribe to email newsletters, or register for events. I inform my clients regularly about my products, services and promotions through sales and marketing communications. Users are given the option to consent to receiving these communications via various channels, and are given the option to opt-out of these communications at every practical opportunity. Service communications for existing clients (such as billing) is considered Legitimate Interest and as such these communications form part of providing the service. In the case of marketing communications they may only be received by the data subject if (1) they have a valid e-mail address, phone number or postal address and (2) they register for the marketing communication.

During registration for marketing communications, I also store the IP address of the computer system assigned by the Internet service provider (ISP) and used by the data subject at the time of the registration, as well as the date and time of the registration. The collection of this data is necessary in order to understand the (possible) misuse of the e-mail address of a data subject at a later date, and it therefore serves the aim of the legal protection of the controller.

The personal data collected as part of a registration for a marketing communications programme will only be used to send my specific communication, unless otherwise stated in the consent form. I use third party platforms such as marketing automation providers and Sales CRM systems to process this data in some cases. All third party providers have GDPR compliant Data Protection Agreements with Nails by M.K and the data is fully controlled and owned by Nails by M.K. The consent to the marketing communications programme or storage may be terminated by the data subject at any time. Each communication I send contains a link to remove consent (in the case of electronic communications), alternatively you can remove consent by contacting me using the details set out in section 2.

1. Tracking & Analytics

Google Analytics

I use Google Analytics to track, report and optimise my website performance (e.g. number of visitors, where they came from, what pages they visited). This is tracked by me at an aggregate level and not on an individual level.

The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.

I use Google Analytics with the anonymizer function (the application “_gat. _anonymizeIp”). This means the IP address of the user is abridged by Google and anonymised when accessing my websites from a Member State of the European Union or another Contracting State to the Agreement on the European Economic Area.

When a user accesses my site from a Google search (whether through an organic search listing or a paid-for digital advertisement), Google Analytics places a cookie on the user’s computer/ device. This enables Google to track what happens after they click on the link and hit my website. In the case of paid-for digital advertising, I pay Google based upon the number of clicks or impressions, so this also ensures accurate reporting and billing, and helps with the prevention of click-fraud. Google gathers personal information from the user, such as the IP address, access time and location. With each visit to my site, such personal data will be transmitted to Google in the United States of America. This personal data may be stored by Google in the United States of America, and they may pass this on to third parties.

Section C) Your Rights to Control Your Data

Rights of the data subject (“you”).

You have the following rights to control your data according to GDPR principles:

Right of confirmation – this means the ability to find out from me if I am processing data about you.
Right of access – this means the ability to see what data is being held about you (also called Subject Access Request). This enables you to receive a copy of the personal information I hold about you and to check that I am lawfully processing it.
Right of rectification – this means the ability to change or alter any incomplete or inaccurate data I hold about you.
Right to erasure – this means the ability to be removed from my databases/ systems where: there is no good reason for me continuing to process it, you withdraw your consent, I am unlawfully holding your personal data or I should erase your data to comply with applicable EU law. You have a right to ask me to delete or remove your personal information where you have exercised your right to object to processing.
Right to restriction of processing – this means the ability to limit or suspend what personal data is processed.
Right to data portability – this means the ability to move the data to another supplier
Right to object – this means the ability to prevent your personal data being processed in a certain way or remove consent. There is a specific provision to be able to object separately to data profiling.

To exercise your rights to any of the above, please contact me using the details in section 2. 

Alternatively, there are other actions you can take as a user of my websites to limit the amount of personal data I may process:

Do not consent or remove consent:

• Where I capture personal data on forms, I will be introducing opt-in boxes so that you can tell me if you want to hear from me for marketing purposes. If you don’t consent, you won’t hear from me, unless it’s related to the service I provide you.
• Most marketing communications, especially electronic communications, where practical will provide the ability to opt-out of further marketing communications.

Prevent or remove web tracking:

• Access my website using an anonymous/incognito browser window
• Deny the setting of cookies by adjusting your web browser settings:

o  Cookie settings in Internet Explorer
o  Cookie settings in Firefox
o  Cookie settings in Chrome
o  Cookie settings in Safari web and iOS.

• Object to the collection of data by Google Analytics

o  Download and install a browser add-on: https://tools.google.com/dlpage/gaoptout
o  This tells Google Analytics (through JavaScript), that any data may not be transmitted to Google Analytics.
o  More information: https://www.google.com/intl/en/policies/privacy/  http://www.google.com/analytics/terms/us.html
o  https://www.google.com/analytics/

• I will always aim to help you when you wish to exercise your rights but in some instances I may have lawful grounds to reject your request.
• I will investigate any request you make without undue delay and in any event within one month of receipt of your request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. I shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
• In the event that I decide to not take action on the request, I will inform you of the reasons for not taking action.

1. Lodging a complaint with the supervisory authority: if you do not agree with a decision I make in relation to a rights request or believe that I am in breach of applicable data      protection laws, then you can lodge a complaint with a data protection supervisory authority in the EU. You can contact the data protection supervisory authority for The United kingdom.
2. Updates to this Policy

I may update this privacy policy from time to time to reflect changes in the way I process personal data (e.g. if I implement new systems or processes that involve the new uses of personal data) or to clarify information I have provided in this notice. My changes will be in accordance with applicable data protection laws.

I recommend that you check for updates to this notice from time to time but I will notify you directly about changes to this notice or the way I use your personal data when I am legally required to do so.