Our goal is that you have a safe shopping experience on-line and that we protect the personal data you entrust to us to the highest standard. For all our services we act as the Data Controller for you and we are responsible for keeping your data safe.
Security and privacy of your personal data is our commitment to you.
We will store all the personal information you provide on the secure servers of our web service provider. All electronic transactions you make to or receive from us will be encrypted using SSL technology and we will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information while it is in our care. We cannot guarantee the safety of data transferred by you over the Internet. You personally are responsible for keeping your personal access details safe.
Aim at all times to be clear about how we use your data.
Personal data submitted on this website will be used for the purposes specified below; data will not be used for or passed on to third parties for direct marketing unless we have your express consent.
Lawful Basis for Processing
As per Article 6 of the GDPR the Lawful Bases for Processing are:
- Consent – we have been given clear consent/permission for processing your personal data.
- Contract – it is necessary for us to process your personal data as part of a contract or following specific steps before entering a contract.
- Legal Obligation – we need to process your personal data to comply with the law.
- Vital Interests – it is necessary to process personal data to protect someone’s life.
- Public Task – it is in the public interest for us to process your personal data and the processing has a clear basis in law.
- Legitimate Interests – the processing is necessary for our legitimate interests as a company or a third party unless there is a good reason to protect your personal data that overrides these legitimate interests.
How we use your name, address, email address and telephone number to contact you.
We need your contact details so that we can provide our services to you for the purposes below:
|To send you goods purchased via the website.||We need your name and contact details to fulfil our contract with you and so we can send you goods.|
|To send order confirmations and invoices to you.||We need your name and contact details to fulfil our contract with you so that you have the correct information about your order.|
|For internal record keeping.||We need to keep records of your orders so that we can fulfill your orders and provide you with customer service as part of our contract.|
|To improve our products and services.||So that you can provide on-line reviews on items you buy on the website in order to improve our service and products either directly with ourselves or a third party review site, but only if you want to!|
|To send you commercial communications.||Our newsletter includes discounts, special offers and product launches. You can give us your email address for this but only if you're interested and give us permission to do this!|
|To deal with enquiries and complaints made by you relating to our service and website.||We need your name and contact details in order to communicate with you if you have any enquiries or complaints, so that we can give you good customer service as part of our contract.|
|To deal with any other enquiries or complaints made by you as a prospective customer or any other interested party.||We need your name and contact details in order to communicate with you if you have any enquiries and complaints as part of our interests as a business and to protect your interests.|
|To send you marketing information with your express permission via email, post and SMS and select any or all of these channels. You have the right to terminate marketing communications at any point.||We need your name and contact details to send you marketing information but only if you give us permission to do this. If you have consented to marketing we will promote discounted brands that you have expressed an interest in within your basket selection.|
|To fulfil Subject Access Requests made by you.||We need your name and contact details in order to fulfil any Subject Access Requests made by you as part of our legal obligations under Data Protection Law.|
|To follow up if you have purchased products from our website as part of our customer care procedures.||We need your contact details to follow up on purchases as it is in our interest to see you get a great service.|
|To provide a search of your town and postcode to enable quicker entry of your address details during purchasing.||This data is provided to a postcode and address matching service to enable quicker entry of address during checkout process as it is in our interests to provide you with a quick checkout service and save you time. Customers also have the option to enter the address manually.|
How we use your payment information.
We do not retain your full payment card data after the transaction and only collect your payment information for the purposes below:
|Take payment and give refunds.||So that you can pay for your goods and fulfill your contract with us. For card payments we take your card details and billing address.|
|To detect and prevent fraud.||To protect yourself and Footasylum against fraud. In both our interests to have a safe shopping experience and prevent crime!|
How we use information about your use of our website.
|Improve your personal experience by personalising the website.||Making it easier for you to look at products you are interested in based on your previous use of the website. It is in our interest to see that you have a great shopping experience!|
|To provide third parties with statistical information about our users.||So that we can get information about browser types, device types, number of pages viewed, geographical location, products and categories viewed in visit, channel that sent the visit, previous visitor information, landing page URL, last page viewed URL, time on site, time of last interaction, referral source from our affiliate program and length of stay and pages visited as it is in our interest that you find it easy to use and improve our web service. This is a form of profiling our customers as part of legitimate interests as a company. For more information on why we do this see our section titled: Profiling and Automated Decision Making.|
|To track shopping basket use so that we can offer you discounts.||We track selections in your basket that may be eligible for discounts during your purchasing journey. It is in our interest that you get the best deal!|
How we use your personal data for Promotions and Competitions.
In order to provide competitions, we would need to process all or some of the following (depending on the media through which the competition is delivered): full name, postcode, email address, date of birth, sneaker size, social handle, image and town or county of residence.
Any personal information provided by you as part of the competition entry may be used by our company (as the Promoter) or our agents and suppliers to administer the competition prizes.
|Process full name, postcode, email address, date of birth, sneaker size, county of residence to enter competition.||To enable entry to competitions that you may wish to participate in, to ensure the competition is held fairly and we can deliver rewards to winners. Contact details are taken in order to enable us to contact you, date of birth is taken to verify that you are above the minimum age to enter competitions (16 years), sneaker size as may form part of a prize. We process this data as part of our legitimate interests of our business.|
|We may disclose full name or name and county of residence of the winner of competitions on request or via publication (this does not cover direct marketing for which we separately ask for consent).||In order to comply with the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code) which is enforced by the Advertising Standards Agency and supporting Consumer Law, we are required to make available on request details of winners. We may also announce the winner via Footasylum social media channels. This is balanced with your privacy rights and only the minimal information (as described opposite) would be available under a lawful basis of legal obligation. This will be reviewed in line with any legislative changes or codes of practice supporting the CAP Code and to maintain your privacy rights under GDPR.|
How we use your information when sending marketing communications under consent.
We use this information in order to provide targeted marketing to you.
Your email address provided to us when providing consent for direct marketing.
Each email contains a tracking pixel which will track email opens (if the receiver has images enabled in their email client/mailbox). This is the standard approach for measuring open and click rates and is used by all email platforms in the market. This is processed on our behalf by our third-party data processor based in the UK.
All links in the emails record data for each link clicked as follows:
To send direct marketing communications by email but only under your consent.
This is to ensure that where you have given us permission to send you marketing communications, we can provide you with products that you are likely to have an interest in. This is performed under your consent only and you can choose to withdraw your consent at any time.
You can also object to the processing of your personal data where it is used for profiling for direct marketing. For more about profiling see our Glossary or section on Profiling and Automated Decision Making.
How we may use your personal data for security purposes.
|We may process your personal data for security purposes.||In order to protect your privacy and the security of your data on occasion we may need to process your personal data as part of security checks. This may be incidental contact with your data when conducting a check of our systems or to use your contact details to inform you of any security issues. This will only be restricted to authorised security personnel. This processing is necessary in order for the company to fulfil its requirements to have suitable technical and organisational security measures in place to protect the company's legitimate interests and to protect your privacy and security.|
How we use your personal data to protect against crime and prevent fraud.
|The use of CCTV within our stores and CCTV footage captured during incidents.||Fraud monitoring and sharing with fraud prevention agencies and law enforcement where necessary.|
|To keep you and our customers safe and to prevent and protect against fraud and crime.||For the prevention of fraud and crime as part of the legitimate interests of our business.|
|Gather personal data to share and analyse web transactions with anti-fraud organisations and law enforcement.||To lower the number of fraudulent claims as part of the legitimate interests of our business. This personal data may be anonymised and shared for analysis with third parties for the prevention of fraud.|
Focused on your rights to keep control of your data.
- We will keep you up to date in how we process your information through Privacy Notices like this one.
- You can access your information and receive information about how we use your information and the lawful basis for its use. You can also receive your information in an electronic portable format such as a CSV or PDF file.
- You can request correction of your information if it is found to be inaccurate. Where possible we will enable you to do this for yourself to give you greater control. For example, if you have an account with us you can probably sign in under your account and correct some of this for yourself.
- You can request that your information is removed or for us to stop processing or collecting your information in some circumstances.
- You have the right to object to the processing of your personal data for the purposes of direct marketing or profiling connected to direct marketing.
- Where you have given us permission to use your information you can change your mind at any time to either restrict the use of the information or remove the information. Particularly if you no longer wish us to send you marketing updates. See Stop Marketing Updates and Updating your Marketing Preferences.
- The right to complain to the Information Commissioner’s Office (the ICO) if you feel your information has been misused: https://ico.org.uk/concerns/handling/ or telephone the ICO on 0303 123 1113. Please raise any concern with us in the first instance, as they will usually ask you to get in touch with us first.
To contact us on any of the above, please contact our customer service team.
Our contact details are within the Data Access Requests and Raising Concerns section of this policy.
Profiling and Automated Decision Making.
We use a third party data processor to help us analyse sets of data to determine common patterns in behaviour which allows us to provide you with a more personalised, individual experience on our website, in our digital advertising and in our electronic marketing communications. For example, if we recognise that you browse several products with a common feature over a period of time, we are able to recommend similar products that you may also be interested in.
You have a right to object to this kind of processing.
Automated Decision Making
We do not use automated decision-making processes that could be considered to have a significant impact or legal effect on our customers. Examples of this are performed by other companies who use profiling and the results of the profiling to make automated decisions regarding credit worthiness or to deny or permit a service.
Our profiling data process is used to ensure we can more accurately target direct marketing to you and direct marketing is always sent to you only with your consent which can be withdrawn at any time (for guidance in how to do this, see Stop Marketing Updates).
Ensure that we do not keep your data any longer than we need to.
We only keep your personal information for as long as we need it, either for the lifetime of your account or for the purposes of providing customer service to you. We may also retain some personal information after the lifetime of your account for legal and regulatory purposes, for the purposes of recording disputes, fraud prevention or for terms and conditions we have agreed with you. In these cases, we will seek to minimise the amount of personal information we hold to ensure that we only retain the personal information we require to meet these obligations.
Data Access Requests and Raising Concerns.
Data Access Requests
You are entitled to request a copy of personal data held about you, the reasons why we process your personal data and the lawful basis for processing your personal data (see Your Rights above). This is known as a Subject Access Request (SAR). To obtain a copy please either write to us:
DROME Customer Services, Sandbrook House, Sandbrook Park, Sandbrook Way, Rochdale, OL11 1RY
Or phone Customer Services on: 01706 714229
Or email: Customer Services at: email@example.com
In the subject line of your email please entitle it: Data Access Request
You are entitled to receive this information in a portable format such as a CSV or PDF file. We will respond within 1 calendar month.
Exceptions - If the request is complex then we will be in touch with you to agree an extension to fulfil your request in full. If the request is deemed to be ‘excessive’ or ‘unfounded’ as defined within GDPR we can refuse to process the SAR or charge a reasonable admin fee. We will inform you of any exceptions if this is the case and you have the right to appeal to the ICO.
The Information Commissioner’s contact details are:
The ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF. They can also be contacted via their helpline on 0303 123 1113 or via their website at https://ico.org.uk/make-a-complaint
If you have any concerns about how DROMEs are processing your personal data then please contact the customer services team with the contact details above. If using email, please entitle the subject line: Information Rights Concern
Additional Processing and Sharing with Third Parties.
We use third parties to provide supporting services for Footasylum ltd. These enable us to provide the web and ecommerce service so that you can purchase goods.
- Web Hosting Service Provider providing web hosting service for this website.
- Web Developers.
- Network Service Providers.
- IT Service Providers.
- Email Service Providers.
- On-line review sites (these act as Joint Data Controllers). Please read the privacy and cookie policies of these sites.
We use third parties who act as data processors for DROME. We share some aspects of your personal data with these organisations.
- Courier companies who need your name and address details so that we can deliver our goods to your address, these also provide a tracking service where you can keep track of your deliveries.
- A Business intelligence and Data Profiling Agency who provide a service for us to improve, optimise and analyse the personal data that we process under marketing consent.
- Postcode and address finder service company who will enable quicker completion of the order checkout process.
- Payment Service Providers who need to process credit/debit card payments in order for you to purchase goods and services from DROME.
- Credit Reference, Law Enforcement and Fraud Prevention agencies for the purposes of preventing fraud and cyber crime.
- In some cases personal data may be anonymised and shared for analysis of fraudulent transactions with anti-fraud organisations and law enforcement.
- See Other Parties for linked sites below.
Transfers of your personal data.
We share some or all of your personal data, depending on the requirement of the service provided by third parties listed above in Additional Processing and Sharing with Third Parties. We do not sell your personal data to third parties.
Cross border data transfers
Your personal data may on rare occasions be shared with other controllers or processors within the EU/EEA area.
Transfers outside the EU/EEA
We do not, as standard practice, seek to use services outside the EU/EEA.
If we seek to transfer personal data or use services which host personal data outside the EU/EEA, we will only transfer to entities that provide contractual guarantees such as Standard Contractual Clauses (SCCs) (until such time the European Commission approves new SCCs) or who are located in countries who have an adequacy arrangement with the EU to protect your data with the same level of privacy as entities within the EU/EEA. We will perform the necessary due diligence to safeguard your personal data with these organisations. Either one or all of these approaches will be reviewed in line with CJEU rulings to ensure compliance with GDPR if necessary. We will continue to update our Privacy Notice to ensure that you are kept informed of data sharing practices.
We will update our Privacy Notice in this event to ensure that you are kept informed.
Keeping you up to date.
We will make changes to the Privacy Notice from time to time, in line with any new legal requirements or any changes we make within the business regarding the processing of your personal data. This version of the Privacy Notice includes a minor change to include sharing and analysis of anonymised web transactions as an anti-fraud measure and was published in January 2020.
Cookies (collection of Anonymous Data).
A cookie is a small text file stored by your web browser on your computer or mobile phone's hard drive. Some cookies are essential for the website to work for example to remember what you have added to your basket while you browse the site. They are useful because they help us to provide you with relevant information, such as remembering what you have in your wish list or basket when you return to our site. They also allow us to recognise your computer (but not specifically who is using it) when you access our website and to improve the usability and performance of our website.
Stop Marketing Updates.
You can stop your marketing updates by selecting the Unsubscribe link at the bottom of each email as illustrated below:
Or by Updating Your Preferences here:
Or by contacting our Customer Service Team in writing:
DROME Customer Services, Sandbrook House, Sandbrook Park, Sandbrook Way, Rochdale, OL11 1RY
Please be aware that you may receive one or two emails between the time we receive your request and the time we stop the marketing updates.
Updating your Marketing Preferences.
You can control your marketing preferences via your Account page and choose whether you wish to receive updates via email, SMS or direct mail (post).
We also give you control over your marketing preferences during the checkout process as follows:
[ ] By Email [ ] By SMS [ ] By Post [ ] All
Automated Decision Making – A decision-making process that is totally automated and excludes any human influence on the outcome. A process might still be considered solely automated if a human inputs the data to be processed, and then the decision-making is carried out by an automated system. A process won’t be considered solely automated if someone weighs up and interprets the result of an automated decision before applying it to the individual.
Consent – One of the Lawful Bases for Processing personal data. You (the Data Subject) should be provided with the opportunity to give informed and explicit consent for data processing which is deemed to have a high impact.
CJEU – Court of Justice of the European Union.
CSV File – Comma Separated Values file. This is a portable format for electronic data which can be transferred to different computing platforms.
Data Controller – Usually the company who you directly provide your personal data to.
Data Processor – A company that the Data Controller passes personal data to for processing under the instructions of the Data Controller. Data Controllers can also be Data Processors.
Data Subject – You. The individual whom the personal data identifies.
Data Transfers – Sharing or moving personal data to a third party. As a Data Controller we must ensure that your personal data is transferred securely and is provided with the same level of privacy as our own controls and in compliance with GDPR.
GDPR – The General Data Protection Regulation enforced from 25th May 2018 which replaces the Data Protection Act 1998, bringing Data Protection up to date and strengthening Data Subject’s rights.
Information Commissioner’s Office – The ICO is the supervisory authority for the United Kingdom and enforces data protection law.
Joint Data Controllers – A relationship where two or more Data Controllers may collect information from you and process personal data for their own purposes. You are advised to read the Privacy Policies of these sites.
Lawful Basis – Companies require a lawful basis to process your personal data. You (Data Subject) have the right to know what lawful basis a company is using to process your personal data.
Personal Data – Information that can uniquely identify an individual. Loss of this can have an impact on an individual, which is the reason why it must be protected.
PDF File – Portable Document Format file. This is a portable and easily readable format for electronic data which can be transferred to different computing platforms.
Profiling – Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviours, location or motives.
Provider – An external company who provide a service to the company who is processing your personal data, these may also be data processors.
SSL Technology – A form of encryption over public networks such as the Internet. This protects the data sent between your browser and our web server. Although known as SSL technology this has been largely superseded by TLS (Transport Layer Security).
Subject Access Request – A request from a Data Subject to provide information on the personal data processed by the Data Controller and Data Processor (if applicable).
Third Party – An external company or party who we may transfer data to or who may have an impact on the privacy of your data. As a Data Controller we must take appropriate technical and organisational measures to protect the privacy of your data.
Web Developers – An internal or external team who write and maintain the code for the web application.
Web Hosting – A service provider who provides a web server or environment for a web server as a service to a company.