Introduction
Grapey UK is committed to respecting and protecting our customers' privacy and treats it with the same
respect as our wine selection. This policy applies where we are acting as a data controller with respect to your
personal data, in other words, where we determine the purposes and means of the processing of such personal
data. It captures personal data entered across all channels: through our website, app, or via our Member Services Team.
We incorporate marketing preferences in your online account, which affect how we will process your personal
data. By using the marketing preferences functionality, you can specify whether you would like to receive direct marketing communications and limit the use of your information.
Please read this policy carefully to understand our views and practices regarding your personal data and how we
will treat it.
How we use personal data
In this section we outline how we may process your personal data. All personal data we process falls into one or more of the following categories:
- Order data;
- Transaction data;
- Financial data;
- Internal social data;
- Usage data;
- Communication data;
- Enquiry data;
- Digital marketing data; and
- CCTV.
We may process your order data ("order data"). The order data may include your name, billing address, delivery
address, phone number and email address. The order data will be processed for the purposes of delivering your
wine orders to you. The legal basis for this processing is the performance of a contract between you and us.
We may process your date of birth (“date of birth data”). Your date of birth will be processed for the purposes
of confirming you are 18 or over and therefore legally able to purchase alcohol. The legal basis for this
processing is compliance with legal obligations, namely the Licensing Act 2003.
We may process your transaction data (“transaction data”). The transaction data may include information relating
to your previous transactions, including purchases of goods or services. The transaction data
may include your name, billing address, delivery address, telephone number, email address and purchase history.
It may be processed for the purposes of supplying the purchased goods or services and keeping proper records of
those transactions. The legal basis for this processing is the performance of a contract between you and us.
Your transaction data may also be used to personalise offers and messages based on the products you order. The
legal basis for this processing is our legitimate interests, namely providing better services to you including
marketing based on your preferences. If you do not wish to receive personalised offers, you can exercise your
right to object.
We may process financial information (“financial data”) you share with us. The financial data may include your
encrypted card details, name and billing address. The financial data may be processed for the purposes of
processing your payments, speedy check-out, easy refunds and to prevent fraud. The legal basis for this
processing is the performance of a contract between you and us.
We may process information that you post for publication on our website or app, such as wall posts, images
(including but not limited to profile pictures, wall posts, and label images), videos, or product ratings and
reviews ("internal social data"). This internal social data is public, and may be processed for the purposes of
enabling interaction on the website or app between customers, winemakers and staff, and providing feedback to
our winemakers on their products. We may also use your posts or reviews in our marketing materials to help us
tell other customers about our products and services. In instances where internal social data is stored in an
unstructured format (such as free text reviews and wall posts), it is exempt from our data retention rules;
however, it may be deleted upon request. We may also access your contact list for purposes of facilitating
invitations from you to your contacts to join Grapey and connecting you on our website with your contacts
who are already using Grapey (e.g., a “Find Friends” feature). We do not collect or store your contact
list data. The legal basis for processing internal social data is consent.
We may process data about your use of our website or app, and reaction to our emails and services ("usage
data"). The usage data may include your geographical location, browser type and version, operating system,
referral source, length of visit, page views and website navigation paths, as well as information about the
timing, frequency and pattern of your service use and your ratings. The sources of the usage data are our
analytics packages (including, but not limited to Google Analytics) and email service providers. This usage data
may be processed for the purposes of analysing the use of the website, emails and services. The legal basis for
this processing is our legitimate interests, namely monitoring and improving our website and services. Your
usage data may also be used to personalise offers and messages to you. The legal basis for this processing is
our legitimate interests, namely providing better services to you including marketing based on your preferences.
If you do not wish to receive personalised offers, you can exercise your right to object.
We may process information that you provide to us for the purpose of subscribing to our direct marketing
communications ("communication data"). The communication data may include your name, email address, postal
address, phone number or marketing preferences. This communication data may be processed for the purposes
of contacting you with service notifications, such as that your order has been processed, or contacting you with
relevant offers and messages. The legal basis
for this processing is performance of a contract for service notifications and legitimate interests for direct
marketing communications.
We may process information contained in any enquiry you submit to us regarding goods and/or services ("enquiry
data"). This enquiry data may be processed for the purposes of providing clarification, resolving issues or
marketing relevant goods and/or services to you. The legal basis for this processing is the performance of a
contract between you and us and to ensure we are responding to your enquiry.
We may process information that you provide to us for the purpose of improving our marketing ("marketing data").
We may use marketing data in a number of different ways: either to advertise our products and services to you on
third party websites such as Facebook or via post, or to advertise our products and services to similar
customers (lookalikes) on third party websites such as Facebook. We may also use marketing data to exclude you
from seeing advertisements from third party websites such as Facebook or from receiving our advertisements via
post. The marketing data may include your name, email address, billing address, phone number, date of birth,
gender, and the user ID of any social platforms you have connected with us on. The legal basis for this
processing is our legitimate interests, namely providing better services and enhancing our customer base.
Please be aware that CCTV is in operation in our head office and delivery depot.
We may process any of your personal data identified in this policy where necessary for the establishment,
exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court
procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion
of our legal rights, your legal rights and the legal rights of others.
We may process any of your personal data identified in this policy where necessary for the purposes of obtaining
or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this
processing is our legitimate interests, namely the proper protection of our business against risks.
Please do not supply any other person's personal data to us, unless we prompt you to do so. If you do share your
friends’ details with us, please ensure you have their authorisation.
Providing Your Personal Data To Others
We do not, and will not, sell any of your personal data to any third party – including your name, address, email address or credit card information. We want to earn and maintain your trust, and we believe this is absolutely essential in order to do that.
However, we may disclose your personal data to the following categories of companies as an essential part of being able to provide our services to you, as set out in this policy:
- to any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy;
- to our insurers and professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice;
- to companies approved by you, such as Facebook and other social media sites (if you choose to link your accounts to us);
- to companies that we engage to provide database profiling and de-duping services to give us insights about our existing and potential customers;
- to companies that do things to get your wine orders to you, such as customs, warehouses, order packers and delivery companies; and
- to deliver exciting news and offers to you we will use postal printing and mailing, as well as email, mobile application push notifications, and third party marketing service providers.
Financial transactions relating to our website, app and stores are handled by our card payment service providers. We will share transaction data with our payment service providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds.
Payment processing will be carried out by Stripe, which will process such data as an independent data controller pursuant to its privacy statement.
We will also disclose your information to third parties:
- in the event that we take steps to sell or merge any of our business or assets (including by way of merger, share or asset sale), in which case we will disclose your data to the prospective buyer or merged entity; or
- if we or substantially all of our assets are acquired by a third party, in which case information held by us about you will be one of the transferred assets.
In addition to the specific disclosures of personal data set out in this Section 3, we may disclose your personal data to law enforcement and fraud prevention agencies, so we can help tackle fraud or where such disclosure is necessary for compliance with a legal obligation to which we are subject, in order to protect your vital interests or the vital interests of another natural person, or in connection with the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
Transfers Outside of the United Kingdom
Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA), such as Australia or the USA. For example, this might be required in order to fulfil your order, process your payment details or provide support services.
We will only send data to third-party data processors outside of the EEA, or who also use sub-processors outside of the EEA, if there are sufficient contractual provisions and protective measures in place. Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.
How long we retain your data
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
If you have registered on our website but not purchased from us, the length of time we will retain your data is dependent upon whether you have opted into our marketing communications. If you have opted in, we will retain your data for 2 years since your last interaction; if you have not opted in, we will retain your data for 30 days from registration.
Whilst you are an active customer (which, for the avoidance of doubt, means you have purchased from us) we will retain your data for as long as needed to give you the best possible customer service. We will anonymise your personal data 7 years after your last transaction (sale, refund) provided you have not interacted with us for 2 years. For the purposes of this policy, an interaction is defined as an identifiable website or app session, or contacting our Member Service Team.
If you have submitted somebody else’s data (with their authorisation) as part of our “invite a friend” promotion, we will retain their data for 30 days to give them sufficient time to claim the offer, and to enable us to reward you for the referral.
In all instances outlined above, the process of anonymising your data may take up to one calendar month.
In certain circumstances we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, to resolve disputes and enforce our agreements.
Your Rights
You have a number of rights in respect of your personal data. We have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
A. Right of access
You have the right to access all your personal data at any time.
B. Right of rectification
You have the right to rectify inaccurate, incomplete or outdated personal data at any time.
C. Right to restrict
You have the right to request the restriction of processing of your personal data in certain cases specified in Article 18 of the UK GDPR.
D. Right to portability
You have the right to receive your personal data in a readable format and to request that it be transferred to the recipient of your choice.
E. Right to be forgotten
You have the right to request that your personal data be deleted and to prohibit any future collection of your personal data.
F. Right to lodge a complaint
You have the right to lodge a complaint with a competent supervisory authority (in the UK, the ICO), if you consider that the processing of your personal data constitutes a violation of the applicable regulations.
G. Right of objection
You have the right to object to the processing of your personal data. Please note, however, that we may continue to process it despite this objection, for legitimate reasons or to defend legal rights. You can opt out of this at any time via the unsubscribe link at the bottom of each of our marketing emails.
Recruitment Data Retention
As part of the recruitment process Grapey Ltd will process any personal data you have provided for the purposes of considering you for suitable employment vacancies, communicating with you at various stages in the selection process, for on-boarding successful applicants and for retaining the applications of unsuccessful applicants in the form of a “talent pool” database. Grapey Ltd will be acting as Data Controller for these purposes.
The legal basis for our processing your information is the pursuit of our legitimate interests which are seeking job applicants in order to further the interests of our organisation and maintaining a database of unsuccessful candidates and speculative enquiries known as a talent pool. We will not process the information you have provided for any other purposes incompatible with those referred to above.
We will not share or disclose your personal data to anyone else.
The information you provide to us through this form and subsequently during the application process will be stored in our computer systems for a period of 365 days. You have the right to request access to, rectification or erasure of personal data that we hold about you as well as a right to object to and to a restriction of our processing of your personal data for the purposes described above. You may also lodge a complaint about us with the supervisory authority responsible for data protection.
Amendments
We may update this policy from time to time by publishing a new version on our website. You should check this page occasionally to ensure you are happy with any changes to this policy.
Questions and queries
If you have any questions that haven’t been covered, email us at info@grapey.co.uk, or contact our Member Service Team.