Privacy and cookie notice

We are committed to protecting the privacy and security of our site visitors and clients. This policy sets out how we collect, use and store personal and other data for visitors and users of this website. 

Who we are

The data controller in respect of our website is Bananadesign Limited, a registered company in England and Wales, number 6119615. If you wish to get in touch please see our contact page.

What information we may collect about you and why

Your name and contact details

How we collect it | How we use it
When you fill out a contact form on our website or if you call or email us. | To deal with your query. Lawful basis: legitimate interests
When you complete a registration form on our website. | To register you as a user of this website, or to register you for a course we run. Lawful basis: contract

Information about your device, and how you use our website

How we collect it | How we use it
When you visit this website, information about your device, operating system, browser and your IP address is automatically saved in log files on the web server. | This helps us ensure the security of our site by monitoring normal and malicious use of our site. Lawful basis: legitimate interests
If you log in to our site we also collect details of your IP address and the time of your login. | This helps us ensure the security of restricted content for logged-in users or members. Lawful basis: legitimate interests
We collect details of your visits to our site, including which pages you visit and actions you take. | This helps us to see what parts of our site are being used and to improve our site for our visitors and users. Lawful basis: legitimate interests

Ecommerce

How we collect it | How we use it
If you make a purchase from our website we may collect your contact details, your purchase details and transaction references. | To fulfil your purchase and keep a record for tax purposes. We never receive or store your card details. Lawful basis: contract

Marketing

We do not currently collect information for marketing purposes.

Special category data

We do not currently collect any special category data.

Minors under 16

This website is intended for visitors and users over the age of 16 and as such we do not knowingly collect any information about children.

Data retention

We will only keep your data for as long as necessary. For data that we have identified as being covered under the legitimate interests lawful basis, this will be for no more than two years. For data identified as being covered under the contract lawful basis, this will be kept for a minimum of six years and no longer than ten years. This includes keeping records as required by law for tax and auditing purposes. 

Data storage

We store your data on our password protected, encrypted computers and server in our UK office. Your data may also be shared with third parties as detailed below.

Sharing your personal information

We take your privacy seriously and will only use your personal information to respond to your queries, to provide the services you have requested from us, provide administration notices, or for the normal functioning of this website. Your personal information will never be shared with third parties for marketing purposes and will not be used by us for marketing purposes without your explicit consent.

We do use some third party companies who act as data processors, to provide services in order to run our website and in order to run our business. Your data may be shared or stored with them as follows.

Reason | Location
We use a specialist server company called Layershift to host our website. | A secure datacentre in the UK. Data is permanently held unless changed or deleted. Onsite backups are kept for 7 days.
We use a specialist server company called Hetzner to store additional backups of our website. | A secure datacentre in Germany. Backup data is encrypted. Data is kept for 30 days.
We use a specialist email service provider called Mailgun (covered by the EU-US Privacy Shield Framework) to improve deliverability of email sent from this website. | Secure datacentres in the USA. Data is retained only for the purposes of sending email and providing us with information about its delivery.
We use PayPal as our payment gateway provider to process card payments. | Secure datacentres in the EEA.
We use Crashplan for backups of our computers which may contain personal information in emails or local copies of website backups. | A secure datacentre in the USA. Backup data is encrypted.
We use accountancy software called FreeAgent which our accountant has access to as well. This is only applicable if you have made a purchase through our website. | A secure datacentre in the UK.

Cookies

Like most websites we set cookies to enable features on our website. You can find out more about cookies and how to manage them on the All About Cookies website.

We set strictly necessary cookies for security and to enable you to do things like log in to our site.

Cookie name | Reason
wordpress_[hash], wordpress_sec_[hash], wordpress_logged_in_[hash] | Set by WordPress if you log in to our site to store your authentication details.
wordpress_test_cookie | Tests whether or not your browser has cookies enabled.
wp-settings-{time}-[UID] | Set by WordPress and used to customize your view of admin area interface (if applicable), and possibly also the main site interface.

We use third parties for some services such as website analytics, embedded maps, embedded videos and web fonts amongst others. Some of these may set non-essential performance cookies and some services such as Google Maps, Google Fonts and YouTube may collect IP addresses and/or set cookies. We ask for consent to set Google Analytics but do not control what cookies are set for the other services. For more information on all of Google’s services please see Google’s privacy policy.

Cookie name | Reason
_gid | Set by Google Analytics to distinguish users. We have enabled IP masking which ensures IPs are anonymised before being sent to Google.
_ga | Set by Google Analytics to distinguish users. We have enabled IP masking which ensures IPs are anonymised before being sent to Google.
SID, SAPISID, APISID, SSID, HSID, NID, PREF | Set by Google Maps to measure the number and behaviour of Google Maps users. Google may collect some data including search terms, IP addresses, and latitude/longitude coordinates.
PREF, VSC, VISITOR_INFO1_LIVE, remote_sid | Set by YouTube using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player.

Security

We take security very seriously and have taken appropriate measures to secure our website and your data. However please be aware that the internet is a public network and it is not possible to guarantee absolute security.

Measure | Why
Cloudflare | A website application firewall that increases security by blocking known hackers, abusive bots and malicious IP addresses.
SSL | Encryption to ensure secure transmission of your personal information when you submit a form on our website.
Firewalls and IP banning | Prevent unauthorised access to our server and block malicious users or bots.
Activity logging | Keeps records of actions taken on our site to help identify security issues or breaches.
Uptime monitoring | We receive notifications if our website is offline or unreachable for more than 3 minutes. This helps us to ensure our website stays online and to alert us to any potential threats which may take the site down.
Two factor authentication logins for website administrators | This adds an extra layer of security to prevent unauthorised access to our website administration area.
Security plugins | We make use of several security plugins that scan for malware and infected files and block access to suspicious activities and notify us of any unusual activity patterns, or administrator logins.
Virtual Private Network (VPN) | We use software to encrypt our traffic over the internet which ensures that data such as login information cannot be read by hackers.

Breach notifications

The ICO define a data breach as “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. We are required under law to tell the data protection regulator of data breaches within 72 hours. We are also required to notify individuals in certain circumstances and we will do so as required.

We have specialist insurance cover for professional liability, which gives us access to a range of experts in the event of a data breach.

Your rights

  • Right to confirmation – you have the right to know if we hold personal data that concerns you
  • Right to access – you have the right to view and to obtain a copy of any personal data we hold that concerns you
  • Right to rectification – you have the right to the correction of any inaccuracies within the personal data we hold that concerns you
  • Right to erasure – you have the right to have your personal data removed from our systems
  • Right to complain – you have the right to complain to the data protection regulator (the ICO in the UK) but we would appreciate it if you would contact us in the first instance so that we can help with any issues!

If you wish to exercise any of your rights please contact us and we will be happy to help.

Changes to this policy

We may make changes to this policy from time to time. If we do, we will update it here, and a record of these changes is below.

  • Version: 2.0. Effective date: 23 May 2018.