Privacy and cookie notice
We are committed to protecting the privacy and security of our site visitors and clients. This policy sets out how we collect, use and store personal and other data for visitors and users of this website.
Who we are
The data controller in respect of our website is Bananadesign Limited, a registered company in England and Wales, number 6119615. If you wish to get in touch please see our contact page.
What information we may collect about you and why
Your name and contact details
How we collect it | How we use it |
---|---|
When you fill out a contact form on our website or if you call or email us. | To deal with your query. |
Lawful basis: legitimate interests | |
When you complete a registration form on our website. | To register you as a user of this website, or to register you for a course we run. |
Lawful basis: contract | |
Information about your device, and how you use our website
How we collect it | How we use it |
---|---|
When you visit this website, information about your device, operating system, browser and your IP address is automatically saved in log files on the web server | This helps us ensure the security of our site by monitoring normal and malicious use of our site |
Lawful basis: legitimate interests | |
If you log in to our site we also collect details of your IP address and the time of your login | This helps us ensure the security of restricted content for logged-in users or members |
Lawful basis: legitimate interests | |
We collect details of your visits to our site, including which pages you visit and actions you take. | This helps us to see what parts of our site are being used and to improve our site for our visitors and users |
Lawful basis: legitimate interests | |
Ecommerce
How we collect it | How we use it |
---|---|
If you make a purchase from our website we may collect your contact details, your purchase details and transaction references. | To fulfil your purchase and keep a record for tax purposes. We never receive or store your card details. |
Lawful basis: contract | |
Marketing
We do not currently collect information for marketing purposes.
Special category data
We do not currently collect any special category data.
Minors under 16
This website is intended for visitors and users over the age of 16 and as such we do not knowingly collect any information about children.
Data retention
We will only keep your data for as long as necessary. For data that we have identified as being covered under the legitimate interests lawful basis, this will be for no more than two years. For data identified as being covered under the contract lawful basis, this will be kept for a minimum of six years and no longer than ten years. This includes keeping records as required by law for tax and auditing purposes.
Data storage
We store your data on our password protected, encrypted computers and server in our UK office. Your data may also be shared with third parties as detailed below.
Sharing your personal information
We take your privacy seriously and will only use your personal information to respond to your queries, to provide the services you have requested from us, provide administration notices, or for the normal functioning of this website. Your personal information will never be shared with third parties for marketing purposes and will not be used by us for marketing purposes without your explicit consent.
We do use some third party companies who act as data processors, to provide services in order to run our website and in order to run our business. Your data may be shared or stored with them as follows.
Reason | Location |
---|---|
We use a specialist server company called Layershift to host our website. | A secure datacentre in the UK. Data is permanently held unless changed or deleted. Onsite backups are kept for 7 days. |
We use a specialist server company called Hetzner to store additional backups of our website. | A secure datacentre in Germany. Backup data is encrypted. Data is kept for 30 days. |
We use a specialist email service provider called Mailgun (covered by the EU-US Privacy Shield Framework) to improve deliverability of email sent from this website. | Secure datacentres in the USA. Data is retained only for the purposes of sending email and providing us with information about its delivery. |
We use PayPal as our payment gateway provider to process card payments. | Secure datacentres in the EEA. |
We use Crashplan for backups of our computers which may contain personal information in emails or local copies of website backups. | A secure datacentre in the USA. Backup data is encrypted. |
We use accountancy software called FreeAgent which our accountant has access to as well. This is only applicable if you have made a purchase through our website. | A secure datacentre in the UK. |
Cookies
Like most websites we set cookies to enable features on our website. You can find out more about cookies and how to manage them on the All About Cookies website.
We set strictly necessary cookies for security and to enable you to do things like log in to our site.
Cookie name | Reason |
---|---|
wordpress_[hash] wordpress_sec_[hash] wordpress_logged_in_[hash] | Set by WordPress if you log in to our site to store your authentication details. |
wordpress_test_cookie | Tests whether or not your browser has cookies enabled. |
wp-settings-{time}-[UID] | Set by WordPress and used to customize your view of admin area interface (if applicable), and possibly also the main site interface. |
We use third parties for some services such as website analytics, embedded maps, embedded videos and web fonts amongst others. Some of these may set non-essential performance cookies and some services such as Google Maps, Google Fonts and YouTube may collect IP addresses and/or set cookies. We ask for consent to set Google Analytics but do not control what cookies are set for the other services. For more information on all of Google’s services please see Google’s privacy policy.
Cookie name | Reason |
---|---|
_gid | Set by Google Analytics to distinguish users. We have enabled IP masking which ensures IPs are anonymised before being sent to Google. |
_ga | Set by Google Analytics to distinguish users. We have enabled IP masking which ensures IPs are anonymised before being sent to Google. |
SID, SAPISID, APISID, SSID, HSID, NID, PREF | Set by Google Maps to measure the number and behaviour of Google Maps users. Google may collect some data including search terms, IP addresses, and latitude/longitude coordinates. |
PREF, VSC, VISITOR_INFO1_LIVE, remote_sid | Set by YouTube using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player. |
Security
We take security very seriously and have taken appropriate measures to secure our website and your data. However please be aware that the internet is a public network and it is not possible to guarantee absolute security.
Measure | Why |
---|---|
Cloudflare | A website application firewall that increases security by blocking known hackers, abusive bots and malicious IP addresses. |
SSL | Encryption to ensure secure transmission of your personal information when you submit a form on our website. |
Firewalls and IP banning | Prevent unauthorised access to our server and block malicious users or bots. |
Activity logging | Keeps records of actions taken on our site to help identify security issues or breaches. |
Uptime monitoring | We receive notifications if our website is offline or unreachable for more than 3 minutes. This helps us to ensure our website stays online and to alert us to any potential threats which may take the site down. |
Two factor authentication logins for website administrators | This adds an extra layer of security to prevent unauthorised access to our website administration area. |
Security plugins | We make use of several security plugins that scan for malware and infected files, block suspicious activity, and notify us of any unusual activity patterns or administrator logins. |
Virtual Private Network (VPN) | We use software to encrypt our traffic over the internet which ensures that data such as login information cannot be read by hackers. |
Breach notifications
The ICO define a data breach as “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. We are required under law to tell the data protection regulator of data breaches within 72 hours. We are also required to notify individuals in certain circumstances and we will do so as required.
We have specialist insurance cover for professional liability, which gives us access to a range of experts in the event of a data breach.
Your rights
- Right to confirmation – you have the right to know if we hold personal data that concerns you
- Right to access – you have the right to view and to obtain a copy of any personal data we hold that concerns you
- Right to rectification – you have the right to the correction of any inaccuracies within the personal data we hold that concerns you
- Right to erasure – you have the right to have your personal data removed from our systems
- Right to complain – you have the right to complain to the data protection regulator (the ICO in the UK) but we would appreciate it if you would contact us in the first instance so that we can help with any issues!
If you wish to exercise any of your rights please contact us and we will be happy to help.
Changes to this policy
We may make changes to this policy from time to time. If we do we will update it here and a record of these is below.
- Version: 2.0. Effective date: 23 May 2018.