Privacy Policy
Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.
This Privacy notice is here to inform you what to expect us to do with your personal information when you contact us in order to use one of our services.
Who we are
https://clarkpaintings.com is a website showing some of the artwork of Gareth Williams.
The site is run by Gareth Williams.
You may contact us by email :-
privacy@clarkpaintings.com
For general enquiries unrelated to the privacy policy, please use our contact page or email us at info@clarkpaintings.com
Data controller
For https://clarkpaintings.com – Gareth Williams acts in the capacity of Data Controller.
For any enquiries or concerns you may have about the data of yours that we may hold, you can contact us at the above email addresses.
What is ‘Personal Data’
Under the current EU GDPR your computer “IP” address is now considered personal data.
What data we collect and why we collect it
Contact forms
We collect this so we may reply to the enquiry.
We collect this information on the lawful basis of: – Consent
(GDPR Art 6(1)(a)):
“the data subject has given consent to the processing of their personal data for one or more specific purposes;”
Next to our contact form you will see a check box; the form will not be sent without your consent to our processing your personal data.
Analytics
Under the Google Terms of Service we ask for your consent to process your personal data in this way.
We collect this information on the lawful basis of: – Consent
(GDPR Article 6(1)(a)):
“the data subject has given consent to the processing of their personal data for one or more specific purposes;”
Cookies
Please note that you can at any time revise your cookie preferences on our site by going to the footer and clicking on “manage cookies”.
A cookie is a small text file which is placed onto your computer (or other electronic device) when you access our website. We use cookies on this website to:
- recognise you whenever you visit this website
- carry out statistical analysis to help improve our content and to help us better understand our visitor and customer requirements and interests
- make your online experience more efficient and enjoyable.
In most cases we will need your consent in order to use cookies on this website.
The cookies we use on our site
Cookie Banner
One cookie which operates the cookie banner preferences
“tarteaucitron”
What it does: It remembers your cookies settings
Who gets this cookie: This is set for all users. Set for 365 days, but you can re-set it at any time and it would then run again for 12 months unless you re-set it again in the meantime.
How this cookie helps: It remembers your settings and doesn’t bring up the banner again for 365 days, so you don’t have to accept every time you visit the site.
Google Analytics
Google analytics cookies that we set are first party cookies.
These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website.
Cookies Set by Google Analytics – all three are first party cookies:
“_ga GA Google Analytics cookie”
What it does: It is used to distinguish users.
Who gets this cookie: This is set for all users. Set for 14 months.
How this cookie helps: It lets us see what different users are looking at on our site, i.e. their habits and interests, so we can improve our site for you.
“_gat GA Google Analytics cookie”
Who gets this cookie: Everyone gets this cookie. Set for 1 minute and expires.
How this cookie helps: This cookie is used to throttle request rate.
“_gid Google Analytics cookie”
What it does: It is used to distinguish users.
Who gets this cookie: This is set for all users.
How this cookie helps: This helps us improve our site usability, by watching the way users navigate the site.
We collect this personal data on the lawful basis of: – Consent
(GDPR Article 6(1)(a)):
“the data subject has given consent to the processing of their personal data for one or more specific purposes;”
You can find out about Google “Safeguarding your data” here –
Google Safeguarding your data
Wordfence
Cookies Set by Wordfence – this is a first party cookie:
“wfwaf-authcookie-(hash)” sets one cookie to uniquely identify visitors shown in Wordfence Live traffic.
What it does: This cookie is used by the Wordfence firewall to perform a capability check of the current user before WordPress has been loaded.
Who gets this cookie: This is only set for users that are able to log into WordPress.
How this cookie helps: This cookie allows the Wordfence firewall to detect logged in users and allow them increased access. It also allows Wordfence to detect non-logged in users and restrict their access to secure areas. The cookie also lets the firewall know what level of access a visitor has to help the firewall make smart decisions about who to allow and who to block.
We collect this information on the lawful basis of: – Our Legitimate Interests
(GDPR Art 6(1)(f)):
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
How to turn off cookies
If you do not want to accept cookies, you can change your browser settings so that cookies are not accepted. If you do this, please be aware that you may lose some of the functionality of this website. For further information about cookies and how to disable them please go to: www.aboutcookies.org or www.allaboutcookies.org.
To find out more about how to manage the cookies in your browser you can check the links below –
Technical Information
The logs are fully GDPR compliant. None of your information leaves our database.
The logs help us as part of the process of identifying any security breaches, as they notify us when they detect unusual activity, allowing us, in the case of a security breach, to investigate and then, if necessary, to notify our users within 72 hrs of any breach.
The logs only record the name, user role and IP address of users who are logged in, along with some information about their device and the actions they complete when logged in.
No personal data is taken from visitors who are not logged in.
We collect this information on the lawful basis of: – Our Legitimate Interests
(GDPR Art 6(1)(f)):
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
We also run security software which regularly scans the site database to protect the website from malware and hackers with malicious intentions.
This software installs cookies on your browser – these are first party cookies.
This software, as with the activity log software, is there to protect the website visitors, users and the website itself, and as such we do not ask your consent to run these cookies.
We collect this information on the lawful basis of: – Our Legitimate Interests –
(GDPR Art 6(1)(f)):
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Contracts
If you, the user, should decide to become a client with us, you will need to enter into a contractual agreement with us. This may take place on or off the website, but if it occurs by email, then the information of the contract will be collected and stored on the WordPress database of https://clarkpaintings.com.
Contracts will have the personal data of the user, such as name, email, telephone number and address, along with the financial terms of the contract. We need this information to be able to fulfill our services for the user.
We collect this information on the lawful basis of: Contract
(GDPR Article 6(1)(b)):
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
You have a lawful basis if:
- you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract.
- you haven’t yet got a contract with the individual, but they have asked you to do something as a first step (eg provide a quote) and you need to process their personal data to do what they ask.
Please note that no financial transactions take place on https://clarkpaintings.com. The transactions will either be handled through PayPal, Stripe or via a bank draft.
Shipping Details
We collect this information on the lawful basis of: – Consent
(GDPR Art 6(1)(a)):
“the data subject has given consent to the processing of their personal data for one or more specific purposes;”
Proof Of Purchase
Small businesses in the UK must keep receipts for at least 6 yrs and sometimes longer.
We collect this information on the lawful basis of: Legitimate Interests
(GDPR Art 6(1)(f)):
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
How long we retain your data
Security Audit Log
Wordfence Security
Contact Form Info
Receipts of purchase
Contracts
Shipping Details
To see how long the shipper keeps your personal data you will need to consult their website privacy policy.
Google Analytics
IP address for 14 months.
You can find more about Google Analytics here –
What rights you have over your data
Right to be informed
Your request may be verbal or in writing.
We have one calendar month to reply to your request.
Right of access
This may be done verbally or in writing.
To make it easy for you we have a page specifically for this purpose with a form you can use quickly and easily – “Request User Data” which is in the footer menu of every page on the website, along with the “Privacy Policy” and “Terms of Use”.
We are allowed one month by the regulator to reply to your request.
Right of rectification
You can make your request either verbally or in writing.
We have one month to comply.
Right of erasure
The request may be made verbally or in writing.
Your right to erasure is not absolute and will only apply in certain situations, as the website is also obliged to keep certain information, for example for taxes for a period of at least 6 years.
We have one calendar month to reply.
Right to restrict processing
- this could be asked for if you feel that there are inaccuracies in your data and you are verifying the accuracy;
- the data has been unlawfully processed, and instead of erasure you choose to request a data restriction;
- you no longer have a need for the personal data which our website holds in storage;
- if an individual has objected to our processing their personal data we can restrict processing the data whilst we consider if our reasons for processing legitimately override those of the individual.
When your personal data has been restricted we are not allowed to process it in any way other than to store it without your consent, except for legal matters or for important public interest.
We must restrict your data within one month of your request for a restriction of your data.
Right to data portability
It is to allow you to move your personal data from one IT environment to another.
The information covered by data portability is only personal information which you have provided to us.
You may either (a) ask to receive a copy of your personal data, or (b) ask to have your personal data transmitted from one controller to another.
We have one calendar month to reply to your request from the date of its receipt.
The right to object
You may make us aware of your objection either verbally or in writing.
We have one calendar month to respond to your objection from the date of its receipt.
Rights related to automated decision making including profiling
The Right to complain
You can contact them here –
Who we share your data with
Web Hosting
All our database is on their servers.
You can read their privacy policy here –
Google Analytics
We use Google Analytics to set cookies in users’ browsers. These cookies are used to track the way users are visiting and interacting with this website.
The information that they collect is the user’s IP address, which is, under the most recent GDPR regulation, considered to be personal data.
We have provided you with an “opt-out” option box in the cookies notice which opens when you visit our website, so you can refuse the cookies before you start to browse the site.
You can always access the cookies notice from the footer of our website and at any time change your acceptance or refusal of these cookies by checking the relevant boxes.
For more info go to the section on cookies, where you will also find relevant links explaining their usage on websites.
Or click the link below –
Defiant Inc.
Security – Wordfence
As Defiant is outside of the EU we have a signed Data Protection Agreement with them, as required by the EU, until their EU-US Privacy Shield application is ratified. The DPA uses the accepted EU Model Contract Clauses, and you can see the contract here –
https://www.wordfence.com/gdpr/dpa.pdf
You can also check the Wordfence/Defiant privacy policy here –
https://www.wordfence.com/privacy-policy/
Data sent to Wordfence is attack data.
Shipping Agents
This personal data is given to the shipper on their website and will be covered by their data protection policies.
We cannot provide the service without giving this information.
The third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
We always seek consent in writing from the user/now client before we give their personal information to the shipper.
We do not have a preferred shipper.
PayPal Inc
This would be created on the PayPal Inc website, and we would be sharing your email, your name and the financial amounts to create the invoice.
Third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.
In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider other legal obligations may be placed upon them by the laws of their jurisdiction.
Please check PayPal’s Privacy Policy here –
Before we invoice you, we will have already entered into a contractual agreement with you, and the terms and lawful basis for processing this data are listed here.
We will always seek your consent before giving PayPal the details to create the invoice.
Tax Authorities
Lawyers
We will only do this with your written prior consent.
The third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
Where we send your data
Wordfence
The form of personal data is visitor IP addresses.
What they actually log from an attack is IP address, request time, referrer (when available) and browser user-agent string.
So from the above items they get:
IP address, location, search queries, date and time of request, referral URL, device make, model and OS, mobile network info, ISP, browser type and language, country, timezone.
The ‘metadata stored on the device’ refers to things like other HTTP headers that may indicate preferred language etc. This can be helpful in determining an attacker’s origin.
We have a signed Data Protection Agreement with Defiant Inc., the owners of Wordfence.
If your personal data is involved in an attack and you wish to see it, we submit a data request to Wordfence for your personal data which was involved in the attack, and in accordance with our Data Protection Agreement Wordfence will send us the requested data.
How we protect your data
Access control: Access to your data is limited to only the controller and the security specialists.
Security software: We operate security scanning and access control software on our website. This software is responsible for limiting login attempts to our site, blocking potentially malicious attempts to access our services, and regularly performing full file system scans. With the company that runs this service we have a signed Data Protection Contract.
Security Audit Log: we have a log of all activities by logged in users which will alert us if anyone tries to breach security and any actions they took.
Data encryption: This website is also secured with SSL encryption, which means that all traffic to and from our servers is encrypted. This applies to our own access to the website, as well as that of users of our services.
clarkpaintings.com itself has an SSL certificate – you will see in the browser window a padlock and the word “secure”; these indicate that the “https protocol” is activated, and that this allows a secure and encrypted connection from our web server to your browser.
What data breach procedures we have in place
We then would make contact with our Hosting company – Siteground Ltd
Following the establishment of the sensitivity of any breach we would follow the standard procedures outlined by the ICO in the UK.
We are required to keep logs of any breaches detected and of the nature of the data which has been breached and to report this to the ICO within 24 hrs of becoming aware of the essential nature of the breach.
You can check these here –
In the case of a data breach users have to be notified within 72 hrs if any personal information has been breached and whether or not you need to take any action.