1. DATA CONTROLLER
A data controller is an organisation that collects and uses personal data and has responsibility for how the personal data is used and managed.
The Innis & Gunn Brewing Company Limited is the data controller of personal data that you provide to us. The Innis & Gunn Brewing Company Limited is registered in Scotland, number: SC237510, Registered Office: 6 Randolph Crescent, Edinburgh EH3 7TH.
Our websites are: www.innisandgunn.com and www.inveralmond-brewery.co.uk (our Websites).
2. PERSONAL DATA WE COLLECT ABOUT YOU.
We use different types of personal data about you.
The different kinds of personal data about you we may collect, use, store and transfer are as follows:
· Identity Data including name, date of birth, social media handles
· Contact Data including billing address, delivery address, business address, city, email address, telephone numbers, mobile phone numbers, fax address
· Investment Data (if you are a shareholder or investor) including data about your shareholding or investment such as investment type, amount and dividend or interest payments
· Transaction Data (if you use our online shop) including details about payments to and from you and other details of products and services you have purchased from us
· Profile Data including your username and password, purchases or orders made by you, including the dates and details of purchases
· Usage Data including details of your visits to and information about how you use our Websites and records of correspondence or contact between us and you
· Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location data, traffic data, web server logs, operating system and platform, and other technology on the devices you use to access our Websites
· Marketing and Communications Data including your preferences in receiving marketing and communications from us.
3. HOW WE USE YOUR DATA
We use your personal data to provide goods and services to you, including to administer any accounts you may have with us if you purchase goods directly from us. We don’t sell your personal data.
We use your personal data in the following ways:
· To provide goods and services and to register and manage your customer account including administering payments, deliveries, returns and responding to queries or complaints
· To administer any prize draw or competition you may enter
· To analyse your shopping preferences or how you interact with or use our Websites
· To manage our relationship with you as a shareholder or investor (including AdventureCapital and BeerBond holders)
· To provide and administer shareholder and investor benefits
· For research and statistical purposes
· To send you special offers or discounts and/or to tell you about our products and services.
· To ensure that content from our Websites is presented in the most effective manner for you and the device you use to access our Websites
· For maintenance and improvements to our Websites
· To make and manage bookings for The Beer Kitchen outlets
· To operate and manage discount card and other customer benefits
· For promotional or public relations purposes.
We collect personal data directly from you when you purchase goods or services, create a customer account, register your details with us for marketing, change any of your details (such as your name or address), enter a promotion or competition, give your details or are photographed at an event we run, participate in surveys and market research or contact us.
We need you to provide personal data in order to assess whether to enter into a contract with you or to perform our contract with you and if you do not provide the personal data we request, we will be unable to enter into or fulfil this contract. Similarly, if you contact us with a query or problem, we will need some personal data from you in order to help you with that.
We may obtain data from third parties and publicly available information relating to you on the internet (for example on social media websites).
As you interact with us we may automatically collect technical data about your devices, browsing patterns and actions using cookies and other similar technologies. You can control the information given to us in your browser settings.
We will not sell your personal data to third parties for marketing and will only use your personal data when the law allows us to.
4. WHY WE NEED YOUR PERSONAL DATA
We need to process your personal data for a number of different reasons and this section explains our legal bases for processing. We also need to keep your personal data for as long as is necessary for us to operate our business and to comply with legal and regulatory obligations.
We rely on one or more of the following legal bases for processing personal data:
· To perform our contract with you or to enter into a contract with you: we need to process your personal data to fulfil our contract with you or to assess whether to enter into a contract with you, including in selling and delivering goods and services to you.
· To fulfil our legitimate interests or the legitimate interests of a third party: when we process personal data to fulfil our legitimate interests we will use it in a way in which you would reasonably expect and which the law allows. When we or third parties are relying on legitimate interests we will balance our interests against your interests and the privacy impact of the processing on you and we will process your personal data responsibly.
Examples of our legitimate interests are: fraud prevention, preventing and investigating crime, analysing the use of our Websites and cyber security.
· To comply with legal obligations to which our business is subject: Wwe have to comply with relevant laws in order to provide services and products and we may need to process your personal data in order to comply with these legal obligations.
· Consent: if we are relying on consent as our legal basis to process your personal data, you have the right to withdraw consent at any time. You can ask us to stop sending you marketing messages at any time by contacting us at firstname.lastname@example.org. Please note that the law may require us to keep some personal data about you even if you have withdrawn consent e.g. records of online shop purchases.
· Ensuring we have relevant information in the event of any queries or complaints
· Being able to identify if you have purchased a product which is subject to a product recall
· Proof of age verification for alcohol purchases (the delivery courier will request this when making a delivery)
· To assist with the establishment, exercise or defence of legal claims.
5. HOW LONG WE KEEP YOUR DATA.
We need to keep personal data for different periods of time.
The length of time we need to keep your personal data will vary depending on the nature of the personal data and the reason we hold it. We will apply appropriate risk based measures to protect your personal data which may include pseudonymising or anonymising the personal data. If personal data is pseudonymised, this means it is altered so you are no longer identifiable, but we can re-identify you if we have a requirement to do so. If personal data is anonymised, it is altered so you are no longer identifiable, but can never be re-identified in the future.
We will only retain your personal data for as long as necessary to fulfil a legally permitted purpose.
6. WHO WE TRANSFER DATA TO.
By law, transferring personal data to other organisations needs to take place with appropriate safeguards and you can be assured that we will only share the personal data that is needed for these organisations to be able to support what we do.
We may transfer your personal data to the following third parties:
· Innis & Gunn Group: other companies within the Innis & Gunn group of companies
· Technology service providers: our partners who provide IT and website services
· Customer service providers: our partners who work with us to administer your account and provide you with any help you may need
· Delivery companies: our couriers, parcel firms and mail firms who process or deliver your goods or services and manage any returns on our behalf
· Registrars: – our partners who assist in managing our shareholder and investor relationships and communications (such as share and BeerBond® registrars)
· Marketing service providers: our partners who provide marketing services as our sub-contractor
· Online reservations: third parties we use to make and manage reservations for The Beer Kitchen outlets
· Regulators: regulators and other governmental agencies or law enforcement agencies
· Purchasers: organisations who may be interested in purchasing our business or organisations who we may be interested in purchasing - we may sell parts of our business or acquire other businesses and your personal data may be shared with such third parties as part of this process
· Advisers: professional advisers including lawyers, accountants, bankers and insurers.
We will only transfer your personal data to third parties who adhere to appropriate data security standards and controls.
7. COUNTRIES YOUR PERSONAL DATA WILL BE SENT TO AND WHY
As Innis & Gunn operates around the world your personal data may be transferred across international borders. This section explains when this might happen and how we protect your privacy and rights.
EEA residents: your personal data will be used and stored within the European Economic Area (EEA).
Non-EEA residents: if you contact us from a country outside of the UK, when you provide information to us, you are providing it to Innis & Gunn in the UK. In order to answer contacts, queries and complaints, the information you provide to us may then be transferred to, processed in, and shared with our group companies or a distributor, agent or service partner located in other countries that help us deliver our services and assist in handling and resolving your query. This will, in certain situations, involve transferring your personal data outside the EEA to the country in which the group company, distributor, agent or service partner that will handle the response to your query is located; these other countries may not necessarily have data protection laws as comprehensive or protective as those in the UK.
Where this is the case, we will ensure that the transfer is subject to appropriate safeguards to protect your personal data and complies with applicable law. This may include having standard contractual clauses in place with the third party, the transfer being to a country which has been deemed by the European Commission to provide an adequate level of protection for the personal data (e.g. Canada) or, for the USA, under the EU-US Privacy Shield. For further information on how data can be transferred to other countries, please visit the European Commission website: https://ec.europa.eu/info/law/law-topic/data-protection_en
Our website servers are in the UK and our back up storage is within the EEA.
8. YOUR RIGHTS
You have certain rights in respect of your personal data and we have processes to enable you to exercise these rights.
Right of Access: this is known as a Subject Access Request. If you want to know if we are processing personal data relating to you and to have access to any such personal data you contact us at email@example.com.
Right to Rectification: if you believe that we hold inaccurate personal data about you, then you can either contact us at firstname.lastname@example.org with your request or, if you have a customer account, update this information directly by logging in to your customer account and updating the relevant details. Depending on the type of personal data you believe is inaccurate, we may ask you for further proof to ensure that the personal data is being corrected properly.
Right to Erasure: you have a right to ask for your personal data to be erased in certain circumstances. However, this right does not apply where we have to comply with a legal obligation or where we need personal data for the establishment, exercise or defence of legal claims. If you opt out of marketing communications or have previously opted out of marketing communications, we have to keep a record of your opt out to ensure that we do not contact you in the future.
Right to Restriction: you have a right to request that processing of personal data is restricted in certain circumstances. However, we will still continue to process the personal data for storage purposes, for the establishment, exercise or defence of legal claims or with your consent.
Right to Object: where we are relying on legitimate interests as a legal basis to process your data, you have a right to object to this processing on grounds relating to your particular situation.
Automated Processing: from time to time, we may use automated processing in relation to the information we hold about you to make recommendations of products and services we think you would be interested in and to improve your experience when you visit our website by making it relevant and tailored to you.
Right to Complain to the Information Commissioner: you have the right to lodge a complaint with the Information Commissioner and more details can be found on their website www.ico.org.uk.
If there is a change to your personal data at any time please let us know.
9. How to Contact Us
If you have any queries or concerns about how we use your information or on data protection generally please send an email to email@example.com or write us at Data Protection, Innis & Gunn, 6 Randolph Crescent, Edinburgh EH1 7TH, UK.
Last updated: 16 May 2018