Privacy Notice

1 Introduction

1.1 The Cardboard Cutout Company (CCO) is committed to safeguarding the privacy of persons for whom we process personal data. In this policy, we explain how we will treat personal data processed by us, in accordance with UK data protection legislation, and in accordance with the General Data Protection Regulation (‘GDPR’).

1.2 Personal data includes any information relating to an identified or identifiable natural person (‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.3 Processing, for the purpose of this Privacy Notice, means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.4 By consenting to this Privacy Notice you are giving us permission to process your personal data specifically for the purposes identified in this Privacy Notice.

1.5 You have a right to withdraw your consent to our processing your personal data at any time, and we have outlined the process for such a withdrawal within this Privacy Notice.

2 Processing Personal Data

2.1 We will only process such personal data which is adequate, relevant and limited to what is necessary for processing.

2.2 We may process the following kinds of personal data from your visit to our website:

(a) Information about your computer and about your visits to and use of our website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths);

(b) Information that you provide to us when using the services on our website, or that is generated in the course of the use of those services (including the timing, frequency and pattern of service use);

(c) The information contained in or relating to any communication that you send to us or send through our website (including the communication content and metadata associated with the communication);

(d) Information needed for the administration of our website and business;

(e) Information that enables your use of the services available on our website;

(f) Information necessary so as to send statements, invoices and payment reminders to you and collect payments from you;

(g) Information necessary so as send you email notifications that you have specifically requested;

(h) Information required so as to provide third parties with statistical information about our users (but those third parties will not be able to identify any individual user from that information);

(i) Information required so as deal with enquiries and complaints made by or about you relating to our website;

(j) Information required so as to keep our website secure and to prevent fraud;

(k) Information required so as to verify compliance with the terms and conditions governing the use of our website (including monitoring private messages sent through our ‘Contact Us’ page on our website); and

(l) Any other personal information that you choose to send to us.

2.3 Before you disclose to us the personal information of another person, you must obtain that person’s consent to both the disclosure and the processing of that personal information in accordance with this policy.

2.4 In the event that we need to obtain special personal data from you, we will always tell you why, and how the information will be used.

2.5 We will process personal data for the following lawful purposes:

(a) The legitimate interests of our organisation. These include, but are not limited to the administration of our organisation, debt recovery and processing accounts;

(b) In the public interest or as a public authority;

(c) For the performance of a contract or to enter into pre-contractual negotiations;

(d) In order to ensure compliance with a legal obligation placed on us; (e) in order to protect the vital interests of either yourself or another person; and/or;

(f) For other reasons with your consent, which can be withdrawn at any time.

2.6 We may process information relating to transactions, including purchases of goods and services, that you enter into with us and/or through our website (“transaction data“). The transaction data may include your contact details, your card details and the transaction details. The transaction data may be processed for the purpose of supplying the purchased goods and services and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely our interest in the proper administration of our website and business.

We may process information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters (“notification data“). The notification data may be processed for the purposes of sending you the relevant notifications and/or newsletters. The legal basis for this processing is consent OR the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

2.7 We may process information contained in or relating to any communication that you send to us (“correspondence data“). The correspondence data may include the communication content and metadata associated with the communication.  Our website will generate the metadata associated with communications made using the website contact forms. The correspondence data may be processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is [our legitimate interests, namely the proper administration of our website and business and communications with users.

The Cardboard Cutout Company (CCO) will usually process personal data for the lawful purposes of the performance of a contract, the legitimate interests of our organisation, and/or with your consent (which can be withdrawn at any time). If, we collect and/ or process your personal data for any other lawful purpose we will notify you at the time (unless we are prohibited by law from doing so).

3 Disclosing Personal Data

3.1 We may disclose your personal data to any of our employees, officers, insurers, professional advisers, agents, suppliers or subcontractors insofar as reasonably necessary for the purposes set out in this policy.

3.2 We may disclose your personal data obtained from you visiting our website to our agents, insofar as reasonably necessary for the purposes set out in this policy.

3.3 We will not, without your express consent, supply your personal data to any third party for the purpose of their or any other third party’s marketing.

3.4 Any third party who we share your personal data with are obliged to keep your details securely and when no longer needed, to dispose of them in accordance with our approved procedures.

3.5 If we wish to pass your special personal data on to a third party, we will only do so once we have obtained your explicit consent unless we are required to do so by law.

3.6 We may disclose your personal data:

(a) To the extent that we are required to do so by law;

(b) In connection with any ongoing or prospective legal proceedings;

(c) In order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);

(d) To the purchaser (or prospective purchaser) of any business; or asset that we are (or are contemplating) selling.

3.7 Except as provided in this policy, we will not provide your personal data to third parties without first obtaining your consent.

4 Retaining Personal Data

4.1 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

4.2 Unless we advise you otherwise, we will retain your personal data for:

(a) No more than 28 days after your job has been completed, except in our hard copy diary, which will be retained for up to 365 days;

(b) For all other purposes we determine retention periods for personal data based on legal requirements and best practice and in any event will not exceed six years.

5 Security of Personal Information

5.1 We will take reasonable and proportionate technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.

5.2 We will store all the personal information you provide on our secure (password protected) servers.

5.3 You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.

6 Amendments

6.1 We may update this policy from time to time by publishing a new version on our website.

6.2 You should check this page occasionally to ensure you are happy with any changes to this policy.

6.3 We may notify you of changes to this policy, by email, post or on our website.

7 Your Rights

You have the following rights regarding the personal data which we hold about you:

7.1 Right of access – you have the right to request a copy of the information that we hold about you;

7.2 Right of rectification – you have a right to correct personal data that we hold about you that you think is inaccurate or incomplete;

7.3 Right to be forgotten – in certain circumstances you can ask for the personal data which we hold about you to be erased from our records;

7.4 Right to restriction of processing – in certain circumstances you have a right to restrict the processing of personal data;

7.5 Right of portability – you have a right to have the personal data we hold about you transferred to another organisation;

7.6 Right to object – you have the right to object to certain types of processing, such as direct marketing; and;

7.7 Right to object to automated processing, including profiling – you have the right to be subject to the legal effects of automated processing or profiling.

8 Complaints Procedure and Right to Legal Redress

8.1 In the event that we refuse your request under rights of access, we will provide you with a reason why.

8.2 If you wish to make a complaint about how your personal data is being processed by us, or any third party on our behalf, we would be grateful if you would in the first instance contact our Data Protection Officer, who will endeavour to resolve your issue to your satisfaction.

8.3 You have the right to complain directly to the Information Commissioner’s Office and/or seek other legal remedies.

9 Third Party Websites

9.1 Our website may include hyperlinks to, and details of, third party websites.

9.2 We have no control over, and are not responsible for, the privacy policies and practices of third parties’ websites.

10 Updating Personal Data

You are responsible for letting us know if the personal data that we hold about you needs to be corrected or updated.

11 Transfers of Personal Data to Third Countries

  1. 1 If we need to transfer personal data for processing to a Third Country (which is to say a country outside of the EU), we will only do so, where we have either:

(a) Taken an adequacy decision;

(b) Lawful binding corporate rules are in place;

(c) Lawful model contract clauses are in place;

(d) We have obtained your specific consent to the proposed transfer, and you have been advised of the possible risks of such transfers;

(e) The transfer is necessary for the performance of a contract between ourselves, or are part of the implementation of pre-contractual measures taken at your requests;

(f) The transfer is necessary for the conclusion or performance of a contract concluded in the interested of you, and us, and another party;

(g) The transfer is necessary for important reasons of public interest;

(h) the transfer is necessary for the establishment, exercise or defence of legal claims; and/or;

(i) The transfer is necessary in order to protect the vital interests of you or others, where you are physically or legally incapable of giving legal consent.

12 Cookies

12.1 Our website uses cookies.

12.2 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

12.3 Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

12.4 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

12.5 We use only session cookies on our website.

12.6 Most browsers allow you to refuse to accept cookies.

12.7 Blocking all cookies will have a negative impact upon the usability of many websites.

12.8 If you block cookies, you may not be able to use all the features on our website.

12.9 You can delete cookies already stored on your computer.

12.10 We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google’s privacy policy is available at: The relevant cookies are __ga.

12.11 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

(a) (Chrome);

(b) (Firefox);

(c)  (Opera);

(d) (Internet Explorer);

(e) (Safari); and

(f)  (Edge).

13 International Transfers of Your Personal Data

13.1 In this Section 5, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).

13.2 The hosting facilities for our website are situated in the United Kingdom with back up servers situated in Ireland. The European Commission has made an “adequacy decision” with respect to the data protection laws of each of these countries.

14 Our Details

14.1 Our registered office is 137 Mendip Way, Stevenage. SG1 6GD. Our website address is

14.2 Our principal place of business is at our registered office.

14.3 You can contact us:

(a) By post, using the postal address, given above;

(b) Using our website contact form;

(c) By telephone on  07923 033 682

(d) By email This Policy is generally available to customers, clients, general members of the public and third parties on our website. If a hard copy or email version of this policy is required by any person, it will be sent to them without delay.

Our Data Protection Officer is Nathan Gardiner. He can be contacted using the details referred to in this clause.

The Cardboard Cutout Company – Privacy Notice – January 16th 2019