The Gunner's Store Ltd, 35-37 Chapelgate, Sutton St James, Lincolnshire, PE12 0EF, UK is the Data Controller for all matters relating to personal data held by the company.
We obtain Data for the purposes of:
- Processing Orders placed through our web shops, over the phone, by email, post and in store.
- Administering the Web site including the ability to ban IP addresses, identifying customers using our web shops in order to provide a smooth shopping experience. (see Cookie Information section)
- For the purposes of ordering/acquiring stock and supplies.
- For the purposes of accounts records and to respond to HMRC audit.
- Responding to customer's queries or complaints.
- To contact customers with information or queries about orders placed.
- Marketing purposes.
- Applying for Import/Export Licences from the relevant Government organisations.
- For use by the Authorities such as the Secretary of State, Police or security services to prevent or in the detection of crime and to maintain records of items such as Firearms which legally require those records to be maintained and retained for the required period.
- For the purposes of confirming that purchasers are legally able to buy certain kinds of goods which have an age restriction or other restriction.
- Recording details as required by legislation, including notifying relevant authorities such as the Home Office or Police of items we sell or otherwise transfer about which we are required to give information regarding the purchaser to the relevant authority.
We have assessed and identified the Lawful Bases of our information gathering as Contract and Legal. These have been identified on the basis of the purposes given above; Contract Basis are those required for processing customer orders of various types, buying items and placing orders with suppliers, interacting with customers, maintaining accounts records, marketing and information which may be imparted to the Authorities.
We also record CCTV on our physical premises in the interests of security and crime prevention and detection.
Legal interests are those required by virtue of legislation such as the VCR act which specifies minimum age limits and records for the purchase of certain kinds of goods and records that must be retained and the Firearms Acts which specify certain personal details which must be recorded for the sales and purchases of specific types of goods and notified to the relevant authority.
We obtain the following types of data from information entered by the customer in our web shops and by other means such as Email, and information and documents provided by customers:
Name, Address, Telephone number, Email address, IP address at the time of connecting to the web site (see our cookie policy for further information), Part of unique identifying numbers of identity/age/address proof documents and any copies or scans provided by the customer, notes of any searches done such as in the electoral rolls to confirm age/address/identity and Authorities to purchase/possess certain types of goods as required by the relevant legislation, in common with all businesses accepting payment cards we hold copies of receipts in accordance with the provisions of the Payment Card industry standards, Records of items purchased by customers and items purchased from suppliers, details of items ordered, CCTV footage.
Where a minimum age is specified for the purchase of certain types of items by mail order we will consult online references such as the electoral roll to confirm the buyers age and address, if that search is unsuccessful we may request additional information from the customer to prove the persons eligibility to purchase the item. We will retain for as long as we consider necessary all proofs of age/identity to show that we have carried out due diligence in the event of an inquiry by the authorities.
Where we are required by law to take details from persons whether suppliers or customers we will record for official purposes name/s, address, part of any number of a document used for Identification or age check and full details of any licence required for possession of the item/s. Where necessary we will notify the relevant authority of the sale or transfer.
If we attend an event in Kent we are required by virtue of the Kent Act to note Customer?s names and addresses connected with certain types and/or value of goods and retain the records for not less than two years
In order to process customer orders Data which can identify an individual will be passed to the following types of organisation: Ourselves in order to process an order or service, Sagepay our Payment card processing gateway for the purposes of authenticating and authorising payment for goods and/or services over the internet; Worldpay who actually process the card payment and credit the funds to our bank; Paypal to seek or receive a payment and to obtain delivery details; Parcelforce for the purposes of delivery of customer orders weighing over 2 kilogrammes or where parcels are under 2 kilos but too large for Royal Mail. We also use Royal Mail but no identifiable name is recorded by them during the provision of their service
For certain categories of items the Secretary of State or the Police where there is a legal requirement for us to advise them of a transaction, or because there is uncertainty as to whether a particular item should or should not be notified in which case we will err on the side of caution and notify the relevant authority, or because we gain the opinion that there may be something potentially of interest to the police in the transaction.
To receive items which are being sent to us by suppliers or customers whether private or commercial we may need to pass basic data which can identify a customer such as name, address, telephone number, email address to Parcelforce in order for a collection and delivery to be achieved.
To Import items requiring a licence which for our use or on behalf of customers we need to provide basic data including the senders name and address..
We do not transfer data to other countries outside the EU. Data in our webshops may be held on a server in another EU country with the appropriate safeguards as if it were held in the UK, this is the nature of the internet.
We retain data for the minimum which is legally required or which we consider appropriate for the future protection of ourselves and/or because we consider it appropriate for the purposes of proving legal compliance at a time in the future or to assist the authorities in the prevention and detection of crime. The lengths of time for the types of information are as follows:
Order details/purchasing details from Private individuals; depending on format of record (e.g. Paper, email, web based record) from 15 days to 6 years from the end of our current financial year. Card Payment details are held by card processor as a long-term record for their purposes in accordance with the Payment Card Industry PCI DSS standards.
Accounting sales information including order details: held permanently as a record of the sale contract but unless linked to a transaction with legal criteria, the recorded transaction only retains the customer's name as a reference.
Data required to comply or substantiate compliance with legislation is retained permanently.
Data held by the relevant authority (the Police or Secretary of State) relating to Firearms (including deactivated weapons complying with the technical specification issued by the Secretary of State under section 8A(5) of the Firearms (Amendment) Act 1988) must be held for 30 years after destruction of the Firearm/s to which the record relates.
Some of our processors such as Parcelforce will retain records for extended periods in order to provide a past delivery enquiry facility.
CCTV: 6 months or less as data is overwritten repeatedly making previous information unusable.
Individuals have the following rights (there are others which are not applicable to our Lawful Bases) with regard to the data we hold in connection with them:
We hold Data on the Basis of Contract, where we hold data on the basis of Legal Obligation differences are noted accordingly;
The Right to erasure of any details we hold (for example an email address for marketing purposes). Note that this does not apply to either 'Contract' or 'Lawful' Bases
The Right to object to Data we hold or the use of the Data (although this may mean we cannot process a transaction an individual requires). Note that this does not apply to either 'Contract' or 'Lawful' Bases
The right to be informed (the purpose of this document)
The right of access to Data held about them and for that information to be provided within one calendar month of the request being received (note that sufficient information must be provided to allow the search for and provision of this information to take place). No charge can be made for this unless requests are unfounded or excessive.
The right of rectification if records held are incorrect in any way
The right to restrict processing.
The right to Data Portability. This means that you can request the data about you be transferred or shared with another organisation. This does not include information that we hold for the Basis of Legal Obligation. The GDPR specifies that this only applies to Data an individual has provided to a controller; Where the processing is based on the individuals consent or for the purposes of a contract; and when processing is carried out by automated means. The information need only be transmitted to another organisation if it is technically feasible. We do not process by automated means other than receiving the details an individual has sent and hold only those basic details as described in this document, in most cases we only retain the individuals name in order to limit the amount of Data we hold.
Where the Data is held on the basis of Legal Obligation there are no rights available for erasure of Data or to Object.
The right to complain to the Information Commissioners Office whose details can be found at https://ico.org.uk/
Provision of Data required by law (for example, for purchase of an Air Weapon in a face to Face transaction, or for age verification in a mail order transaction) If a customer does not wish to provide such information then the no sale can proceed.
Data provided for purposes other than complying with the law will always relate to the supply of goods or services where we are either the supplier or the customer, in the vast majority of cases we will be the supplier. There is no legal or contractual requirement to provide the Data we require to process a customer's order (or to place an order with a business supplier, or to purchase goods being sold by an individual) but if the Data is not provided it may well be an impossible to complete the sale or purchase.
If a person wishes to remove consent to their data being processed providing they notify us before goods are charged for we can cancel the order and remove the order and their details from our system but cannot remove the charge request from the payment gateway and providers records as this constitutes part of the billing process between the customer and their card provider. The customer has made a decision (consented) to enter the payment details for authentication/authorisation by their card issuer, however we will co-operate and endeavour to do so should the customer request it, but it should be noted that if no charge has been placed by us nothing will appear for the transaction on the individuals bank statement and no funds will have been taken as on entering card and name/address details through the payment gateway the number is passed through an Authentication process but we do not take payment until we have checked availability of the goods required and then actioned the Authorisation procedure which charges the amount billed to the customers payment card.
Also note that we cannot remove personal details once the item has been charged for as these will be required as a transaction record for tax and possible legal reasons in the event of a dispute, but that the record will not be held longer than necessary and as required by regulation, law and the card industry PCI DSS standards. Consent opt in would seem to be covered by the customer ordering goods, entering details and making payment-seems pretty unambiguous.
If a customer wishes us to remove their details from our records we will do this once notified in writing by letter to our registered address or by email we will remove all records that are not required to be retained by law or as records of transactions. We will attempt to have records removed from third party databases such as payment gateways but due to the nature of the transaction and the need for audit trails by the customers card issuer this may not be possible.
We have created this privacy statement relating to your use of our website in order to demonstrate our firm commitment to privacy. The following discloses our information gathering and dissemination practices for this web site.
We use your IP address to help diagnose problems with our server, and to administer our Web site and to ban IP addresses which we believe may be malicious. Your IP address is used to help identify you within the webshop environment (it should be noted that Dynamic IP addresses are not unique to an individual but static IP addresses are to an individual or organisation) and to gather broad demographic information.
Our site uses cookies to keep track of your shopping cart. We use cookies to identify you so we can retrieve your information so you don't have to re-enter it each time you visit our site. See our Cookie Policy for more information just click the link in the Main Menu.
Our site's registration form requires users to give us contact information, like their name and email address, and unique identifiers. We use customer contact information from the registration form to send the user information about our company. The customer's contact information is also used to contact the visitor when necessary if they have subscribed to the mail list. Users may opt-out of receiving future mailings by choosing to un-subscribe. Unique identifiers are collected to verify the user's identity and for use in our record system.
This site may contain links to other sites. We are not responsible for the privacy practices or the content of such web sites.
Our web site uses an order form for customers to request information, products, and services. We collect visitor's contact information and unique identifiers. Contact information from the order form is used to send orders and information about our company to our customers. The customer's contact information is also used to get in touch with the visitor when necessary. Users may opt-out of receiving future mailings. Unique identifiers are collected from Web site visitors to verify the user's identity and for use as account numbers in our record system.
Web Version 1.03 5th May 2019
This site has security measures in place to protect the loss, misuse and alteration of the information under our control. All data is protected using the most advanced methods available. We do not store financial information like credit card numbers on this site.
This site gives users the following options for removing their information from our database to not receive future communications or to no longer receive mail list messages.
This site gives users the following options for changing and modifying information previously provided.