This Privacy Policy sets out how we, HeavenTree, collect, store and use information about you when you use or interact with our websites, www.heaventree.ie and www.myheaventree.com (each a ‘website’ and together the ‘websites’), and where we otherwise obtain or collect information about you. This Privacy Policy is effective from January 2018.
Table of Contents
- Summary
- Our details
- Information we collect when you visit our websites
- Information we collect when you contact us
- Information we collect when you interact with our websites
- Information we collect when you place an order for our goods or services
- Our use of automated decision-making and profiling
- Disclosure and additional uses of your information
- How long we retain your information
- How we secure your information
- Transfers of your information outside the European Economic Area
- Your rights in relation to your information
- Your right to object to the processing of your information for certain purposes
- Sensitive Personal Information
- Changes to our Privacy Policy
- Children’s Privacy
- California Do Not Track Disclosures
- Copyright
Summary
This section summarises how we obtain, store and use information about you. It is intended to provide a very general overview only. It is not complete in and of itself and it must be read in conjunction with the corresponding full sections of this Privacy Policy.
Our details
The data controller in respect of our website is HeavenTree Ltd (company number 123456) of The Old Mill, Milltown, Dublin 14, Ireland. You can contact us by writing to the Data Protection Officer at The Old Mill, Milltown, Dublin 14, Ireland or by sending an email to info@heaventree.ie.
The Supervisory Authority in Ireland is the Data Protection Commission (DPC). You have the right to lodge a complaint with the DPC. If you wish to lodge a complaint, you can contact the DPC by post at 6 Pembroke Row, Dublin 2, D02 X963, Ireland.[1, 2]
Information we collect when you visit our websites
We collect and use personal data from website visitors in accordance with this section and the section entitled Disclosure and additional uses of your information.
Web server log information
We use a third-party server provider to host our websites. Our hosting provider uses web server log information, including:
- Your IP address
- The date and time of your visit
- The pages you accessed and the documents you downloaded
- The type of web browser and operating system you are using
The legal basis for the processing of this data is our **Legitimate Interests** (Article 6(1)(f)).[3] We have completed a Legitimate Interest Assessment (LIA) and have concluded that our interests are not overridden by your fundamental rights and freedoms.[4, 5] Specifically, our legitimate interests are: monitoring and improving the operational security and technical performance of our websites, and detecting and preventing fraud or misuse of the service.[6, 7] We retain web server log information for 12 months.[8] After this period, this information is deleted.
Cookie Information and ePrivacy Compliance
Cookies are small data files stored on your computer’s hard drive by a website.[9] We use cookies to collect information on how you use our websites.
Strict ePrivacy Notice: We only use non-essential cookies (Analytics, Advertising, and Performance) after receiving your explicit, informed consent via our cookie consent mechanism.[1] You have the right to refuse non-essential cookies, and this refusal will not prevent you from accessing our website.[1]
We classify our cookies by purpose, provenance (first-party or third-party), and duration (session or persistent).[10]
- **Necessary cookies:** These are essential for the website to function securely and remember your preferences (e.g., remembering your language or login status). These do not require your consent.
- **Analytics and Performance cookies:** These are used to analyse your use of our websites and help us improve our services. Our legal basis for this processing is **Consent** (Article 6(1)(a)).[11]
- **Advertising and targeting cookies:** These are used to deliver relevant advertisements to you based on your browsing activity. Our legal basis for this processing is **Consent** (Article 6(1)(a)).[11]
You can manage and delete cookies via your browser settings. The mechanism provided to withdraw or change your consent for non-essential cookies is as simple as the initial mechanism used to grant consent.[1] Full details of the specific names, exact purposes, and durations of all cookies used are provided in our dedicated Cookie Policy (linked in the footer) and within the consent banner.[6, 9]
Information we collect when you contact us
We collect and use personal data from individuals who contact us in accordance with this section and the section entitled Disclosure and additional uses of your information.
Enquiries
When you send an enquiry (e.g., via email or contact form), we collect your name and email address. This information is used solely to respond to your specific enquiry.
We rely on the legal basis of **Legitimate Interests** (Article 6(1)(f)) for this purpose.[5] Our legitimate interest is the efficient and professional management of customer communications, pre-contractual requests, and general operational support, which is necessary for our business. The data collected is minimal, necessary, and proportional to the purpose.[12]
Newsletter
When you sign up for our newsletter, we collect your email address. We rely on the legal basis of **Consent** (Article 6(1)(a)) for this purpose.[13] You can unsubscribe at any time via the link provided in every email. Withdrawal of consent is as easy as giving consent.[13]
Information we collect when you interact with our websites
Customer Support
When you use our customer support functions (e.g., chat), we collect communication history and other related information to resolve your query.
We rely on the legal basis of **Contract** (Article 6(1)(b)) for this purpose, as this processing is necessary to provide the service explicitly requested by you, or to take steps at your request prior to entering into a contract.[13]
Information we collect when you place an order for our goods or services
When you place an order, we collect and use personal data in accordance with this section and the section entitled Disclosure and additional uses of your information.
Processing your order
We collect your name, email, phone number, billing address and shipping address. This information is used to process your order, fulfil our contract, and for accounting and tax purposes.
Our legal basis is **Contract** (Article 6(1)(b)) for service fulfilment, and **Legal Obligation** (Article 6(1)(c)) for statutory requirements such as tax and financial record keeping.[13]
Payment processing
Payment details are handled by our third-party payment provider. We do not store full payment card details ourselves.
Our use of automated decision-making and profiling
We do not use any automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you, as defined by Article 22 of the GDPR.[14, 15] Profiling that may occur (e.g., tailoring marketing content) is limited in scope and does not result in a significant or legal effect on the individual.[14]
Disclosure and additional uses of your information
This section sets out the circumstances in which your information may be disclosed to third parties and additional purposes for which we use your information.
Disclosure to service providers
We use third-party service providers (e.g., website hosting, email services, payment processors) to help us operate our business. These providers act as Processors and only process data on our behalf under strict contractual instructions, which include the requirement to implement appropriate technical and organisational security measures.
Disclosure for legal reasons
We may share your information with law enforcement or other third parties if required by law or necessary to protect our legal rights (Legal Obligation or Legitimate Interest, depending on the circumstances).
How long we retain your information
In accordance with the principle of **Storage Limitation** (Article 5(1)(e)), we will only keep your information in an identifiable form for as long as is strictly necessary for the purpose it was collected.[8] We maintain a detailed internal retention schedule, and we have established mandatory time limits for the review and erasure of all personal data. Our retention periods are determined by balancing business necessity with statutory requirements (e.g., tax, labor law).[4]
Examples of our mandatory retention periods include:
- **Customer Transaction Data (for tax compliance):** Retained for 7 years post-financial year end, as mandated by Irish tax law (Legal Obligation).
- **Marketing Data (Consent-based):** Retained until withdrawal of consent, or 24 months of proven inactivity, followed by immediate deletion (Consent).
- **Customer Support Enquiries (Non-transactional):** Retained for a maximum of 18 months to manage service history and inform product improvement (Legitimate Interest).
- **Data retained for Legal Defense:** Data necessary to defend against possible future legal claims is retained only for the duration of the relevant statutory limitation period for a claim to arise, and is deleted promptly thereafter.[3]
When data is no longer needed, we will securely delete or irreversibly anonymise it.[4]
How we secure your information
We take appropriate technical and organisational measures to safeguard your personal data. These include SSL encryption, firewalls, secure access controls, pseudonymisation where appropriate, and regular security audits to protect against unauthorized access, disclosure, alteration, or destruction.
Transfers of your information outside the European Economic Area
Any transfer of personal data outside the European Economic Area (EEA) is subject to Chapter V of the GDPR.[2] Your information may be transferred to and stored in countries outside the EEA, including the United States, where our service providers are located.
For transfers to countries not deemed ‘adequate’ by the European Commission, we ensure the transfer is legal by relying on the following appropriate safeguards [16]:
- **Standard Contractual Clauses (SCCs):** We rely on the EU Commission’s approved SCCs for data transfers. However, reliance on SCCs alone is insufficient. We commit to conducting **Transfer Impact Assessments (TIAs)** to evaluate the legal environment of the recipient country and, if necessary, implement supplementary technical and organisational measures to ensure your data retains the same level of protection guaranteed under the GDPR.[2]
- **Adequacy Decisions:** For transfers to countries (or specific entities) that benefit from an Adequacy Decision, such as the EU-US Data Privacy Framework (DPF), we rely on this decision only where the recipient US organization is specifically certified under the DPF.[16]
We ensure that all onward transfers of your personal data from the third-country recipient to any other organisation are subject to the same stringent safeguards.[2]
Your rights in relation to your information
Under the GDPR, you have the following rights, which you can exercise by contacting our Data Protection Officer at the details provided in the “Our details” section:
- **The Right to be Informed** (Articles 12-14): The right to know about the collection and use of your personal data.[7]
- **The Right of Access** (Article 15): The right to view and request copies of your personal data.[7]
- **The Right to Rectification** (Article 16): The right to request inaccurate or outdated personal information be updated or corrected.[11]
- **The Right to Erasure** (The Right to be Forgotten, Article 17): The right to request your personal data be deleted.[11]
- **The Right to Restrict Processing** (Article 18): The right to request the restriction or suppression of your personal data.[11]
- **The Right to Data Portability** (Article 20): The right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.[7]
- **The Right to Object** (Article 21): As detailed below.
- **The Right to object to Automated Decision-Making and Profiling** (Article 22): The right to object to decisions based solely on automated processing (if applicable, though we confirm we do not engage in high-risk profiling).[11]
Your right to object to the processing of your information for certain purposes
You have the right to object to the processing of your information where we rely on **Legitimate Interests** (Article 6(1)(f)).[17] We will cease processing your data immediately unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
You have an **absolute right to object** to the processing of your data for **direct marketing purposes**.[11] When you exercise this right, we will immediately cease all direct marketing activities. To ensure your objection is honored and you are not contacted again, we will retain minimal necessary identifying information on a ‘suppression list’. This retention is a necessary exception to the Right to Erasure and is required for compliance with our legal obligation to honor your objection.[3]
Sensitive Personal Information
We do not knowingly or intentionally collect ‘sensitive personal information’ (special categories of data, as defined by Article 9 of the GDPR) from you, and we ask that you do not submit such information to us.
Changes to our Privacy Policy
We may change this privacy policy from time to time. The latest version will always be posted on our website. This policy was last updated on.
Children’s Privacy
Our website is not aimed at children under the age of 16. If you are under 16, please do not use our website. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that information promptly.
California Do Not Track Disclosures
“Do Not Track” is a preference you can set in your browser that tells websites you do not want to be tracked. We do not currently respond to DNT signals.
Copyright
Copyright 2024 HeavenTree Ltd.