GDPR Statement

Review of GDPR 2018 impacts and compliance

Hot Pot Pottery – tea-room, gallery & pottery studio

Change in the Law

We have reviewed our data use and storage in our business based on our understanding of the changes in Data Protection law on GDPR applicable from May 2018. The statements below represent our findings as a result of that review.

What data do we hold?

At Hot Pot Pottery we record the following information in our written diary and on handwritten carbon copy receipts in relation to your booking for pottery painting, courses or pottery trial classes and the pottery you may be leaving for us to glaze & fire:

  • Booking date
  • Any food allergies/intolerances (if food is included in the booking)
  • Lead booking contact name
  • Contact telephone number(s) &/or email address
  • Postal address (if delivery is required) and any special instructions for our couriers
  • Details of the pottery being left and likely delivery date

We also have customers’ email addresses/mobile numbers in our email/phone records.

We do not take card payments through our website so we do not store bank card details. The majority of our payments are paid on-line directly into our bank account, in person through our card payment machine, by cheque or in cash.

On occasion, we do take card details over the phone to put through our card machine, but in this case they are handwritten and destroyed immediately once the payment is complete.

Limited payment data is stored by the business’s PayPal card payments system within our PayPal account, although this is only transaction data: no names and addresses, and only partial card details, are retained. Whilst the PayPal system does often supply a contact email/mobile number within the transaction to send a receipt to, these details are not available to use once the transaction is complete.

How do we store the data we hold?

We have a written daily diary with the details of those booking pottery trial classes/courses or pottery painting and written carbon receipts (of which we keep one copy and the customer has a copy) for any pottery left here for glazing & firing.

We also have customers’ email addresses/mobile numbers in our email/phone records.

How do we use the data we hold?

The data we hold is purely used to contact customers about their booking/courses/classes prior to their arrival, during the course of classes/courses and afterwards in relation to delivery of pottery or any items left behind.

We do not contact customers (past, present or future) with any information regarding any promotions or future events at Hot Pot Pottery. All promotional marketing of this nature is undertaken via our ‘Latest News’ on our website, on our Facebook page, Twitter, WVFDTA website, press releases, printed materials and advertising.

The Hot Pot Pottery Facebook page is used to update those who have indicated they wish to be ‘friends’ of the business. This is subject to the normal security protocols of Facebook, contains no personal information and people can ‘unfriend’ at any point.

What will we do if you wish to change your data record or have it removed?

We do not proactively use data held to contact customers (past, present or future) so in the case where visitors’ contact details have changed then following an inbound communication from them in relation to a new booking, the new contact details would be used in relation to that booking.

In terms of access, we have stated here what data we hold on visitors, why we hold it and what it is used for.

In terms of personal data removal, should visitors wish us to remove their personal data held then the following would happen. We would delete all emails/mobile messages in our records relating to their email address & mobile number and (assuming all pottery had been delivered) destroy the carbon receipt and remove the written record in the diary.

In terms of any messages/communications/reviews etc. left by visitors on Google, TripAdvisor, Facebook or any other third-party platform, we would expect customers to manage and remove those as they saw fit, although we do feature some on our website and if we were asked to remove these then we would.

We would undertake this within a month of receiving the request (to allow for delay if we are on holiday) and we would then confirm the removal of data (and then destroy that communication).

Data Security

As our business is run by 2 people who are a married couple and they are the only people who have access to the data we hold, our assessment of the risk of a breach is that it is highly remote. We do not anticipate any security breaches.

Conclusion

We do not believe that the way we store and use the data we hold provides a security risk or falls within the scope of the changed data protection legislation in GDPR from May 2018.