Privacy Policy

Williamstudios.com are committed to ensuring that your privacy is protected.

 

Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

This Privacy notice is here to inform you what to expect us to do with your personal information when you contact us in order to use one of our services.

Who we are

https://williamstudios.com is a website showing some of the artwork of Gareth Williams and Nicole Willson.

The site is run by Gareth Williams. 

You may contact us by email:

privacy@williamstudios.com

 

For general enquiries unrelated to the privacy policy, please use our contact page or email us at info@williamstudios.com.

Data controller

For https://williamstudios.com – Gareth Williams acts in the capacity of Data Controller.

For any enquiries or concerns you may have about the data of yours that we may hold, you can contact us at the above email addresses.

 

What is ‘Personal Data’

Personal Data is any information which makes you identifiable as an individual. Examples of such data are your name, address, email, IP address and browser cookies.

Under the current EU GDPR your computer “IP” address is now considered personal data.

What data we collect and why we collect it

Outlined below are the various types of information data that we collect from you and the reasons for which we collect that data.
Contact forms
We use contact forms to collect users’ email addresses when they make an enquiry.

We collect this so we may reply to the enquiry.

We collect this information on the lawful basis of: – Consent

(GDPR Art 6(1)(a)):

“the data subject has given consent to the processing of their personal data for one or more specific purposes;”

You will see the check box which is next to our contact form which will not send the form without your consent to our processing your personal data.

Analytics
We use Google Analytics cookies to track what website users are looking at on our website so that we may improve the site performance and make a better experience for you.

Under the Google Terms of Service we ask for your consent to process your personal data in this way.

We collect this information on the lawful basis of: – Consent

(GDPR Article 6(1)(a)):

“the data subject has given consent to the processing of their personal data for one or more specific purposes;”

Cookies

 

Please note that you can at any time revise your cookie preferences on our site by going to the footer and clicking on “manage cookies”.

A cookie is a small text file which is placed onto your computer (or other electronic device) when you access our website. We use cookies on this website to:

  • recognise you whenever you visit this website
  • carry out statistical analysis to help improve our content and to help us better understand our visitor and customer requirements and interests
  • make your online experience more efficient and enjoyable.

In most cases we will need your consent in order to use cookies on this website.

The cookies we use on our site –

Cookie Banner

One cookie which operates the cookie banner preferences

“tarteaucitron”

What it does: It remembers your cookies settings

Who gets this cookie: This is set for all users. Set for 365 days, but you can re-set it at any time and it would then run again for 12 months unless you re-set it again in the meantime.

How this cookie helps: It remembers your settings and doesn’t bring up the banner again for 365 days, so you don’t have to accept every time you visit the site.

 

Google Analytics

Google analytics cookies that we set are first party cookies.

These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website.

Cookies Set by Google Analytics – all three are first party cookies:

“_ga GA Google Analytics cookie”

What it does: It is used to distinguish users.

Who gets this cookie: This is set for all users. Set for 14 months.

How this cookie helps: It lets us see what different users are looking at on our site, i.e. their habits and interests, so we can improve our site for you.

“_gat GA Google Analytics cookie”

Who gets this cookie: Everyone gets this cookie. Set for 1 minute and expires.

How this cookie helps: This cookie is used to throttle request rate.

“_gid Google Analytics cookie”

What it does: It is used to distinguish users.

Who gets this cookie: This is set for all users.

How this cookie helps: This helps us improve our site usability, by watching the way users navigate the site.

We collect this personal data on the lawful basis of: – Consent

(GDPR Article 6(1)(a)):

“the data subject has given consent to the processing of their personal data for one or more specific purposes;”

You can find out about Google “Safeguarding your data” here –
Google Safeguarding your data

 

Wordfence

Cookies Set by Wordfence – this is a first party cookie:

“wfwaf-authcookie-(hash)” sets one cookie to uniquely identify visitors shown in Wordfence Live traffic.

What it does: This cookie is used by the Wordfence firewall to perform a capability check of the current user before WordPress has been loaded.

Who gets this cookie: This is only set for users that are able to log into WordPress.

How this cookie helps: This cookie allows the Wordfence firewall to detect logged in users and allow them increased access. It also allows Wordfence to detect non-logged in users and restrict their access to secure areas. The cookie also lets the firewall know what level of access a visitor has to help the firewall make smart decisions about who to allow and who to block.

We collect this information on the lawful basis of: – Our Legitimate Interests 

(GDPR Art 6(1)(f)):

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

 

How to turn off cookies

If you do not want to accept cookies, you can change your browser settings so that cookies are not accepted. If you do this, please be aware that you may lose some of the functionality of this website. For further information about cookies and how to disable them please go to: www.aboutcookies.org or www.allaboutcookies.org.

To find out more about how to manage the cookies in your browser you can check the links below –

Google Chrome

Microsoft Edge

Mozilla Firefox

Microsoft Internet Explorer

Opera

Apple Safari

Technical Information
In order to maintain the integrity, security and performance of our systems and infrastructure of the site for you, for other users and for ourselves, we must run security audit logs as a vital part of our service.

The logs are fully GDPR compliant. None of your information leaves our database.

The logs help us as part of the process of identifying any security breaches, as they notify us when they detect unusual activity. This allows us, in the case of a security breach, to investigate and then, if necessary, to notify our users within 72 hrs of any breach.

For users who are logged in, the logs only record the name, user role and IP address, some information about the device, and the actions they complete when logged in.

No personal data is taken from visitors who are not logged in.

We collect this information on the lawful basis of: – Our Legitimate Interests 

(GDPR Art 6(1)(f)):

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

We also run security software which regularly runs scans of the site database to protect the website from malware and hackers with malicious intentions.

This software installs cookies on your browser – these are first party cookies.

This software, as with the activity log software, is there to protect the website visitors, users and the website itself, and as such we do not ask your consent to run these cookies.

We collect this information on the lawful basis of: – Our Legitimate Interests –

(GDPR Art 6(1)(f)):

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Contracts

If you, the user, should decide to become a client with us, you will need to enter into a contractual agreement with us. This may take place on or off the website, but if it occurs by email, then the information of the contract will be collected and stored on the WordPress database of https://williamstudios.com.

Contracts will have the personal data of the user, such as name, email, telephone number and address, along with the financial terms of the contract. We need this information to be able to fulfill our services for the user.

We collect this information on the lawful basis of: Contract

(GDPR Article 6(1)(b))-

“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”

You have a lawful basis if:

  • you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract.
  • you haven’t yet got a contract with the individual, but they have asked you to do something as a first step (eg provide a quote) and you need to process their personal data to do what they ask.

Please note that no financial transactions take place on https://williamstudios.com. The transactions will either be handled through PayPal, Stripe or via a bank draft.

Shipping Details
In the event that a website user enters into a contract with us and commissions a piece of work from us, we will then need to provide the shipping agent with the following forms of the site user’s personal data – Name, Surname, Address and possibly telephone number.

We collect this information on the lawful basis of: – Consent

(GDPR Art 6(1)(a)):

“the data subject has given consent to the processing of their personal data for one or more specific purposes;”

Proof Of Purchase
If a user buys something from us we have to keep the receipts with the user’s personal data on them for both tax purposes, and also to be able to provide them for any legal claims.

Small businesses in the UK must keep receipts for at least 6yrs and sometimes longer.

We collect this information on the lawful basis of: Legitimate Interests

(GDPR Art 6(1)(f)):

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

How long we retain your data

Security Audit Log

Our security audit log records the activities of all logged in users, and as such website visitors are not recorded unless they attempt to hack into the site login. The information retained is their IP address, which is held for 12 months after any attempted security breach.

Wordfence Security

Attack data is collected and sent to Wordfence where it is kept until it is no longer useful. Generally that is 90 days but if the data is still malicious, it is kept active until it is no longer malicious.

Contact Form Info

Attack data is collected and sent to Wordfence where it is kept until it is no longer useful. Generally that is 90 days but if the data is still malicious, it is kept active until it is no longer malicious.

Receipts of purchase

Receipts of purchase, which may contain your name, address and email, are kept for at least 6yrs – small businesses in the UK are required to hold copies of all financial transactions for a minimum of 6yrs or longer.

Contracts

Contracts with data info are kept indefinitely. The personal data they contain is – name, address and email.

Shipping Details

The personal data we hold for shipping details – name, address and sometimes telephone number, as they will be included on the shipping payment receipt – will be held for at least 6 yrs. Small businesses in the UK are required by law to hold copies of all financial transactions for a minimum of 6yrs or longer.

To see how long the shipper keeps your personal data you will need to consult their website privacy policy.

Google Analytics

Our Google Analytics account is set to hold your IP address for 14 months.

You can find more about Google Analytics here –

Google Analytics

What rights you have over your data

In the situation where you have directly provided us personal information, such as through our contact form, you have a number of rights regarding the personal data we hold.

Right to be informed

This means you have the right to ask us about any collection and use of your personal data. In turn we must confirm if we are holding any of your personal data, what our purposes are for processing your personal data, our retention periods for your personal data, and with whom it may be shared.

Your request may be verbal or in writing.

We have one calendar month to reply to your request.

Right of access

You have the right to request and obtain a copy of any of your personal data which may be held on our website database – commonly referred to as subject access.

This may be done verbally or in writing.

To make it easy for you we have a page specifically for this purpose with a form you can use quickly and easily – “Request User Data” which is in the footer menu of every page on the website, along with the “Privacy Policy” and “Terms of Use”.

We are allowed one month by the regulator to reply to your request.

Right of rectification

You have the right to ask us to rectify any incorrect, or incomplete, information we may hold about you.

You can make your request either verbally or in writing.

We have one month to comply.

Right of erasure

Otherwise known as “the right to be forgotten”, you may ask to have any of your personal data we hold to be erased.

The request may be made verbally or in writing.

Your right to erasure is not absolute and will only apply in certain situations, as the website is also obliged to keep certain information, for example for taxes, for a period of at least 6 years.

We have one calendar month to reply.

Right to restrict processing

You have the right to restrict the processing of your personal data in certain circumstances. Some examples are:

  • this could be asked for if you feel that there are inaccuracies in your data and you are verifying the accuracy;
  • the data has been unlawfully processed, and instead of erasure you choose to request a data restriction;
  • you no longer have a need for the personal data which our website holds in storage;
  • if an individual has objected to our processing their personal data we can restrict processing the data whilst we consider if our reasons for processing legitimately override those of the individual.

When your personal data has been restricted we are not allowed to process it in any way other than to store it without your consent, except for legal matters or for important public interest.

We must restrict your data within one month of your request for a restriction of your data.

Right to data portability

You have the right to ask us to obtain your personal data and to reuse it for your own purposes – this is known as “the right to portability”.

It is to allow you to move your personal data from one IT environment to another.

The information covered by data portability is only personal information which you have provided to us.

You may either (a) ask to receive a copy of your personal data, or (b) ask to have your personal data transmitted from one controller to another.

We have one calendar month to reply to your request from the date of its receipt.

The right to object

You have the right to object to the processing of your personal data in certain circumstances, and you have the right to stop the data being processed in those circumstances.

You may make us aware of your objection either verbally or in writing.

We have one calendar month to respond to your objection from the date of its receipt.

Rights related to automated decision making including profiling

You have rights related to automated decision making including profiling.

The Right to complain

You have the right to complain to the regulatory authority in your country. In the UK the regulatory body is the Information Commissioner’s Office.

You can contact them here –

ICO Make a complaint

Who we share your data with

Web Hosting

Our web hosting suppliers, Siteground Hosting Ltd, provide the physical server infrastructures that our website operates on, and also the backups. Our Siteground servers reside physically in the UK, and no customer data is transferred to data centres outside the EU.

All our database is on their servers.

You can read their privacy policy here –

Siteground Ltd Privacy

Google Analytics

We use Google Analytics to set cookies in users’ browsers. These cookies are used to track the way users are visiting and interacting with this website.

The information that they collect is the user’s IP address, which is, under the most recent GDPR regulation, considered to be personal data.

We have provided you with an “opt-out” option box in the cookies notice which opens when you visit our website, so you can refuse the cookies before you start to browse the site.

You can always access the cookies notice from the footer of our website and at any time change your acceptance or refusal of these cookies by checking the relevant boxes.

For more info go to the section on cookies, where you will also find relevant links explaining their usage on websites.

Or click the link below –

Google Analytics and your data

 

Defiant Inc.

Security – Wordfence

Defiant Inc. are the providers of the Wordfence™ security software that protects our website. Only limited, technical data (such as device IP address, browser type/version, language etc.) are transmitted.

As Defiant is outside of the EU we have a signed Data Protection Agreement with them, as required by the EU, until their EU-US Privacy Shield application is ratified. The DPA uses the accepted EU Model Contract Clauses, and you can see the contract here –

https://www.wordfence.com/gdpr/dpa.pdf

You can also check the Wordfence/Defiant privacy policy here –

https://www.wordfence.com/privacy-policy/

Data sent to Wordfence is attack data.

Shipping Agents

In the event that a website user enters into a contractual agreement with us, and commissions a piece of work from us, we will then need to provide the shipping agent with the following forms of the user’s personal data – name, surname, address and sometimes email and telephone.

This personal data is given to the shipper on their website and will be covered by their data protection policies.

We cannot provide the service without giving this information.

The third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.

We always seek consent in writing from the user/now client before we give their personal information to the shipper.

We do not have a preferred shipper.

PayPal Inc

In the event that a website user enters into a contractual agreement with us we will create an invoice with our PayPal Account.

This would be created on the PayPal Inc website, and we would be sharing your email, your name and the financial amounts to create the invoice.

Third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.

In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider other legal obligations may be placed upon them by the laws of their jurisdiction.

Please check PayPal’s Privacy Policy here –

PayPal Privacy Policy

Before we invoice you, we will have already entered into a contractual agreement with you, and the terms and lawful basis for processing this data are listed here.

We will always seek your consent before giving PayPal the details to create the invoice.

Tax Authorities

Any receipts of financial transactions that we conduct which contain your personal information will be kept to be shown to HMRC if requested. These will contain the client’s name and address.

Lawyers

Should you enter into a contractual agreement with us we are obliged to give your personal data – name and address – to our lawyers so that we may provide the services that we have promised to provide to you.

We will only do this with your written prior consent.

The third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.

Where we send your data

Wordfence

The personal data which is sent to Wordfence is attack data, and is sent to the US.

The form of personal data is visitor IP addresses.

What they actually log from an attack is IP address, request time, referrer (when available) and browser user-agent string.

So from the above items they get:

IP address, location, search queries, date and time of request, referral URL, device make, model and OS, mobile network info, ISP, browser type and language, country, timezone.

The ‘metadata stored on the device’ refers to things like other HTTP headers that may indicate preferred language etc. This can be helpful in determining an attacker’s origin.

We have a signed Data Protection Agreement with Defiant Inc., the owners of Wordfence.

If your personal data is involved in an attack and you wish to see it, we submit a data request to Wordfence for your personal data which was involved in the attack, and in accordance with our Data Protection Agreement Wordfence will send us the requested data.

How we protect your data

Access control: Access to your data is limited to only the controller and the security specialists.

Security software: We operate security scanning and access control software on our website. This software is responsible for limiting login attempts to our site, blocking potentially malicious attempts to access our services, and regularly performing full file system scans. With the company that runs this service we have a signed Data Protection Contract.

Security Audit Log: We have a log of all activities by logged in users which will alert us if anyone tries to breach security and any actions they took.

Data encryption: This website is also secured with SSL encryption, which means that all traffic to and from our servers is encrypted. This applies to our own access to the website as well as that of users of our services.

williamstudios.com itself has an SSL certificate – you will see in the browser window a padlock and the word “secure”. These indicate that the “https protocol” is activated, which allows a secure and encrypted connection from our web server to your browser.

What data breach procedures we have in place

If a data breach occurs we are alerted by our security software “Wordfence” and also by alerts from our Security Audit log.

We then would make contact with our Hosting company – Siteground Ltd.

Following the establishment of the sensitivity of any breach we would follow the standard procedures outlined by the ICO in the UK.

We are required to keep logs of any breaches detected and of the nature of the data which has been breached and to report this to the ICO within 24 hrs of becoming aware of the essential nature of the breach.

You can check these here –

ICO Data Breaches

In the case of a data breach, users have to be notified within 72 hrs if any personal information has been breached and whether or not you need to take any action.

What third parties we receive data from

We do not receive data from third parties.

Children’s Information

Even though our website is not designed for use by anyone under the age of 16, we realize that a child under the age of 16 may attempt to access our website. We do not knowingly collect personal data from children under the age of 16. If you are a parent or guardian and believe that your child is using our website, please contact us. Before we remove any information, we may ask for proof of identification to prevent malicious removal of account information. If we discover that a child is accessing our website, we will delete his/her information within a reasonable period of time. You acknowledge that we do not verify the age of our users nor do we have any liability to do so.

Changes to our Privacy Policy

We reserve the right at any time to change this Privacy Policy. Should we change this Privacy Policy we will post those changes on our website so that users can become aware of the changes to the Policy. We will only process our users’ and customers’ personal data for the purposes we declared at the time of the collection of that data. Your continued use of our website will constitute your acceptance of that change.
