• The personal data we collect
• How we collect your data
• How we use your data
• Marketing preferences, adverts and cookies
• Links to other websites and third parties
• How we share your data
• Your rights
• Changes to this privacy notice
• How to contact us
WHO IS NASTY GAL
OUR COMMITMENT TO YOU
We will only collect and use your personal data for the following purposes, to:
• fulfil your order(s)
• fulfil orders made on your behalf (e.g. e-gift card orders)
• keep you up to date with the latest offers and trends
• give you a better shopping experience
• help us to make our marketing more relevant to you and your interests
• improve our services
• meet our legal responsibilities
HOW WE KEEP YOUR DATA SAFE AND SECURE
The communication between your browser and our website uses a secure encrypted connection wherever your personal data is involved.
We require any third party who is contracted to process your personal data on our behalf to have security measures in place to protect your data and to treat such data in accordance with the law.
In the unfortunate event of a personal data breach, we will notify you and any applicable regulator when we are legally required to do so.
THE PERSONAL DATA WE COLLECT
While our website is designed for a general audience, we will not knowingly collect any data from children under the age of 13 or sell products to children. If you are under the age of 13, you are not permitted to use or submit your data to the website.
The following groups of personal data are collected:
Identity Data includes information such as: first name, last name, title, date of birth (optional), occupation, personal description, photo and gender.
Contact Data includes information such as: email address, billing address, delivery address, location, country, telephone number, loyalty programme membership number, and social media id (if you log in by social media).
Financial Data includes information such as: payment card details and bank account.
Transaction Data includes information such as: details of your purchases and the fulfilment of your orders (such as basket number, order number, subtotal, title, currency, discounts, shipping, number of items, product number, single item price, category, tax etc.); payments to and from you and details of other products and services you have obtained from us, correspondence or communications with you in respect of your orders, and details of any rewards and bonuses awarded.
Technical Data includes information such as: details of the device(s) you use to access our services, your internet protocol (IP) address, login data, your username and password, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform.
Profile Data includes information such as: purchases or orders made by you, product and style interests, preferences, feedback, and survey responses.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
HOW WE COLLECT YOUR DATA
Direct interactions – you may give us your Identity, Contact, Financial, Transaction, Profile, and Marketing and Communications data (as described above) by filling in forms, entering information online or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide, for example, when you:
- Create an account or purchase products on our website;
- Subscribe to our newsletter, discussion boards, social media sites or create wish lists;
- Enter a competition;
- Join a Nasty Gal loyalty programme;
- Complete a voluntary market research survey;
- Contact us with an enquiry or to report a problem (by phone, email, social media, or messaging service);
- Use a “refer a friend” function on our website; or
- When you log in to our website via social media.
Automated technologies or interactions – as you interact with our website, we may automatically collect the following types of data (all as described above): Technical Data about your equipment, Usage Data about your browsing actions and patterns, and Contact Data where tasks carried out via our website remain uncompleted, such as incomplete orders or abandoned baskets. We collect this data by using cookies, server logs and other similar technologies. Please see our Cookies Policy here for further details.
Third parties – we may receive personal data about you from various third parties, including:
- Identity and Contact data from another individual when they purchase an e-gift card for you or use the "refer a friend" function on our website;
- Technical Data from third parties, including analytics providers such as Google. Please see further information in the section entitled ‘Marketing preferences, adverts and cookies’.
- Technical Data from affiliate networks through whom you have accessed our website;
- Identity and Contact Data from social media platforms when you log in to our website using such social media platforms;
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services;
- Identity and Contact data from third parties, including organisations (including law enforcement agencies), associations and groups, who share data for the purposes of fraud prevention and detection and credit risk reduction.
HOW WE USE YOUR DATA
We will only collect and process your personal data where we have a legal basis to do so. As a data controller, the legal basis for our collection and use of your personal data varies depending on the manner and purpose for which we collected it.
We will only collect personal data from you when:
- we have your consent to do so, or
- we need your personal data to perform a contract with you. For example, to process a payment from you, fulfil your order or provide customer support connected with an order, or
- the processing is in our legitimate interests and not overridden by your rights, or
- we have a legal obligation to collect or disclose personal data from you.
USES MADE OF YOUR PERSONAL DATA
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To create an account and register you as a new customer (either directly or via social media). | • Identity | • Performance of a contract with you |
| To process and deliver your order including: recording your order details; keeping you informed about the order status; process payments and refunds, collect money owed to us; and automated decision making to assist fraud prevention and detection. | • Identity | • Performance of a contract with you • Necessary for our legitimate interests (e.g. to recover debts due to us). For automated decision making we consider that fraud detection and prevention is in our legitimate interests to ensure that fraudulent transactors are unable to benefit from our services and in the legitimate interest of the public as a whole due to the impact of fraud on the consumer market; we also consider it a necessary element of entering into a contract with you that we are able to verify your identity and prevent fraud. |
| To manage our relationship with you, including: providing you with any information, products and services that you request from us; notifying you about changes to our services, terms and conditions or privacy notice; asking you to leave a review or take a survey. | • Identity • Marketing and Communications | • Performance of a contract with you • Necessary for our legitimate interests (to keep our records updated and to study how customers use our products and services) |
| To enable you to take part in a competition, event, survey, or receive a reward for shopping with us. | • Identity • Marketing and Communications | • Necessary for our legitimate interests (to study how customers use our products and services, to develop them and grow our business) • Where you have decided to enter into a competition or event, for the performance of a contract with you |
| To administer, protect and improve our business and our website/app, including: troubleshooting, data analysis, testing, system maintenance, support, data analysis, reporting and hosting of data; setting default options for you, such as language and currency. | • Identity • Marketing and Communications | • Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, and to detect and prevent fraud) • Necessary to comply with a legal obligation |
| To deliver relevant website content, online advertisements and information for you; and measure the effectiveness of the advertising provided. | • Identity • Marketing and Communications | • Necessary for our legitimate interests (to study how customers use our products and services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to: improve our website, products, services, marketing, customer relationships and experiences; and for market research, statistical and survey purposes. | • Technical | • Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To recommend products, services, discounts and offers that may be of interest to you, including to send you such information by email, post or SMS. | • Identity • Marketing and Communications | • Necessary for our legitimate interests (to develop our products and services and grow our business) or • Consent. See further details in the section ‘Marketing preferences, adverts and cookies’ |
| To inform or remind you by email of any task carried out via our website which remains uncompleted, such as incomplete orders or abandoned baskets | • Identity | • Necessary for our legitimate interests (to improve the shopping experience of our customers) |
| To process and deliver your e-gift card orders including taking payment and communicating with you and/or the nominated recipient if delivered to another person. | • Identity | • For automated decision making we consider that fraud detection and prevention is in our legitimate interests to ensure that fraudulent transactors are unable to benefit from our services; we also consider it a necessary element of entering into a contract with you that we are able to verify your identity and prevent fraud. |
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we wish to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We may process personal data without your consent, in compliance with the above rules, where this is required or permitted by law.
If you have any questions about how Nasty Gal use any of your personal data, please contact our Data Protection Officer, Keri Devine at DPO@nastygal.com.
HOW LONG WE KEEP YOUR DATA FOR
MARKETING PREFERENCE, ADVERTS & COOKIES
We may send you marketing communications and promotional offers:
• if you have opened an account with us or purchased goods from us, or registered for a promotion or event, and you have not opted out of receiving that marketing (in accordance with your preferences, as explained below);
• by email if you have signed up for email newsletters;
• if you have provided us with your details when you entered a competition and you have consented to receiving such marketing (in accordance with your preferences, as explained below).
We may use your Identity, Contact, Technical, Transactional, Usage, Profile Data and Marketing and Communications Data to form a view on what we think you may like, or what may be of interest to you, and to send you details of products and offers which may be relevant for you.
We will ask you for your preferences in relation to receiving marketing communications by email, post, SMS and other communication channels.
From time to time we may also include with your order, inserts advertising goods, services or offers from other third-party companies that you may be interested in.
In respect of third party marketing communications, we will obtain your express opt-in consent before we share your personal data with any third party for marketing purposes.
You will always have full control of your marketing preferences. If you do not wish to continue receiving marketing information from us (or any third party, if applicable) at any time:
• you can unsubscribe or ‘opt-out’ by using the unsubscribe button and following the link included in the footer of any marketing email; or
• account holders may withdraw their consent by simply logging in to ‘My Account’ here and editing your ‘Contact Preferences’.
We will process all opt-out requests as soon as possible, but please note that due to the nature of our IT systems and servers it may take a few days for any opt-out request to be implemented. Please be aware that opting out on one of our Services does not opt you out from any of our other Services unless that option is specifically provided. Please note that despite unsubscribing from such communications, Nasty Gal may still contact you in relation to your order(s), purchase(s) or any issues relating to any business you conduct with Nasty Gal.
OUR USE OF ANALYTICS & TARGETING TOOLS
The Digital Advertising Alliance (which includes companies such as Google, Responsys and Facebook) provides a tool called WebChoices that can perform a quick scan of your computer or mobile devices, find out which participating companies have enabled customised ads for your browser, and adjust your browser preferences accordingly.
If you would like any further information about the data collected by these third parties or the way in which the data is used, please contact us.
Google will use data for ad personalisation when a customer provides consent. Please see Google’s Privacy & Terms site which provides further detail as to how Google uses your personal data.
LINKS TO OTHER WEBSITES & THIRD PARTIES
HOW WE SHARE YOUR DATA
• where you have consented for us to do so. For example, if you have consented to receive marketing materials from third parties, or in respect of third parties’ (including co-branded or jointly promoted) products and services, we may pass your data on to the relevant third parties for the purpose of sending you such marketing communications;
• to other companies within the boohoo Group which carry out order fulfilment and provide HR, financial, IT, facilities, customer service, legal, travel and health and safety support functions.
• to business partners, suppliers, sub-contractors and other third parties that we use in connection with the running of our business for the purposes set out in the table above in the section ‘How we use your data’, such as:
- third party service providers that we engage to provide IT systems and software, and to host our website;
- third party service providers that we engage to deliver goods you have ordered and to manage any returns;
- third party service providers that we engage to send emails and postal mail on our behalf including in relation to incomplete orders or abandoned baskets, or marketing communications, to provide data cleansing services and to provide marketing and advertising services;
- third party service providers that we engage to deliver and process your e-gift card orders and e-gift card payment (including Jigsaw Business Solutions Ltd and Stripe Payments UK Ltd)
- analytics and search engine providers that assist us in the improvement and optimisation of our website;
- affiliate networks through whom you have accessed our website;
• to any third party to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
• to protect our customers and website from fraud and theft, we may share your personal data with Ravelin and/or Risk Guardian and/or Forter and/or other fraud prevention and analysis service providers, in order to carry out fraud prevention checks on our behalf. If personal data is provided to Ravelin, Ravelin will also use this personal data to improve its service and machine learning to improve its automated processing. A copy of Ravelin's privacy notice can be found at: https://www.ravelin.com/privacy-policy-new which explains how Ravelin will use your personal data for these purposes. If personal data is provided to Forter, Forter will use this personal data to improve its service and machine learning to improve its automated processing. A copy of Forter’s privacy notice can be found at: https://www.forter.com/service-privacy-policy/. We may further share personal data that is required to make identity checks and personal data that we obtain from making identity checks (including data relating to your age, name and location), together with account information, with organisations (including law enforcement agencies) involved in fraud prevention and detection and credit risk reduction. Please note that these third parties may retain a record of the information that we provide to them for this purpose;
• if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or
• to our professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
YOUR DATA & COUNTRIES OUTSIDE OF EUROPE
Whenever we transfer personal data outside the EEA, we will ensure a similar degree of protection is afforded to it by ensuring appropriate safeguards, as required by law, are in place. This may include using specific contractual clauses approved by the European Commission which give personal data the same protection as it has in Europe. More information about these is available here: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32010D0087
Please contact us if you want further information on the countries to which we may transfer personal data and the specific mechanism used by us when transferring your personal data outside the EEA.
• request access to your personal data
• request correction of your personal data
• request erasure of your personal data
• request restriction of processing of your personal data
• request the transfer of your personal data
• object to processing of your personal data
• request human intervention for automated decision making
Brief details of each of these rights are set out below. If you wish to exercise any of these rights, please email us at DPO@nastygal.com.
REQUEST ACCESS TO YOUR PERSONAL DATA
REQUEST CORRECTION TO YOUR PERSONAL DATA
REQUEST ERASURE OF YOUR PERSONAL DATA
REQUEST RESTRICTION OF PROCESSING YOUR PERSONAL DATA
REQUEST THE TRANSFER OF YOUR PERSONAL DATA
OBJECT TO PROCESSING OF YOUR PERSONAL DATA
REQUEST HUMAN INTERVENTION FOR AUTOMATED DECISION MAKING & PROFILING
We will try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. We may need to request specific information from you to help us confirm your identity and ensure your right to exercise any of the above rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
RIGHT TO LODGE A COMPLAINT
CHANGES TO THE PRIVACY NOTICE
CALIFORNIA CONSUMER PRIVACY ACT
HOW TO CONTACT US
Please send any questions, comments or requests for more information to our nominated representative and Data Protection Officer Keri Devine, who can be contacted at DPO@nastygal.com.
This privacy notice was last updated on 1st June 2022 (NG UK and Europe Version 1.13)
Nasty Gal UK Limited,
Registered Company Number: 10487954,
UK VAT Number: 185 4874 61.
If you are a California resident, please click here for more information about your specific privacy rights.