By Jordan Mauger
DATA PROCESSING NOTICE
We care about your personal data and ensuring you are informed about how we use it. We promise to protect your data, and to manage any information you share with us in line with data protection law.
This Notice sets out how and why we collect and use your personal data and our legal basis for doing so.
Who Are We?
We are Island Web Design Limited. We are registered with the Guernsey Registry (no. 71657). We are also registered with The Office of the Data Protection Authority (registration number DPA8763).
What do we do?
We at Island Web Design specialise in the design and development of custom-built websites, apps, stores and online platforms. We also engage in social media marketing via Facebook & Instagram and, on a smaller scale, in other web-related activities such as search engine optimisation.
What Data We Collect
Website Form Submissions: We collect personal information through our website forms. This includes full name, email address, phone number, and any messages provided by the user. This data is then passed to a thank-you page upon form submission.
Data Extraction and Processing: Separate from the thank-you page, we extract additional data such as cookies and IP addresses through different methods. This data is not directly passed through the thank-you page but is collected and processed through other means within our digital infrastructure.
Data Tracking and Analytics with Facebook and Google: The data collected, including the form data, cookies, and IP addresses, is sent to Facebook via the Facebook Pixel and Conversions API, managed through Google Tag Manager. This is done for analytics purposes and to match data with Facebook accounts for targeted marketing. The same data is also sent to Google Analytics 4 (GA4) for comprehensive website analytics.
Hashing of Data Sent to Facebook: As part of our commitment to data security and user privacy, all personal data sent to Facebook, including details extracted from website form submissions, is hashed before transmission. This means the data is converted into a secure, fixed-size code, rendering it unreadable and anonymous. This process ensures that even we cannot view the original data once it has been hashed, thereby enhancing the security and privacy of user information.
Integration with HubSpot CRM: Data from form submissions is integrated into HubSpot via their API, creating a contact in our CRM system. We use IP address data in this process for accurate data matching and customer relationship management.
Marketing and Audience Targeting: We use the collected data to develop targeted marketing lists and audiences on platforms like Facebook and Google, enhancing our marketing strategies and user experience.
Email Communication and Security: Email communications are managed through the HubSpot API, ensuring efficient and targeted outreach. We also implement Google’s Captcha on our server for security and spam prevention.
Cloud-Based Data Handling: Our data processing, including the handling of the Conversions API, is conducted using the Google Cloud Platform with a custom subdomain, ensuring secure and robust data management.
Management of DNS Records: We handle the DNS (Domain Name System) records for our clients through platforms like Netlify, Hostinger, and GoDaddy. This involves managing the settings that connect domain names to IP addresses, essential for the proper functioning of websites. We ensure that this data is handled with utmost care and security, adhering to best practices in domain management and data protection.
Storage of Private API Keys: For the secure operation of our services, we use private API keys which are crucial for integrating various applications and services. These keys are securely stored on Netlify, safeguarded by robust security measures. We ensure that these keys are accessed and used only for their intended purposes, maintaining their confidentiality and integrity.
Where Does This Information Come From?
The personal data we process primarily comes directly from our clients through website form submissions and interactions with our services. Additionally, certain technical data like IP addresses and cookies are collected automatically through our digital platforms and tools. We do not collect personal data from third-party sources without explicit consent.
How we use your personal data
We use the collected personal data to provide and enhance our web design and digital marketing services. This includes creating and managing websites, applications, and online platforms, conducting analytics for website optimization, engaging in targeted marketing and audience building on platforms like Facebook and Google, and maintaining client relationships through our CRM system. We also use this data for internal administrative purposes, such as managing DNS records and ensuring the security of our digital infrastructure.
Our Lawful Basis For Processing Your Personal Data
Contractual Necessity: We process personal data as necessary to fulfill our contractual obligations to our clients. This includes using personal information to design, develop, and manage websites, applications, and online platforms as agreed upon in our service contracts.
Legitimate Interests: We also process data based on legitimate business interests. This includes using data for analytics to improve our services, conducting marketing activities to promote our business, and managing our internal operations effectively. When processing data based on legitimate interests, we ensure that the impact on privacy is minimal and that the processing is necessary for our legitimate business purposes.
Consent: For certain activities, particularly in direct marketing and certain data analytics, we rely on obtaining explicit consent from our clients and website users. We ensure that consent is freely given, specific, informed, and unambiguous, with clear options for individuals to opt in or withdraw consent.
Compliance with Legal Obligations: In some instances, we process personal data to comply with relevant legal obligations. This includes adhering to data protection laws, tax, and corporate governance regulations.
Vital Interests: Although less common in our line of business, we may process data if it is necessary to protect someone’s life, which falls under processing for vital interests.
Obtaining Consent: We obtain consent to process personal data in several ways:
Website Interactions: Through clear and specific consent mechanisms on our website, such as cookie consent banners and opt-in checkboxes for marketing communications and analytics.
Direct Communication: Consent may also be obtained orally or via email, especially in situations where we engage in direct communication with clients or potential clients.
Online Forms and Registrations: Consent is sought through our online forms where users explicitly agree to the processing of their personal data for specified purposes.
Scope and Limitations of Consent: When we rely on consent to process personal data, we ensure that it is freely given, specific, informed, and unambiguous. We provide clear information about the data being collected, the purpose for its collection, and how it will be used.
Withdrawing Consent: Individuals have the right to withdraw their consent at any time. We provide easy and accessible ways to do this, such as unsubscribe links in emails or contact options on our website. It’s important to note that withdrawing consent may affect our ability to provide certain services. For example, without consent to process contact information, we may not be able to respond to queries or engage in business transactions effectively.
Transparency and Record-Keeping: We maintain records of consent, documenting when and how it was given, and the specific purposes it was given for. This helps us ensure compliance with data protection regulations and provides transparency to our users.
Types of Personal Data We Collect
Personal Identification Information: This includes full names, postal addresses, email addresses, and contact numbers. These details are typically gathered from website form submissions and direct communications.
Website Interaction Data: Data collected through interactions with our website, such as IP addresses, cookies, and usage data, which are used for analytics and improving our services.
Communication Data: Records of communications with clients and users, including email exchanges, contact form submissions, and communication preferences.
Bank and Payment Details: For transactional purposes, we may collect bank details or payment information when providing our services.
Digital Marketing and Analytics Data: Information gathered through digital marketing tools and analytics platforms, like Facebook Pixel and Google Analytics, which may include hashed data sent to Facebook, click IDs, and other online identifiers.
CRM Data: Information stored in our CRM system, such as client interaction history, preferences, and client service records.
DNS Records Management Data: For clients whose DNS records we manage, the relevant domain-related information.
Data Related to API Keys: Any data related to the use and management of private API keys necessary for integrating various applications and services.
Special Category Data
Defined in the Law as – “Personal data revealing an individual’s racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, genetic data, biometric data, health data, data concerning an individual’s sex life or orientation, & criminal data.” The Law requires this data to be processed with additional protection.
We do not process Special Category Data as defined by the Law.
Sharing of your Personal Data
We take the privacy of your personal data seriously and do not sell or rent your personal data to any third parties for marketing purposes. However, in the course of providing our web design and digital marketing services, certain personal data may be shared with trusted third-party service providers and platforms.
Digital Marketing and Analytics Platforms: Personal data collected through our website and digital marketing activities, such as user interactions and analytics data, may be shared with platforms like Facebook (through Facebook Pixel), Google Analytics, and other digital marketing tools for the purpose of analytics, audience targeting, and marketing efficiency.
CRM System: Data related to client interactions and communications is managed through our CRM system, HubSpot, necessitating the sharing of relevant data for efficient client relationship management.
Cloud-Based Services and Hosting Providers: We use cloud-based services and hosting providers, such as Netlify and Google Cloud Platform, which involves sharing data for the purpose of website hosting and data processing.
In all instances of data sharing, we ensure that our service providers adhere to strict data protection and privacy standards, consistent with our own policies and relevant data protection laws. We share only the necessary data required to deliver the service and maintain transparency in our data processing activities.
Transfer of Data
While our operations are primarily based within the Bailiwick of Guernsey, the global nature of the internet and digital services means that the personal data we collect may be transferred and processed outside of Guernsey. This can occur in the following instances:
Use of International Digital Services: We utilize various digital platforms and services for analytics, marketing, and client relationship management, such as Google Analytics, Facebook Pixel, and HubSpot. These platforms often operate on a global scale, and therefore, data processing may take place in different countries.
Cloud-Based Hosting and Storage: Our use of cloud-based services, including website hosting and data storage with providers like Netlify and Google Cloud Platform, may involve data transfer to data centers located outside of Guernsey.
Legal and Compliance Reasons: In certain circumstances, we may be required to transfer data to international authorities or entities for legal or compliance reasons.
In each case, we ensure that appropriate safeguards are in place to protect the personal data during transfer and processing. This includes verifying that our service providers are compliant with relevant data protection laws and standards, and where necessary, implementing measures such as standard contractual clauses or relying on adequacy decisions.
Our commitment is to maintain the security and confidentiality of your personal data, regardless of where it is processed.
While Island Web Design engages in digital marketing, including social media advertising on platforms like Facebook and Instagram, we do not engage in traditional forms of direct marketing, such as unsolicited emails or SMS messages to promote our services. Our marketing efforts are primarily focused on online channels and are not direct marketing in the conventional sense.
However, should we undertake any direct marketing activities in the future, we will provide clear and straightforward mechanisms for recipients to opt out of receiving such communications. This aligns with our commitment to uphold your preferences and comply with data protection laws.
Retention of Data
At Island Web Design, we are committed to retaining personal data securely and only for as long as necessary. Our data retention practices are as follows:
Purpose-Based Retention: We retain personal data only for the duration necessary to fulfill the purposes for which it was collected, as outlined in our Data Processing Notice. This includes providing our web design and digital marketing services, complying with our contractual obligations, and adhering to legal and regulatory requirements.
Statutory Obligations: In compliance with applicable laws, we retain certain types of data for specific periods as required by law. This might include financial records, transaction data, and other information relevant to tax laws and corporate reporting obligations.
Review and Weeding Process: Consistent with industry standards, we conduct regular reviews of the data we hold. Data that is no longer necessary for the purposes for which it was collected, or beyond the period required by law, is securely deleted or anonymized. Currently, our standard practice is to review and weed data after a period of 7 years.
Retention Policy Details: For specific details about the retention periods for different types of data, please refer to our comprehensive Retention Policy. This policy outlines the retention periods for various data categories in accordance with our legal obligations and operational requirements.
Adjustment of Retention Periods: We continuously evaluate our retention periods to ensure they are appropriate for our business needs and compliant with legal standards. Should we determine that a shorter or longer retention period is necessary or justified, we will adjust our practices and update our policies accordingly.
Our aim is to balance the need to retain data for legitimate business and legal purposes with our commitment to data minimization and privacy protection.
The Law provides you with a number of rights. Of particular relevance, you have the right to:
- request confirmation of the personal data that we hold about you and what we are doing with your data
- request correction of your personal data if incorrect, out of date or incomplete
- request that we stop any consent-based processing of your personal data after you have withdrawn that consent
While Island Web Design engages in social media marketing and maintains a presence on platforms such as Facebook and Instagram, this notice does not extend to the privacy practices of these third-party social media sites. Our interaction and use of these platforms are governed by the privacy policies and terms of the respective platforms.
We are not responsible for the data collection, use, and sharing practices of these third-party social media websites. When you interact with our content on these platforms, your data is subject to the privacy policies and terms of service of the platform itself. We encourage you to review the privacy statements and policies of these third-party websites and social media platforms to understand how they collect, use, and share your information.
Our use of social media platforms is primarily for marketing and communication purposes, and while we may collect insights and analytics provided by these platforms, the direct handling of personal data on these platforms is governed by their own policies, over which we have no control.
Functional Cookies: These are essential for navigating our site and using its features. They include cookies that enable services like form submissions and client login areas.
Analytics and Performance Cookies: We use tools like Google Analytics to collect information about how visitors use our website. These cookies help us understand user behavior, allowing us to improve our web services and content.
Advertising and Targeting Cookies: Through Google Tag Manager and Facebook Pixel, we implement cookies that track user interactions and help us tailor our marketing efforts on platforms like Facebook and Google. These cookies enable us to measure the effectiveness of our ads and customize the advertising content you see.
CRM Integration: Cookies are also used to integrate with our CRM system, HubSpot, enhancing our ability to manage client relationships effectively.
For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
We are defined as a Controller according to the Law. If you have any questions or queries regarding how your personal data is being managed, please contact Jordan Mauger by writing to Kris-Kei, Clos Du Bois, Grand Bouet, St. Peter Port, Guernsey GY1 2RR or by emailing firstname.lastname@example.org.
Contacting the Regulator
If you feel that your personal data has been handled incorrectly or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the data protection regulator – The Office of the Data Protection Authority (ODPA). You can contact them for advice by writing to:
The Office of the Data Protection Authority, St Martin’s House, Le Bordage, St Peter Port, Guernsey GY1 1BR
Last update/review: 2024