Privacy Policy & Cookies Statement Overview

This Policy is issued on behalf of the The Winery at Hundred Hills Limited (“Hundred Hills”), so when we mention “we”, “us” or “our” in this Policy, we are referring to Hundred Hills who are responsible for processing your data. The Winery at Hundred Hills Limited (reg. no. 8269454), with registered address at 2 Chawley Park, Cumnor Hill, Oxford, Oxfordshire, England, OX2 9GG is the controller and responsible for this website.

We are registered as a Data Controller under the Data Protection Act 2018 with the Information Commissioner’s Office under registration number ZA669673.

If you have any questions about this policy or if you want to exercise any of your data protection rights then you can contact us by email to info@hundredhills.wine or by post to the registered address.

This Policy applies to anybody who browses our webpage(s) or who provides personal data via our website at www.hundredhills.wine (our “Website”). It also applies to those who request communication via our Website, orders products via our Website, those who post material on our Website or social media sites, and to personal data processed in pursuit of our own marketing and business development efforts. We may also ask you for personal data when you report a problem on our Website.

This policy does not apply to the personal data of our Job Applicants, Employees, Agents and Contractors.  The fair, lawful and secure processing of these types of data is governed by other company policies outside the scope of this Policy.

This Website is not intended for children and we do not knowingly collect data relating to children.

It is important that you read this Policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Policy supplements other notices and privacy policies and is not intended to override them.

This Policy was last updated on 2 December 2020. Future changes we may make to our Privacy Policy will be uploaded to our website. If the changes are significant then we will notify you directly.

By submitting personal data to Hundred Hills you acknowledge and accept the practices described in this Policy.

We will endeavour to bring this Policy to your attention every time we ask for your personal information and we will seek your specific consent whenever this is required.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity concerned has been removed.

We may collect (and subsequently use, store and transfer) the following personal data about you:

• when you sign up for our newsletter, e.g. your name, email address and county;
• your name and contact details when making an enquiry, or registering as a customer, or otherwise submit data via this Website;
• when you place an order with us for our products: your name and delivery address, contact details (email address, phone number) and bank and payment details;
• when you browse this Website: technical data including internet protocol (IP) address, browser type and settings and other information about your device (for more information on Hundred Hills’ use of Cookies, see below);
• your marketing preferences, which may be adjusted or withdrawn at any time;
• information you provide when you complete surveys or enter competitions or enrol in promotional events;
• information about your use of our Website and apps;
• when you make a data subject access request.

You are not obliged to provide your personal data to us, but if you fail to provide personal data required to allow us to fulfil our contract with you, for example a delivery order for our products, we may not be able to carry out the contract and may have to cancel the relevant order or service in these circumstances.

How we process your personal data

This section explains what data we process about you, the purpose of the processing and what lawful basis we rely upon to carry out that processing.

Under data protection law you can exercise your right of access (also known as a ‘subject access request’) by making a written request to receive copies of some of the information we hold about you. We may request proof of your identity, or proof of your authority if making the request on behalf of someone else, before we can supply the information to you. Requests should be sent to us using the contact details set out at the top of this policy.

You do not need to pay a fee to exercise this right unless you are requesting copies of documents you already hold, in which case we may charge our reasonable administrative costs. We are also allowed to charge you for our reasonable administrative costs in collating and providing you with details of the requested information which we hold about you if your request is clearly unfounded or excessive. 

In very limited circumstances, data protection law permits us to refuse to comply with your request. If we refuse to comply then we will notify you of that fact.

Your personal information is not shared with anyone except where we are required to do so to comply with the law, to protect our rights, or to effectively operate our business.

We may share your information with the following people or groups of people:

1. Outsourced service providers. Our service providers (including delivery companies and IT providers) may be granted access to your information as part of the service they provide to us. Our service providers are subject to strict contractual obligations to treat your personal information confidentially and to comply with data protection law at all times.
2. Professional advisers. We may share personal information with our legal, financial and other professional advisers for the purpose of obtaining their advice. These transfers are protected by our advisers’ duties of confidentiality.
3. Government bodies and the courts. If we have a legal obligation to do so, we will share your information with government bodies, regulators and/or the courts.
4. Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

We do not transfer your information outside of the UK.

Under data protection law you have the following rights:

1. if we are processing your personal information on the basis of your consent then you have the right to withdraw that consent at any time. Consent can be withdrawn by contacting us using the details set out at the top of the Policy;
2. the right to access a copy of your information which we hold. This is sometimes called a ‘subject access request’. Additional details on how to exercise this right are set out in the ‘Access to Information’ section below;
3. the right to prevent us processing your information for direct marketing purposes. We will inform you (before collecting your data) if we intend to use your personal information for this purpose or if we intend to disclose your information to any third party for this purpose. You can also exercise this right at any time by contacting us;
4. the right to object to decisions being made about you by automated means;
5. the right to object to us processing your personal information in certain other situations;
6. the right, in certain circumstances, to have your information rectified, blocked, erased or destroyed if it is inaccurate; 
7. the right, in certain circumstances, to claim compensation for damages caused by us breaching data protection law; and
8. the right, in certain circumstances, to request that we erase, rectify, cease processing and/or delete your information.

You also have the general right to complain to us (in the first instance) and to the Information Commissioner’s Office (if you are not satisfied by our response) if you have any concerns about how we hold and process your information. The Information Commissioner’s Office website is www.ico.org.uk.

For further information on your rights under data protection law and how to exercise them, you can contact the Information Commissioner’s Office (www.ico.org.uk).

We only keep your information for as long as it reasonably takes to achieve the purpose we collected it for. Generally speaking, we keep your information for the following periods of time:

1. For customers, their employees and representatives (but excluding information contained in our marketing lists which we keep for a shorter period): 6 years from when they are collected. This may be extended, for example, if a dispute arises.
2. For suppliers, their employees and representatives: 6 years from when they are collected. This may be extended, for example, if a dispute arises.
3. For financial and compliance records where we have a legal obligation to keep them, for as long as that legal obligation lasts.

We have taken appropriate technical and organisational measures to ensure our own and our suppliers’ information security standards are appropriate to the risks associated with the personal data processing we undertake.  Our security objectives include guaranteeing the confidentiality, integrity and availability of personal data and the resilience of the systems that process it. We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

It is your responsibility to keep the password provided to you on registration secure and confidential at all times. We will not be held liable for any breach of data protection law arising from your improper use of the Website, or due to your password details being disclosed to any third party. In the event you have reason to believe your interactions with us are not secure, or the integrity of your login has been compromised, please contact us immediately.

Our Website uses cookies. By using our Website and agreeing to this policy, you consent to our use of cookies in accordance with the terms of this policy.

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies. Cookies are very easy to delete and block.

We use cookies for the following purposes:

• authentication – we use cookies to identify you when you visit our Website and as you navigate our Website;
• status – we use cookies to help us to determine if you are logged into our Website;
• personalisation – we use cookies to store information about your preferences and to personalise the Website;
• security – we use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our Website generally;
• analysis – we use cookies to help us to analyse the use and performance of our Website;
• cookie consent – we use cookies to store your preferences in relation to the use of cookies more generally.

Our service providers use cookies and those cookies may be stored on your computer when you visit our Website.

Like most modern websites we use Google Analytics to analyse the use of our Website. We also use Social Media buttons to connect our visitors to their social accounts on Instagram, LinkedIn and others. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our Website is used to create reports about the use of our Website. Google’s privacy policy is available at: www.google.com/policies/privacy. You can opt out of Google Analytics if you disable or refuse the cookie, disable JavaScript, or use the opt-out service provided by Google.

Most, if not all, browsers allow you to refuse to accept cookies by adjusting your settings. For example: (1) in Internet Explorer you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector; (2) in Firefox you can block all cookies by clicking “Tools”, “Options”, and un-checking “Accept cookies from sites” in the “Privacy” box.

You can also delete cookies already stored on your computer: (1) in Internet Explorer, you must manually delete cookie files (you can find instructions for doing so at http://support.microsoft.com/kb/278835); (2) in Firefox, you can delete cookies by, first ensuring that cookies are to be deleted when you “clear private data” (this setting can be changed by clicking “Tools”, “Options” and “Settings” in the “Private Data” box) and then clicking “Clear private data” in the “Tools” menu.

Doing this may have a negative impact on the usability of many websites. In the case of our Website, disabling cookies means its functionality will be impaired.