VTSDesign as a Data Controller


We take our responsibilities to client data extremely seriously and have detailed this below in a full review of our systems, effective as of 09/04/2018.

What information do we store and why do we store it? 

We process client data on a number of platforms outlined below.

We never sell or give away data to third-party companies.

Client Accounts

We store essential account information only to allow us to maintain contact with you.

This includes business name, first name, surname, postal address, email, landline and mobile.

This information is only kept as long as required and once a client no longer holds any services or dealings with us, it is removed.

We also store the date your account was opened and your order/invoice history.

We do not store any payment information.

All passwords are fully encrypted.

Access to this information is locked to our office IP address only.

This information is stored with and processed by VTSHosting Ltd as our Data Processor. You can read their GDPR Statement for further information.

Support Tickets

All support tickets are kept and stored. These are hosted securely by Teamwork.com in Ireland. Support tickets only contain your name and email address and email text. We don't store passwords or other secure information within tickets. We keep old tickets to allow us to look back at any previous issues you may have had and how they were resolved.

Client Websites and supplied data

All data supplied for client websites is stored in our secure office file system which is only accessible via our own IP address.

Once a client website is complete, we delete all supplied information and images that contain personal or identifiable information.

All client websites that are hosted by us are stored and processed by VTSHosting Ltd. You can read their GDPR statement here.

Online/Telephone payments

We process online payments through PayPal and PayPal Pro.

Telephone payments are taken through PayPal Virtual Terminal and are entered into the Virtual Terminal system as they are given. We do not store them anywhere.

All card data is entered directly on the PayPal servers, which are PCI compliant.

Access to the business PayPal account is restricted to the office location only and we use two-factor authentication to authorise access.

We do not store card details - any written details are securely shredded and recorded card details given over the phone are deleted.

You can read how they manage their data and their approach to GDPR here.

Direct Debits

We process Direct Debits for some clients via GoCardless. They store name, address, bank sort code and account number.

You can read how they manage their data and their approach to GDPR here.

Web Design Contracts

Our online contracts are stored and processed by Adobe EU. Once signed, a copy of the PDF is kept within their systems.

We also keep a PDF copy in our local file storage system.

You can read how they manage their data and their approach to GDPR here.

Company Emails

We use G Suite by Google to process our company emails.

Any emails containing passwords or other secure information are deleted.

You can read how G Suite manage their data and their approach to GDPR here.

Tawk To Live Chat

We use the live chat service provided by Tawk To to provide customer support and to handle sales enquiries on our website.

They store transcripts of chats on their system which are also emailed to us to keep for reference. We remove any sensitive information from chat transcripts before archiving them. The archives are kept for reference for any future discussion.

You can read how they manage their data and their approach to GDPR as soon as they make their statement available.

Phone Calls

We use Soho 66 to process our phone calls.

All calls are recorded, stored and processed within their network. We do this for training purposes and to be able to clarify supplied information.

Should you wish for your call not to be recorded, then we can arrange to call you from a different number.

We delete recordings of phone calls where the call was made to take a payment or where any other secure details were given during the call.

You can read how they manage their data and their approach to GDPR as soon as they make their statement available.

 

Cookies and Visitor Tracking

A cookie is a small text file which is placed on your computer by your browser.

Temporary Cookies

We use Temporary Session Cookies to manage your movement between pages and to handle the session of your visit. These are essential for the site to function correctly.

They have a maximum lifetime of 100 minutes and are removed once expired.

They contain no identifiable information and do not track your activities on other sites.

Analytical Cookies - Google Analytics

We use analytical cookies from Google Analytics to identify which pages are being used. These usually have names such as UTMA, UTMB, UTMC, UTMZ.

This helps us analyse data about web page traffic and general visitor behaviour on our website in order to tailor it to customer needs.

We only use this information for statistical analysis purposes and it does not contain any personally identifiable information. We ensure this by using the Google Analytics anonymizeIp function, so that the IP address of a visitor cannot be matched with analytical data.

Analytical Cookies - Tawk To

Tawk To is our live chat software detailed above. It uses cookies to track visitors returning to continue previous chats. They will be introducing an IP anonymize function, as Google have, in time for GDPR to maintain visitor anonymity.

Visitor Activity Recording - Smartlook.com

Smartlook is a tool that allows us to record visitor activity to help us understand how people interact with the website.

It does not record sensitive information.

Smartlook will be upgrading their systems for GDPR to allow individual recordings to be deleted on request - Read more here.

 

How to request a copy of your data/data removal

We believe in complete transparency in line with the purpose of the GDPR and will endeavour to meet the following targets:

  • Respond to a request for an individual's data within 12 working hours and supply the data where possible within three weeks
  • Respond to a request for data to be removed within 12 working hours and complete the deletion subsequent to appropriate checks within three weeks with complete documentation to prove this

To make a data request, please click here.

 

Our response policy in the event of a data breach

We endeavour to keep the sites we design as secure as possible by keeping all plugins and components up to date on our client sites.

We also apply security updates as they are released.

We also ensure that passwords are as secure as possible using a combination of upper and lower case letters and special characters.

We also ensure, through VTSHosting Ltd, that each client site is kept in a virtual cage, completely isolated from any other site. Therefore, in the event of a data breach, the people involved will not be able to access anything beyond the site in question.

Data breach within a single client site

In the event of a client reporting a data breach on their site, we will change all passwords relevant to that account and restore the site from a clean backup where possible (assuming we have been notified in time to use a backup). If the client has registered users on their site, we would recommend that all passwords are reset and that they contact their own clients to advise them of a data breach under their GDPR responsibilities.

Data breach within our own internal systems

The immediate priority is to identify and isolate the breach by locking down all systems and resetting all system passwords.

We would then reset all client passwords and check the logs to see if any client sites have been accessed as a result of the breach.

We would notify all clients of the breach, explaining what had happened and what steps we had taken to prevent future occurrence.

If we detected that any client sites had been accessed as a result of the breach, then we would notify them and if the client has registered users on their site, we would recommend that all passwords are reset and that they contact their own clients to advise them of a data breach under their GDPR responsibilities.

In the event that client websites had been accessed as a result of the breach of our system, we would then report the breach to the relevant authorities within 72 hours as per the GDPR requirements.

 
