Privacy Policy

Last updated 12th October 2020

Introduction

This Privacy Policy (hereinafter referred to as the "Policy") sets out information about how the Allura Art Website (hereinafter referred to as the "Website") processes and uses your personal data.

This Policy describes your rights as a User of the Website. It provides information about your rights relating to your personal data along with how we collect, use and share your data. Allura is firmly committed to respecting your privacy and the confidentiality of the personal information you supply to us and all personal data will be processed in accordance with the Data Protection Act (Chapter 586 of the Laws of Malta) and subsidiary legislations thereunder (hereinafter referred to as the "Act") and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "General Data Protection Regulation" or "GDPR").

By using our Website you consent to our collection and use of your personal data as described in this notice. In the event that Allura modifies and upgrades this Policy, we will post those changes on our website to keep you aware of what Information we collect, how we use it and under what circumstances we may disclose it. Your continued use of the Website after this Policy has been amended shall be deemed to be your continued acceptance of this Policy, as amended.

 

Who we are

The Allura Art Website is the property of Allura Limited, a limited liability company duly registered under the laws of Malta bearing company registration number C 90221 with registered office situated at 98 Triq il-Parrocca, Mellieha, MLH 1063, (hereinafter referred to as "Allura", "we", "our"). For GDPR purposes, Allura is deemed to be the Data Controller.

Should you require further information regarding our privacy practices, kindly do not hesitate to contact us via email at info@allura.mt.

Our designated person in relation to privacy and data protection matters is Laura Swale who may be contacted via email at laura@allura.mt.

Key Definitions

"Data Controller" means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Data subject" refers to any living person (natural person) whose personal data is being collected, held or processed.

"Data Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

"Processing" means any operation/s which is/are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

It should be noted that information relating to legal persons (e.g. company, other legal entities) does not constitute personal data in terms of both the Act and the GDPR. Nonetheless, the aforesaid information will still be handled in a confidential manner, in accordance with our standard internal practices and professional secrecy obligations.

What is personal data?

Personal information or personal data is data which identifies a person from the information provided or if combined with other information that we may have access to:

In summary, personal data is:

  • Name and address

  • Telephone numbers

  • Date of birth

  • Email address

  • Social media links

  • An IP address

  • In addition, there are "special categories" of personal data which means that the data, in law, is considered more sensitive, such as:

  • Personal data related to your health

  • Genetic data

  • Personal data related to your religious beliefs

  • In the event that we need to collect personal data that falls into special categories, we will inform you at the time of collection why we require it. We will only use this type of information about you for the specific purpose for which it has been collected. If we wish to use the information for any other purposes, we will ask for your permission to do so unless there is a legal requirement for us to process your personal data.

What do we collect?

When you make use of the Website, either by registering as a User, subscribing to our mailing list or making a purchase, we may request personal data such as your name, surname, email address, password and any other personal data that may be required to provide you with a quality service. For example, in the event of your purchasing an item through the Allura Art Website you will be required to provide further details including your telephone number and address. Furthermore, we log your Internet Protocol (hereinafter referred to as the "IP") address in order to receive and send information from and to you over the internet.

As a User (or Data Subject) of the Website, you will fall into one or more of four categories:

  • Visitors

  • Registered Account Holders

  • Mailing List Subscribers

  • Buyers

When you use our Website, information may be collected by us through our use of cookies, please refer to the Cookie Policy for details. This information allows us to deliver more helpful information, services and advertisements. Our Cookie policy, which may be found in the footer at the bottom of our Website, will give you more details.

Minors under 18

Our Services are not directed to persons under 18 and we do not intentionally collect any information on minors under 18 years of age. However, individuals aged sixteen (16) or seventeen (17) years of age are permitted to use the Website and its Service provided that they have the permission of a parent or legal guardian to use the Service and moreover, the parent or guardian has read and agreed with our Terms of Service on their behalf. By using the Website Users are agreeing to the Terms of Service (available in the footer at the bottom of our Website).

If you become aware that your child has provided us with personal information without your consent, please contact us at info@allura.mt. We will undertake to delete any details of such users where a parent or guardian has notified us that any such details have been obtained.

Processing of personal data

In principle, we collect and use personal data of our Users only to the extent necessary for the provision of a functional website and our content and services. The collection and use of personal data takes place only with the consent of the respective User. An exception applies to cases in which prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.

  • Typically, we will use your information as necessary and as appropriate for our business purposes, including but not limited to:

  • Administering your account;

  • Responding to enquiries or requests that you direct to us;

  • Fulfilling your requests for artwork and other products featuring on our Website;

  • Sending communications and administrative e-mails about the Website or products featuring on our Website/Application;

  • Sending service messages to request feedback on customer experience;

  • Personalising and better tailoring the features, performance and support of the Website for your use;

  • Responding to applicants for job vacancies.

Irrespective of how we have collected the data subject’s personal data, we undertake that we will only process such data only for the purpose for which we have collected it or for other purposes which are inherently related thereto, including also any fulfilment of any legal or regulatory obligation imposed on us. When processing personal data for purposes other than the purpose for which personal data was collected, and still strictly connected to the purpose for which such data was collected, we shall inform you accordingly.

Marketing

We may use your information for contacting you about events and services where we have permission to do so and where the law allows this communication to take place. We are well aware of the irritations of unsolicited marketing communications and are committed to ensuring that your rights and our obligations are fully respected at all times.

You may at any time request us to stop using your personal data for direct marketing purposes. If you wish to do this, please unsubscribe from our mailing list or contact us on info@allura.mt.

Other advertising

We believe that advertising is more interesting to you when it is relevant. Where you have given permission for us to do so, we may customise the advertising that you see based upon your personal information.

We may use personal information for this purpose including:

  • the Information you voluntarily provide to us;

  • geographic location information, which we may determine through your IP address, from your mobile device, or other ways;

  • data we receive from third parties; or 

  • your visits to our website or your use of our services via the use of cookies.

You can control how cookies are used via your browser. For more information please view our Cookie Policy which may be found in the footer at the bottom of our Website.

Who do we share your personal data with?

We may disclose your personal information if we are under a duty to disclose or share your information to comply with any legal obligation or in order to enforce or apply or fulfil our terms and conditions and other agreements or protect the rights, property, or safety of our customers, our group companies or others. Where your personal data must be shared for us to provide you with a service, then we make sure that our partners have the right controls in place to use your information responsibly and under our control.

It is important for us that you understand who your information may be shared with and the seriousness with which we take the confidentiality of your personal data. If you have questions about such uses of your personal data, kindly send us an email on info@allura.mt.

We will not share your personal data unless there is a valid legal reason or need to do so.

Security of personal data

Keeping your personal data secure is of the utmost importance to us. We undertake to put in our best efforts to keep any disclosed personal information secure by implementing the appropriate technical and organisational measures with the aim of protecting your personal data against unauthorised or unlawful processing, encompassing also accidental losses, destruction, storage or access. However, no system is perfect or can fully guarantee that the above-mentioned events will not occur.

Third-Party infrastructures

Users should note that in using the Service, sensitive information will travel through third-party infrastructures which are not under Allura’s control, such as third-party servers and the internet, including those of our Website provider Squarespace and the online payment provider Stripe, which is used to facilitate online payments made when purchasing items through the Website.

Stripe

When you purchase an item from the Website using an online payment method. In order to process your payment your details are transmitted securely to the payment processor Stripe. 

Below is a statement about Security at Stripe.

“Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.” 

Below is an extract from Stripe’s global privacy policy.

In this context the ‘Stripe User’ is the Allura Art Website.

“If you are a Customer of a Stripe User, when you make payments or conduct transactions through a Stripe User’s website or application or device we provide, we will receive your transaction information. Depending on how the Stripe User implements our Services, we may receive this information directly from you, or from the Stripe User or third parties. The information that we collect will include payment method information (such as credit or debit card number, or bank account information), purchase amount, date of purchase, and payment method. Different payment methods may require the collection of different categories of information. The Stripe User will determine the payment methods that it enables you to use, and the payment method information that we collect will depend upon the payment method that you choose to use from the list of available payment methods that are offered to you by the Stripe User. When you make a transaction, we may also receive your name, email, billing or shipping address and in some cases your transaction history to authenticate you.”

Squarespace

The Allura Art Website operates on a platform run by Squarespace. In terms of the security of your information on the Allura Art Website, all possible steps are taken to guarantee the security and integrity of your personal information while using the Website. In order to do this the Website employs SSL (Secure Socket Layer) encryption and HSTS Secure technology.

The paragraph below from the Squarespace Privacy Policy on data transfers explains how data is processed through their systems.

“Personal information that you submit through the Services may be transferred to countries other than where you live, such as, for example, to our servers in the U.S. We also store personal information locally on the devices you use to access the Services.

Your personal information may be transferred to countries that do not have the same data protection laws as the country in which you initially provided the information.

We rely upon a number of means to transfer personal information which is subject to the European General Data Protection Regulation (“GDPR”) in accordance with Chapter V of the GDPR.”

Legal basis of the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) GDPR serves as the legal basis. For the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual measures. Insofar as the processing of personal data is required to fulfil a legal obligation that our company is subject to (e.g. national reporting laws), Art. 6 (1) (c) GDPR serves as the legal basis. If the processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not prevail over the first interest, Art. 6 (1) (f) GDPR serves as the legal basis for processing.

Data retention

Personal data will only be retained exclusively for the period which is necessary to fulfil the purposes for which we collected it (the provision of the services and the ongoing business relationship with you) and thereafter, for the purpose of satisfying further legal and regulatory requirements or obligations to which we are subject. This period may also be extended further to be able to assert, exercise or defend possible future legal claims against or otherwise involving the data subject.

In the context of a contractual relationship between us and the data subject, the latter’s personal data will be retained for a period of five (5) years from the termination date of the contractual relationship on the basis of legitimate interests to protect ourselves against any civil disputes in relation to the aforementioned contractual relationship.

Please be aware that we use external services, some of which have data centres based outside the EU. These services include those provided by Squarespace, Mailchimp, Stripe and Google. You should check the policies of these providers regarding data retention as it is important to note that those will be governed by different laws. Moreover, the above-mentioned time periods may be extended for longer periods when we have a legitimate interest related to exercising or defending legal claims or in case of inspections by relevant authorities. Other than the instances mentioned above, Personal Data which was provided based upon the data subject’s consent, shall only be exclusively retained up until the data subject withdraws his/her consent.

Data subject's legal rights

Data subjects (Users) have various rights vis-à-vis their personal data:

The right to be informed: As a User you have the right to be given clear information regarding how your personal data is processed. We do this by means of this Privacy Policy which will be duly revised from time to time, and by means of and any future communications directly with you on a case by case basis.

The right to access personal data: You may send us a request to access all the personal data we hold in your respect. To avail yourself of this right, kindly contact us on info@allura.mt. We will do our best to attend to your request within one (1) month. In case of more complex requests, the timeframe will be extended by a further one (1) month. Should you disagree with our judgement, you can complain to the Information and Data Protection Commissioner (hereinafter referred to as the ‘IDPC’) on https://idpc.org.mt/en/Pages/contact/complaints.aspx

The right to rectification: You can also request that any inaccurate or incomplete personal data which we hold in your regard be corrected. Kindly contact us on info@allura.mt.

The right to erasure: there are certain instances whereby you may also elect to request deletion of his personal data. On a general note, we will comply with your request in this regard. However, we may have the necessity not to comply if retention of the data is required for us to be compliant with a legal obligation and/or such data would be required by us to exercise or defend any legal claims.

The right to stop direct marketing messages.

The right to object: you may object regarding your personal data being processed, including when such processing is based on legitimate interest.

The right to data portability: you have the right to put forward a request asking us to provide you with certain personal data which you had provided us with in a structured, commonly used and machine-readable format. When technically feasible, you may also request that your personal data be transferred to a third-party controller of your choice.

The right to withdraw consent: you can also retract your previously given consent to any other consent-based processing at any time.

The Right to Lodge a Complaint: Please be informed that you have the right to lodge a complaint against any personal data breach by communicating such breach to the IDPC by filling in the complaint form available at https://idpc.org.mt/en/Pages/contact/complaints.aspx

How do I request information you hold on me?

You have the right to request a copy of the information that we hold about you. We may require additional verification depending on the nature of your request.

Please make a written application preferably by email to Allura’s designated representative Laura Swale at laura@allura.mt or write to the following address: 98 Triq il-Parrocca, Mellieha, MLH 1063.

If any of the Information that we hold about you is inaccurate, you can either contact us via the details outlined above or change the details yourself in the ‘My Account’ section of the Website.

Contact

While every effort is done to protect the privacy of individuals, if you feel that your privacy has been affected or have further questions do not hesitate to contact Allura’s designated representative Laura Swale at laura@allura.mt.

Notices and changes

Any notices or other communications permitted or required hereunder, including those regarding modifications to this Privacy Policy, will be in writing and given: by Allura (i) via email (in each case to the address that you provide) or (ii) by posting to the Website. For notices made by email, the date of receipt will be deemed the date on which such notice is transmitted. The date of the most recent update to these Terms and Conditions appears at the top of the document.