Last updated: May 25, 2018
Who I am
Moonsteam Design is run by me, Sara. It’s just me, a one-woman show. I do not have any employees or assistants or helpers.
What personal data I collect and why I collect it
Information collected via contact forms is used only by me to communicate with you regarding your inquiries. No one else receives this information.
When you sign up for my mailing list, your name and email are kept by my mailing list provider, MailerLite, for the purpose of sending newsletters via email.
While you visit the site, it will track:
- Products you’ve viewed: this is used to, for example, show you products you’ve recently viewed
- Location, IP address and browser type: used for purposes like estimating taxes and shipping
- Shipping address: needed to estimate shipping before you place an order and then to be able to send you the order
When you purchase something, you are asked to provide information including your name, billing address, shipping address, email address, phone number, credit card/payment details and optional account information like username and password. I will use this information for purposes such as:
- Send you information about your account and order
- Respond to your requests
- Process payments and prevent fraud
- Set up your account for the store
- Comply with any legal obligations, such as calculating taxes
- Improve store offerings
If you create an account, I will store your name, address, email and phone number, which will be used to populate the checkout for future orders.
I accept shop payments through PayPal. When processing payments, some of your data will be passed to PayPal, including information required to process or support the payment, such as the purchase total and billing information.
The IP address of visitors, user ID of logged in users, and username of login attempts are conditionally logged to check for malicious activity and to protect the site from specific kinds of attacks. Examples of conditions when logging occurs include login attempts, log out requests, requests for suspicious URLs, changes to site content, and password updates. This information is retained for 14 days.
Cookies are used by various plugins on my site to give me information about website visitors (analytics), to keep track of cookie consent/denial, and to monitor shop information. They are also used by various social media sites when I embed content from them (e.g., YouTube videos).
You can also clear your browser cache of all data (many cookies only last for a “session,” i.e. the duration of your visit).
Who I share your data with
I do not share names or email addresses sent via contact forms with any other party.
If you sign up for my mailing list, MailerLite will have your name and email address.
Google Analytics only retains info about visitors, pages viewed, etc. GA does not collect any info that could identify you personally (but they collect data around the web in various forms and aggregate it, so see further info below to manage that data).
Information collected by my shopping cart, WooCommerce, is seen by me, by my payment processor PayPal, and by order fulfillment service Printful in order to fulfill and manage orders. WooCommerce does not collect any data from me (I have opted out of their data collection).
Data collected by social media companies, such as that from embedded YouTube videos, becomes part of the data that Google collects; see the note below about managing your Google data.
WordPress itself does not share any data with anyone.
How long I retain your data
My newsletter service will retain your name and email until you ask me to have you “forgotten,” which takes 30 days to happen. Email me directly (you can use my contact form) and ask me to “forget” you from the mailing list. When I remove you, I am able to completely remove your data. From MailerLite: “When you use the Delete function in the subscriber section of MailerLite, the information is not entirely removed. The reason for this is simple. If that person later resubscribes, his or her history is still there so you don’t have to rebuild their profile. … MailerLite created a new feature called Forget that completely wipes a person’s data from our system. This function was built specifically for GDPR compliance of the right to be forgotten. … When you choose the option, Forget, the subscriber’s data will be completely removed. Everything will be permanently deleted including reports, clicks, profile data, etc.” Once initiated, data is entirely gone within 30 days.
Google Analytics keeps data on site traffic up to 14 months, the shortest retention period available (but remember, site stats do not have any info about who you are personally). While my site does not give Google any personal info about you, other websites might have at some point…you can find out more & use tools to manage your Google data here: https://privacy.google.com/your-data.html.
I generally store information about you/your order(s) for as long as I need the information for the purposes for which I collect and use it, and I am not legally required to continue to keep it. For example, I will store order information for 5 years for tax and accounting purposes. This includes your name, email address and billing and shipping addresses.
Security logs are retained for 14 days.
How your data is protected
I use the plugin Wordfence to keep my site and data secure. I also use two-factor authentication for my domain and hosting.
While I do not personally keep any data on any visitors, some plugins that I use do keep data. These plugins are all GDPR-compliant (or about to be), and have provided detailed privacy information:
- Yoast SEO: Collects website data only, no personal info: find out more here.
- Wordfence: Wordfence is a security plugin that helps guard against hacks and data breaches. They are fully GDPR compliant.
- WooCommerce: Owned by Automattic; privacy info here.
- Akismet: Owned by Automattic; privacy info here.
What data breach procedures I have in place
If my mailing list is ever compromised, I will notify every subscriber and let them know what data was breached, to the best of my knowledge.