Protecting your Data

How we handle your sensitive data is one of the things that makes us unique. Unlike other e-commerce and corporate gifting companies, creating software for enterprise-level companies is part of our DNA.

We’re in a unique position to maintain the security and privacy of your data when processing your order.

Once you place an order on this site (operated by our e-commerce partner Shopify), you’ll be given a secure link to provide your sensitive information such as recipient addresses and contact details. This process happens on our dedicated secure server located in a UK based, PCI-compliant data centre.   

Your sensitive data never leaves the UK and is stored electronically with 256-bit SSL encryption.  

Collecting Personal Data

We collect personal data at two points during your order:

1. When you place the order via our e-commerce partner Shopify. This is the server where you choose products, create an order and make payment. At this stage, we collect:
   • Details about the items on your order and their quantities
   • The name and/or company name of the person placing the order
   • The billing address that the payment card is registered to
   • Contact details for the person placing the order – typically, phone number and email address
     
     
2. When you complete your order setup on our secure UK server at https://wellbox.app. At this stage, we collect:

• The message you want to include with each gift
• The date you would like the gifts to be delivered
• Optionally, if you choose to use the secure upload, we also take the name, address, email (optional), mobile numbers (optional) and dietary preferences (optional) for your gift recipients

Cyber Essentials Certification

Cyber Essentials is a UK government-backed, industry-recognised scheme designed to help organisations protect themselves against common cyber threats.

The certification focuses on five key areas of cybersecurity:

• Boundary firewalls and internet gateways
• Secure configuration
• Access control
• Malware protection
• Patch management

By addressing these core technical controls, the Cyber Essentials scheme offers organisations a straightforward yet effective way to guard against a wide range of common cyber threats. This helps to create a safer and more secure online environment.

Our Cyber Essentials certification highlights our unwavering commitment to maintaining the highest standards in cybersecurity and best practices in information protection.

We take a proactive approach to safeguarding sensitive and personal data, providing you with peace of mind when entrusting us with your information.

Sharing Data and Third-Party Processors

Data collected on wellbox.co.uk will be processed and shared in accordance with our privacy policy that can be found here - https://wellbox.co.uk/policies/privacy-policy

Raw data collected on the secure server (claim.wellboxes.co.uk and wellbox.app) is never shared, with the exception of using supplied address data to create shipping orders.

This data is sent to our shipping partner Royal Mail electronically, and used to create electronic files from which shipping labels are printed.

Recipient address data is erased 30 days after dispatch. For tracking and reporting purposes, we retain:

1. The recipient’s postcode
2. Details about the product the recipient was sent
3. Dates and times when the delivery was completed
   
   

Rights of Access

The order contact or a designated representative from your organisation can request the deletion of any remaining data points. In doing this, they accept that we would no longer be able to provide tracking or delivery information. 

Data Retention Policies

Even before GDPR, our policy has always been to never retain information longer than is needed. In the case of Recipient data, data is only ever stored long enough to generate shipping manifests and labels for the gifts. Once the gifts have been dispatched, all PII data points are anonymised in 30 days.

User data for inactive (company) accounts can be set to auto-delete after 60 days of inactivity.

Data Processing Locations

Data collected on wellbox.co.uk (data on the individual placing the order) is securely processed by our e-commerce partner Shopify both in the UK and on servers located in the US. 

Data collected on welllbox.app or claim.wellboxes.co.uk (data on your recipients and their preferences) is securely processed on our dedicated server based in the UK. This servers is maintained in a PCI-compliant data facility. 

Data Security Processes

Our processes can be broken down into technical and people processes.

People Processes

• Data Security Awareness Level 1 training is provided to all new employees as part of their induction programme. This is a base level of training that covers areas such as data protection principles, data subject rights, and security of personal data.
• Department managers, IT and those in supervisory roles also undertake Data Security Awareness Level 2 training.
• All employees receive refresher training at least every twelve months or following a material change in data protection law, GDPR compliance guidelines or regulation.
• We keep a record of what training has been undertaken by each employee.

Technical Processes

• Across the organisation, we have basic technical controls such as those specified by established frameworks like Cyber Essentials.

• We use 256-Bit SSL encryption to secure all communication between your device and our servers. We use the same encryption to secure communications between our own employee devices and our servers.

• Our server data centre is ISO 27001 certified, PCI-compliant and secured to UK government IL4 standards.

• We have concurrent maintainability to ensure 100% network uptime. We operate N+1 configurations throughout, including UPS and standby diesel generators. We ensure we can restore access to business-critical data in the event of any incidents through our backup process.

• We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
  
  

Data Centre Accreditations

Our server data centre is ISO 27001 certified, PCI-compliant and secured to UK government IL4 standards.