Protecting your Data

How we handle your sensitive data is one of the things that makes us unique. Unlike other e-commerce and corporate gifting companies, creating software for enterprise-level companies is part of our DNA.

We’re in a unique position to maintain the security and privacy of your data when processing your order.

Once you place an order you’ll be given a secure link to provide your sensitive information such as recipient addresses and contact information. This happens on our own dedicated secure server (based in Manchester, England) at a PCI-compliant data centre maintained by ANS.   

Your sensitive data never leaves the UK and is stored electronically with 256-bit SSL encryption.  

Collecting Personal Data

We collect personal data at two points during your order:

1. When you place the order via our ecommerce partner Shopify. This is the server where you choose products, create an order and make payment. At this stage, we collect:
   • Details about the items on your order and their quantities
   • The name and/or company name of the person placing the order
   • The billing address that the payment card is registered to
   • Contact details for the person placing the order – typically, phone number and email address
     
     
2. When you complete your order setup on our secure UK server at https://app.wellboxes.co.uk or https://claim.wellboxes.co.uk. At this stage, we collect

• The message you want to include with each gift
• The date you would like the gifts to be delivered
• Optionally, if you choose to use the secure upload, we also take name, address, email (optional), mobile numbers (optional) and dietary preferences (optional) for your gift recipients

Sharing Data and Third-Party Processors

Data collected on wellboxes.co.uk will be processed and shared in accordance with our privacy policy that can be found here - https://wellboxes.co.uk/policies/privacy-policy

Raw data collected on secure server (claim.wellboxes.co.uk, app.wellboxes.co.uk) is never shared, with the exception of using supplied address data to create shipping orders.

This data is sent to our shipping partner Royal Mail electronically, and used to create electronic files from which shipping labels are printed.

Recipient address data is erased 30 days after dispatch. For tracking and reporting purposes, we retain

1. The recipient’s postcode
2. Details about the product the recipient was sent
3. Dates and times when the delivery was completed

Rights of Access

The order contact or a designated representative from your organisation can request the deletion of any remaining data points. In doing this, they accept that we would no longer be able to provide tracking or delivery information. 

Data Retention Policies

Even before GDPR, our policy has always been to never retain information longer than is needed. In the case of Wellbox recipient data, data is only ever stored long enough to generate shipping manifests and labels for the boxes. Once the boxes have been dispatched, most data points are deleted in 30 days.

User data for inactive (company) accounts can be set to auto-delete after 60 days of inactivity.

Data Processing Locations

Data collected on wellboxes.co.uk (data on the individual placing the order) is securely processed by our ecommerce partner Shopify in the UK and on servers located in the US. 

Data collected on app.wellboxes.co.uk or claim.wellboxes.co.uk (data on your recipients and their preferences) is securely processed on our own servers based in Manchester, UK. These servers are maintained in a PCI compliant data facility by ANS. 

Data Security Processes

Our processes can be broken down into technical and people processes.

People Processes

• Data Security Awareness Level 1 training is provided to all new employees as part of their induction programme. This is a base level of training that covers areas such as, data protection principles, data subject rights, and security of personal data.
• Department managers, IT and those in supervisory roles also undertake Data Security Awareness Level 2 training.
• All employees receive refresher training at least every twelve months or following a material change in data protection law, GDPR compliance guidelines or regulation.
• We keep a record of what training has been undertaken by each employee.

Technical Processes

• Across the organisation, we have basic technical controls such as those specified by established frameworks like Cyber Essentials.

• We use 256 Bit SSL encryption to secure all communication between your device and our servers. We use the same encryption to secure communications between our own employee devices and our servers.

• Our server data centre is ISO 27001 certified, PCI-compliant and secured to UK government IL4 standards.

• We have concurrent maintainability to ensure 100% network uptime. We operate N+1 configurations throughout, including UPS and standby diesel generators. We ensure we can restore access to business-critical data in the event of any incidents through our backup process.

• We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.

Data Centre Accreditations

Our server data centre is ISO 27001 certified, PCI-compliant and secured to UK government IL4 standards.