Privacy Policy

MakeRoom (and it’s operating company RoomFifty Ltd) respects the privacy of its Merchants (Artists) and Users and is fully committed to protecting their personal data and using it in accordance with our legal obligations. This Privacy Policy & Cookie Policy describes how MakeRoom and its operating companies (“we”, “Company” or “us”) may collect and use personal data and the rights granted to our visitors, users, customers, and merchants regarding their respective data.


By accessing or using this website or any of our Services, you signify your approval of the terms set out in this Privacy Policy, Terms & Conditions, and other terms and policies posted on our websites. If you do not agree to this Privacy Policy, you must leave this website and discontinue all use of any of our Services.


1. Information we collect

1.1. Information collected from Merchants (Artists)

If you are providing us with personal data relating to another individual, you are to be considered as a Merchant and your data is processed as follows.


If you are a Merchant, you agree to comply with data protection laws applicable to your business. Furthermore, you agree that you acquire legal basis for the processing of personal data of your Customer, including, but not limited to, the use and access of the respective personal data by MakeRoom and other third parties used by MakeRoom for the provision of its Services.


We collect the following data to confirm your identity, contact you, invoice you, and otherwise provide our Services:


Name

Address

Email address and phone number

Payment details

To give you access and to improve our Services, we may collect data about:


How and when you access your account

Information about the device and browser you use

Your network connection

Your IP address

For us to be able to provide you our Services and support, to process orders, for you to better serve your Customers, and to improve our Services, we also collect information about your Customers:


Name, surname, company name

Shipping and billing address

Email address and phone number

Payment details

IP address and device data

Other information that you share with us or that customers provide while using our Services or during checkout.

Upon starting to use our Services we may process your email address to send you informative materials, such as newsletters, advertisements and others. At any point in time you can unsubscribe from receiving the above-mentioned information in our email footers and through your notification settings on MakeRoom. We will not use the details of your Customers to directly advertise our Services to them.


1.2. Information collected from our Users

If you use our Services to place personal orders without processing the data of third parties, you are to be considered as the User, where data are processed as follows.


We collect the following data to confirm your identity, contact you, invoice you, and otherwise provide our Services:


Name, surname, company name

Shipping and billing address

Email address and phone number

Payment details

IP address and device data

Other information that you share with us while using our Services or during checkout

We collect the above-mentioned personal data when a User uses or accesses our Services, places an order, or signs-up for an account on our websites or apps.


Upon starting to use our Services or when you subscribe to our blog or newsletters, we may process your email address to send you informative materials. At any point in time you can unsubscribe from receiving the above-mentioned information in our email footers and through your notification settings on MakeRoom.


1.3. Information collected from MakeRoom Group websites

To ensure a smooth customer support experience, we process information that you provide on our website (eg. in chat or on the comment section of our blog), in emails, or through other means of communication you have used. For this purpose, we may process the following information to provide and enhance our Services and answer your questions:


Your name

Email address

Website address

Any information that you share

IP address

Upon visiting our website, requesting customer support, or subscribing to our blog, we may collect and process the following information related to you to provide you with a better customer experience and to improve our Services:


Your device and browser

Your IP address

Other information that is collected from cookies.

1.3.1. What are cookies?

Our site uses cookies (very small files that are sent by us to your computer or other access device) which we can access when you visit our site in future.


There are four types of cookie:


Website functionality cookies: These cookies enable you to browse the website and use our features such as shopping baskets and wish lists.

Website analytics cookies: We use these cookies to measure and analyse how our customers use the website. This allows us to continuously improve our website and your shopping experience.

Customer preference cookies: When browsing or shopping online, the website will remember preferences you make (for example your user name, language or location). This makes your browsing experience simpler, easier and more personal to you.

Targeting cookies or advertising cookies: These cookies are used to deliver adverts relevant to you. In addition, they limit the number of times you see an advertisement as well as helping us measure the effectiveness of our advertising campaigns.

By using our website you agree that we can place these types of cookies on your device and access them when you visit the site in the future.


If you want to delete any cookies that are already on your computer, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.


Information on deleting or controlling cookies is available at www.aboutcookies.org. Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our site.


2. Sharing personal data with third parties

In order for MakeRoom to provide you with our Services, we work with third parties with whom we may share personal data to support these Services. Your personal data may be shared with third parties who provide hosting and server co-location services, communications and content delivery networks, data and cyber security services, billing and payment processing services, fraud detection and prevention services, web analytics, email distribution and monitoring services, session recording services, marketing services, our legal and financial advisors, among others (together – “Third Party Service Providers”). The Third Party Service Providers may only receive the minimum amount of personal data necessary, depending on their particular roles and purposes in facilitating and enhancing our Services and business, and may only use it for such purposes. We will only share personal data to Third Party Service Providers that have undertaken to comply with obligations set out in applicable data protection laws.


Note that while our Service may contain links to other websites or services, we are not responsible for each respective website’s or service’s privacy practices, and encourage you to be aware when you leave our Services and read the privacy statements of each and every website and service you visit. This Privacy & Cookie Policy does not apply to third-party websites and services.


If you are a Merchant, by using our Services you are providing us with irrevocable consent to use any Third Party Service Provider at our discretion for the purposes of providing the Service.


MakeRoom remains responsible for the processing of personal data carried out by Third Party Service Providers that MakeRoom has engaged with for respective data processing in accordance with applicable laws.


In certain circumstances, we may also be required to share information with third parties to conform to legal requirements or to respond to lawful requests by public authorities as well as to protect our, or a third party’s, lawful interests.


3. Retention periods

We may retain your personal data, as well as your Customers’ information, for as long as your relationship with us is active by having a MakeRoom account, or as otherwise needed to provide you our Services.


After terminating your relationship with us by deleting your MakeRoom account or otherwise ceasing to use our Services, we may continue to store copies of your and your Customers’ personal data as reasonably necessary to comply with our legal obligations, to resolve disputes between you and us or you and your Customers, to prevent fraud and abuse, to enforce our agreements, and/or to protect our legitimate interests.


4. Data subject’s rights

If you are located in the European Economic Area, in accordance with European Union data protection regulations, you have certain rights with respect to your personal data.


You have the right to request access to your personal data and to correct, amend, delete, or limit the use of your personal data by logging into your MakeRoom account or by contacting our Data Protection Office via email [email protected]. Furthermore, if you believe that we have unlawfully processed your personal data, you have the right to submit a complaint to the contact information provided below, or to your respective data protection supervisory authority. If you are the Customer of a Merchant, please contact the Merchant to exercise your data subject’s rights stated above.


5. Information security

We seek to use reasonable organizational, technical, and administrative measures to protect the confidentiality, integrity, and availability of personal data.


We take reasonable steps to maintain appropriate safeguards to ensure the security, integrity and privacy of the information you have provided us with. When you place an order or access your account information, we use a Secure Socket Layer (SSL) encryption which encrypts your information before it is sent to us, to protect it from unauthorised use. In addition, we will take reasonable steps to ensure that third party business partners’ to whom we transfer any data will provide sufficient protection of that personal information.


Unfortunately, no data transmission or storage system is guaranteed to be 100% secure, therefore we cannot guarantee absolute security of information. We encourage you to take care of the personal data in your possession that you process online and set strong passwords for your MakeRoom account, limit access of your computer and browser by signing off after you have finished your session, and avoid providing us with any sensitive information whose disclosure you believe could cause you substantial harm.


All of MakeRoom’s authorized personnel involved in the processing of your and your Customer’s personal data have committed themselves to confidentiality obligations and shall not access or otherwise process your personal data without your authorization if it’s not for the purposes of providing you our Services.


In the event that we experience a personal data breach, we will notify you (as a Merchant or a User) in compliance with the obligations set out in applicable laws.


6. International transfers of data

All the information you provide may be transferred or accessed by MakeRoom, its affiliated companies and subsidiaries around the world for the provision of our Services as described in this Privacy Policy. When we transfer your information globally we will take necessary measures to ensure adequate protection of your information.


7. Privacy Policy changes

We may occasionally amend this Privacy Policy, for example in cases when we introduce new services or new features. The amendments to this Privacy Policy enter into force and are applied from the moment they have been uploaded to this page.


Therefore, we encourage you to check this page from time to time. By continuing to use our Services or otherwise providing personal data to us, after the amendments to this policy have been implemented, you agree to the updated terms of Privacy Policy.


Contact

All comments, queries and other requests relating to our use of your information or this Privacy Policy should be addressed our Data Protection Officer on [email protected] or by post to: Data Protection, MakeRoom by RoomFifty Ltd, Castleton Mill, Castleton Avenue, Leeds, LS12 2DS, UK


 


Data Breach Policy

1. Introduction

1.1. MakeRoom holds, processes, and shares a limited amount of end-consumer personal data which is an asset needing to be suitably protected.


1.2. Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security.


1.3. Compromise of information, confidentiality, integrity, or availability may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative non-compliance, and/or financial costs.


2. Purpose

2.1. MakeRoom is obliged under the Data Protection Act to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility.


2.2. This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across MakeRoom.


3. Scope

3.1. This Policy relates to all personal and sensitive data held by MakeRoom regardless of format.


3.2. This Policy applies to all staff at MakeRoom. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of MakeRoom.


3.3. The objective of this Policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.


4. Definition / Types of Breach

4.1. For the purpose of this Policy, data security breaches include both confirmed and suspected incidents.


4.2. An incident in the context of this Policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to MakeRoom’s information assets and/or reputation.


4.3. An incident includes but is not restricted to, the following:


Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record);

Equipment theft or failure;

Unauthorised use of, access to or modification of data or information systems Attempts (failed or successful) to gain unauthorised access to information or IT system(s);

Unauthorised disclosure of sensitive / confidential data;

Website defacement;

Hacking attack;

Unforeseen circumstances such as a fire or flood; and

Human error

5. Reporting an incident

5.1. Any individual who accesses, uses or manages MakeRoom’s information is responsible for reporting data breach and information security incidents immediately to the Data Protection Officer at [email protected].


5.2. If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.


5.3. The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved.


6. Containment and Recovery

6.1. The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.


6.2. An initial assessment will be made by the DPO in liaison with relevant team members to establish the severity of the breach and who will take the lead investigating the breach (this will depend on the nature of the breach in some cases it could be the DPO).


6.3. The DPO will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.


6.4. The DPO will establish who may need to be notified as part of the initial containment and will inform the police, where appropriate.


6.5. Advice from experts across MakeRoom may be sought in resolving the incident promptly.


6.6. The DPO, in liaison with the relevant team members will determine the suitable course of action to be taken to ensure a resolution to the incident.


7. Investigation and Risk Assessment

7.1. An investigation will be undertaken by the DPO immediately and wherever possible within 24 hours of the breach being discovered / reported.


7.2. The DPO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.


7.3. The investigation will need to take into account the following:


the type of data involved its sensitivity;

the protections are in place (e.g. encryptions);

what’s happened to the data, has it been lost or stolen;

whether the data could be put to any illegal or inappropriate use;

who the individuals are, number of individuals involved and the potential effects on those data subject(s); and

whether there are wider consequences to the breach

8. Notification

8.1. The DPO, in consultation with the CTO and CEO, will determine who needs to be notified of the breach.


8.2. Every incident will be assessed on a case by case basis; however, the following will need to be considered:


Whether there are any legal/contractual notification requirements;

Whether notification would assist the individual affected – could they act on the information to mitigate risks?

Whether notification would help prevent the unauthorised or unlawful use of personal data?

Would notification help MakeRoom meet its obligations under the seventh data protection principle;

If a large number of people are affected, or there are very serious consequences, whether the Information Commissioner’s Office (ICO) should be notified. The ICO will only be notified if personal data is involved. Guidance on when and how to notify ICO is available from their website at: https://ico.org.uk/for-organisations/guide-to-eidas/breach-reporting/.


8.3. Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact MakeRoom for further information or to ask questions on what has occurred.


8.4. The DPO must consider notifying third parties such as the police, insurers, bank or credit card companies, and trade unions. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.


9. Evaluation and response

9.1. Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.


9.2. Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.


9.3. The review will consider:


Where and how personal data is held and where and how it is stored;

Where the biggest risks lie, and will identify any further potential weak points within its existing measures;

Whether methods of transmission are secure; sharing minimum amount of data necessary;

Identifying weak points within existing security measures;

Staff awareness; and

Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security.

9.4. If deemed necessary a report recommending any changes to systems, policies and procedures will be considered by RoomFifty Ltd’s board of directors.