Privacy Policy

From the 25th May 2018, the General Data Protection Regulation (GDPR) imposes legal obligations upon EU businesses that collect and process personal data, which is any information relating to an identifiable person. The policy sets out what data we collect, why we need it, how we protect it and your rights.

From time to time we may change this policy by updating this page. You should regularly check this page to ensure that you are happy with any changes.

what we collect

We may collect the following information:

  • Your Name
  • Your Postal address
  • Your Email address
  • Your Telephone number

what we do with the information we gather

For general enquiries:

  • To be able to respond to your enquiry

For customers:

  • To administer your contract with us, including service delivery and invoicing
  • To contact you directly to inform you of important services relating to your website and other services we provide

For website comments:

  • To show your name alongside the comment on our blog comments system

who is responsible for this data?

The Data Controller is responsible for the way in which personal data is processed. For all enquiries to the Data Controller, please use the following details:

Data Controller: Laurence Cope
Address: Office 5, Rombourne Business Centre, Moy Road Industrial Estate, Moy Road, Taffs Well, Cardiff, CF15 7QR
Telephone: 029 2009 8313

how we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data. See our security policy tab for more information.

your rights

You have the right to request:

  • information about how your personal data is processed
  • a copy of that personal data
  • that anything inaccurate in your personal data is corrected immediately

You can also:

  • raise an objection about how your personal data is processed
  • request that your personal data is erased if there is no longer a justification for it
  • ask that the processing of your personal data is restricted in certain circumstances

If you have any of these requests, get in contact with our Data Protection Officer above, clearly stating what your request is for.

sharing your information

We will not share your information with any third parties for the purposes of direct marketing, nor for any reason unrelated to fulfilling the nature of the enquiry or contractual service we provide. If we need to share your data with third parties in order to deal with your enquiry or the service we provide, we will contact you for consent.

We will have contracts in place with any data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

In some circumstances we are legally obliged to share information, for example under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.

how long we keep your data

We will only retain your personal data for as long as:

  • it is needed for the purposes set out in this document
  • the law requires us to

In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 7 years.

links to other websites

This site contains links to other websites.

This privacy policy only applies to Fielder Digital Ltd, and doesn’t cover other websites or organisations. Third party websites we link to should have their own terms and conditions and privacy policies.

If you go to another website from this one, read the privacy policy on that website to find out what it does with your information.

contact us or make a complaint

You can contact us via the contact form on the home page or the details above.

You can make a complaint using our complaints process tab.

Cookie Policy

What Are Cookies

A cookie is a small file which is placed on your computer’s hard drive to help store your user preferences, login and session states, analyse web traffic or let you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Cookies Used On This Site

The following cookies may be set.

System specific: Visit this link for more information

Google Analytics: __utma, __utmb, __utmc, __utmz: We use Google Analytics to monitor and report on our website usage such as the number of visitors to the site, search phrases used to find us, pages visited on the site and time spent on the site. The statistics gathered are a necessary requirement in order for us to provide and improve our value added products and services and to stay competitive. The cookies do not identify users nor associate your IP address with any personally identifiable information. These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. Google’s privacy policy is found here: http://www.google.com/analytics/learn/privacy.html

Third Party Cookies

Our website uses features of other websites that may leave a cookie. These are third-party cookies and we are unable to block or prevent them without removing the feature from our site. For information about those cookies you would need to check the originator’s website for their cookie policy. The third-party cookies left are as follows:

Facebook: Our website utilises the Facebook Like button functionality to share content. If a user clicks the Like button and logs into Facebook via our website, Facebook will leave a cookie on the user’s computer. This is the same process as if the user logs into Facebook directly, or clicks Like on any other website. Facebook’s privacy policy is set out here: http://www.facebook.com/about/privacy/

How To Disable Cookies

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org. To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.

Disclaimer

The information contained in this website is for general information purposes only. Although we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under our control. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorsement of the views expressed within them.

Every effort is made to keep the website up and running smoothly. However, we take no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Copyright

This website and its content are the copyright of the website owner. All rights reserved.

Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following:

  • You may print or download to a local hard disk extracts for your personal and non-commercial use only
  • You may copy the content to individual third parties for their personal use, but only if you acknowledge the website as the source of the material

You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.

Security Policy

Fielder Digital takes security seriously which is why we have the following policy in place:

servers

  • We frequently update all our web hosting servers to use the latest software, which would include security and bug patch releases
  • Serious security threats would be patched on the servers as soon as possible
  • We have an industry leading firewall to protect the servers, in particular:
    • DDoS Attacks
    • Block vulnerable scripts in CMS
    • Monitor suspicious activity (several password failures for example) and block IP addresses
    • Closed all ports except from approved IP addresses
  • No public facing control panels
  • Secure password policy, at least 8 characters of random uppercase and lowercase letters, numbers and symbols, including database passwords
  • Virus and malicious file scanner continuously scanning the server for malicious files with immediate quarantine
  • Connection to servers from our approved IP addresses is via Secure Shell Access methods only (SSH). We do not use insecure FTP, but secure SFTP.

websites

  • Secure password policy for logins
  • Systems kept up to date where feasible*
  • Reputable content management systems and plugins that have in-built security protection
  • Hard to guess admin URLs
  • SSLs as standard**
  • We have strict guidelines, standards and a go live checklist we follow to build websites to a high standard and to ensure security is met

WordPress in particular additionally has:

  • Security and firewall plugins to monitor and protect it from malicious access
    • Includes virus and malicious file scanner continuously scanning the server for malicious files with immediate quarantine
  • Automatic and frequent updates to WordPress core, themes and plugins
  • Disabled XMLRPC and JSON API
  • Only reputable themes and plugins are used, with high ratings and frequent updates.
  • We try our best NOT to use WordPress themes that are abundantly available online, due to security, bug and usage issues. ***
  • Further information about WordPress security can be found here

eCommerce Websites

  • All our eCommerce websites do NOT store credit card information. We use third party gateways to process the payments (e.g. Stripe or Paypal)
  • Where possible we encourage customers to use offsite payment processing where the user is directed to the payment gateway site for payment, or to use Stripe, so card data never passes through our system. Some eCommerce websites do process card data via the payment gateway plugins and so could technically be hijacked if malicious users gain access; the above security policy is aimed at preventing this access.

And of course, expert developers on hand to deal with any issues that do arise.

* Some older systems are not easily upgradeable and require rebuilds at cost, and so it would be the responsibility of the customer to instigate this. Newer systems such as WordPress are auto-updated.
** SSLs as standard has only been in practice since 2017 and so older websites may not have them unless requested.
*** Except DIVI, which is technically a theme, but unlike any other!

employees

  • Employees are required to surrender any company data they may have upon leaving employment and sign a form to state they have done so
  • Passwords are then changed and any access to systems they may have is revoked

email server

  • We operate an email server separate from the web servers, which allows us to be more selective about the software running on them and reduces the chance of malicious emails being stored on web servers
  • Secure password policy for email accounts
  • Firewall protection as above, with IP banning after several incorrect login attempts
  • Secure mail server via SSL

data protection

As a team, we do need to share passwords and other sensitive data. So we use a leading secure password and note management system to store and share passwords and notes with sensitive data within the team. The password manager uses industry standard encryption to encrypt data, and requires several authentication levels to access it.

It is rare that we store sensitive data on paper, but if we do then it is temporary and will be shredded afterwards. We normally transfer paper-based information to digital storage.

Mobile devices such as laptops and mobile phones, that may have access to sensitive data (e.g. in an email) are protected by password, PIN or fingerprint access that only the owner knows.

site access

  • Our office is in a shared business centre protected first by a passcode/card entry door, and then our own office door.
  • CCTV exists on the premises
  • The office door is locked when no one is present
  • Out of general office hours the main front door is locked and the building protected by an alarm

data breach process

In the unfortunate event that we do have a data breach, we have a data breach process in place here.

data centre

Our servers are hosted at London’s Harbour Exchange Square with a leading European data centre, TelecityGroup, and using Linode as the server supplier.

Data Centre Security

  • Controlled access – access cards, biometrics and visual identification
  • 24/7/365 manned security
  • High security standards – ISO27001:2005 Security Management standard
  • Audited by the government’s Centre for the Protection of National Infrastructure

Data Breach Policy

data breach policy

The Data Protection Officer (DPO): Laurence Cope

introduction

Amity Web Solutions collects, stores, processes, and shares personal data of its customers and its customers’ customers. Every care is taken to protect personal data from accidental or deliberate incidents to avoid a data protection breach. A data breach of personal data may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative non-compliance, and/or financial costs.

purpose and scope

Amity Web Solutions is obliged under Data Protection legislation to have in place a framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility.

This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents.

This policy relates to all personal and special categories (sensitive) data held by Amity Web Solutions regardless of format.

This policy applies to all staff at Amity Web Solutions. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of Amity Web Solutions.

The objective of this policy is to have a formal process in place to help contain any breaches, to help minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.

definitions / types of breach

A personal data breach is:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

A personal data breach may mean that someone other than the data controller gets unauthorised access to personal data. But a personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data.

An incident includes but is not restricted to:

  • Loss or theft of personal data or the equipment on which the data is stored e.g. laptop, memory stick, smartphone, or paper record
  • Theft or failure of equipment on which personal data is stored
  • Unauthorised use of or access to personal data
  • Attempts to gain unauthorised access to personal data
  • Unauthorised disclosure of personal data
  • Website defacement
  • Hacking attack

reporting an incident

Any person using personal data on behalf of Amity Web Solutions is responsible for reporting data breach incidents immediately to the DPO. The report should contain the following details:

  • Date and time of discovery of breach
  • Details of person who discovered the breach
  • The nature of the personal data involved
  • How many individuals’ data is affected

The report must include:

  • who is reporting it
  • details of the incident
  • when the breach occurred (dates and times)
  • if the data relates to people and how many individuals are involved
  • the nature of the information

The forms are located at the bottom of this document.

containment and recovery

The DPO will first determine if the breach is still occurring and take the appropriate steps to minimise the effect of the breach.

An initial assessment will be made by the DPO with relevant staff members to establish the severity of the breach.

The DPO will determine the suitable course of action to be taken to ensure a resolution to the incident.

investigation and risk assessment

An investigation will be carried out without delay and where possible within 24 hours of the breach being discovered. The DPO will assess the risks associated with the breach, the potential consequences for the data subjects, how serious and substantial those are and how likely they are to occur.

The investigation will take into account the following:

  • The type of data involved and its sensitivity
  • The protections in place (e.g. encryption)
  • What has happened to the data
  • Whether the data could be put to illegal or inappropriate use
  • Who the data subjects are, how many are involved, and the potential effects on them
  • Any wider consequences

notification

If the breach is likely to adversely affect the personal data or privacy of our customers or customers’ customers, we will notify our customers of the breach without unnecessary delay. We will tell them:

  • Our name and contact details;
  • the estimated date of the breach;
  • a summary of the incident;
  • the nature and content of the personal data;
  • the likely effect on the individual;
  • any measures we have taken to address the breach; and
  • how they can mitigate any possible adverse impact.

We do not need to notify customers about a breach if we can demonstrate that the data was encrypted (or made unintelligible by a similar security measure).

ico notification

We will notify the ICO within 24 hours of becoming aware of the essential facts of the breach. This notification will include at least:

  • Our name and contact details;
  • the date and time of the breach (or an estimate);
  • the date and time we detected it;
  • basic information about the type of breach; and
  • basic information about the personal data concerned.
  • We will report a breach using the ICO breach notification form https://report.ico.org.uk/security-breach/
  • If possible, we will also include full details of the incident, the number of individuals affected and its possible effect on them, the measures taken to mitigate those effects, and information about our notification to customers. If these details are not yet available, we will provide them as soon as possible.

We will submit a second notification form to the ICO within three days, either including these details or telling them how long it will take to get them.

evaluation and response

Once the incident is contained, the DPO will carry out a full review of the causes of the breach and the effectiveness of the response(s), and instigate corrective action to systems, procedures and controls to minimise the risk of similar incidents occurring.

more information

data breach reporting forms

Once a data breach has been identified, the person identifying the breach should complete the forms and give them to the DPO.
There are 3 forms to be used:
  • Data Breach Form 1: Personal details and information on the affected company (not to be shared with third parties)
  • Data Breach Form 2: Details on the data breach incident as per the indications in Article 33 of the GDPR, to be sent to the national supervisory authority, where feasible, no later than 72 hours after having become aware of the breach
  • Data Breach Form 3: A section to be completed following the 72-hour period when more information is available on the data breach, which includes complementary data sets to gain more in-depth knowledge of the nature of the breach