Ride Sunderland - Cycle World Privacy Policy & Cookies

Data matters. Here’s our privacy policy.

Who are we?
‘We’ are Cycle World Sunderland Limited, a privately owned family business. We are the controller of your personal data. A controller decides how and why your information is processed. We, us and our throughout this page, means Cycle World Sunderland TA Ride Sunderland

Overview
Essentially, we process your personal data to sell you a product or service, or give you information about a product you’ve expressed an interest in; including all of the necessary steps to fulfil that. We also process your data that you provide during a sale or enquiry to tell you about other products that we think you might be interested in the future, either by email, SMS, mobile messaging service or telephone.

When we use your data for unsolicited marketing through email and SMS, we give you a clear choice to opt-out either on the website or when in person, at the time we collect your data; furthermore we will always give you a clear, easy to use option to opt-out at any future time we send you any unsolicited marketing however the data was collected. If you’re not enquiring about a specific product, then you have to opt in to our newsletter.

Where we use your personal data collected through cookies (see below) for statistics or usage data on the website through, the only data we collect is the IP address and that never gets recorded to a customer file. It mostly so we can see how the site is performing, with stuff like page load times and page views.

We do not merge personally-identifiable information (for example information from any orders placed with us) with non-personally identifiable information collected through cookies or other means.

We may use your data collected through the website or in store to look at your buying history or enquiries to send you information about related products or services which we think you could be interested in. We could contact you about these by telephone, email, post or SMS/mobile messaging services.

We never pass your details to third parties for their marketing without your consent, and we never buy or sell lists in either.

We will never use automated marketing by telephone.

We will never process your data using any lawful basis in a way that we would ever think you could consider unreasonable.

We like to think we’re the good guys, and if you’re unhappy with anything we’ve done then we want to know about it so we can put it right, regardless of your rights under the General Data Protection Regulations. We’re not in the business of selling motorcycles and everything that goes with it to intentionally upset people, life is too short.

About this policy
We take your privacy seriously and it is very important to us. New GDPR rules which govern why and how we store your data, and what we do with it came into force across the whole of Europe on 25th May, 2018.

We continually revise and strengthen our IT systems, security policies and privacy policies to make sure we are following best practice in protecting our data, and yours.

We never have, and never will buy in or sell customer data, and only pass personal data to third parties where we believe there is a lawful basis for processing that data.

You will find contact details at the end of this page which can be used if you have any questions or concerns, including how to make a complaint.

As with all policies, this policy may change from time to time. This policy was last updated on 26th June, 2023.

What do we actually collect?
We collect personal data from you in order to fulfil a contract, or handle a request for information. This information may be given over the internet, telephone, email, in person or any other way you choose.

The information you give to us includes your name, contact details (such as phone number, email address and address), enquiry details and your opinion of our products. When you’re on our website, we also collect and record your IP address for statistic building. The only time your IP address is recorded against your account is when you place an order for an item online, this forms part of our fraud checks.

The ICO consider an IP address personal data, and we understand why. However, in reality it’s generally the IP address given to the router you are connected to and is shared by every other device connected to that router. Furthermore, most users have their IP address changed by their service providers on pretty regular intervals, at which point, somebody else could have ‘your’ IP. It’s largely useless to us as a way of identifying you, other than confirming at the time it’s recorded only, roughly where the computer/device is at the time they are on our site.

We may automatically collect the following personal information through cookies: details of your browser and operating system, the website from which you visited our website (the referrer, such as Google or manufacturer websites), the pages that you visit on our website, the date of your visit, and, for security reasons, e.g. to identify attacks on our website, the Internet protocol (IP) address assigned to you by your internet service. This data is never linked to a customer record, and is essentially, anonymised.

Please see our link to our Cookie Policy at the bottom of this page for further info.

We may also collect any personal information which you allow to be shared that is part of your public profile on a third party social network such as Facebook, Instagram or others. We might use this data to send targeted adverts on social media, but again we don’t actually record that information.

Personal information we may receive from other sources
We obtain certain personal information about you from sources outside our business which may include third party companies with whom you have granted content, or who have a legitimate interest in sharing data with us.

We process your data, based on one of the following lawful basis:
Consent
Where you have given us a clear instruction to use your data to provide a service. It may be that you have given us your data to order a product for example or provide you with a finance quote or product information. It may be that you haven’t enquired about a product or bought one but have opted in to our marketing. Generally, in the form of an occasional newsletter.

Contract
Much like the above, we may lawfully use your information in order to enter into a contract with us; for example, making a finance application ahead of a purchase.

Vital Interests
Although Vital Interests are largely not a lawful basis for us to process much of your data, we take a view that letting you know about an important safety recall on a product you have purchased would be processed under this basis in order to protect you from possible malfunction or product failure that could result in serious injury or death.

Legitimate interests
We may use your personal information where it is necessary for us to pursue our legitimate interests, or those of a third party.

There’s generally a lot of common sense written about this. Guidance from the ICO (see ICO.org.uk) say that this basis for processing is:
“It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing”

Even before the new GDPR rules came in, we complied with the DPA and we would never have processed your personal data in a way that we’d expect you to find unreasonable or breach your privacy in any significant way. We’ve talked about this a lot over the years, for example we used to send postcards years ago through the post, but we stopped when we considered that customers may not want the person delivering the card to know that there was a bike in the garage (or their partner to know, for that matter)… Anything we send now is in unmarked, sealed envelopes. It’s small stuff, but we do try to consider it all.

ICO guidance suggests that Legitimate Interests can include our own interests or those of third parties, and can include processing for commercial interests.

For example, you may purchase a new Giant bicycle from us. We may pass your contact details to Giant in order for them to send you a survey to get feedback from you about your purchase. There is a commercial reason for Giant to want to gather this information and share it back with us (anonymised or otherwise at your request) and we will process this under legitimate interests. It’s not contractual, as it is not necessary to share data in this way in order to fulfil the contract and you can opt out of contact from Giant or Third Parties at any time by telling us.

We also use Legitimate Interests as a lawful basis for the following:
• for analysis, and profiling (looking at what you’ve bought or enquired about) to inform our marketing strategy
• to understand which products our wider customer base is interested in, aggregating data
• to administer our website, including testing and statistic building (all we use for this purpose is an IP address, which doesn’t get correlated with a single user in our database)
• for marketing activities (other than where we rely on your consent) including sending/pushing marketing messages through social media and other third party platforms;
• for the prevention of fraud and other criminal activities;
• to correspond and communicate with you;
• for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access;
• to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our opted-out lists in order to be able to comply with your request);
• to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings; and
• for general administration including managing your queries, complaints, or claims.

Unsolicited Marketing
The rules under the Privacy and Electronic Communications Regulations lay out the rules under which we can send you unsolicited marketing information, that is, marketing about a product or service which has not been specifically requested by you.

Broadly speaking, we process your personal data for unsolicited marketing where you have given us clear consent, or have soft opted-in to marketing, from us and us alone, as an existing customer by either buying, negotiating or asking for information about a product or service we sell.

Where we rely on the soft-opt in as a lawful basis for sending unsolicited marketing by email and SMS/mobile messaging services, we have and will always give you the option to opt out of these message; both when you first give us your information and every time we contact you in the future by those means.

Our suppliers and service providers
We may disclose your information to our third party service providers, agents, subcontractors and other organisations for the purposes of providing services to us or directly to you on our behalf. Such third parties may include courier companies, cloud services providers (such as web hosting and email management) or advertising services such as MailChimp, administrative services or other third parties who provide services to us.

When we use third party service providers, we only disclose to them any personal information that is necessary for them to provide their service and in a way that we not expect you to think was unreasonable, meaning usually, your email address and name. They do not pass this data on to any other companies/Processors.

We have worked hard to ensure that information transferred to and from all of our service providers (Processors) is done securely and following best practice, only done where it’s necessary and generally to fulfil a contract in the enquiry, purchase or negotiation of a sale that you have initiated.

How long do we keep your data?
There are a number of factors determining this, including what the data is and what legal obligations are elsewhere in data retention, but generally not longer than seven years from the date of last interaction. Data is held securely in all instances. This applies to both staff data, and customer data.

Your rights to your data
You have a number of rights in relation to your personal information under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received this information or, where no such information is required, after we have received your request.

Accessing your personal information
You have the right to ask to see the information that we hold about you by emailing or writing to us at the address at the end of this policy. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

This information is generally held in a non-downloadable form, may include copies of bike invoices, application and order forms, job cards or bike registration documents which are archived securely offsite. We can show you the data we have in person and on screen, generally it will include your name and address, telephone number, email address, bike registration, make and model, purchase history and enquiry history. We do not store or use any data collected through cookies to attach it to your customer history, or link any personal information from any social channels.

Withdrawing your permission
Where we rely on your consent to process your information, you can request that we stop doing that by calling our main number (0191 514 1974) and asking to withdraw consent of data processing. We may still have a lawful basis for processing your data based on the above, but we will try wherever we can to comply with your request.

You have a number of rights in relation to your personal information under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received this information or, where no such information is required, after we have received your request.

Complaining to the UK data protection regulator
You have the right to complain to the Information Commissioners Office (ICO) if you are concerned about the way we have processed your personal information. Please visit the ICO’s website for further details.