Everything you need to know.
Updated: MAY 2018
- Data Controller
- GDPR Data Protection Framework
- Privacy Principles
- What personal data we collect
- How we use your data
- Our Cookies Policy
- How long we keep your data?
- The Legal Basis for using your data
- How we ensure your privacy is maintained
- Your Legal Rights relating to your personal data
- Contact Details
At AP Diving we are committed to ensuring that your personal information is protected and never misused.
We take full responsibility for the security of the personal information we collect about you, we aim to be transparent about how we handle it and we aim to give you complete control over the retention or deletion of your personal information.
The Data Controller in respect of personal data supplied to us is Ambient Pressure Diving Ltd (company registration number: 04118978).
DATA PROTECTION FRAMEWORK
AP Diving has completed applicable Privacy Impact Assessments (also known as Data Protection Impact Assessments under GDPR) for all areas of our business and activities related to our business that involve the control and processing of personal information.
Privacy Policies can be complicated. We have tried to make ours as clear as possible. To help, this is a brief summary of our privacy principles.
At AP Diving we:
- Will only ask for or collect the personal information we need to provide and improve the service, products and experiences our customers expect.
- Give you control over the personal information we hold about you to ensure it is accurate and reflects your preferences.
- Make sure your personal information is always secure and protected.
- Are fair and transparent about how we use the personal information we hold.
- Only ever use your personal information for the purposes that you trusted us to use it for.
- Will never sell or give away your personal information.
- Respect your choices and will inform you if there are important changes that affect your personal information or how we use it.
- Take responsibility for the personal information that we hold about you.
- Where data is given by “Consent” we will make sure this is an active opt-in for a specific and unambiguous purpose. That is, an act of silence, pre-ticked boxes or inactivity do not qualify as an opt-in.
These principles demonstrate our commitment to protecting your privacy and handling your personal information in the right way and as you would expect it to be handled.
If you have any questions, comments or concerns about any aspect of this Policy or how we handle your personal information at AP, please email our Privacy Team at email@example.com
This Policy applies whether you purchase goods or services from us from the apdiving.com website, via telephone, email or fax, from a visit to our factory site or purchase from the AP Diving stand at one of the many Dive Shows we attend nationally and internationally.
WHAT PERSONAL DATA DO WE COLLECT?
AP Diving may collect the following information about you:
- When you place an order for goods or services on our website, by telephone/fax or in person at our factory sales office or at the AP Diving stand at any Dive Show: we may collect all or some of the following: your name, email address, billing address, shipping address, company name (if applicable), VAT number (if applicable) and payment card details. If you do not provide this information, you may not be able to purchase goods or services from us or enter into a contract with us.
- your communication and marketing preferences;
- your on-line browsing activities on the AP Diving website;
- your interests, preferences, feedback and survey responses;
- your correspondence and communications with AP Diving; and
- other publicly available personal data, including any which you have shared via a public platform (such as a Twitter feed, or public Facebook page).
This list is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this Policy. Some of the above personal data is collected directly, for example when you set up an on-line account on our website, complete an online order form or send an email to our sales team. Other personal data is collected indirectly, for example your browsing or shopping activity. We may also collect personal data from third parties but only if they can prove your consent to pass your details to us.
See the section below “Legal Basis for Using Your Data” for more information.
PERSONAL DATA WE DO NOT COLLECT
Sensitive Personal Information
We do not knowingly or intentionally collect what is commonly referred to as ‘sensitive personal information’ such as religion, health status, ethnic origin, political views, union membership, your biometric information, sexual orientation etc. Please do not submit sensitive personal information about yourself to AP Diving. For more information about what constitutes sensitive personal information, please see https://ico.org.uk/and navigate to the Special Category Data section.
Children’s Personal Data
The AP Diving website or AP Diving sales offices or Dive Show stands, and any goods or services available from AP Diving, are not directed to children under the age of 13. If you learn that a child under the age of 13 has provided us with their personal information without having parental consent, please contact the Company’s Data Protection Team (firstname.lastname@example.org) immediately so that we can take appropriate action.
HOW WE USE YOUR DATA
AP Diving uses your personal data:
- to provide goods and services to you;
- to make a tailored website available to you;
- to manage any registered account(s) that you hold with us;
- to verify your identity;
- for crime and fraud prevention, detection and related purposes;
- for product warranty purposes where applicable;
- to maintain a voluntary register of Inspiration rebreather owners to verify user qualification status, as part of our commitment to safety as a responsible manufacturer;
- to inform you of any safety notices and/or product recalls;
- to contact you electronically with important product updates, such as firmware and software upgrades;
- with your agreement: to contact you electronically about promotional offers and products and services which we think may interest you;
- for market research purposes - to better understand your needs;
- to enable AP Diving to manage customer service interactions with you; and
- where we have a legal right or duty to use or disclose your information (for example in relation to an investigation by a public authority or in a legal dispute).
AP Diving aims to inform existing customers about products & services, which are of interest and relevance to you as an individual. We will also send such emails to individuals who may not yet be AP Diving customers but who have opted to receive our newsletters by requesting this on the apdiving.com website or in person for example, requesting to join this mailing list at a Dive Show.
You have the right to opt out of receiving promotional communications at any time, by:
- changing your marketing preferences in the “Account Information” section of your AP Diving account;
- making use of the simple “unsubscribe” link in emails or the “STOP” number for texts; and/or
- contacting our Privacy Team at email@example.com.
Web Banner Advertising
If you visit our website, you may receive personalised banner advertisements whilst browsing other websites. Any banner advertisements you see will relate to products you have viewed whilst browsing our websites on your computer or other devices.
Sharing Data With Third Parties
Our service providers and suppliers:
In order to make certain services available to you, we may need to share your personal data with some of our service partners. These include IT, delivery and marketing service providers.
AP Diving only allows its service providers to handle your personal data when we have confirmed that they apply appropriate data protection and security controls. We also impose contractual obligations on service providers relating to data protection and security, which mean they can only use your data to provide services to AP Diving and to you, and for no other purposes.
Other Third Parties:
Aside from our service providers, AP Diving will not disclose your personal data to any third party, except as set out below. We will never sell or rent our customer data to other organisations for marketing purposes.
We may share your data with:
- credit reference agencies where necessary for card payments;
- governmental bodies, regulators, law enforcement agencies, courts/tribunals and insurers where we are required to do so: -
- to comply with our legal obligations;
- to exercise our legal rights (for example in court cases);
- for the prevention, detection, investigation of crime or prosecution of offenders; and
- for the protection of our employees and customers.
To deliver products and services to you, it is sometimes necessary for AP Diving to share your data outside of the European Economic Area. This will typically occur when service providers are located outside the EEA or if you are based outside the EEA. These transfers are subject to special rules under GDPR data protection laws.
If this happens, we will ensure that the transfer will be compliant with data protection law and all personal data will be secure. Our standard practice is to use ‘standard data protection clauses’ which have been approved by the European Commission for such transfers. Those clauses can be accessed at: https://ec.europa.eu/info/law/law-topic/data-protection_en.
Where third party service providers are located in the United States of America we ensure that your data is protected under the EU-US Privacy Shield framework. https://www.privacyshield.gov/welcome
What are cookies?
How are cookies managed?
The cookies stored on your computer or other device when you access our websites are designed by:
- AP Diving, or on behalf of AP Diving, and are necessary to enable you to a make purchases on our website;
- third parties who participate with us in marketing programmes; and
- third parties who broadcast web banner advertisements on behalf of AP Diving.
What are cookies used for?
The main purposes for which cookies are used are:
- For technical purposes essential to effective operation of our websites, particularly in relation to online transactions and site navigation.
- For AP Diving to market to you, particularly web banner advertisements and targeted updates.
- To enable AP Diving to collect information about your browsing and shopping patterns, including to monitor the success of campaigns, competitions etc.
- To enable AP Diving meet its contractual obligations to make payments to third parties when a product is purchased by someone who has visited our website from a site operated by those parties.
How do I disable cookies?
If you want to disable cookies you need to change your website browser settings to reject cookies. How you can do this will depend on the browser you use. Further details on how to disable cookies for the most popular browsers are set out below:
For Microsoft Internet Explorer:
- Choose the menu “tools” then “Internet Options”
- Click on the “privacy” tab
- Select the setting the appropriate setting
For Google Chrome:
- Choose Settings> Advanced
- Under "Privacy and security," click “Content settings”.
- Click “Cookies”
- Choose Preferences > Privacy
- Click on “Remove all Website Data”
For Mozilla firefox:
- Choose the menu “tools” then “Options”
- Click on the icon “privacy”
- Find the menu “cookie” and select the relevant options
For Opera 6.0 and further:
- Choose the menu Files”> “Preferences”
What happens if I disable cookies?
This depends on which cookies you disable, but in general the website may not operate properly if cookies are switched off. If you only disable third party cookies, you will not be prevented from making purchases on our site. If you disable all cookies, you will be unable to complete a purchase on our site.
HOW LONG DO WE KEEP YOUR DATA?
We will retain your data for no longer than necessary for the purposes set out in this Policy. Different retention periods apply for different types of data.
Rebreather Owner Register:
In the case of the Inspiration Rebreather Owner Register, we will retain this personal information for as long as that person continues to own a rebreather (regardless of whether they dive with it) unless they request we remove them from the register in the event that they sell or scrap that rebreather.
Personal data collected for the purpose of completing a contract in the sale of AP Diving goods and services will be retained for 6 years, which is the time we are obliged by HMRC to keep a record of all financial transactions. https://www.gov.uk/running-a-limited-company/company-and-accounting-records
Direct Selling or Newsletter Sign-up Data:
The longest we will hold any personal data is 6 years from the recorded date of consent.
BCD Product Warranty Data:
AP Diving Customers have the option on purchase of our BCD products to register this purchase and qualify for the extended warranties we offer. These include a 3-year warranty on all outer materials and a ““First-owner Life-time Warranty” on the integrity of the inner bladder. Therefore we will hold any personal data submitted as part of this registration indefinitely or until requested otherwise by the customer.
LEGAL BASIS FOR USING YOUR DATA
We are required to set out the legal basis for our ‘processing’ of personal data.
AP Diving collects and uses customers’ personal data because is it necessary for:
- the pursuit of our “Legitimate Interests” (as set out below);
- the purposes of complying with our duties and exercising our rights under a “Contract” for the sale of goods or services to a customer (as set out below); or
- complying with our “Legal Obligations”.
- “Consent” for direct marketing communications to prospective customers - but only when we have a clear record of the nature of this consent, when this consent was given and if it falls within the time frame of how long we state we will retain such data in this Policy.
- “Vital interests”. That is, “life or death” situations to protect the vital interests of the data subject, or another natural person.
- “Public interest”. That is, if it relates to tasks executed in the public interest, by official authority of the data controller.
- “Member state specific purposes”, including national law and public interest requirements.
In general, we only rely on “Consent” as a legal basis for processing in relation to sending direct marketing communications to prospective customers via email or text message.
Customers have the right to withdraw consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.
Our Contractual Interests
The normal legal basis for processing customer data, is that it is necessary for the contractual interests of AP Diving, including:
- Contracting to sell and supply goods and services to our customers;
Legal basis for processing: “Contractual necessity” – the data is necessary to perform a contract (Article 6(1)(b) of the General Data Protection Regulation).
Reason why necessary to perform a contract: we need the mandatory information collected by our checkout form online or for our sales team/ERP systems, to establish who the contract is with and to contact you to fulfil our obligations under the contract, including sending you order confirmations, goods and receipts.
Legal obligation: we have a legal obligation to issue you with an invoice for the goods and services you purchase from us where you are VAT registered and we require the mandatory information collected by our checkout form or our sales team/ERP systems, for this purpose. We also have a legal obligation to keep accounting records, including records of transactions.
Our Legitimate Interests
The normal legal basis for processing customer data, is that it is necessary for the “Legitimate Interests” of AP Diving, including:
- Protecting customers, employees and other individuals and maintaining their safety, health and welfare;
- Promoting, marketing and advertising our products and services to existing customers;
- Sending promotional communications which are relevant and tailored to individual existing customers;
- Understanding our customers’ behaviour, activities, preferences, and needs;
- Improving existing products and services and developing new products and services;
- Complying with our legal and regulatory obligations;
- Preventing, investigating and detecting crime, fraud or anti-social behaviour and prosecuting offenders, including working with law enforcement agencies;
- Handling customer contacts, queries, complaints or disputes;
- Managing insurance claims by customers;
- Protecting AP Diving, its employees and customers, by taking appropriate legal action against third parties who have committed criminal acts or are in breach of legal obligations to AP Diving;
- Effectively handling any legal claims or regulatory enforcement actions taken against AP Diving; and
- Fulfilling our duties to our customers, colleagues and other stakeholders.
HOW WE PROTECT YOUR DATA
Our Controls - How we secure your information
AP Diving is committed to keeping your personal data safe and secure.
Our security measures include:
- encryption of data;
- regular cyber security assessments of all service providers who may handle your personal data;
- regular scenario planning and crisis management exercises to ensure we are ready to respond to cyber security attacks and data security incidents;
- regular penetration testing of systems;
- security controls which protect the entire AP Diving IT infrastructure from external attack and unauthorised access; and
- internal policies setting out our data security approach and training for employees.
SSL Encryption of Payment Card Details
When purchasing goods online from apdiving.com your card details are SSL encrypted and go directly to SagePay (https://www.sagepay.co.uk), our third party card payment processing company. The card details are not visible to (or obtainable by) any employee of AP Diving.
Our site uses the strongest commercially available level 256-bit Secure Socket Layer (SSL) encryption, which is verified and certified annually by GeoTrust. Our current GeoTrust certificate can be seen by going here https://www.apdiving.com/en/security-policy/ and clicking on the GeoTrust symbol. See https://www.geotrust.com for more information. This ensures that your transactions are secure and your information cannot be hi-jacked or redirected.
AP Diving also uses 3D Secure as an additional layer of fraud prevention security in conjunction with SagePay, our third party card payment processing company.
3D Secure stands for 3 Domain Server. There are 3 parties that are involved in the 3D Secure process:
- The company the purchase is being made from;
- The Acquiring Bank (the bank of the company);
- VISA and MasterCard (the card issuers themselves).
3D Secure allows shoppers to create and assign a password to their card that is then verified whenever a transaction is processed through a site that supports the use of the scheme. The addition of password protection allows extra security on transactions that are processed online.
The scheme is a collective of Verified by VISA (VBV) https://www.visa.co.uk/products/protection-benefits/verified-by-visa/ and MasterCard Secure Code (MSC) https://www.mastercard.co.uk/en-gb/consumers/features-benefits/securecode.html. It is the most recent fraud prevention initiative that is available currently. More information can be found here: https://www.sagepay.co.uk/support/12/36/3d-secure-explained
Payment Card Details
When you make a purchase or place an order with us via telephone, in person at AP Diving or at a Dive Show your payment card details are collected but only for the period of the transaction. No payment card records are retained unless specifically requested by the customer. Such records are secured electronically and encrypted. No physical copy is retained and any that are made temporarily during the transaction are destroyed by shredding or securely redacted.
We are committed to an ongoing employee-training programme and to fostering a culture of privacy & data security among all AP Diving staff involved in the processing and protection of personal data. We are committed to the GDPR principles of ‘Privacy by Design & Default’ in that we take appropriate technical and organisational measures to secure your information and to protect it against unauthorised or unlawful use and accidental loss or destruction, including:
- only sharing and providing access to your information to the minimum extent necessary, subject to confidentiality restrictions where appropriate, and on an anonymised basis wherever possible;
- using secure servers to store your information;
- verifying the identity of any individual who requests access to information prior to granting them access to information;
- using Secure Sockets Layer (SSL) software to encrypt any information you submit to us via any forms on our website and any payment transactions you make on or via our website;
- only transferring your information via closed system or encrypted data transfers.
Transmission of information to us by email
Transmission of information over the internet is not entirely secure, and if you submit any information to us over the internet by email, you do so entirely at your own risk.
We cannot be responsible for any costs, expenses, loss of profits, harm to reputation, damages, liabilities or any other form of loss or damage suffered by you as a result of your decision to transmit information to us by such means.
AP Diving uses a third party email security provider to store and filter emails you send us. Our third party email provider is NCi Technologies. More information is available here: https://www.ncitech.co.uk/Business_IT_Services/IT_Security
Where we store your personal information
Customer order data is stored electronically within a secure ERP system on a secure and protected server. Paper copies of goods and services transactions are kept in secure storage.
AP Diving uses a third party IT company to protect and secure our company intranet. Our third party IT provider is NCi Technologies. This is a comprehensive package of managed security services including: Anti-virus, Firewall, a Backup & Disaster Recovery (BDR) system, Email security and Web Content Filtering. More information is available here: https://www.ncitech.co.uk/Business_IT_Services/IT_Security
Customer registration data and consensual email marketing data are stored in locked files held on the secured company server. Any personal data is secured and encrypted if and when it is transported away from the AP Diving servers for example when necessary for use at Dive Shows on company laptop computers or mobile phones.
By registering on the website or sending us your personal information by other means, you are indicating your consent for your personal information to be stored on our servers within the EEA.
Should your personal data be processed by any of our GDPR-compliant sub-processors that are based outside of the EEA (in order to fulfil our services to you) we will have practiced due diligence in vetting these third parties and ensured that your data is protected under the EU-US Privacy Shield framework (USA) or a ‘standard data protection clause’ approved by the European Commission for Third Parties operating in other non-EEA countries.
WHAT YOU CAN DO TO HELP PROTECT YOUR DATA
AP Diving will never ask you to confirm any bank account or credit card details via email. If you receive an email claiming to be from AP Diving asking you to do so, please ignore it and do not respond.
If you are using a computing device in a public location, we recommend that you always log out and close the website browser when you complete an online session.
In addition, we recommend that you take the following security measures to enhance your online safety both in relation to AP Diving and more generally:
- keep your account passwords private.
- when creating a password, use at least 8 characters with a combination of letters and numbers. Do not use dictionary words, your name, email address, or other personal data that can be easily obtained. We also recommend that you frequently change your password. You can do this by logging into your account > click ‘Account Information’ > and check the ‘Change Password’ tick box.
- avoid using the same password for multiple online accounts.
Under GDPR you have the following rights:
- the right to ask what personal data we hold about you at any time and for the reply to be completed in a timely manner within 30 days maximum;
- the right to ask us to update and correct any out-of-date or incorrect personal data that we hold about you free of charge; and
- (as set out above) the right to opt out of any marketing communications that we may send you.
- you have the right to lodge a complaint with the Information Commissioner’s Office.
If you wish to exercise any of the above rights, please email AP Diving using firstname.lastname@example.org or any of the contact methods set out below.
If you have any questions about how AP Diving uses your personal data that are not answered here, or if you want to exercise your rights regarding your personal data, please contact us by any of the following means:
- Phone us on: 0044 (0)1326 561 040;
- Email us at: email@example.com or
- Write to us at: The Privacy Team, AP Diving Ltd, Water-ma-Trout Industrial Estate, Helston, Cornwall, UK. TR130LW
You have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, is available at https://ico.org.uk.
This policy was last updated in May 2018.