Before We Begin...
We recognize that privacy is especially important to many of our website's visitors and customers due to the nature of our business. In addition to meeting our legal obligation to disclose how we manage the personal information you share with us, we also use this document to discuss how we handle user generated content (such as comments or reviews) which does not strictly fall under the umbrella of personal information.
As fair warning, running an e-commerce business is a pretty complicated affair, so grab a strong cup of coffee and let’s dig into the details. We’re glad for the opportunity to lay it all out (and that you have decided to read it) because we take your privacy very seriously.
1. Who We Are
The Site is owned and operated by Terrible Toyshop Ltd. Throughout the Site, the terms “Terrible Toyshop”, “we”, “us” and “our” refer to Terrible Toyshop Ltd.
2. Personal Information We Collect and Why We Collect It
2.1 Device Information
When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”.
We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit https://www.allaboutcookies.org.
- “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site.
2.2 Subscriber and Account Information
The Site provides the option for you to subscribe to our email newsletter and/or create a personal user account. We refer to this information as “Subscriber and Account Information”.
2.3 Order Information
When you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, and payment information (including credit card numbers, email address, and phone number). We refer to this information as “Order Information”.
2.4 User Generated Content
When visitors leave comments or reviews on the Site, we collect the data that users provide in the comment or review form. That data may include media uploaded by the user such as image or video files. We also collect the visitor’s IP address and browser user agent string to help with spam detection.
If you upload images to the Site, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract location data from images on the Site.
If you leave a comment on the Site you may opt-in to saving your name and email address in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
2.6 Embedded Content from Other Websites
Pages on the Site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in exactly the same way as if the visitor had visited the other website directly.
3. How We Use Your Personal Information
We collect Subscriber and Account Information to provide communications and services that you request, such as receiving our email newsletter, saving payment information, or accessing a customer loyalty program.
We use the Order Information that we collect to fulfill orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations).
Additionally, we use Order Information to:
- Communicate with you about your order (for example, through order and shipping confirmation emails, provide information about shipping delays, etc.);
- Screen our orders for potential risk or fraud;
- Notify law enforcement and any other affected individuals if we suspect that we are the victim of a fraudulent order; and
- Provide you with information or advertising relating to our products or services when those activities are in line with the preferences you have shared with us.
We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the performance of our marketing and advertising campaigns).
We use User Generated Content (UGC) to inform other visitors to the Site, engage with our audience on social media, and promote our products and services. We may display UGC in email newsletters, paid advertising, and printed materials (such as the pamphlets included in our shipments or distributed at a trade show). We will ask for your written permission before we display media such as photographs or videos outside of the Site.
4. Who We Share Your Data With
4.1 Personal Information
We share your Personal Information with third parties to help us fulfill contracts we might have with you (for example, if you make an order through the Site) or otherwise to pursue our legitimate business interests (for example, by sending you our email newsletter).
To provide a more detailed example, we use ShipStation (https://www.shipstation.com) as part of our order fulfillment process. We transmit Order Information from the Site to ShipStation in order to validate shipping addresses, fill out customs forms efficiently, purchase postage, print shipping labels provided by the parcel carrier, and share tracking information with customers by email.
We use Google Analytics to help us understand how our customers use the Site. You can read more about how Google uses Device Information collected through Google Analytics here: https://www.google.com/intl/en/policies/privacy. You can also opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
We also use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by using the links below:
- Facebook: https://www.facebook.com/settings/?tab=ads
- Google: https://www.google.com/settings/ads/anonymous
- Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info.
Please note that we do not alter the Site’s data collection and use practices when we see a Do Not Track signal from your browser.
We may also share your Personal Information to comply with applicable laws and regulations, respond to a lawful request for information (such as a subpoena or search warrant), or to otherwise protect our rights.
4.2 User Generated Content
We display User Generated Content (UGC) on the Site at our discretion, including the review section on product pages and in other contexts such as testimonials and photo galleries. We may also use UGC (in full or in part) and/or provide links to comments and reviews in our marketing materials (such as our email newsletter, social media posts, and printed promotional materials).
We will never publicly associate any UGC you provide with Personal Information that we collect for other purposes. For example, we will never publicly display the shipping/delivery name, address, or email address you used to place an order along with the UGC that you provide through a product review form.
We use our judgement to further anonymize UGC if we display it in a context outside of the Site. In other words, we will make reasonable efforts to remove Personal Information from UGC before we use it elsewhere. For example, we typically abbreviate the author’s screen name to initials in social media or printed materials.
5. How Long We Retain Your Data
When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information.
For users that register for an account on our website, we store the Personal Information that they provide indefinitely in their user profile. Users can see, edit, or delete their Personal Information at any time (except they cannot change their username). Website administrators can also see and edit that information.
If you submit User Generated Content (UGC) to the Site, comments, reviews, and any associated media are retained indefinitely. We retain this content so that we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue. We will not display media (such as photographs or video) associated with UGC outside of the Site without your written permission.
6. Rights You Have Over Your Data
If you have placed an order, registered for an account, or have submitted comments or reviews to the Site, you can request to receive an exported file of the Personal Information we hold about you, including any additional data you have provided to us. You can also request that we erase any Personal Information we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes. If you would like to exercise these rights, please contact us using the contact information below.
If you are a European resident, note that we process your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests, as described above. Additionally, note that your information will be transferred outside of Europe, including to Canada and the United States.
If you have submitted User Generated Content (UGC) that contains Personal Information, you can also request that we erase any Personal Information that you included in UGC. If requested, we will also make reasonable efforts to remove any UGC you submitted anywhere it is displayed on the Site.
7. Where We Send Your Data
When you complete the checkout process, your address and payment information are transmitted to Moneris or PayPal for authorization and processing, depending on the payment method you select.
In the process of fulfilling orders, we then transmit the Order Information to ShipStation (https://shipstation.com), which is the platform that we use to prepare shipping documents including shipping labels, customs forms, and manifests.
Once the package has been prepared for shipment, the package dimensions, its weight, and your shipping address are then transmitted to the shipment carrier – most likely Canada Post (https://canadapost.ca) – to purchase and print a shipping label and customs form.
If you sign up for our email newsletter, we transmit your name and email address to MailChimp (https://mailchimp.com/) to manage our promotional mailing.
8. Additional Information
8.1 How We Protect Your Data
We will not confirm or deny the existence of an order placed on the Site until we confirm that we are communicating with the person who placed the order. If you contact us about your order, we will not disclose any Order Information (including that an order even exists) unless the inquiry comes from the email address associated with the order -or- the sender provides their full name and order number.
We use Secure Sockets Layer (SSL) encryption to protect all information that is transmitted to and from the Site. This level of security is used both when you transmit information to or from terribletoyshop.com and when we transmit data to or from third-party service providers.
Terrible Toyshop is powered by a secure and up-to-date installation of WordPress and WooCommerce hosted on Kinsta (https://kinsta.com). Kinsta is a premium managed WordPress hosting service that uses the enterprise-grade Google Cloud Platform. By extension, our website is secured behind the Google Cloud Platform Firewall. This is a highly secure technology stack and we’re proud that Terrible Toyshop employs the same security architecture as Kinsta’s better-known enterprise clients such as Intuit, FreshBooks, TripAdvisor and Buffer.
8.2 Data Breach Procedures We Have In Place
Terrible Toyshop’s definition of a personal data breach is any incident of security, lack of controls, system or human failure, error or issue that leads to, or results in, the destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.
As soon as a data breach has been reported, measures will be taken to contain the breach as soon as possible. The aim of any such measures should be to stop any further risk/breach to the organization, customer, client, third-party, system or data prior to further investigation.
Terrible Toyshop recognizes our obligation and duty to report data breaches in certain instances. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will always communicate the personal data breach to affected individuals without undue delay, in a written, clear and legible format.
The notification to affected individuals will include:
- The nature of the personal data breach;
- The name and contact details of our Privacy Compliance Officer and/or any other relevant point of contact (for obtaining further information);
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects).
We reserve the right not to inform the data subject of any personal data breach where we have implemented the appropriate technical and organizational protection measures which render the data unintelligible to any person who is not authorized to access it (e.g. encryption, data masking, etc.) or where we have taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize.
If informing the data subject of the breach involves disproportionate effort, we reserve the right to instead make a public communication whereby the data subject(s) are informed in an equally effective manner.
The Site is not intended for, nor do we knowingly permit access to, individuals under the age of majority. We do not knowingly collect Personal Information from visitors under the age of majority.
9. How to Contact Us
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e‑mail at firstname.lastname@example.org or by mail using the details provided below:
Terrible Toyshop Ltd.
Attn: Gregory McClary, Privacy Compliance Officer
708 Bathurst St
Toronto, ON M5S 2R4