Privacy Policy

Klaremont is committed to protecting the privacy of individuals. If you provide us with personal details about yourself, we will not pass that information to any third party without your permission, unless required to do so by law. Our website offers opportunities for visitors to request information and services. When giving us your details, you have the option of asking us not to contact you with details of special offers.

Frequently Asked Questions (FAQs)
  • When you visit our website and make an online purchase
  • When you create an account with us
  • When you purchase a product or service online or by phone
  • When you contact us by any means with queries, complaints etc

Klaremont may collect the following information about you:

  • Your name, age/date of birth and gender.
  • Your contact details: postal address including billing and delivery addresses, telephone numbers (including mobile numbers) and e-mail address.
  • Purchases and orders made by you.
  • Your password(s).
  • When you make a purchase or place an order with us, your payment card details.
  • Your communication and marketing preferences.

We want to give you the best possible customer experience. One way to achieve that is to get the richest picture we can of who you are by combining the data we have about you.

The data privacy law allows this as part of our legitimate interest in understanding our customers and providing the highest levels of service.

Whenever we collect or process your personal data, we only keep it for as long as is necessary for the purpose for which it was collected.

To assist Klaremont in resolving technical issues, we may need to share your data with our IT infrastructure support partners. Our support partners are obliged to delete this data once the issue has been resolved.

You have the following rights:

  • The right to ask for a copy of personal data that we hold about you (the right of access)
  • The right (in certain circumstances) to request that we delete personal data held on you; where we no longer have any legal reason to retain it (the right of erasure or to be forgotten).
  • The right to ask us to update and correct any out-of-date or incorrect personal data that we hold about you (the right of rectification).
  • The right to opt out of any marketing communications that we may send you and to object to us using / holding your personal data if we have no legitimate reasons to do so (the right to object).
  • The right (in certain circumstances) to ask us to ‘restrict processing of data’, which means that we would need to secure and retain the data for your benefit but not otherwise use it (the right to restrict processing).
  • The right (in certain circumstances) to ask us to supply you with some of the personal data we hold about you in a structured machine-readable format and/or to provide a copy of the data in such a format to another organisation (the right to data portability).

To make full use of the online shopping and personalised features on klaremont.com, your computer, tablet or mobile phone will need to accept cookies, as we can only provide you with certain personalised features of this website by using them.

Our cookies don't store sensitive information such as your name, address or payment details: they simply hold the 'key' that, once you're signed in, is associated with this information. However, if you'd prefer to restrict, block or delete cookies from klaremont.com, or any other website, you can use your browser to do this.

Each browser is different, so check the 'Help' menu of your particular browser (or your mobile phone's handset manual) to learn how to change your cookie preferences.

All of our servers are located within the U.K.

Data Protection Policy

Introduction

Klaremont’s Data Protection Policy sets out our commitment to protecting the personal data we control and how we implement this commitment with regards to the collection and use of personal data as defined by the Data Protection Act 1998 and EU regulation 2016/679 (GDPR – General Data Protection Regulation).

This Data Protection Policy adds more detail and expands on Klaremont's Information Security Policy.


1. Commitments

Klaremont is committed to:

  • meeting our legal obligations as detailed in the Data Protection Act 1998 and EU regulation 2016/679 (GDPR)
  • ensuring that personal data we control is collected and processed fairly and lawfully
  • collecting and processing personal data only in order to meet our operational needs or fulfil legal or contractual requirements
  • taking reasonable steps to ensure that personal data is up to date and accurate when acting as a controller for the data
  • establishing appropriate retention periods for personal data under our control
  • providing adequate security measures to protect personal data under our control
  • ensuring that a nominated officer (Data Protection Officer) is responsible for data protection compliance and provides a point of contact for all data protection issues
  • ensuring that all employees are made aware of good practice in data protection
  • ensuring that all employees handling personal data know where to find further guidance
  • ensuring that queries about data protection, internal and external to the organisation, are dealt with effectively and promptly
  • reviewing data protection procedures and guidelines within the organisation on a regular basis
  • not transferring personal data to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data


2. Klaremont as a controller

Klaremont collects and processes a limited set of personal data in relation to its operational needs and support of our Customers, which are necessary for the performance of a contract with the data subject and/or its employees or to take steps to enter into a

The activities are limited to:

  • order processing
  • invoicing
  • marketing activities

Use of Information Technology Assets

1. Acceptable Use and Ethics

  • All data contained on, or passing through, company internal assets is subject to monitoring and remains the property of Klaremont FSP Limited.
  • Under no circumstances is an employee authorised to engage in any activity that is illegal under local, UK and European law while utilising company-owned resources.
  • System users who receive a username and password must keep that information confidential and not allow use of their account by others
  • System users who leave their workstations should enable a password-protected screen saver or log off to prevent unauthorised access; ‘locking’ the workstation is also acceptable
  • Employees must not use company accounts to post publicly accessible messages or posts
  • System users must not tamper with or disable anti-virus software installed on their workstations under any circumstances
  • System users are expressly forbidden to install any software on their workstations without prior approval from the Technical Operations Team
  • System users must be very careful when opening email attachments, and should disregard unsolicited emails containing attachments
  • System users may not perform vulnerability scans, monitor network traffic, or perform any action that is designed to elevate privileges or gain access to information that was not expressly intended for them
  • System users must not reveal any information about company customers, employees, business practices, technology, schedules, or any other information not already publicly available to any outside resource or person without expressed permission from a company director
  • System users must not use their company email accounts for purposes other than the conduct of company business. Forbidden actions include any and all forms of harassment, phishing, solicitation, spamming, forwarding chain letters and pyramid schemes, conducting personal business, and general personal correspondence


2. Password Policy

  • Encrypted passwords should be enabled on any devices where it is not on by default
  • Each network user will have a unique username and password that is not shared with any other user
  • Network account passwords should be changed at least every 60 days
  • Network account passwords should be strong and different from any previously used passwords
  • Accounts will be locked after 3 login failures.


3. Remote Access

  • Any computer system used for remote access of company assets, not including public portions, must comply with company configuration guidelines
  • Remote access software must use encrypted communications, be configured to use unique usernames and passwords for each user, and have any other security features enabled
  • Only users authorised to do so by their Line Manager and the Technical Operations Team may access the network using dial-up Virtual Private Networks. Dial-up/client VPNs are secured by two-factor authentication.


4. Wireless Network Access

Customers and staff may use wireless devices in the office network. The wireless network is logically separated from the main network using Layer 2 VLANs. There are two wireless access points, both with the SSID ‘Klaremont’; there is no encryption on either network and the SSID is not broadcast. In addition, wireless isolation is employed to prevent packet sniffing.


Once connected to the wireless network, the user will be presented with a login page. All Customers are provided with unique credentials with time-limited access; web access is permitted only once they have logged in. Klaremont employees are allowed to access the wireless network based on the device MAC address.


Wireless credentials are isolated from any other function on the network; they are unique and used only for the wireless service. All wireless traffic passes via its own firewall, which is separated both logically and physically from any other network firewalls. In addition, the traffic is NAT’d to its own unique external IP address on the wireless firewall and must pass the incoming ACLs when accessing Klaremont’s services; there are no specific rules granting that traffic special access over standard external traffic. The wireless network will only provide internet access between 8am and 6:30pm Monday to Friday. At any other time, access is blocked.


5. Information Sensitivity

Personal data is defined according to the EU regulation 2016/679 (GDPR – General Data Protection Regulation) and UK Data Protection Act 1989, and all subsequent revisions as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • Personal data is not to be collected, processed nor released unless prior approval (consent) is received from the person whose information is in question or where a valid order from a legal court in the United Kingdom is issued or it is required to meet Klaremont’s operational needs or fulfil legal or contractual requirements
  • Personal data must be kept safe and secure from potential abuse, theft, or loss
  • Personal data must be securely disposed of when no longer needed. Consult with the Information Security Officer (ISO) for specific disposal techniques
  • The full contents of credit card magnetic stripes (or chips, or other storage mechanism) may not be stored in any database, log files, or point of sale products
  • The card-validation code may not be stored in any database, log file, or point of sale product
  • All but the last four digits of credit card account numbers must be masked (e.g. with X’s or *’s) when storing or displaying
  • 128-bit SSL (or other industry acceptable method) encryption should be used where personal data is transmitted over public networks
  • Encryption should be used when transmitting personal data over e-mail
  • Personal data should be sanitized before using in a development environment
  • The only personnel who should have access to personal data are those with explicit need-to-know
  • Personal data printed on paper or received by fax must be protected against unauthorized access
  • Employees that will need access to personal data should have a background investigation check
  • Third parties that have access to card holder data should be contractually obligated to comply with card association security standards – PCI DSS
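The masking rule above (keep only the last four digits, never let full card numbers reach log files) is the kind of control that is easiest to enforce at the point where log lines are written. The following is an added example, not Klaremont's own code: a small Python log scrubber that masks every Luhn-valid 13 to 19 digit run in a line, so order ids and timestamps that merely look like card numbers are left alone. It assumes the logging pipeline hands it one text line at a time; the sample lines in the test are constructed.

```python
import re

# A run of digits that may be broken up by single spaces or dashes, as card
# numbers often are in free-text log messages. Shorter runs cannot hold a PAN.
DIGIT_RUN_RE = re.compile(r"\d(?:[ -]?\d)+")
PAN_LENGTHS = range(19, 12, -1)  # 19 down to 13, longest candidate first


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out order ids and timestamps that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_run(run: str, fill: str = "*") -> str:
    """Mask each Luhn-valid 13-19 digit window in a digit run, keeping its last four.

    Separators are preserved so the masked value keeps its original layout.
    """
    chars = list(run)
    digit_pos = [i for i, ch in enumerate(run) if ch.isdigit()]
    start = 0
    while start < len(digit_pos):
        for length in PAN_LENGTHS:
            window = digit_pos[start:start + length]
            if len(window) < length:
                continue
            if luhn_valid("".join(run[i] for i in window)):
                for i in window[:-4]:
                    chars[i] = fill
                start += length  # skip past the masked number
                break
        else:
            start += 1  # no PAN starts here; slide one digit forward
    return "".join(chars)


def scrub_log_line(line: str) -> str:
    """Apply PAN masking to one log line before it is written or displayed."""
    return DIGIT_RUN_RE.sub(lambda m: mask_run(m.group(0)), line)
```

The scrubber only addresses card numbers; card-validation codes must simply never be logged, since a three or four digit value cannot be recognised reliably after the fact.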


6. Disciplinary Action

Failure to comply with this security policy may, at management’s discretion, result in disciplinary action up to and including termination of employment.


7. Access Control and Physical Security

  • When an employee leaves the company, that employee's company user accounts, passwords and any remote access permissions should be immediately revoked
  • System user accounts should regularly be reviewed and audited for malicious, obsolete, and unneeded accounts
  • Inactive accounts should be disabled after a pre-defined period
  • Remote maintenance accounts should be enabled when needed and disabled when the maintenance process is completed
  • All access to cardholder data should be logged
  • Successful and unsuccessful login attempts and the accessing of the audit logs should be logged
  • System clocks should be synchronized, and log files should contain date and time stamps
  • Multiple physical security controls should be implemented to prevent unauthorised access to data centres


8. Secure media management

  • The distribution and disposal of backups and other media containing personal data should be in accordance with a procedure approved by the Information Security Officer
  • Equipment and media containing personal data should be physically protected from unauthorised access
  • Media that contains personal data should be inventoried and securely stored
  • Media that contains personal data should be deleted, shredded, or degaussed before disposal


Security Personnel


1. Information Security Officer

For daily security matters, an Information Security Officer, who is an employee of the company, is appointed. The Information Security Officer is responsible for overseeing that the provisions of this Information Security Policy are carried out as needed for all system users; the ISO is non-biased and is able to apply rules objectively.


2. Incident Response

Security incidents should be handled according to the security incident response plan and disaster recovery plan (contained within technical team documentation).

Security incidents should be immediately reported to the Information Security Officer. An incident response team will be appointed by the Information Security Officer and will be ready for deployment in case of personal data compromise.


3. Incident Response Plan (IRP)


If a compromise is suspected:

Alert the Information Security Officer who will perform an initial investigation and notify the Incident Response Team if necessary.

Immediately report the suspected or confirmed loss or theft of any material or records that contain personal data. If a security breach is suspected with a merchant or service provider, take immediate action to investigate the incident and limit the exposure of personal data.

Steps for compromised entities: immediately contain and limit the exposure. Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information.


To preserve evidence and facilitate the investigation:

  • Do not access or alter compromised systems (i.e., don't log on at all to the machine and change passwords, do not log in as ROOT).
  • Do not turn the compromised machine off. Instead, isolate compromised systems from the network (i.e., unplug network cable).
  • Preserve logs and electronic evidence.
  • Log all actions taken.
  • Be on "high" alert and monitor all systems with personal data.

Alert all necessary parties immediately. Be sure to contact:

  • Information Security Officer and Incident response team.
  • The Customer whose data was compromised
  • Data Protection local Supervisory Authority
  • Affected Merchants Payment Solutions Provider
  • Local law enforcement High-tech / Technology Investigation team


4. Incident Response Team

The incident response team will always consist of:

  • The Information Security Officer
  • The most senior engineer available (in the absence of the Senior Engineer)
  • The most senior developer available (in the absence of the Development Manager)
  • A company director and account manager


Incidents will be managed in accordance with the Incident Response Plan (IRP), and each individual is required to submit a written report on the conclusion of the incident, which should be stored securely (either electronically or in paper format).