Privacy policy

 In this Document:

1. Privacy Policy

2. CCTV Policy

Appendix: Subject Access Requests

Privacy Policy

Last updated: 20/04/2024

This Privacy Policy describes how Wheel of Fate (the "Site", "we", "us", or "our") collects, uses, and discloses your personal information when you visit, use our services, or make a purchase from www.wheeloffate.co.uk (the "Site") or otherwise communicate with us (collectively, the "Services"). For purposes of this Privacy Policy, "you" and "your" means you as the user of the Services, whether you are a customer, website visitor, or another individual whose information we have collected pursuant to this Privacy Policy.

Please read this Privacy Policy carefully. By using and accessing any of the Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use or access any of the Services.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on the Site, update the "Last updated" date and take any other steps required by applicable law.

How We Collect and Use Your Personal Information

To provide the Services, we collect and have collected over the past 12 months personal information about you from a variety of sources, as set out below. The information that we collect and use varies depending on how you interact with us.

In addition to the specific uses set out below, we may use information we collect about you to communicate with you, provide the Services, comply with any applicable legal obligations, enforce any applicable terms of service, and to protect or defend the Services, our rights, and the rights of our users or others.

What Personal Information We Collect

The types of personal information we obtain about you depends on how you interact with our Site and use our Services. When we use the term "personal information", we are referring to information that identifies, relates to, describes or can be associated with you. The following sections describe the categories and specific types of personal information we collect.

Information We Collect Directly from You

Information that you directly submit to us through our Services may include:

  • Basic contact details including your name, address, phone number, email.
  • Order information including your name, billing address, shipping address, payment confirmation, email address, phone number.
  • Account information including your username, password, security questions.
  • Shopping information including the items you view, put in your cart or add to your wishlist.
  • Customer support information including the information you choose to include in communications with us, for example, when sending a message through the Services.

Some features of the Services may require you to directly provide us with certain information about yourself. You may elect not to provide this information, but doing so may prevent you from using or accessing these features.

Information We Collect through Cookies

We also automatically collect certain information about your interaction with the Services ("Usage Data"). To do this, we may use cookies, pixels and similar technologies ("Cookies"). Usage Data may include information about how you access and use our Site and your account, including device information, browser information, information about your network connection, your IP address and other information regarding your interaction with the Services.

Information We Obtain from Third Parties

Finally, we may obtain information about you from third parties, including from vendors and service providers who may collect information on our behalf, such as:

  • Companies who support our Site and Services, such as Shopify.
  • Our payment processors, who collect payment information (e.g., bank account, credit or debit card information, billing address) to process your payment in order to fulfill your orders and provide you with products or services you have requested, in order to perform our contract with you.
  • When you visit our Site, open or click on emails we send you, or interact with our Services or advertisements, we, or third parties we work with, may automatically collect certain information using online tracking technologies such as pixels, web beacons, software developer kits, third-party libraries, and cookies.

Any information we obtain from third parties will be treated in accordance with this Privacy Policy. We are not responsible or liable for the accuracy of the information provided to us by third parties and are not responsible for any third party's policies or practices. For more information, see the section below, Third Party Websites and Links.

How We Use Your Personal Information

  • Providing Products and Services. We use your personal information to provide you with the Services in order to perform our contract with you, including to process your payments, fulfill your orders, to send notifications to you related to you account, purchases, returns, exchanges or other transactions, to create, maintain and otherwise manage your account, to arrange for shipping, facilitate any returns and exchanges and to enable you to post reviews.
  • Marketing and Advertising. We use your personal information for marketing and promotional purposes, such as to send marketing, advertising and promotional communications by email, text message or postal mail, and to show you advertisements for products or services. This may include using your personal information to better tailor the Services and advertising on our Site and other websites.
  • Security and Fraud Prevention. We use your personal information to detect, investigate or take action regarding possible fraudulent, illegal or malicious activity. If you choose to use the Services and register an account, you are responsible for keeping your account credentials safe. We highly recommend that you do not share your username, password, or other access details with anyone else. If you believe your account has been compromised, please contact us immediately.
  • Communicating with you. We use your personal information to provide you with customer support and improve our Services. This is in our legitimate interests in order to be responsive to you, to provide effective services to you, and to maintain our business relationship with you.

Cookies

Like many websites, we use Cookies on our Site. For specific information about the Cookies that we use related to powering our store with Shopify, see https://www.shopify.com/legal/cookies. We use Cookies to power and improve our Site and our Services (including to remember your actions and preferences), to run analytics and better understand user interaction with the Services (in our legitimate interests to administer, improve and optimize the Services). We may also permit third parties and services providers to use Cookies on our Site to better tailor the services, products and advertising on our Site and other websites.

Most browsers automatically accept Cookies by default, but you can choose to set your browser to remove or reject Cookies through your browser controls. Please keep in mind that removing or blocking Cookies can negatively impact your user experience and may cause some of the Services, including certain features and general functionality, to work incorrectly or no longer be available. Additionally, blocking Cookies may not completely prevent how we share information with third parties such as our advertising partners.

How We Disclose Personal Information

In certain circumstances, we may disclose your personal information to third parties for legitimate purposes subject to this Privacy Policy. Such circumstances may include:

  • With vendors or other third parties who perform services on our behalf (e.g., IT management, payment processing, data analytics, customer support, cloud storage, fulfillment and shipping).
  • With business and marketing partners, including Shopify, to provide services and advertise to you. Our business and marketing partners will use your information in accordance with their own privacy notices.
  • When you direct, request us or otherwise consent to our disclosure of certain information to third parties, such as to ship you products or through your use of social media widgets or login integrations, with your consent.
  • With our affiliates or otherwise within our corporate group, in our legitimate interests to run a successful business.
  • In connection with a business transaction such as a merger or bankruptcy, to comply with any applicable legal obligations (including to respond to subpoenas, search warrants and similar requests), to enforce any applicable terms of service, and to protect or defend the Services, our rights, and the rights of our users or others.

We have, in the past 12 months disclosed the following categories of personal information and sensitive personal information (denoted by *) about users for the purposes set out above in "How we Collect and Use your Personal Information" and "How we Disclose Personal Information":

Category Categories of Recipients
  • Identifiers such as basic contact details and certain order and account information
  • Commercial information such as order information, shopping information and customer support information
  • Internet or other similar network activity, such as Usage Data
  • Vendors and third parties who perform services on our behalf (such as Internet service providers, payment processors, fulfillment partners, customer support partners and data analytics providers)
  • Business and marketing partners
  • Affiliates

We do not use or disclose sensitive personal information for the purposes of inferring characteristics about you.

User Generated Content

The Services may enable you to post product reviews and other user-generated content. If you choose to submit user generated content to any public area of the Services, this content will be public and accessible by anyone.

We do not control who will have access to the information that you choose to make available to others, and cannot ensure that parties who have access to such information will respect your privacy or keep it secure. We are not responsible for the privacy or security of any information that you make publicly available, or for the accuracy, use or misuse of any information that you disclose or receive from third parties.

Third Party Websites and Links

Our Site may provide links to websites or other online platforms operated by third parties. If you follow links to sites not affiliated or controlled by us, you should review their privacy and security policies and other terms and conditions. We do not guarantee and are not responsible for the privacy or security of such sites, including the accuracy, completeness, or reliability of information found on these sites. Information you provide on public or semi-public venues, including information you share on third-party social networking platforms may also be viewable by other users of the Services and/or users of those third-party platforms without limitation as to its use by us or by a third party. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators, except as disclosed on the Services.

Children’s Data

The Services are not intended to be used by children, and we do not knowingly collect any personal information about children. If you are the parent or guardian of a child who has provided us with their personal information, you may contact us using the contact details set out below to request that it be deleted.

As of the Effective Date of this Privacy Policy, we do not have actual knowledge that we “share” or “sell” (as those terms are defined in applicable law) personal information of individuals under 16 years of age.

Security and Retention of Your Information

Please be aware that no security measures are perfect or impenetrable, and we cannot guarantee “perfect security.” In addition, any information you send to us may not be secure while in transit. We recommend that you do not use unsecure channels to communicate sensitive or confidential information to us.

How long we retain your personal information depends on different factors, such as whether we need the information to maintain your account, to provide the Services, comply with legal obligations, resolve disputes or enforce other applicable contracts and policies.

Your Rights and Choices

Depending on where you live, you may have some or all of the rights listed below in relation to your personal information. However, these rights are not absolute, may apply only in certain circumstances and, in certain cases, we may decline your request as permitted by law.

  • Right to Access / Know. You may have a right to request access to personal information that we hold about you, including details relating to the ways in which we use and share your information.
  • Right to Delete. You may have a right to request that we delete personal information we maintain about you.
  • Right to Correct. You may have a right to request that we correct inaccurate personal information we maintain about you.
  • Right of Portability. You may have a right to receive a copy of the personal information we hold about you and to request that we transfer it to a third party, in certain circumstances and with certain exceptions.
  • Restriction of Processing: You may have the right to ask us to stop or restrict our processing of personal information.
  • Withdrawal of Consent: Where we rely on consent to process your personal information, you may have the right to withdraw this consent.
  • Appeal: You may have a right to appeal our decision if we decline to process your request. You can do so by replying directly to our denial.
  • Managing Communication Preferences: We may send you promotional emails, and you may opt out of receiving these at any time by using the unsubscribe option displayed in our emails to you. If you opt out, we may still send you non-promotional emails, such as those about your account or orders that you have made.

You may exercise any of these rights where indicated on our Site or by contacting us using the contact details provided below.

We will not discriminate against you for exercising any of these rights. We may need to collect information from you to verify your identity, such as your email address or account information, before providing a substantive response to the request. In accordance with applicable laws, You may designate an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require that the agent provide proof you have authorized them to act on your behalf, and we may need you to verify your identity directly with us. We will respond to your request in a timely manner as required under applicable law.

 

Complaints

If you have complaints about how we process your personal information, please contact us using the contact details provided below. If you are not satisfied with our response to your complaint, depending on where you live you may have the right to appeal our decision by contacting us using the contact details set out below, or lodge your complaint with your local data protection authority.

International Users

Please note that we may transfer, store and process your personal information outside the country you live in, including the United States. Your personal information is also processed by staff and third party service providers and partners in these countries.

If we transfer your personal information out of Europe, we will rely on recognized transfer mechanisms like the European Commission's Standard Contractual Clauses, or any equivalent contracts issued by the relevant competent authority of the UK, as relevant, unless the data transfer is to a country that has been determined to provide an adequate level of protection.

Contact

Should you have any questions about our privacy practices or this Privacy Policy, or if you would like to exercise any of the rights available to you, please call +447831560135 or email us at tara@wheeloffate.co.uk or contact us at 63 Causewayside, Edinburgh EH9 1QF, United Kingdom. From February 2026: 24 Haddington Place, Edinburgh, EH7 4AF

 

 CCTV POLICY   

Version:  

1.2 

Date created:  

24/4/2024 

Author:  

Tara McGilvray-Guard 

Ratified by:  

 

Date ratified:  

 

Review date:  

 

 

 

Revision History:   

Version  

Date   

created  

Date   

ratified  

Author  

Summary of changes  

1.0 

22/4/24 

 

Tara McGilvray-Guard 

First Version 

1.2 

25/04/2024 

 

Tara McGilvray-Guard 

Added SAR instructions 

1.3 

26/02/2025 

 

Tara McGilvray-Guard 

Added to section 6.4 to include remote viewing exclusively by Tara McGilvray-Guard.  

 

 

 

 

 

 

 

 

 

 

 

 

1 

1. Policy Statement   

1.1 Wheel of Fate uses Close Circuit Television (“CCTV”) on the premises.  

The purpose of this policy is to set out the position of Wheel of Fate as to the management, operation and use of the CCTV across all company offices and buildings.   

1.2 This policy applies to all members of our workforce, visitors to Wheel of Fate  and its surrounding area and all other persons whose images may be captured by the CCTV system.   

1.3 This policy takes account of all applicable legislation and guidance, including:  1.3.1 General Data Protection Regulation (“GDPR”)   

 1.3.2 Data Protection Act 2018 (together the Data Protection  Legislation)   

1.3.3 CCTV Code of Practice produced by the Information Commissioner   

1.3.4 Human Rights Act 1998   

1.4 This policy sets out the position of Wheel of Fate in relation to its use of CCTV.   

2 Purpose of CCTV   

2.1 Wheel of Fate Directors will use CCTV for the following purposes:   

2.1.1 To provide a safe and secure environment for staff and visitors   

2.1.2 To prevent the loss of or damage to Wheel of Fate’s buildings   

and/or assets   

2.1.3 To assist in the prevention of crime and assist law enforcement agencies in apprehending offenders   

3 Description of system   

3.1 Two CCTV cameras cover the Wheel of Fate retail front area including the main entrance, till, and shop floor, as well as the rear workshop room. The cameras are linked back to a phone app, from which they can be viewed.   

4 Siting of Cameras   

4.1 All CCTV cameras will be sited in such a way as to meet the purpose for  which the CCTV is operated. Cameras will be sited in prominent positions where they are clearly visible to staff and visitors.   

4.2 Cameras will not be sited, so far as possible, in such a way as to record areas  that are not intended to be the subject of surveillance. Wheel of Fate will make all reasonable efforts to ensure that areas outside of the premises and grounds are not recorded.   

4.3 Signs will be erected to inform individuals that they are in an area within  which CCTV is in operation.   

4.4 Cameras will not be sited in any areas where members of staff have an  expectation of privacy, such as changing rooms or toilets.   

4.5 Cameras may be located in communal areas and, where this is the case,  visitors and members of staff will be made aware. Access to the footage is restricted and will only be used to fulfil the purposes in 2.1.   

5 Privacy Impact Assessment   

5.1 Prior to the installation or repositioning of any CCTV camera, or system, a  privacy impact assessment will be conducted by Wheel of Fate to ensure that the proposed installation is compliant with legislation and ICO guidance. The assessment will be approved by Wheel of Fate designated Data Protection Officer. The DPIA assessment can be found at the end of this document. 

5.2 Wheel of Fate will adopt a privacy by design approach when installing new  cameras and systems, taking into account the purpose of each camera so as to avoid recording and storing excessive amounts of personal data.   

6 Management and Access   

6.1 The CCTV system within Wheel of Fate will be managed by the Managing Director Tara McGilvray-Guard, and in their absence, a member of the senior management team.  

6.2 Any allegations against company staff will be referred immediately to the Managing Director and only they will determine who needs to view the footage and the course of action necessary.  

6.3 On a day to day basis the CCTV system will be operated by individuals who  have been specifically trained in the operation of the system and are both competent and considered to have the appropriate technical ability.   

 

6.4 The viewing of live CCTV images will be restricted to the leadership team and staff, and live viewing can only be carried out 1.) on the premises or 2.) remotely by Tara McGilvray-Guard (company director). In doing so they will ensure that the purposes in 2.1  are satisfied.  

6.5 Recorded images which are stored by the CCTV system will be restricted as in  6.4. Relevant images may be shared with the leadership teams allowing  them to review incidents where disciplinary matters or complaints need to  be addressed.   

6.6 No other individual will have the right to view or access any CCTV images  unless in accordance with the terms of this policy as to disclosure of images.   

6.7 The CCTV system is checked daily to ensure that it is operating effectively   

7 Storage and Retention of Images   

7.1 Any images recorded by the CCTV system will be retained only for as long as  necessary for the purpose for which they were originally recorded.   

7.2 Recorded images are stored for a maximum of 14 days unless there is a  specific purpose for which they are retained for a longer period.   

7.3 Wheel of Fate will ensure that appropriate security measures are in place to  prevent the unlawful or inadvertent disclosure of any recorded images. The  measures in place include:   

7.3.1 CCTV recording systems being located in restricted access areas;  7.3.2 The CCTV system being encrypted/password protected;   

7.3.3 Restriction of the ability to make copies to specified members of  staff  

7.4 A log of any access to the CCTV images, including time and dates of access,  and a record of the individual accessing the images, will be maintained by  Wheel of Fate.   

8 Disclosure of Images to Data Subjects   

8.1 Any individual recorded in any CCTV image is a data subject for the purposes  of the Data Protection Legislation, and has a right to request access to those images.   

8.2 Any individual who requests access to images of themselves will be  considered to have made a subject access request pursuant to the Data  Protection Legislation. Such a request should be considered in the context of  the Trust’s Subject Access Request Policy.   

8.3 When such a request is made the appropriate individual with access to the  CCTV footage (ref 6.4) will review the CCTV footage, in respect of relevant  time periods where appropriate, in accordance with the request.   

8.4 If the footage contains only the individual making the request then the  individual may be permitted to view the footage. This must be strictly  limited to that footage which contains only images of the individual making  the request. The individual accessing the footage must take appropriate  measures to ensure that the footage is restricted in this way.   

8.5 If the footage contains images of other individuals then the academy/Trust  must consider whether:   

8.5.1 The request requires the disclosure of the images of individuals  other than the requester, for example whether the images can be distorted so as not to identify other individuals;   

8.5.2 The other individuals in the footage have consented to the  disclosure of the images, or their consent could be obtained; or   

8.5.3 If not, then whether it is otherwise reasonable in the circumstances to disclose those images to the individual making the request.   

8.6 A record must be kept, and held securely, of all disclosures which sets out:  8.6.1 When the request was made;   

8.6.2 The process followed by to the individual with access to the  CCTV footage in determining whether the images contained third parties;   

8.6.3 The considerations as to whether to allow access to those images; 

8.6.4 When the individuals that were permitted viewed the images   

8.6.5 Whether a copy of the images was provided, and if so to whom,  when and in what format.   

Note that, when a subject access request is made then, unless an exemption applies (such as  in relation to third party data that it would be unreasonable to disclose) then the requester is  entitled to a copy in a permanent form. There is reference here only to “access” as opposed  to a “permanent copy” as Wheel of Fate may consider it preferable in certain circumstances  to seek to allow access to images by viewing in the first instance without providing copies of  images. If an individual agrees to viewing the images only then a permanent copy does not  need to be provided. However, if a permanent copy is requested then this should be  provided unless to do so is not possible or would involve disproportionate effort.   

 9 Disclosure of Images to Third Parties   

9.1 Wheel of Fate will only disclose recorded CCTV images to third parties where  it is permitted to do so in accordance with the Data Protection Legislation.   

9.2 CCTV images will only be disclosed to law enforcement agencies in line with  the purposes for which the CCTV system is in place.   

 

9.3 If a request is received from a law enforcement agency for disclosure of  CCTV images then the individual with access to the CCTV footage must  follow the same process as above in relation to subject access requestsDetail should be obtained from the law enforcement agency as to exactly  what they want the CCTV images for, and any particular individuals of  concern. This will then enable proper consideration to be given to what  should be disclosed, and the potential disclosure of any third party images.   

9.4 The information above must be recorded in relation to any disclosure.   

9.5 If an order is granted by a Court for disclosure of CCTV images then this  should be complied with. However very careful consideration must be given  to exactly what the Court order requires. If there are any concerns as to  disclosure then the Data Protection Officer should be contacted in the first  instance and appropriate legal advice may be required.   

10. Review of Policy and CCTV System   

10.1 This policy will be reviewed every two years or earlier should the need arise.   

11 Misuse of CCTV systems   

11.1 The misuse of CCTV system could constitute a criminal offence.   

11.2 Any member of staff who breaches this policy may be subject to disciplinary  action.   

12 Complaints relating to this policy   

12.1 Any complaints relating to this policy or to the CCTV system operated by the  academy/Trust should be made in accordance with the academy/Trust  Complaints Policy.  

Appendix: Subject Access Request Template: 

To submit a Subject Access Request to view CCTV footage of yourself please email tara@wheeloffate.co.uk with the email subject “Subject Access Request [date of request]” and the following information: 

  • your name; 

  • your email address and phone number; 

  • the date and time you were in the shop, plus a description of yourself to help us find you on our camera; 

  • the reason you want the information (you don't have to include this but it could help us find what you need); 

  • written statement from anyone else depicted in the footage stating we have their permission to show their image to you (if applicable), 

  • when you would like to view the footage in person, and if you will need a copy on USB to take away. 

Please allow 48hrs for us to pre-screen the footage and ensure we can show it to you without infringing on other individuals’ data protection. 

We prefer to view the footage together with you in person first to ensure the images captured are the ones you are requesting. We can then provide you with a copy of the footage on USB to take away. 

We may not be able to carry out every request for valid reasons: e.g. our footage has been auto-deleted after 14 days, there are other members of the public captured on film whose permission it is not possible to obtain/whose image cannot be obscured. If you need to access images of others whose permission cannot be obtained and this relates to a criminal or legal matter, please contact Police Scotland in the first instance.