Who we are
This website is operated by Medulla Supplies Ltd, a company registered in England and Wales.
Registered office:
Column House,
London Road,
Shrewsbury,
Shropshire,
SY2 6NN
Company registration number: 15426466
You can contact us regarding privacy matters at:
This Privacy Policy explains our strong commitment to privacy and compliance with the GDPR (General Data Protection Regulation). It describes the steps we take to protect your personal data, so you can feel confident sharing information with us online. By visiting our website, you accept and consent to the practices described in this policy. The following sections outline what personal data we collect and how we handle it.
What personal data we collect and why we collect it
Personal Data We May Collect from You
Data you provide to us – You may give us personal data about yourself when you complete a form on our website or correspond with us by phone, email, social media, or post. The personal data you give us may include your name, address, email address, and phone number, as well as financial and credit card information.
Why Do We Collect This Personal Data from You?
For contractual reasons – to carry out our obligations arising from any contracts entered into between ourselves and you, and to provide you with the information, products and services that you request from us.
We retain your personal data with your consent, primarily to provide information about goods and services similar to those you have enquired about or purchased. With your permission, we may use your email to send newsletters with relevant tips and offers.
If you supply us with your business card, such as at a trade show or business event, we interpret this as your implied consent for our business to contact you using the information on that card. Implied consent in this scenario means you have chosen to provide your contact details for legitimate business communications. If at any time you wish to withdraw this consent, you retain the right to do so (see the ‘Your Rights’ section below). You are not required to provide a business card, and declining will not affect any other services we provide.
To notify you about changes to our services and practices – our services and practices may change over the course of our processing of your personal data. If you have consented, we will use your email address to inform you of any changes we believe will affect you or the service you receive from us.
How We Collect Your Personal Data
We do not purchase data from third parties, such as databases of email addresses and phone numbers, for marketing purposes.
We collect personal data through our website’s online forms and when you contact us by phone, email, social media, or in person.
Comments
When visitors leave comments on the site, we collect the data shown in the comments form, as well as the visitor’s IP address and browser user agent string to help with spam detection. An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service Privacy Policy is available here: https://automattic.com/privacy/. After your comment is approved, your profile picture is visible to the public alongside your comment.
Media
If you upload images to the website, avoid uploading images with embedded location data (EXIF GPS). Visitors to the website can download and extract any location data from images on the website.
Cookies
If you leave a comment on our site, you may opt in to saving your name, email address and website in cookies. These are for your convenience so you do not have to re-enter your details when you leave another comment. These cookies will last for one year.
When you visit our login page, we set a temporary cookie to determine whether your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser. When you log in, we will also set several cookies to save your login information and screen display preferences. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed. If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day. Magic links create a temporary cookie named “itsec-ml-lockout-bypass” that enables users to log in through a link sent to their email. This cookie references session data containing the user’s ID and IP address. It automatically expires after 30 minutes. A cookie named “itsec_interstitial_browser” is created to track a user’s login process to implement enhanced security features.
Embedded content from other websites
Articles on this site may include embedded content (e.g., videos, images, articles). Embedded content from other websites behaves exactly as if the visitor had visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Security Logs
The IP address of visitors, the user ID of logged-in users, and the username of login attempts are conditionally logged to check for malicious activity and to protect the site from specific kinds of attacks. Examples of conditions when logging occurs include login attempts, log-out requests, requests for suspicious URLs, changes to site content, and password updates. This information is retained for 60 days.
Forms
We provide forms for user registration, login, and profiles. Through these forms, we collect personal data from users, including information provided during registration and profile updates.
How long do we retain your data?
To comply with GDPR Principle 5, we do not retain personal data for longer than necessary for the purpose for which it was obtained:
- If your job application is unsuccessful, we will delete your personal data from our systems after 6 months.
- If you leave our employment, we delete your next of kin’s details from our systems immediately.
- If you filled out a website form or requested a quote but did not use our service, we will delete your personal data after 12 months.
- If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users who register on our website, we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except for their username). Website administrators can also see and edit that information. Security logs are retained for 60 days. Registered user information is retained in the website’s database indefinitely. User information can be exported or removed upon the user’s request via the existing WordPress data exporter or eraser. You are welcome to make a request for us to delete your personal data at any time (see the section titled ‘Your Rights’ below).
How We Keep Your Personal Data Safe
Unfortunately, the transmission of information via the internet is not completely secure. However, we take the following steps to ensure strong security:
- We store all information you provide on secure servers.
- All payment transactions are encrypted using SSL.
- Only necessary personnel have access to your personal data to reduce risk.
- Our premises house our PCs, hard drives, and USB drives. These can be used to access your Personal Data. The premises are locked overnight and kept secure with appropriate security alarms and measures.
- We use strong, randomly generated passwords that are changed regularly. We also use two-factor authentication, requiring two pieces of information to access personal data. We do not use the same password for different applications. These steps keep your personal data in cloud-based services, such as our CRM and shared folders, as secure as possible.
What data breach procedures do we have in place?
If a data breach poses a risk to you, we will inform the Information Commissioner’s Office (ICO) and you without undue delay. Where feasible, we notify within 72 hours of the breach to comply with GDPR. This gives you a chance to protect your position, for example, by changing passwords and informing your banks that you might be at risk of identity fraud.
We are exempt from informing you and the ICO of any data breaches if:
- Appropriate technical and organisational procedural measures were applied after a data breach.
- Subsequent measures were taken to ensure that the high risk no longer exists.
- If millions of people are affected by a data breach, a press release would be issued within 72 hours instead of individual notifications. Afterwards, we would follow up with notifications to affected individuals, but not within the 72-hour period. Our business would cooperate with the ICO in most cases involving large-scale breaches.
Who we share your data with
We will only supply your personal data to our sub-contractors, business partners, or suppliers if it is outlined in the written contract we have with you, necessary for us to fulfil our contractual obligations to you, and if we have your explicit consent.
We may disclose your personal data to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or in the event that we sell or buy any business or assets, in which case we may have to disclose your personal data to the prospective seller or buyer of such business or assets.
If you request a password reset, your IP address will be included in the reset email.
A QR code image is generated for users who set up two-factor authentication for this site. This image is generated using a SolidWP-hosted API. During image generation, your username is sent to the API. This data is not logged. For details on the privacy policy, please see the SolidWP Privacy Policy.
When running Security Check, solidwp.com will be contacted as part of a process to determine if the site supports TLS/SSL requests. No personal data is sent to solidwp.com as part of this process. Requests to solidwp.com include the site’s URL. For SolidWP.com privacy policy details, please see the SolidWP Privacy Policy.
This site is scanned for potential malware and vulnerabilities by the SolidWP Site Scanner. We do not send personal information to the scanner; however, the scanner could find personal information posted publicly (such as in comments) during the scan.
To ensure file integrity, Solid Security pulls data from wordpress.org, solidwp.com, ithemes.com, and amazonaws.com. No personal data is sent to these sites. Requests to wordpress.org include the WordPress version, the site’s locale, a list of installed plugins, and a list of each plugin’s version. Requests to solidwp.com and amazonaws.com include the installed SolidWP products and their versions. For WordPress.org privacy policy details, please see the WordPress Privacy Policy. For SolidWP.com privacy policy details, please see the SolidWP Privacy Policy. Requests to amazonaws.com are to retrieve content added and managed by SolidWP, which is covered by the Amazon Web Services Data Privacy policy.
If syncing data to a third-party service (e.g., Mailchimp via our Mailchimp extension), the data is retained there until you unsubscribe or delete it. Ultimate Member does not send any user data outside of the site by default. If you have extended the plugin’s functionality (e.g., sending registered user data to Mailchimp via our Mailchimp extension), this user information may be passed to these external services. These services may be located abroad and outside the EU.
Payments
We accept payments through PayPal and Stripe. When processing payments, some of your data will be passed to these payment processors, including information required to process or support the payment, such as the purchase total and billing information. Please see the PayPal Privacy Policy and Stripe Privacy Policy for more details. We share information with Google services for WooCommerce functionality. Learn more about the data Google collects in its privacy policy.
What rights do you have over your data?
Under the GDPR, you have the right to:
- Be informed about the collection and use of your personal data.
- Have access to your personal data.
- Have data about you deleted.
- Have information about you corrected.
- Object to or restrict the processing of data about you.
- Data portability to allow you to obtain and reuse your personal data for your own purposes, across different services.
  - This allows you to easily move, copy, or transfer personal data from one IT environment to another in a safe and secure way, without affecting its usability.
  - This enables you to take advantage of applications and services that can use this data to find a better deal for you.
- Rights related to automated individual decision making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about you).
  - You can request human intervention or challenge automated decision-making and profiling.
- If you have an account on this site or have left comments, you can request an export of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Due to our business’s compliance with GDPR, we ensure:
- Once we have verified your identity, we respond to and resolve all Subject Access Requests we receive from you regarding your personal data within the 30-day time limit of you making the request, as outlined under the GDPR.
- We also do not charge you any fees for making a Subject Access Request or for us resolving your Request.
- We send you the information you need to resolve your Subject Access Request in the format you used to make the request. For example, if you email us to make your Subject Access Request, we will email you the required information. If you submit your Subject Access Request through our business’s Facebook account via Facebook Messenger, we will send you the necessary information there.
- We always justify why we cannot comply with your Subject Access Request. For example, if you are enquiring about personal information we had about you that we have since deleted due to our 12-month data retention period (see above), we will inform you.
If Subject Access Requests made by you are deemed to be excessive or unfounded, we reserve the right granted to us under GDPR to:
- Refuse to provide you with the information, always justifying our refusal in writing.
- Charge a reasonable admin fee and always justify in writing the reason for any fees.
- If your Subject Access Request is particularly complex, for example, we have to go through a large amount of data to access the information necessary to resolve your Subject Access Request, we will write to you within the first 30 days of you making the Subject Access Request and inform you why it will take us longer to comply with your request.
- Under the GDPR, if we follow these steps, we will have a further 2 months to comply with your Subject Access Request.
Erasing the Personal Data We Have About You
We will erase any personal data we hold about you when you withdraw your consent to us holding it (which you can do at any time), where holding it is no longer necessary and where we can find no legitimate interest in continuing to process it.
Reserving the rights granted to us under the GDPR and demonstrating our compliance, we will only refuse to erase your data if:
- We need your personal data to comply with the legal obligations of the Union Member State.
- We require your personal data for the establishment, exercise or defence of legal claims.
- Your personal data is necessary for us to perform a public interest task or exercise official authority.
- We need your personal data for public health reasons.
- We require your personal data for archival, research or statistical purposes.
- Your personal data is necessary for us to exercise our right to freedom of expression or information.
In the majority of cases, we can delete the personal data we hold about you upon request. Where we cannot, we will always provide you with a written justification for our inability to comply with your request.
Where your data is sent
Visitor comments may be checked through an automated spam detection service. This site is part of a network that protects against distributed brute-force attacks. To enable this protection, the IP addresses of visitors attempting to log in to the site are shared with a service provided by solidwp.com. For details on the privacy policy, please see the SolidWP Privacy Policy.
Contact Information
For any privacy-specific concerns or to exercise your data protection rights, please contact us at:
Telephone: 0121 269 0200