Who we are:
We are a UK company called Lagoon Ltd. Company No. 10552532. VAT Number 259 6978 28. Our website address is: https://lagoon.studio.
What personal data we collect and why we collect it:
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
We do not use contact forms. We use email links and the phone.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
We use Google Analytics.
Who we share your data with:
Your analytics data is only viewed by employees at Lagoon Ltd. We do not share with third parties.
How long we retain your data:
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data:
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data:
Visitor comments may be checked through an automated spam detection service.
Your contact information:
If your contact information is supplied, it is only retained indefinitely on secure servers. You can also request that we erase any contact information about you.
How we protect your data
Our website uses an SSL certificate. Our hosting company is Media Temple. Your data is safe with Media Temple. All hosting servers are under their direct control at all times in secure, state-of-the-art East and West Coast US data centres. Both centres are certified Tier 3+, meaning at least 99.99% network uptime guaranteed. They’re also connected to each other directly by a redundant, low-latency private fiber connection, and staffed 24/7/365 with HP-certified technicians and armed security.
What data breach procedures we have in place
We inform individuals about any personal data breaches where there is a high risk to the individuals’ rights and freedoms. In such a situation, individuals will be informed without undue delay. The communication will use clear and plain language and contain, as a minimum, the following information: A description of the nature of the breach; The name and contact details of the data protection officer or other contact point; A description of the likely consequences of the breach; and A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
What third parties we receive data from
If we receive data from third parties like Google Analytics, we handle this in the same way as data we have collected.
What automated decision making and/or profiling we do with user data
To comply with the GDPR…
- We have a lawful basis to carry out profiling and/or automated decision-making and document this in our data protection policy.
- We send individuals a link to our privacy statement when we have obtained their personal data indirectly.
- We explain how people can access details of the information we used to create their profile.
- We tell people who provide us with their personal data how they can object to profiling, including profiling for marketing purposes.
- We have procedures for customers to access the personal data input into the profiles so they can review and edit for any accuracy issues.
- We have additional checks in place for our profiling/automated decision-making systems to protect any vulnerable groups (including children).
- We only collect the minimum amount of data needed and have a clear retention policy for the profiles we create.
As a model of best practice…
- We carry out a DPIA to consider and address the risks before we start any new automated decision-making or profiling.
- We tell our customers about the profiling and automated decision-making we carry out, what information we use to create the profiles and where we get this information from.
- We use anonymised data in our profiling activities.
Solely automated individual decision-making, including profiling with legal or similarly significant effects (Article 22)
To comply with the GDPR…
- We carry out a DPIA to identify the risks to individuals, show how we are going to deal with them and what measures we have in place to meet GDPR requirements.
- We carry out processing under Article 22(1) for contractual purposes and we can demonstrate why it’s necessary.
Industry regulatory disclosure requirements
We have aimed to cover all industry regulatory and disclosure requirements including for the GDPR as of 24th May 2018.