Privacy Policy
We are committed to protecting your privacy and this page contains important information about how we collect, and use, the personal information you provide us with.
Frank Thomas is fully owned by J&S Accessories Ltd. Our Head Office address is Chester Road, Oakmere, Northwich, Cheshire, CW8 2HB. Registered in England Number 02611014.
When you make a purchase from our website we collect personal information from you which may include: your name, address, email address, or contact number. We do not store credit or debit card information.
We only use your information to process and deliver your order, for warranty purposes, for statistical purposes to improve our service and, if you have subscribed, to email you our newsletter and any offers we believe you might be interested in.
We will keep your information for as long as is reasonably necessary for the purposes set out in this policy and to fulfil our legal obligations.
Monitoring and recording
We use CCTV recording equipment in and around our premises to improve the quality of our service and to prevent and detect criminal activities.
Sharing your information
We will share your name, address and contact details with our courier companies, DPD, DHL, DX and Evri, to deliver your order to you.
If you have subscribed to receive our newsletters we will share your name and email address with our transmission company, Klaviyo, to deliver the email to your inbox.
If you have opted-in to receiving marketing text messages from us we will share your name and mobile number with our transmission company, Klaviyo, to deliver the text to your phone.
We will not sell, distribute or disclose information about you as an individual or your personal usage of our site.
We may have to share your information with regulatory authorities, to prevent or detect crime (including fraud), to recover any monies owed to us, or if we are required or permitted to do this by law (for example, if we have a request from the police).
Marketing
We may use your personal information and information about your use of our products and services to carry out research and analysis to help us meet your needs in the future.
We may anonymise the information you have given us and combine it with other anonymised data for statistical analysis purposes.
We may contact you if you abandon or fail to complete an online purchase to see if we can offer you any assistance with this.
If you do not want us to use your personal information for marketing or research and analysis, please email us at [email protected] with the word "unsubscribe" in the subject line.
Cookies
A cookie is a small text file which is generated when you visit a website and stored on your computer. Cookies are commonly used on the internet, cannot harm your computer and do not store personal information. Internet browsers normally accept cookies by default, although it is possible to set your browser to reject cookies.
Our website only uses cookies that are strictly necessary for you to use its features, such as being able to access your shopping basket at any time, so refusing to accept cookies will restrict your use of our website.
We use 'analytical' cookies to help us understand the number of visitors to our website and how they move around when they're using it. This analysis helps us improve our website, by making sure users can find what they need easily.
We also use cookies in our email communications to track whether the email has been opened or read and whether any links within it have been used, allowing us to improve the emails we send you.
If you wish to know more about cookies visit www.allaboutcookies.org.
Security
The checkout payment section of our website uses Secure Sockets Layer (SSL) encryption technology, which is the industry standard for protecting and maintaining the security of message transmissions over the internet.
You can see this in the address bar of your browser with the little padlock symbol and with each page starting https://.
Any information you enter on secured sites like ours is encrypted into an unreadable format to discourage unauthorised access by others.
Our website does provide links to other sites which are outside our control and we cannot be held responsible for the privacy or security on these sites. If you access any of these sites they may wish to collect information from you and you should read their privacy policy to see how they will use this information before giving any personal details.
Use and storage of your information overseas
We, our courier, or our email transmission company may transfer, store or process electronic copies of your information outside the European Economic Area. If we, or they, do this, we will ensure that the information is protected as securely as it would be under European Union law.
Your rights
You have the right to ask for access and to receive a copy of your personal information. If you would like to receive a copy, or if you would like further information on, or wish to complain about, the way that we use your personal information, please write to the Data Manager at Frank Thomas, Chester Road, Oakmere, Northwich, Cheshire, CW8 2HB, giving your name and address.
If any of your details are incorrect, or you wish to restrict or stop us using your information, let us know and we'll amend or delete your information accordingly and confirm to you that this has been done.
You also have the right to complain to the Information Commissioner's Office (ICO) if you object to the way we use your personal information. For more information please go to www.ico.org.uk.
Please note that there may be some instances where you make a request concerning your personal information where we may not be able to action your request as it may result in us not being able to fulfil our legal obligations or where there is a minimum statutory period for which we must keep your information. If this situation arises we will let you know our reasons.
We keep this privacy, cookies and security policy under review and will publish any updates on this page. This notice was last updated on 26th June 2023.
Amazon Data Protection Policy
This Data Protection Policy ("ADPP") governs the receipt, storage, usage, transfer, and disposal of the data vended and retrieved through the Amazon Services API (including the Marketplace Web Service API). This policy is applicable to all systems that store, process, or otherwise handle data vended and retrieved from the Amazon Services API.
1. General Security Requirements
Consistent with industry-leading security, J&S Accessories Ltd ("The Company") will maintain physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of Information accessed, collected, used, stored, or transmitted by the Company, and (ii) to protect that Information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, the Company will comply with the following requirements:
1.1 Network Protection. The Company will implement network protection controls including network firewalls and network access control lists to deny access to unauthorised IP addresses. The Company will implement anti-virus and anti-malware software on end-user devices. The Company will restrict public access only to approved users.
1.2 Access Management. The Company will assign a unique ID to each person with computer access to Information. The Company will not create or use generic, shared, or default login credentials or user accounts. The Company will implement baselining mechanisms to ensure that at all times only the required user accounts access Information. The Company will review the list of people and services with access to Information at least quarterly, and remove accounts that no longer require access. The Company will restrict employees and contractors from storing Information on personal devices. The Company will maintain and enforce "account lockout" by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to Information as needed.
1.3 Least Privilege Principle. The Company will implement fine-grained access control mechanisms to allow granting rights to any party using the Application and the Application's operators following the principle of least privilege. Access to Information will be granted on a "need-to-know" basis.
1.4 Password Management. The Company will establish minimum password requirements for personnel and systems with access to Information. Passwords will be a minimum of eight (8) characters and will contain upper and lower case letters, numbers, and special characters.
1.5 Encryption in Transit. The Company will encrypt all Information in transit with secure protocols such as TLS 1.2+, SFTP, and SSH-2. The Company will enforce this security control on all applicable internal and external endpoints. The Company will use data message-level encryption where channel encryption (e.g., using TLS) terminates in untrusted multi-tenant hardware (e.g., untrusted proxies).
1.6 Incident Response Plan. The Company holds and maintains a plan to detect and handle Security Incidents. Such plans will identify the incident response roles and responsibilities, define incident types that may affect Amazon, define incident response procedures for defined incident types, and define an escalation path and procedures to escalate Security Incidents to Amazon. The Company will review and verify the plan every six (6) months and after any major infrastructure or system change, including changes to the system, controls, operational environments, risk levels, and supply chain. The Company will notify Amazon (via email to [email protected]) within 24 hours of detecting a Security Incident or suspecting that a Security Incident has occurred. The Company will investigate each Security Incident, and document the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence. The Company will maintain the chain of custody for all evidence or records collected, and such documentation will be made available to Amazon upon request (if applicable). If a Security Incident occurred, The Company cannot represent or speak on behalf of Amazon to any regulatory authority or customers unless Amazon specifically requests in writing that the Developer do so.
1.7 Request for Deletion or Return. The Company will permanently and securely delete or return Information upon, and in accordance with, Amazon's notice requiring deletion or return, within 72 hours of Amazon's request, unless the data is necessary to meet legal requirements, including tax or regulatory requirements. Secure deletion will occur in accordance with industry-standard sanitisation processes such as NIST 800-88. The Company will also permanently and securely delete all live (online or network accessible) instances of Information 90 days after Amazon's notice. If requested by Amazon, the Developer will certify in writing that all Information has been securely destroyed.
2. Additional Security Requirements Specific to Personally Identifiable Information
The following additional Security Requirements will be met for Personally Identifiable Information ("PII"). PII is granted to The Company for select tax and merchant fulfilled shipping purposes, on a will-have basis. If an Amazon Services API contains PII, or PII is combined with non-PII, then the entire data store will comply with the following requirements:
2.1 Data Retention. The Company will retain PII for no longer than 30 days after order delivery and only for the purpose of, and as long as is necessary to (i) fulfil orders, (ii) calculate and remit taxes, (iii) produce tax invoices, or (iv) meet legal requirements, including tax or regulatory requirements. If the Company is required by law to retain archival copies of PII for tax or other regulatory purposes, PII will be stored as a "cold" or offline encrypted backup (e.g., not available for immediate or interactive use).
2.2 Data Governance. The Company will create, document, and abide by a privacy and data handling policy for their Applications or services, which governs the appropriate conduct and technical controls to be applied in managing and protecting information assets. A record of data processing activities, such as specific data fields and how they are collected, processed, stored, used, shared, and disposed of, should be maintained for all PII to establish accountability and compliance with regulations. The Company will establish a process to detect and comply with privacy and security laws and regulatory requirements applicable to their business and retain documented evidence of their compliance. The Company will establish and abide by their privacy policy for customer consent and data rights to access, rectify, erase, or stop sharing/processing their information where applicable or required by data privacy regulation.
2.3 Asset Management. The Company will keep an inventory of software and physical assets (e.g. computers, mobile devices) with access to PII, and update it quarterly. Physical assets that store, process, or otherwise handle PII will abide by all of the requirements set forth in this policy. The Company will not store PII in removable media, personal devices, or unsecured public cloud applications (e.g., public links made available through Google Drive) unless it is encrypted using at least AES-128 or RSA-2048 bit keys or higher. The Company will securely dispose of any printed documents containing PII.
2.4 Encryption at Rest. The Company will encrypt all PII at rest using at least AES-128 or RSA with 2048-bit key size or higher. The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities (e.g. daemons implementing virtual Trusted Platform Modules and providing encryption/decryption APIs) used for encryption of PII at rest will be only accessible to the Developer's processes and services.
2.5 Secure Coding Practices. The Company will not hardcode sensitive credentials in their code, including encryption keys, secret access keys, or passwords. Sensitive credentials will not be exposed in public code repositories. The Company will maintain separate test and production environments.
2.6 Logging and Monitoring. The Company will gather logs to detect security-related events in their Applications and systems, including success or failure of the event, date and time, access attempts, data changes, and system errors. The Company will implement this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to Information. All logs will have access controls to prevent any unauthorised access and tampering throughout their lifecycle. Logs will not contain PII unless the PII is necessary to meet legal requirements, including tax or regulatory requirements. Logs will be retained for at least 90 days for reference in the case of a Security Incident. The Company will build mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorised calls, unexpected request rate and data retrieval volume, and access to canary data records). The Company will implement monitoring alarms to detect if Information is extracted from its protected boundaries. The Company should perform an investigation when monitoring alarms are triggered, and this should be documented in the Developer's Incident Response Plan.
2.7 Vulnerability Management. The Company will create and maintain a plan to detect and remediate vulnerabilities. The Company will protect physical hardware containing PII from technical vulnerabilities by performing vulnerability scans and remediating appropriately. The Company will conduct vulnerability scanning or penetration tests at least every 180 days and scan code for vulnerabilities prior to each release. Furthermore, The Company will control changes to the storage hardware by testing, verifying changes, approving changes, and restricting access to who may perform those actions.
3. Audit and Assessment
The Company will maintain all appropriate books and records reasonably required to verify compliance with the Acceptable Use Policy, Data Protection Policy, and Amazon Services API Developer Agreement during the period of this agreement and for 12 months thereafter. Upon Amazon's written request, The Company will certify in writing to Amazon that they are in compliance with these policies. Upon request, Amazon may, or may have an independent certified public accounting firm selected by Amazon, audit, assess and inspect the books, records, facilities, operations, and security of all systems that are involved with the Company's Application in the retrieval, storage, or processing of Information. The Company will cooperate with Amazon or Amazon's auditor in connection with the audit or assessment, which may occur at the Company's facilities and/or subcontractor facilities. If the audit or assessment reveals deficiencies, breaches, and/or failures to comply with our terms, conditions, or policies, the Company will, at its sole cost and expense, take all actions necessary to remediate those deficiencies within an agreed-upon timeframe. Upon request, the Company will provide remediation evidence in the form requested by Amazon (which may include policy, documents, screenshots, or screen sharing of application or infrastructure changes) and obtain written approval on submitted evidence from Amazon before audit closure.
4. Definitions
"Amazon Services API" means any application programming interface (API) offered by Amazon for the purpose of helping Amazon Authorised Users to programmatically exchange data.
"API Materials" means Materials we make available in connection with the Amazon Services API, including APIs, documentation, specifications, software libraries, software development kits, and other supporting materials, regardless of format.
"Application" means a software application or website that interfaces with the Amazon Services API or the API Materials.
"Authorised User" means a user of Amazon's systems or services who has been specifically authorised by Amazon to use the applicable systems or services.
"Customer" means any person or entity who has purchased items or services from Amazon's public-facing websites.
"Company" means J&S Accessories Ltd.
"Information" means any information that is exposed through the Amazon Services API, Amazon Portals, or Amazon's public-facing websites. This data can be public or non-public, including Personally Identifiable Information about Amazon Customers.
"Personally Identifiable Information" ("PII") means information that can be used on its own or with other information to identify, contact, identify in context, or locate an Amazon Customer or Authorised User. This includes, but is not limited to, a Customer or Authorised User's name, address, e-mail address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (e.g., browser, user device), IP Address, geo-location, nine-digit postal code, or Internet-connected device product identifier.
"Security Incident" means any actual or suspected unauthorised access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Information, or breach of any environment containing Information.