Privacy Policy

In relation to the website:

[www.oustudentsshop.com] (“Site”).

Owner

OU Students Shop (“we/us”).

Customer services:

ousa-services @open.ac.uk

Postal address:

OU Students Shop
PO Box 397
Walton Hall
Milton Keynes
MK7 6BE

Services:

The Shop sells OU branded merchandise, stationery and distributes a wide range of past examination papers for use as study aids.

The Shop fosters a corporate identity for students of the Open University; to promote the Open University and the Association’s activates to students and to encourage their active participation in their study journey.

The Shop also helps to raise funds for Open University Students Educational Trust (OUSET); a student charity that helps OU Students in financial hardship. ( www.oustudents.com/ouset)

(“Services”).

Use of Your Data

We take data privacy very seriously. We have set out below the uses to which we will put the information that we have about you in the delivery of the Services, and the legal basis for this, as well as introducing the rights that you have over the way that we use your information. This policy should be read in conjunction with the Open University’s Data Protection Policy.

For the purposes of the General Data Protection Regulation (GDPR) and any subsequent UK legislation covering data protection, we are the data controller (the entity which processes your data). All queries relating to this policy and/or data protection more generally should be referred to the General Manager of the Students Association at the above address.

The information collected about you might include the following:

Personal data

• First name
• Last name
• Preferred pronoun
• Email (for login and order confirmation)
• Address
• Postcode
• Phone number
• Details of specific webpages visited within the Site and actions taken on those webpages
• Details of devices used to visit/view the Site
• Actions taken within the Site

• Information about your use of the Site, including details of your purchases

• Information about transactions carried out over the Site

(“Personal Data”)

Sensitive personal data

• None collected

(“Sensitive Personal Data”)

(hereinafter together, “Data”)

The Data is collected when you sign up and register for an account on the Site, when you complete our endorsed surveys via SurveyMonkey or sign up to our email subscription services via MailChimp.

We may add any additional Data that we collect subsequent to initial Data collection, to your record.

Where you have registered with Open University at www.open.ac.uk and have opted-in to receive information from us, you agree that the Data collected by Open University can be shared with us, further details of this can be found in their Data Protection Policy and Privacy policy

All Data will be kept private and not shared automatically.

We may use the Data that you provide for the following purposes:

• To administer the Site

• To personalise the Site for you

• To enable your access to and use of the Site services

• To send you products that you purchased or download

• To send you statements, invoices or order and delivery updates

• To collect payments from you

• To ask you to participate in a product survey
• to deal with your enquiry or application and to provide you with appropriate services which may include sending you further information, sending you our newsletter and any additional newsletters which you have opted to receive.

• for research purposes and to help us plan and improve our Services. We may contact you ourselves or ask outside research agencies to do so on our behalf.
(“the Purpose(s)”).

The use of your information for the Purposes is lawful because one or more of the following applies:

• you have given consent to this. You may withdraw consent to these uses at any time either by using the opt-out option (where applicable), by emailing us at ousa-services@open.ac.uk or by writing to us at OU Students Shop, PO Box 397, Walton Hall, Milton Keynes MK7 6BE, noting that: (1) this will not affect the lawfulness of processing of your Data prior to your withdrawal of consent being received and actioned; and (2) if we have asked for your consent to a specific part of the service and you wish to withdraw this consent, you may not be able to partake in some of our services if you do so.;
• it is necessary for us to hold and use your Data so that we can perform our obligations under the contract we have entered into with you for the Purpose(s).

(“Lawful Uses”).

Transfer to Third Parties

Your information may be collected, passed and/or held by the following third parties if you have opted in to permit us to do this or you have registered directly with any or all of the entities below:
Open University Students Association

Open University Warehouse
Survey Monkey
Mailchimp
Facebook
Twitter
Gravit-e Centric Ltd (our website provider)

Gravit-e use a company called Send Grid in the United States to send email notifications. They are part of the EU-US Privacy Shield – see section below: “Transfers outside of the European Economic Area”

Use of your data will be subject to each of the above Party’s Privacy Polices, further details of which set out in our Disclaimer which you will be asked to accept.

Your information may also be transferred to another company in the event of the transfer of our assets to a third party. In that event, we will endeavour to ensure that your rights and freedoms in respect of the processing of your personal data are adequately and appropriately protected.

Use of aggregated data:

Where Data can be aggregated (and anonymised), we may use this without restriction for research purposes (not limited).We are entitled to do this because use of your information for these purposes is for one of the Lawful Uses.

We may also use the Information we gather to notify you about important functionality changes and alterations to the Site, or offer of products, services or information that might be of particular interest to you (where you have consented to this). We ensure that any third parties processing your Data on our behalf protect your data as carefully as we do and that they provide an adequate level of protection for your rights as a data subject. This may involve transferring your Data to other companies, inside or outside the EU.

By submitting your Information and subscribing to the Services, you consent to such use and transfer.

Save as provided below, we will not sell, rent, distribute or disclose your Data without your consent or unless required or permitted to do so by law.

Storage of Data

Your information will be stored only for so long as is reasonably necessary in order to carry out the Purpose(s).

Your rights

You have the right to request details of the processing activities that we carry out with your personal information through making a subject access request. Such requests have to be made in writing. More detail about how to make a request and the procedure to be followed can be found on the ICO’s website .

You also have the following rights:
• The right to request rectification of information that is inaccurate or out of date;
• The right to erasure of your information (known as the “ right to be forgotten”);
• The right to object to the way in which we are dealing and using your Data;
• The right to restrict the processing of your Data;
• The right to request that your information be provided to you in a format that is secure and suitable for re-use (known as the right to portability).

All of these rights are subject to certain safeguards and exemptions, more details of which can be found on the ICO’s webpage . To exercise any of these rights, you should contact the General Manager at the above address.

If you are not happy about the way in which we have processed or dealt with your information, you may file a complaint with Information Commissioners’ Office .

More detail about how you may do so can be found here.

Transfers outside of the European Economic Area

We may send your information outside of the European Economic Area (EEA). We do this because your Data may be stored on servers based outside the EEA. However, we meet our obligations under the relevant legislation by ensuring that the information has the same protection as if it were being held within the EEA. We do this by ensuring that any third parties processing your Data outside the EEA either benefits from the EU – U.S. Privacy Shield and/or, where appropriate, we have entered into a Data Processing Agreement containing the model EU clauses.

Security of Your Data

The Site is a UK-based website and we take reasonable care to comply with the requirements of the UK Data Protection Act 1998 (‘ the Act’) relating to the personal information you supply on the Site. The Site uses a security system that protects your information from unauthorised use. However, as no data transmissions over the internet can be guaranteed to be one hundred percent secure, we cannot ensure or warrant the security of any information you transmit to us and you do so at your own risk.

Updating your Information

If any of the information you provide when subscribing to the services on the Site changes, please update your profile by logging in or alternatively, please notifyousa-services @open.ac.uk.

Accessing your Information

We are data controllers for the purposes of the Act and if you wish to request access to your Information held by us, you may contactousa-services @open.ac.uk.

Mailing Lists

If you subscribe to our mailing lists for news releases and other information, we may also ask you to answer various general questions about yourself. You will be asked to specify the areas in which you are interested so that we can tailor the information which we send to you to cover the new products and special offers which we believe you might be interested in.

Newsletters

If you subscribe to one of our newsletters and at any time you wish to stop receiving this or any other information you may have requested from us or any other company, please email ousa-services@open.ac.uk or click the Unsubscribe link at the bottom of any communication you may receive from us.

Surveys and user groups

We always aim to improve the services we offer. As a result we canvass our customers using surveys via Survey Monkey. Participation in surveys is voluntary, and you are under no obligation to reply to any survey you might receive from us. Should you choose to do so, we will treat the information you provide with the same high standard of care as all other customer information.

Competitions

Your participation on our Site may mean that we occasionally contact you with the opportunity to enter competitions. Entry to competitions is voluntary, and you are under no obligation to take up an invitation from us to enter. Should you choose to enter a competition, we will treat the information you provide with the same high standard of care as all other customer information, and use the information provided strictly within the entry terms of the competition and this Privacy Policy.

Links to third parties' sites

Please note that we may provide links to other sites, which may not be governed by this Privacy Policy and you should view the privacy policy of those sites for further information.

Traffic Patterns/Site Statistics

We may monitor customer traffic patterns, Site usage and related Site information in order to optimise your use of the Site and we may give aggregated statistics to a reputable third-party, but these statistics will include no information personally identifying you.

Cookies

In addition to the Information which you supply to us, information and data may be automatically collected through the use of cookies. Cookies are small text files the Site can use to recognise repeat users and allow us to observe behaviour and compile aggregate data in order to improve the Site for you. For example, cookies will tell us whether you viewed the Site with sound or with text on your last visit. Cookies also allow us to count the number of unique and return visitors to our Site. Some of our associated companies may themselves use cookies on their own websites. We have no access to, or control of these cookies, should this occur.

Cookies may be either “persistent” cookies or “session” cookies. A persistent cookie consists of a text file sent by a web server to a web browser, which will be stored by the browser and will remain valid until its set expiry date (unless deleted by the user before the expiry date). A session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

The law states that we can store cookies on your machine if they are essential to the operation of the Site, but that for all others we need your permission to do so.

Targeted Advertising - We and third parties may serve you with targeted advertisements through the use of first-party or third-party cookies, pixels and web beacons when you visit our website or visit third party websites. In some instances, these cookies may be persistent cookies. We and our third party service providers may also use cookie and other information to try to identify other devices and web browsers that you may use so we and our third-party service providers may serve targeted advertisements to those devices. We do this to provide you with advertising that we believe may be relevant for you as well as to improve our own products and services, including the functionality and performance of our website. To learn more about opting out of certain types of targeted advertising, please see the “Opting out of cookies” section below.

The list below explains the cookies we use and why:

Cookie Description

Name

Purpose

Google Analytics cookies, set a first-party cookie in order to anonymously identify when users return to a website.

View the full list of cookie names on the Google Analytics website.

Non-essential cookie to help us track site usage and make improvements to user experience.

Gravit-e cookie – user session

PHPSESSID

Essential cookie which Identifies the user's session. It expires at the end of the session

Gravit-e cookie

eu_cookie_consent_continued

Non-essential cookie which sets when the user accepts cookies. It hides the cookie warning and expires in one year.

Twitter cookies (in conjunction with Twitter’s Tailored audiences )

Full details of Twitter’s cookie usage is available on their website .

Cookies from Twitter users are used and matched to the cookie IDs of our website visitors to gather analytics and create targeted advertising campaigns to these recent website visitors.

Facebook Javascript (in conjunction with Facebook Pixel)

Although not strictly a cookie, the Facebook pixel uses Javascript code to track activity. You can find out more about the pixel on the Facebook website . To change your settings on what adverts you see via the Facebook pixel, please visit this page.

IDs from Facebook users are used and matched to the IDs of our website visitors to gather analytics and create targeted advertising campaigns to these recent website visitors.

If you do not wish to receive cookies from us or any other website, you can turn cookies off on your web browser: please follow your browser provider’s instructions in order to do so. Unfortunately, we cannot accept liability for any malfunctioning of your PC or its installed web browser as a result of any attempt to turn off cookies.


Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org , www.allaboutcookies.org or www.civicuk.com/cookie-control/browser-settings .

It is important to remember that our Site and/or use of our Services may not function properly if your cookies are disabled. For example, if we begin to tailor the content to your interests as expressed by your browsing behaviour this depend on cookies. If you have declined cookies then this kind of service will not be available to you.

Amendments to this Privacy Policy

We may occasionally make modifications to this Privacy Policy (“Variations”) and, if the Variations are significant, will endeavour to give you prior notification (including, for certain services, email notification of Privacy Policy Variations). Variations become effective immediately upon posting to the Site and by continuing to use the Site, you will be deemed to accept any such Variations.

We also keep prior versions of the Privacy Policy in an archive, which are available for you to review upon email request to us atousa-services @open.ac.uk.

Privacy Policy, version [1.5] (updated May 2018)

1