Privacy and Information Security Policy
“User” means the person or entity using the website.
“Website” means www.assetdrop.co and the Asset Drop store, store.assetdrop.co and all subdomains.
Our customers are the most important thing to us, and so we have done everything in our power to keep your data safe and secure. We will never share or sell any data we collect about you to a third party (unless you give permission, or it is necessary).
We take Children’s Privacy very seriously. Our Terms and Conditions only allow this website to be accessed by persons eighteen (18) years or older. Due to the age restrictions of this web site, none of the information obtained by this web site falls within the Child Online Privacy Act (COPA). However, if your minor child has provided us with personally identifiable information, we encourage you to contact us so we can delete this information from our records.
Here at Asset Drop, we take your data protection and information security very seriously. I hope this document has reassured you of that.
However, if you have any further questions about your privacy and our information security protocols, please get in touch by using the Contact Form on our website. We’ll get back to you as soon as possible.
This site uses a Wildcard Secure Socket Layer (SSL) Connection to offer secure communications by encrypting all data to and from the site. This gives us the Secure symbol you see in your browser, which can only be on websites that begin with https:// (where the ‘s’ stands for secure).
All our payments are processed by industry-standard, SSL secure, PCI-SSC* compliant and PA-DSS** compliant, encrypted payment application vendors. We use PayPal, Amazon Pay, Apple Pay and Stripe (for credit and debit cards). This means your financial data never actually goes through our server.
*(PCI-SSC: Payment Card Industry Security Standards Council)
**(PA-DSS: Payment Application Data Security Standard)
We also take many other steps towards ensuring the security of the personal information you provide to us:
- We are registered with the ICO (Information Commissioner’s Office) to ensure that we adhere to the Data Protection Act of 1998 and the EU General Data Protection Regulation
- Transmissions of sensitive data on this website are encrypted through a strong SSL connection
- All our anti-virus software, plugins and firewall are maintained on a strict update schedule, and we use vulnerability scanning software
- Passwords are changed every 60 days as a minimum
- Our own server is PCI-SSC compliant (as well as our third party payment applications, like PayPal), giving you double the security
- We have the most secure login to our website possible (which is 2 factor authentication) to prevent any malicious hacking.
- We use a world-class, industry-recognised cyber security plugin, which regularly scans the website for malware, viruses, spam and more.
- We do not collect data we don’t need, and any data we do collect will only be retained as long as it is necessary for us to provide the Asset Drop service.
However, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet, no matter the detailed procedures and effort we put in.
You are responsible for keeping your password and user details confidential. You are responsible for protecting your own computer or electronic device with antivirus and anti-malware software, plus a strong firewall to help prevent fraud. You should never share your card payment data with anyone else, or write it down.
“Personal Information” means information that is about any individual, or from which any individual is directly or indirectly identifiable.
“Process”, “Processing” or “Processed” means anything that is done with any Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Although we never see your credit or debit card information, we do need certain data to be able to process your orders and create an account for you. We need to know your name, email address, and delivery address.
The information we collect will be kept accurate and up to date where possible. You can update things (or see what data we hold on you) by contacting us at [email protected], or heading to Your Account page. There is no charge for updating your information, in fact we absolutely encourage you to ensure your information is up to date. We will immediately correct any inaccuracies you report, such as changing your shipping address.
Exact Data We Collect:
- Personal details: your name; username or log in details; and password.
- Demographic information: age/date of birth; and language preferences.
- Contact details: postal address; telephone and/or mobile number; email address; and your public social media handles or profile(s).
- Consent records: records of any consents you may have given, together with the date and time, means of consent and any related information (e.g., the subject matter of the consent).
- Purchase and payment details: records of purchases and prices; subscription details; how much you choose to pay and which charities you designate as recipients of your money; invoice records; payment records; billing address; payment method; cardholder or accountholder name; payment amount; and payment date.
- Views and opinions: any views and opinions that you or other users choose to send to us, or publicly post about us on social media platforms or in the Services.
We also collect other kinds of information from you or other sources, which we refer to as “Other Information” in this Policy, which may include but is not limited to:
- Information about your use of the Services, such as usage data and statistical information, which may be aggregated.
- Browsing history including the websites or other services you visited before and after interacting with the Services.
- Non-precise information about the approximate physical location (for example, at the city or zip code level) of a user’s computer or device derived from the IP address of such computer or device (“GeoIP Data”).
- Internet Protocol (“IP”) address, which is a unique string of numbers automatically assigned to your device whenever you access the Internet.
- Device type, settings and software used.
- Log files, which may include IP addresses, browser type, ISP referring/exit pages, operating system, date/time stamps and/or clickstream data, including any clicks on customized links.
- Web Beacons, which are electronic files that allow a website to count users who have visited that page or to access certain cookies.
- Pixel Tags, also known as clear GIFs, beacons, spotlight tags or web bugs, which are a method for passing information from the user’s computer to a third party website.
- Local Shared Objects, and Local Storage, such as HTML5.
We will use this data for the purpose of providing a service to you, such as your subscription box, as well as for improving the products and services we provide.
Account creation on Asset Drop is mandatory. Account creation includes submitting your name, email address, telephone numbers, and shipping address. This is mandatory so that we can award you credits for your various activities, including creating an account. Without an account, you would not receive any reward credits for your activities and purchases. If you are not logged in when you visit the website, you will not see this discount.
You may access your account information at any time by logging into ‘My Account’ from the home page.
When creating an account through the “My Account” page you are provided with a password to access your account. That password is for your personal use only, unless otherwise specified. You agree to be responsible for the security of your password.
It shall be your responsibility to maintain the secrecy and confidentiality of your password and for all activities that transpire on or within your account. It shall be your responsibility to notify Asset Drop immediately if you notice any unauthorized access or use of your account or password or any other breach of security. Asset Drop shall not be held liable for any loss and/or damage arising from any failure to comply with this.
Sensitive Personal Information
We do not collect or otherwise Process Personal Information about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, or any other information that may be deemed to be sensitive under GDPR (collectively, “Sensitive Personal Information”) in the ordinary course of our business. Where it becomes necessary to Process Sensitive Personal Information under GDPR, we would rely on one of the following legal bases:
- Compliance with applicable law: We may Process your Sensitive Personal Information where the Processing is required or permitted by applicable law;
- Detection and prevention of crime: We may Process your Sensitive Personal Information where the Processing is necessary for the detection or prevention of crime (including the prevention of fraud);
- Establishment, exercise or defense of legal rights: We may Process your Sensitive Personal Information where the Processing is necessary for the establishment, exercise or defense of legal rights; or
- Consent: We may Process your Sensitive Personal Information where we have, in accordance with applicable law, obtained your prior, express consent prior to Processing your Sensitive Personal Information.
Children. The Services are not intended for use by children, especially those under 13. No one under the age of 13 should provide any Personal Information. Minors under the age of 18 are not permitted to make purchases through the Services or obtain coupons or codes from the Services to purchase goods or services on third party websites. If it is discovered that we have collected Personal Information from someone under 13, we will delete that information immediately.
At Asset Drop we only use your data where necessary and only provide your data to other organisations critical to the functionality of Asset Drop as a business. All companies involved in the processing of your data for the purpose of the Asset Drop service functioning correctly are fully GDPR compliant. They are:
Recharge Payments: Fully GDPR compliant
Stripe: Fully GDPR compliant
Shopify: Fully GDPR compliant
Royal Mail: Fully GDPR compliant
DPD: Fully GDPR compliant
Tansglobal: Fully GDPR compliant
The purposes for which we may Process User Information, subject to applicable law, include:
- Provision of the Services to You: providing the Services to you from Asset Drop or its partners including (i) offering of promotional giveaways, (ii) processing of your payment information for your purchases or subscriptions, both on the Service as well as developer’s sites, (iii) management of your account, (iv) offering promotional and marketing information to you, and (v) customer support and relationship management.
- Offering and Improving the Services: operating and managing the Services for you; providing personalized content to you; communicating and interacting with you via the Services; identifying issues with the Services and planning improvements to or creating new Services; and notifying you of changes to any of our Services.
- Surveys: engaging with you for the purposes of obtaining your views on our Services.
- Communications: communicating with you via any means (including via email or social media) regarding information in which you may be interested, subject to ensuring that such communications are provided to you in compliance with applicable law; maintaining and updating your contact information where appropriate; and obtaining your prior, opt-in consent where required. We may provide direct marketing to you as set out in Section 6 below.
- Advertising: providing advertising based on your interests and interactions with the Services and Channels, including using User Information to serve you advertisements on the Channels. For further information, please see Section 7 below.
- Audience Engagement: identification and development of audience engagement, advertising and promotional strategies on various platforms and channels, both within the Service and on Channels.
- User Engagement and Purchases: tracking purchase traffic and activity across the Service and on Channels, including review of your browsing history (if available); provision of analytics and measurement of cost of traffic against money being made.
- Fraud Prevention: Our Service uses third party fraud prevention software designed to prevent your credit card and other Personal Information from being used in a fraudulent purchase through the Service. This offering works by analyzing user behavior and detecting patterns that indicate fraud; these third parties may also track your activity over time and over a network of sites (Stripe).
- IT Administration: administration of Asset Drop’s information technology systems; network and device administration; network and device security; implementing data security and information systems policies; compliance audits in relation to internal policies; identification and mitigation of fraudulent activity; and compliance with legal requirements.
- Security: electronic security measures (including monitoring of login records and access details) to help mitigate the risk of and provide the ability to identify and rectify a security incident.
- Financial Management: general business and financial management purposes, including: economic, financial and administrative management; planning and reporting; personnel development; sales; accounting; finance; corporate audit; and compliance with legal requirements.
- Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.
- Legal Proceedings: establishing, exercising and defending legal rights.
- Legal Compliance: Subject to applicable law, we reserve the right to release information concerning any user of Services when we have grounds to believe that the user is in violation of our Terms and Conditions or other published guidelines or has engaged in (or we have grounds to believe is engaging in) any illegal activity, and to release information in response to court and governmental orders, other requests from government entities, civil subpoenas, discovery requests and otherwise as required by law or regulatory obligations. We also may release information about users when we believe in good faith that such release is in the interest of protecting the rights, property, safety or security of Humble Bundle, any of our users or the public, or to respond to an emergency.
Oh and rest assured, we will never sell your data!
Lawful basis for processing personal information:
In Processing your User Information in connection with the purposes set out in this Policy, we may rely on one or more of the following legal bases, depending on the circumstances:
- Consent: We may Process your User Information where we have obtained your prior, express consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way);
- Contractual necessity: We may Process your User Information where the Processing is necessary in connection with any contract that you may enter into with us;
- Compliance with applicable law: We may Process your User Information where the Processing is required by applicable law;
- Vital interests: We may Process your User Information where the Processing is necessary to protect the vital interests of any individual; or
- Legitimate interests: We may Process your User Information where we have a legitimate interest in carrying out the Processing for the purpose of managing, operating or promoting our business, and that legitimate interest is not overridden by your interests, fundamental rights, or freedoms.
When you create an account or become a customer, you will have the option to opt in to receiving marketing information from us. This option will not be ticked, so you will need to check it to make sure you receive marketing emails from us. If you leave it un-ticked, we will not add your email address to a mailing list in our Active Campaign account.
If you accept emails from us, then we may Process your User Information to contact you via email or other methods of communication to provide you with information regarding the Services that may be of interest to you. We may send information to you regarding the Services, upcoming promotions and other information that may be of interest to you, using the contact details that you have provided to us and always in compliance with applicable law.
You may unsubscribe from our newsletter lists at any time by following the unsubscribe instructions included in every email we send. We will not send you any emails from a list you have selected to be unsubscribed from, but we may continue to contact you to the extent necessary for the purposes of any other Services you have requested or for additional emails you have signed up for.
Active Campaign is also fully GDPR compliant.
We collect information about how you use our website in order to improve your experience. We can see which pages you visit, where you visit us from, and if you purchase anything. This allows us to improve our marketing. For example, if we know what products you have bought, we won’t recommend those products to you.
We can also track if you should be awarded reward credits by monitoring your actions while on our website (such as Referring a Friend, liking us on Facebook or filling out a survey).
Asset Drop’s web servers also gather your IP address to assist with the diagnosis of problems or support issues with our services. Information is gathered in aggregate only and cannot be traced to an individual user.
When you subscribe to Asset Drop, we will ask you to complete a survey about your interests in wargaming and miniatures in exchange for reward credits. We will connect this information to you personally so that we can seek out special offers for you from relevant companies.
For example, if you tell us you collect Malifaux miniatures, we will send you Malifaux promotions, rather than those from another game you do not collect. This is to improve our ability to serve you and provide value to the Asset Drop community. You can opt out of receiving these offers in your monthly box at any time by emailing us.
We may also send you other surveys and use that data to improve our boxes. For example, we will collect feedback about each monthly box and your thoughts on the paints inside.
Sometimes we will share links to other websites, either on our social media or from our online store for example. Please be aware that we are not responsible for the privacy policies, practices or security of any third party websites.
We also do not control and are not liable for the actions of any third-party websites we may promote. We pride ourselves in working with quality companies, but have no control over the actions of those third parties. While we are not liable for any of the actions of those third parties, you should feel free to give us feedback from time to time on your experiences with them so that we may enhance our future service to all customers.
In addition to the company’s safeguards, your personal data is protected in the UK by the Data Protection Act 1998 (the ‘Act’). The Act requires us, as registered Data Controllers with the Information Commissioner’s Office, to ensure that the data we hold about you is processed lawfully and fairly. It should be accurate, relevant and not excessive. The information should, where necessary, be kept up to date and not retained for longer than needed. It should be kept securely to prevent unauthorised access by other people.
We uphold all of these safeguards and take your privacy very seriously.
We will never sell your data. We will never share your data with any unnecessary third party companies.
We may use your personal information to contact you about joint venture opportunities if it appears that you would be a suitable joint venture partner.
If we are requested by the police or any other regulatory authority investigating suspected illegal activities to provide your personal information, we will do so.
Also, in the event that we sell or buy any business or assets, we may need to disclose your personal data to the prospective seller or buyer of such business or assets.
Finally, although we won’t share or sell your information with unrelated third party companies, it may sometimes be necessary to share your data with our trusted third party applications. These companies may assist us in operating our website, conducting our business, or providing services for you (such as shipping your items). We will only share data where absolutely necessary and only if those third parties agree to keep the information confidential too. It is rare that we share any data in this way.
What Can I Do To Control My Information
You may directly take steps to change your preferences as follows:
Your Newsletter and Email Subscriptions. You can opt out or unsubscribe to a newsletter or other email list at any time by following the instructions at the end of the newsletters or emails you receive. Please allow five to ten business days for changes to take effect. On some parts of the Service, member service-related communications are an integral part of such Services to which you subscribe and you may continue to receive emails as part of that particular portion of the Services unless you cancel your account, even if you opt out of the newsletters or email list. If you have provided more than one email address to us, you may continue to be contacted unless you request to unsubscribe each email address you have provided.
Cookies and Pixel Tags. You may stop or restrict cookies and pixel tags on your computer or purge cookies from your browser by adjusting your web browser preferences. However, if you “turn off,” purge, or disable cookies or pixel tags, although you may still use the Services, you may not be able to use all of the features, functions, or services available on the Services.
EU Residents. GDPR provides certain rights for EU residents. You may decline to share certain information with us, in which case we may not be able to provide some of the features and functionality of the Services. These rights include, in accordance with applicable law, the right to object to or request the restriction of processing of your information, and to request access to, rectification, erasure and portability of your own information. Where we process your information on the basis of your consent, you have the right to withdraw that consent (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Information in reliance upon any other available legal bases). Requests should be submitted by contacting us (using the contact instructions in Section 17 below). If you are an EU resident and have any unresolved privacy concern that we have not addressed satisfactorily after contacting us, you have the right to contact the appropriate EU Supervisory Authority and lodge a complaint.
We are always happy to hear from you and will always do our best to alleviate any privacy concerns you may have!