Privacy Policy
Group
Global Vision Direct Ltd (UK) trading as Artisan Furniture, and its affiliates, including Global Vision Direct Private Limited (India) and other regional entities (together, “Artisan”, “we”, “our”, “us”).
This master policy governs privacy practices across our six regional websites (UK, EU, US, Canada, Australia, India) and connected B2B portals. Local addenda (UK, EU, US, CA, AU, IN) complement this master with jurisdiction-specific requirements.
- Accessibility Statement
- API/Data Syncing 🟣⚫
- Assembly Policy
- B2B Warranty
- Base Camp ⚫
- Community Charter 🟡⚫
- Content Stiudio ⚫
- Content Stiudio
- Customer Services (Country Option) 🟡⚫
- Delivery & Surcharges ⚪⚫
- Dropship & On-Demand ⚫
- Dropship Glossary ⚫
- Dropship Program ⚫
- Dropship Pros & Cons ⚫
- E - Commerce 🟣⚫
- Eco Sustainability 🟢⚫
- Escalation Procedure 🟡🔴
- Fulfilment Program ⚫
- GenZ Furniture ⚫
- GenZ Story ⚫
- Global Framework ⚫
- Global Pricing
- Hybrid Whoesale Program ⚫
- Interior Projects ⚪⚫
- IP Digital Assets
- Mango Wood Ageing ⚪🟢
- No RRP Policy ⚫🔵
- Packaging Returns
- Plant a Tree 🟢⚫
- Policy Incorporation Framework 🔵⚫
- Product Categorisation
- Replacement Parts Guide ⚪
- Reseller Fit Guide
- Reseller Growth 🟡⚫
- Reseller Guidance
- Reseller Invoicing ⚫
- Smart Talk 🟡⚫
- Supplier Registration ⚫
- Sustainability Governance
- Swatch Guidance ⚪
- Timber White ITW ⚫
- Trade Programe ⚫
- Virtual Assistant 🟣⚫
- Wholesale Programe ⚫
- Work Framework ⚫
- Account Security 🔵🔴
- B2B & B2C 🔵⚫
- Cancellation Policy 🔵🔴
- Chargeback Policy 🔵🔴
- Compliance Playbook 🔵🔴
- Content Usage Policy 🔵
- Cookie Policy 🔵
- CTPAT Statement 🔵
- Digital Products Returns Policy 🔵🔴
- Engagement Framework 🟡🔵
- Ethical AI 🟣🔵
- Methyl Bromide Dossier 🟢🔵
- Modern Slavery Policy 🟢🔵🔴
- Our Accrediation 🟢🔵
- pEPR Framework 🟢🔵
- Privacy Policy 🔵🔴
- Protecting Employees 🟢🔵
- Reseller Guidence 🟡🔵
- Reseller Restrictions 🔵🔴
- Reseller Tax Guidance 🔵
- Returns Policy 🔵🔴
- SBTi Commitment 🟢🔵
- Social & Environmental 🟢🔵
- Sustainability 🟢🔵
- Terms & Condition 🔵🔴
- Transit Impact Policy 🟢🔵
- Wholesale Returns 🔵🔴
- Wood Movement Advisory 🟢🔵
1) Who we are & scope
- Business model: We are a B2B supplier (wholesale & dropship). We sell to trade customers (resellers/retailers). End customers (consumers) do not access our platforms.
- Websites covered (6): UK, EU, US, Canada, Australia, India (plus linked B2B portals listed below).
- UK: https://www.artisanfurniture.net/
- US: https://www.artisanfurniture.us/
- EU: https://www.artisanfurniture.eu/
- CA: https://www.artisanfurniture.ca/
- AU: https://www.artisanfurniture.au/
- IN: https://www.artisanfurniture.in/
- Group structure: UK parent (Global Vision Direct Ltd, trading as Artisan Furniture) with affiliated companies, including Global Vision Direct Private Limited (India), which is an independent legal entity within our group and is controlled through Amit Basu (Person of Significant Control / UBO).
- Role allocation:
- For B2B accounts & portals, Artisan is a controller.
- For end-customer data provided by B2B clients solely to fulfil delivery, the B2B client is the controller, and Artisan acts as a processor (or service provider/contractor under local law).
2) Platforms and external portals (B2B-only access)
Trade (B2B) users may access:
- Inventory: https://inventory.artisanadmin.net/
- ArtisanFlo – Data Sync: https://app.artisanflo.net/
- Flo Admin: https://floadmin.azurewebsites.net/
- ERP Admin: https://www.artisanerp.net/public_html/admin/
- ArtisanBot (Virtual Assistant): https://artisanbot.net/
- ArtisanFurniture AI CMS: https://artisanfurniture.ai/
These require authorization. End customers never access these systems.
3) What data we process
A. B2B contacts (our direct customers)
- Identification & business contact: name, job title, employer, work email, work/mobile phone.
- Account & access: usernames, hashed passwords, role/permissions, audit logs.
- Commercial/finance: billing details, payment method tokens (via gateway), transaction records, tax/VAT/GST data.
- Communications: emails/tickets, chat transcripts (including via Flo), call notes.
- Technical: device/browser info, IP address, usage logs, cookies/analytics (subject to consent where required).
B. End customers (consumers of our B2B clients) – delivery only
- Name, delivery address, postcode, email, phone/mobile — exclusively to arrange, ship, and track deliveries and handle delivery issues/returns on behalf of the B2B client.
C. Special categories / sensitive data
- We do not intentionally collect special category/sensitive data.
- We do not knowingly collect children’s data (see Section 18).
4) How we collect data
- Directly from B2B users (account creation, orders, support).
- From B2B clients’ systems (via APIs/feeds/ArtisanFlo) for catalogue, orders, and fulfilment.
- From couriers/payment providers/communication tools (status, confirmations).
- Automatically via our websites/portals: logs, cookies, and similar technologies.
5) Purposes & legal bases (high-level)
Purpose | Typical data | UK/EU legal basis | US (CPRA) | CA (PIPEDA) | AU (APPs) | IN (DPDP) |
Provide B2B services (accounts, portals, inventory, ERP, ArtisanFlo) | A | Contract; Legitimate interests | Necessary for services; no sale/share | Appropriate purposes | Reasonable necessity | Consent/legitimate use per contract |
Fulfil dropship deliveries (for end customers) | B | Contract (with B2B client); Legitimate interests; Processor role | Service provider/contractor | Appropriate purposes | Reasonable necessity | Legitimate use to perform service |
Payments & invoicing | A | Contract; Legal obligation | Service provider | Appropriate purposes | Reasonable necessity | Legitimate use/legal obligation |
Customer support & comms (incl. Flo) | A | Legitimate interests; Contract | Service provider | Appropriate purposes | Reasonable necessity | Legitimate use |
Security, fraud prevention, audit | A | Legitimate interests; Legal obligation | Service provider | Appropriate purposes | Reasonable necessity | Legitimate use/legal obligation |
Analytics, quality, service improvement | A (pseudonymized where possible) | Legitimate interests; Consent where required (cookies) | No sale/share; opt-out where applicable | Appropriate purposes | Reasonable necessity | Consent/Legitimate use |
Legal, tax, compliance | A/B | Legal obligation | Legal compliance | Legal compliance | Legal compliance | Legal obligation |
Marketing: We market B2B-only. We do not market to end customers.
Automated decisions: We do not make decisions producing legal/similarly significant effects solely by automated means (see Section 17).
6) Cross-navigation and region routing
To give region-appropriate content, we may automatically redirect you between regional sites (e.g., UK → EU) and open a new tab. We may use cookies/headers/IP to infer region. You can always change site/region manually. This does not reduce your privacy protections.
7) Cookies & similar technologies
- We use strictly necessary cookies, and (with consent where required) functional, performance/analytics, and limited advertising/retargeting cookies (B2B).
- Consent Management: We display a banner where required (UK/EU and similar regimes).
- Global Privacy Control (GPC): Honoured where applicable (e.g., California).
- You can manage preferences via our cookie banner or browser settings.
- See our Cookie Notice for details (names, purposes, lifetimes).
8) Recipients & disclosures (categories)
We disclose data only as needed:
- Group companies (UK, India, and as applicable regional affiliates) for operations/fulfilment.
- Couriers & logistics (e.g., UPS, DHL, pallet networks) – end-customer delivery details only.
- Payment processors/financial services (e.g., PayPal; B2B finance partners such as iwocaPay).
- Communications providers (e.g., email/SMS gateways, chat/AI tooling including Flo).
- Cloud/hosting & IT (e.g., AWS, Azure), backups, CDN, monitoring, security tools.
- Approved external developers/partners (API/integration support under NDA & DPAs).
- Professional advisors (auditors, lawyers, insurers, banks) and authorities when legally required.
- Corporate transactions: In a merger/acquisition/financing, data may transfer under safeguards.
We maintain Data Processing Agreements (DPAs) and conduct vendor diligence. A current sub-processor list can be provided upon request.
9) International transfers
- Primary hosting: UK and US clouds; certain workloads may run/backup in India.
- Data flows:
- UK data → India (group operations/support).
- US/CA/AU/EU data → UK + India as needed for operations/support.
- IN data → remains in India unless otherwise stated/consented
Safeguards:
- UK IDTA and/or EU SCCs with UK Addendum (as applicable).
- Transfer Risk Assessments (TRA) and Schrems II measures.
- Encryption (in transit/at rest), role-based access, need-to-know access, logging.
10) Security (technical & organizational)
- TLS 1.2+ in transit; AES-256 at rest (where supported).
- Network segmentation, firewalls, least-privilege access, MFA, SSO for admins.
- Secret management & key rotation; code review & CI/CD controls.
- Centralized logging, SIEM monitoring, vulnerability management, patching.
- Penetration tests (periodic) and incident response playbooks.
- Employee & contractor confidentiality, security awareness training.
- Vendor risk management and sub-processor oversight.
11) Retention (how long we keep data)
We minimize retention and delete/irreversibly anonymize when no longer needed.
Data category | Typical retention |
B2B account & contract records | Contract term + 7 years (tax/audit) |
Orders, invoices, shipping docs | 7 years (tax/audit) |
End-customer delivery data (as processor) | For the fulfilment lifecycle and statutory recordkeeping (generally up to 7 years within order records); otherwise deleted/pseudonymized earlier where feasible |
Support tickets & chat transcripts | 3 years from closure (unless legal hold) |
Access logs & security logs | 12–24 months (security/forensics) |
Cookie/analytics data | As per Cookie Notice (e.g., 6–26 months) |
Marketing to B2B contacts | Until opt-out/objection, or inactivity policy (e.g., 24 months), whichever is earlier |
Legal holds may extend retention if required by law or litigation.
12) Your rights & how to exercise them
We respond to rights without undue delay and within legal time limits. We will verify identity and, where we act as processor for your retailer, we will route requests to the controller.
A. UK/EU (UK GDPR / GDPR)
- Access, rectification, erasure, restriction, portability, objection, and withdraw consent.
- Object to legitimate interests (including B2B direct marketing) at any time.
- Complain to the ICO (UK) or your EU supervisory authority.
B. United States (CPRA/CPPA & state laws)
- Know/access, delete, correct, limit use of sensitive PI (not used), opt-out of sale or sharing (cross-context behavioral advertising).
- We do not “sell” or “share” personal information as defined by CPRA.
- No retaliation for exercising rights.
- Use an authorized agent if desired (we’ll require proof & verification).
C. Canada (PIPEDA)
- Access and correction; challenge compliance with the OPC.
- Appropriate purposes and safeguards required.
D. Australia (Privacy Act / APPs)
- Access and correction; complain to the OAIC.
- Reasonable steps to keep information accurate and secure.
E. India (DPDP Act 2023)
- Access, correction, erasure, grievance redressal; use of consent managers where applicable.
- Complain to the Data Protection Board of India.
How to submit a request: See Section 16 (Contact). Please state your jurisdiction and whether your request concerns: (i) your B2B user account data, or (ii) end-customer delivery data (in which case we may direct you to the relevant retailer/controller).
13) Marketing & communications
- B2B marketing only (product updates, service notices, newsletters).
- Legal bases: legitimate interests / soft opt-in where applicable, or consent.
- Opt out anytime via email footer or by contacting us (Section 16).
- No marketing to end customers whose details we process strictly for delivery.
14) Automated decision-making & profiling
- We do not engage in automated decision-making producing legal/similarly significant effects.
- We may use limited analytics/propensity scoring to improve B2B services (not for end-customer marketing).
15) Children’s data
- Our services and websites are not directed to children.
- We do not knowingly collect data from individuals under the age defined by local law (e.g., under 16 in the EU/UK, under 13 in US COPPA). If you believe a child has provided data, contact us to delete it.
16) Contact, DPO/Privacy Lead & complaints
Global Vision Direct Ltd
T/A Artisan Furniture
5th Floor, Watson House
54–60 Baker Street
London W1U 7BU
United Kingdom
Email – finance@artisanfurniture.net
Global Vision Direct Ltd acts as the data controller for all personal data processed across Artisan Furniture’s digital platforms, websites, sub domain Compliance and Policies Hub and services.Supervisory authorities:
- UK: Information Commissioner’s Office (ICO) – report/complaint via ico.org.uk
- EU: Your local Data Protection Authority
- US: State privacy regulators (e.g., California Privacy Protection Agency)
- Canada: Office of the Privacy Commissioner of Canada (OPC)
- Australia: Office of the Australian Information Commissioner (OAIC)
- India: Data Protection Board of India
17) Processor instructions (for our B2B clients)
Where we act as processor for your end-customer delivery data, we will:
- Process only on your documented instructions (order fulfilment/returns).
- Maintain confidentiality, security, and sub-processor controls.
- Assist with data subject requests, breach notifications, and DPIAs where relevant.
- Delete or return personal data after processing (subject to legal retention).
- Make available information to demonstrate compliance (incl. audit cooperation).
A Data Processing Agreement (DPA) is available on request.
18) Data protection by design & assessment
- We apply privacy by design/default to new systems and features.
- We conduct DPIAs for high-risk processing and TRAs for international transfers.
- AI/chat features (e.g., Flo) are configured to minimize personal data capture; transcripts are retained per Section 11.
19) External links & third-party sites
Our sites/portals may link to third-party websites or tools (e.g., courier tracking pages). Those sites have their own privacy policies. We are not responsible for third-party practices.
20) Data breaches & incident response
If we become aware of a personal data breach, we will follow our incident response procedures, including:
- Containment, assessment, and remediation.
- Notifications to controllers (where we are processor) and to authorities/individuals when legally required and within statutory timeframes.
21) Changes to this policy
We may update this policy to reflect legal, technical, or business changes. Material changes will be posted with a new Effective date; where required, we will seek consent or provide additional notice.
Local Addenda (high-level summaries)
Full jurisdiction-specific policies will be published on each regional site. Below are headline differences.
A) UK Privacy Policy (UK GDPR & DPA 2018)
- Lead supervisory authority: ICO.
- Legal bases and rights as in Sections 5 & 12(A).
- International transfers under IDTA/UK Addendum to EU SCCs + TRA.
- Cookies per PECR; consent banner where required.
B) EU Privacy Policy (GDPR)
- Lead DPA: based on main establishment or as per country of the site/user.
- Legal bases and rights per GDPR.
- Cross-border transfers via EU SCCs + Schrems II measures.
- ePrivacy/cookies: consent where required.
C) US Privacy Policy (CPRA/State Laws)
- We do not sell or share personal information as defined by CPRA.
- Provide Do Not Sell/Share link if practices change.
- Sensitive PI: not used beyond exempt security/operational purposes.
- Verification/authorized agents process; non-discrimination.
D) Canada (PIPEDA)
- Accountability, identifying purposes, consent where required, limiting collection, safeguards, openness, access/correction, challenging compliance (OPC).
E) Australia (Privacy Act 1988 & APPs)
- APP 1–13 compliance; overseas disclosures under APP 8 with contractual safeguards.
F) India (DPDP Act 2023)
- Roles (Data Fiduciary/Processor), notice & consent (or legitimate use), security safeguards, breach reporting, grievance redressal, consent managers support.
Operational clarifications specific to your model
- B2B only: End customers never access our systems.
- End-customer details are processed only for delivery (labels, courier notifications, failed-delivery contact, returns).
- White-label dropship: We do not reveal wholesale details or otherwise contact end customers for marketing.
- Hosting: Primary clouds in UK/US; certain workloads/backups may run in India.
- Cross-navigation: We may open a new tab to the appropriate regional site without a pop-up notice; this is disclosed here and in local policies.
- Approved developers: Limited, audited access under NDAs/DPAs for integration support.
How to use this master policy
- Publish this Global policy on each site.
- Link the local policy (UK/EU/US/CA/AU/IN) from the footer and from this page.
- Publish a Cookie Notice and Sub-processor List (or provide on request).
- Add a DSAR/privacy request form and Do Not Sell/Share link (US) even if not currently selling/sharing (to future-proof).
Published January 2026 | Effective from January 2026 until Superseded or Amended