Privacy Policy

Kyoto Data Policy (Incorporating GDPR)

Due to Review (Nov 21)

GDPR Controllers and Processors

Kyoto is a “Controller and Processor” – determining the purposes and means of processing personal data and responsible for processing personal data.

Policy Overview

Kyoto is committed to being transparent about how it collects and uses the personal data of its customers (internal and external), and to meeting its data protection obligations. This policy sets out our commitment to data protection, and individual’s rights and obligations in relation to personal data.
This policy applies to the personal data of Employees, Customers, Suppliers and Contractors referred to as personal and business data.

“Persona/Business data” is any information that relates to an individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
The Company processes personal/business data in accordance with the following data protection principles:

  • We process personal data lawfully, fairly and in a transparent manner.
  • We collect personal data only for specified, explicit and legitimate purposes.
  • We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • We keep personal data only for the period necessary for processing.
  • We adopt appropriate measures to make sure that personal data is secure and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.
  • We inform individuals of the reasons for processing their personal data, how we use such data and the legal basis for processing in the Company’s privacy notices (see below). We will not process personal data of individuals for other reasons.
  • We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.
  • Personal data gathered during the employment or business relationship, is held in hard copy or electronic format, or both.  The periods for which the Company holds personal data are contained in its privacy notices (see below).
  • We keep a record of our processing activities in respect of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

Individual rights

As a data subject, individuals have the right to make a subject access request. If an individual makes a subject access request, the Company will comply in accordance with the GDPR controls.  To make a subject access request, the individual should send their request to the Data Protection Officer.  The Company will normally respond to a request within a period of one month from the date it is received. If a subject access request is unfounded or excessive, the Company is not obliged to comply with it. Alternatively, the Company can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request.

1. Information Held by Kyoto:

1.1 Information Audit Map – Data held at Kyoto

See appendix 1

1.2 Use of Personal Data held at Kyoto

See appendix 2

1.3 Lawful basis for processing personal data

All personal data processed shall be in keeping with lawful guidelines and be kept secure at all times.  Data shall be destroyed in such ways as to not risk compromise and shall be overseen by Management. Staff handling data will be trained in the handling and storing of data (Effective Handling Awareness).

1.4 Consent of Use of Data.

Kyoto has reviewed how consent is requested confirmed from suppliers and customers. (The recording and management of ongoing consent to be addressed by an annotation within account application form/update terms of business for new companies).  Reviewing of the process will be on-going.

1.5 Protection of Electronic Data

Kyoto will consistently monitor and review the processes for the protection of data alongside the key IT Software and Hardware Agents to ensure the Security and Safety of all data held in line with GDPR requirements.

1.6 Data Breaches

Data Breaches (theft or loss of personal data) will be reported within 72 hours to the Information Commissioners Office (ICO) as per GDP Regulations ICO Breach reporting tel: 0303 123 1113.

The Kyoto Data Protection Policy will incorporate the Company Internet & E-mail Policy and the Employee Data Protection Statement (as laid out in Individual Staff Contracts).

2. Internet & E-mail Policy

  1. This company encourages the use of both e-mail and the internet for legitimate business purposes. It aims to maximise the use of these facilities for the business whilst avoiding potentially serious pitfalls of misuse by employees. 

  2. Both facilities allow users easy access to an extensive communications capability both internally and externally. However they may also expose the company and its employees to highly visible and unprecedented risks.  It is crucial therefore that usage of both e-mail and the internet are carefully managed to ensure the company’s image is protected and its liability limited.  It is also of equal importance to ensure that its employees are protected from any unauthorised use or abuse of these facilities.

  3. Both e-mail and the internet must be used only for legitimate business purposes.  These facilities must not be used to seek, retrieve, display, download or circulate electronically to others, information (including graphics) which is indecent, profane, subversive, criminal or which may constitute an act of discrimination including harassment of another employee, client, customer, supplier or agent of the company. 

  4. Any harassment by e-mail will be dealt with according to the company’s Equal Opportunity Policy and will constitute an offence of gross misconduct. 

  5. Nothing that an employee would not be prepared to write in a proper memo should be included in an e-mail.

  6. Employees may not send e-mail from another employee’s PC under that employee’s log-on password without the prior consent of that employee. 

  7. All information and data contained on or accessed via the company’s systems remain the property of the company.

  8. The company reserves the right to monitor the use of both the e-mail and internet facilities and as such employees should have no expectation of privacy in anything they create, store, send or receive on either system.

  9. Security in respect of the use of the systems and facilities is paramount.  The company’s confidentiality clause as contained in the employee’s Contract of Employment applies equally to the use of these systems and facilities.  It is the responsibility of each employee to ensure that they take all necessary steps to secure their systems by the use of passwords, not sharing passwords or by not changing their password when instructed to do so. 

  10. Non-compliance of any of the terms of this Policy will result in the employee being subject to the company’s Disciplinary Procedure.

3. Data Protection

3.1 Through your employment with the Employer, personal data will come into your knowledge, possession or control.  In relation to such personal data (excluding personal data contained in personal communications) whether you are working at the Employer’s premises or working remotely, you must:

  • keep them secret and confidential and you must not disclose them to any other person unless authorised to do so by the Employer.  If in doubt ask your Line Manager

  • familiarise yourself with the date protection policy

  • process personal data strictly in accordance with the Data Protection Act 1998, the data protection policy and any other policies and procedures issued by the Employer; and

  • not make personal or other inappropriate remarks about customers or colleagues on manual files or computer records since the subject of such remarks has a right to see information the Employer holds on that individual.

  • The Employer views any breach of the Data Protection Act 1998 (including GDPR May 2018) and our data protection policy as gross misconduct which may lead to a summary dismissal under our disciplinary procedures.

  • If you make or encourage another person to make an unauthorised disclosure knowingly or recklessly you may be held criminally liable.



data protection policy.doc

Privacy notices

Record Data Retention:

Documents Duration


Company held information is within our electronic software, which includes:

  • Company Name
  • Company Address including site locations
  • Company contacts (Buyers, Sales, Accounts, Management etc.)
  • Various Telephone numbers and Fax numbers as supplied by you
  • Various e-mail addresses for your business
  • VAT Number
  • Bank Account Details
  • Trading Agreement/Terms of Business

Information about a company is backed up and stored securely for loss prevention purposes.  This information will only be used for restore purposes by our company.

We hold addresses within our Microsoft Office Software.

Although Kyoto is already encrypting emails we do still accept non encrypted transmissions (inbound and outbound) but we will be moving to only accept encrypted emails in the near future, please ensure your IT department has enabled your email server for the sending and receiving of TLS encryption

We use data relating to a business to facilitate trading with a company and for general correspondence with staff on a regular basis.  Kyoto Futons will never pass on or sell this information without permission.


We provide online services that are easy to use, useful and reliable. These can involve placing small amounts of information on your computer or mobile phone or other device. These include small files known as cookies. There's a link to general advice about managing cookies at the end of this page. Cookies cannot be used to identify you personally.

Below is a list of cookies that are used on this Website.

Iconography Ecommerce Cookies

Typical content: randomly generated number
Expires: when user exits browser

Name: style
Typical content: stores the user's preference to whether they wish to view products in a list or a grid
Expires: 1 year

Name: key
Typical content: randomly generated number to remember the user for their next visit
Expires: 4 weeks

Name: bkey
Typical content: randomly generated number to remember the basket contents for the customers next visit
Expires: 4 weeks

Name: recent
Typical content: stores recently viewed products for display on the customers next visist
Expires: 4 weeks

Name: facebookLike
Typical content: used for promotional offers, stores whether the customer has "liked" the website on Facebook
Expires: 4 weeks

Name: allowAllCookies
Typical content: stores the user's preference to whether they wish to allow all Cookies on this Website or not
Expires: 1 year

Google Analytics Cookies

Name: _utma
Typical content: randomly generated number
Expires: 2 years

Name: _utmb
Typical content: randomly generated number
Expires: 30 minutes

Name: _utmc
Typical content: randomly generated number
Expires: when user exits browser

Name: _utmv
Typical content: randomly generated number
Expires: 2 years

Name: _utmz
Typical content: randomly generated number and information about how the page was reached (eg directly or via a link, organic search or paid search)
Expires: 6 months

For further details on the cookies set by Google Analytics, see the link below.

Add-This Cookie

Name: _atuvc
Typical content: numeric content (e.g. 8|21) that helps you share content through social networks
Expires: 2 years

Social networking websites

Social networking websites may place cookies on your computer. Social bookmarks are a way of saving links to web pages that interest you, and sharing those links with other people. You should read their respective privacy policies carefully to find out what happens to any data that these services collect when you use them.

More about Cookies

For more information about how to manage your cookies, visit