Privacy policy
1. INTRODUCTION
1.1 Definitions
- “The GDPR” refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Applicable law” refers to the legislation applicable to the processing of personal data, including the GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by a national or EU supervisory authority.
- “Controller” is the company/organization that decides for what purposes and in what way personal data is to be processed and is responsible for the Processing of Personal Data in accordance with applicable law.
- “Processor” is the company/organization that processes Personal Data on behalf of the Controller and can therefore only process the Personal Data according to the instructions of the Controller and the Applicable Law.
- “Sensitive data” refers to data relating to race or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic or biometric data, health or mortality, sex life or sexual orientation.
- “Aggregated data” refers to statistical or demographic data which may be derived from Your personal data but is not considered personal data as it will not, directly or indirectly, reveal Your identity.
- “Automated decision making” refers to the process of making a decision by automated means without any human involvement, including profiling. Such decisions can be based on factual data, as well as on digitally created profiles or inferred data.
- “Personal data breach” is defined in article 4.12 of the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
1.4 Our privacy policy is fully compliant with the GDPR.
2. WHAT IS “PERSONAL DATA” AND WHAT IS “DATA PROCESSING”?
2.1 What is considered personal data and processing of such is defined in article 4 of the GDPR. Summarized, personal data is all and any information relating, directly or indirectly, to an identified or identifiable natural person (“data subject”). Such information may include phone numbers, street addresses, names, personal identity numbers, company registration numbers for sole proprietorships, customer IDs, or photographs of identified or identifiable persons.
2.1.1 We do not process any type of sensitive data.
2.2 Data processing (“processing”) refers to any automated or non-automated operation or set of operations performed on personal data, i.e., essentially any way personal data is handled, managed, or used. Such operations may include, but are not limited to, collecting, storing, registering, reading, modifying, transferring, and deleting the data.
2.2.1 We do not use personal data for automated decision making.
2.2.2 If aggregated data is combined with or connected to Your personal data so that it can, directly or indirectly, identify You, we treat the combined data as personal data which will be used in accordance with our privacy policy.
3. LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA
3.1 According to article 6 of the GDPR, we are required to establish and provide a lawful basis for our processing of Your personal data. This means that we are allowed to process Your personal data if
a. You have consented to us processing Your personal data for one or multiple purposes, (“consent”); or
b. the processing is necessary for the fulfillment of an agreement You have entered into with us; or, on Your request, to prepare for an agreement for You to enter into with us (“contract”); or
c. if the processing is necessary for us to fulfill any legal obligations that are incumbent on us as a Controller (“legal obligation”); or
d. we assess that our legitimate interests in processing Your personal data override Your fundamental rights, freedoms and integrity as a data subject, and the processing is necessary for the intended purpose (“legitimate interests”).
4. TERMS OF CONSENT
4.1 As a Controller, we must be able to demonstrate that You have given consent to the processing of Your personal data. For this reason, information regarding the processing of Your personal data is always provided in connection with the request of consent and never concealed in other contract text or other information provided to You, and You have the right to withdraw Your consent at any time.
5. WHY WE PROCESS YOUR PERSONAL DATA
5.1 Personal data processed to fulfill a purchase agreement may include Your name, title, contact information, personal identity number, street address, phone number, email address, company registration number (or personal identity number for sole proprietorships) and other data that You have provided in communication with us.
5.2 The personal data we collect is typically provided by You when You use our services and/or make a purchase on our website and is related to the types of services and products we provide. We may also collect Your personal data through sourcing from public sources (such as social media, company websites, etc.), through third-party analytical technology (e.g., cookies) and through information curated from data analysis.
5.2.1 We may process Your personal data to fulfill our obligations to You as a user or customer.
5.2.2 We may process Your personal data to confirm Your identity or to verify Your personal and contact information to fulfill our obligations to You as a user or customer.
5.2.3 We may process Your personal data to communicate with You in order to efficiently help You with any problems, questions or concerns and provide relevant information regarding our services and products.
5.2.4 We may process Your personal data to perform user and/or customer analysis for the purpose of improving our services and products, enhancing the user experience, and for business purposes.
5.2.5 We may process Your personal data to provide You with information about our services and products for marketing and business purposes.
5.2.6 We may process Your personal data for activities to increase awareness of our services and products for sales purposes.
5.2.7 We may process Your personal data for customer relationship management for the purpose of supporting You as an existing customer.
5.2.8 We may process Your personal data for customer relationship management for the purpose of sales to You as a potential customer.
6. STORAGE TIME
6.1 We never store Your personal data for longer than necessary for the purpose for which it was collected. Depending on the lawful basis on which we justify the processing, this may be
a. regulated in a contract; or
b. dependent on consent; or
c. legal obligations; or
d. based on an assessment of legitimate interests.
6.2 Personal data may be stored for up to ten years after the end of the contractual relationship with You (statute of limitation for legal claims in most EEA countries), unless a shorter or longer retention period applies under applicable data protection laws.
6.3 The intended recipients of this Policy are the following groups, whose data we store in accordance with the criteria set out below.
6.3.1 Personal data of users will be stored during the period that the user uses our services and to comply with legal obligations, such as handling alleged errors in our services.
6.3.2 Personal data of potential customers will be stored during the period required to determine whether or not the potential customer wishes to enter into an agreement.
6.3.3 Personal data of customers will be stored during the period it takes to deliver products and during the period necessary to comply with legal obligations, such as handling a reclamation.
6.3.4 Personal data of employees at a potential customer’s company will be stored for the period required to determine whether the potential customer wants to enter into an agreement.
6.3.5 Personal data of employees at an existing customer’s company will be stored during the time required to provide the service and to fulfill legal obligations such as handling alleged errors in the service.
6.4 In the list below we indicate, where possible, the period during which Your personal data will be stored, and the criteria used to determine the storage period:
6.4.1 Purpose: Communication in order to efficiently help You with any problems, questions or concerns and provide relevant information regarding our services and products.
Personal data: Name, email address, phone number, company name.
Source: Directly from You or, if applicable, a representative of the company that is a user and/or customer of our services and/or products.
Lawful basis: Legitimate interests of providing our services.
Storage period: Chat/email conversations are stored for 12 months.
6.4.2 Purpose: Activities to increase awareness of our services and products for marketing, business and sales purposes.
Personal data: Name, email address, phone number, company name.
Source: Directly from You or, if applicable, a representative of the company that is a user and/or customer of our services and/or products; and sourcing.
Lawful basis: Legitimate interests of conducting business, marketing and networking.
Storage period: 2 years or until You unsubscribe.
6.4.3 Purpose: Keep a record of who has unsubscribed so that no further marketing emails are sent in the future.
Personal data: Email address.
Source: Directly from You.
Lawful basis: Legitimate interests of complying with applicable law.
Storage period: 2 years.
6.4.4 Purpose: Statistics and analytics for the purpose of improving our services and products and enhancing the user experience as well as for business purposes.
Personal data: Email address, IP address, browser information.
Source: Directly from You.
Lawful basis: Legitimate interests of providing our services.
Storage period: 7 days.
6.4.5 Purpose: Customer relationship management for the purpose of sales to potential customers.
Personal data: Name, email address, phone number, company name.
Source: Directly from You or, if applicable, a representative of the company that is a user and/or customer of our services and/or products; or sourcing.
Lawful basis: Legitimate interests of sales.
Storage period: 3 months.
7. COOKIES
7.1 We use cookies and similar tracking techniques to provide You with the best user experience possible. Personal data of visitors to our website is processed in accordance with the terms set out in our cookie policy: Link
8. TRANSFER OF PERSONAL DATA
8.1 In order to run our business, we may need to share Your personal data with third parties that process personal data on our behalf (“Processors”). Processors can only process personal data according to the instructions of us as Controller and applicable law.
8.1.1 We may disclose Your personal data to third parties if
a. we are under a duty to disclose or share Your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions, terms of use and/or any other legal agreements;
b. we need to protect our rights, property, safety, our customers or others, including exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction;
c. we sell or buy any business or assets, in which case we may disclose Your personal data to the prospective seller or buyer of such business or assets;
d. we or a member of our group of companies or substantially all of their assets are acquired by a third party, in which case personal data held by them about their customers will be one of the transferred assets;
e. we, in the normal course of operating our business, share aggregated data with other site or service users, our customers or publicly to show trends or benchmark the general use of our site, services and products.
8.2 The following are categories of recipients with whom we may share Your personal data:
a. any member of our group, which means our subsidiaries, our ultimate holding company, and its subsidiaries;
b. business partners, suppliers, and sub-contractors for the performance of any contract we enter into with them or You to provide services such as IT and system administration services, email communications, hosting services, backup services, credit card processing, research, development, deliveries, marketing and customer support, including Bring and Bring Shelfless, DHL, Microsoft 365, PostNord, Shopify and Shopify Payments, Stremify, Survey Monkey;
c. professional advisors acting as service providers to us in relation to our site, services or products, including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance and accounting services;
d. tax authorities, regulators and other authorities who require reporting of processing activities in certain circumstances;
e. advertisers and advertising networks that require the personal data to select and serve relevant adverts to You and others – we do not disclose personal data about identifiable individuals to our advertisers, but we may provide them with aggregated data about our users and use such aggregated data to help advertisers reach the kind of audience they want to target to enable us to comply with our advertisers’ wishes by displaying their advertisement to that target audience;
f. analytics and search engine providers that assist us in the improvement and optimization of our site and services, including Consid, Google Analytics, Ingager, Meta, Shopify;
g. credit reference agencies for the purpose of assessing Your credit score where this is a condition of us entering into a contract with You.
8.3 We have Processors in the following countries outside the EU/EEA:
a. USA, where we transfer personal data on the basis of the European Commission’s standard contract clauses for data transfer to non-EU/EEA countries; and
b. Malaysia and Singapore, where we transfer personal data on the basis of the European Commission’s standard contract clauses for data transfer to non-EU/EEA countries.
8.3.1 We have entered into Data Processing Agreements (DPA) with all our Processors. The DPA sets out, among other things, how the Processor may process the Personal Data and what security measures are required for the Processing.
9. SECURITY MEASURES
9.1 To safeguard Your privacy and integrity, we take technical and organizational measures to process Your personal data in a secure manner and protect it from loss, abuse, and unauthorized access.
9.1.1 Technical security measures are measures implemented through technical solutions. These solutions include, but are not limited to, password protection, encryption, access control levels, access logs, data back-ups, two-factor authentication, secure networks, password management software for all passwords and regular security inspections.
9.1.2 Organizational security measures are measures that are implemented in work methods and routines within the organization. Such measures include, but are not limited to, internal governance documents (policies and/or instructions), login and password management and an information security policy.
9.2 If Your personal data is shared with third parties that process personal data on our behalf (“Processors”), Your personal data will be equally protected and processed according to our instructions as Controller and applicable law.
10. YOUR RIGHTS
10.1 You are, according to the GDPR, entitled to information on how and why we process Your personal data, during which period Your personal data will be stored, who has access to Your personal data and what the consequences of the processing are. You can contact us at any time to exercise Your rights. Our contact information can be found at the end of our privacy policy.
10.2 According to article 15 of the GDPR You have the right to access Your processed personal data (“right of access by the data subject”) within 30 days of the request. You also have the right to, upon request, receive confirmation on whether Your personal data is being processed by us, and, if so, the purpose of the processing and what types of personal data are being processed.
10.2.1 You have the right to, if possible, know the anticipated storage time of the personal data. If this is not possible, You have the right to know the criteria which are used to determine this storage time.
10.2.2 You have the right to, upon request, be provided with a copy of Your personal data undergoing processing (also known as an “extract from the register”).
10.3 According to article 16 of the GDPR You have the right to have incorrect personal data about You corrected (“right to rectification”). You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
10.4 According to article 17 of the GDPR You have the right to obtain the erasure of Your personal data without undue delay if any criterion in article 17 is met (“right to erasure”, “right to be forgotten”). These criteria include, but are not limited to, if
a. the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b. You withdraw consent on which the processing is based;
c. You object to the processing pursuant to point 12.1 below and there are no overriding legitimate grounds for the processing;
d. the personal data is being processed for direct marketing purposes;
e. the personal data has been unlawfully processed;
f. the personal data has to be erased for compliance with a legal obligation in the Union or Member State law to which we as Controller are subject.
10.4.1 Your right to erasure shall not apply to the extent that processing is necessary for compliance with legal obligations which require us as Controller to process Your personal data, or for the performance of a task carried out in the exercise of official authority vested in the Controller.
10.5 According to article 18 of the GDPR You have the right to obtain restriction of processing if any criterion in article 18 is met (“right to restriction of processing”). These criteria include, but are not limited to, if
a. You contest the accuracy of the personal data;
b. the processing is unlawful and You oppose the erasure of the personal data and request the restriction of their use instead;
c. we no longer need the personal data for the purposes of processing, but they are required by You for the establishment, exercise, or defense of legal claims.
10.6 According to article 20 of the GDPR You have the right to receive Your processed personal data, which You have provided to us as Controller, in a structured, commonly used, and machine-readable format (“right to data portability”). You have the right to transmit those data to another controller without hindrance from us, if the processing is based on consent pursuant to point a) of 4.1 above or on a contract pursuant to point b) of 4.1; and the processing is carried out by automated means.
10.6.1 In exercising Your right to data portability, You have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
10.7 According to article 22 of the GDPR You have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You.
10.8 According to article 34 of the GDPR You have the right to, without any undue delay, be notified of any personal data breach likely to result in a high risk to the rights and freedoms of natural persons.
11. OUR NOTIFICATION OBLIGATION REGARDING RECTIFICATION OR ERASURE OF PERSONAL DATA OR RESTRICTION OF PROCESSING
11.1 According to article 19 of the GDPR we as Controller are obliged to communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with 10.3, 10.4 or 10.5 above to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. We shall, upon Your request, inform You about those recipients.
12. HOW TO EXERCISE YOUR RIGHTS
12.1 According to article 21 of the GDPR You have the right to object, on grounds relating to Your particular situation, at any time to processing of personal data (“right to object”). What objections can be made have been described above. How You exercise Your right to object is described below.
12.2 If You believe that we have processed Your personal data in violation of the GDPR we ask You to promptly contact us. Our contact information can be found at the end of our privacy policy. You may also submit a complaint to the Swedish Authority for Privacy Protection (IMY): Link
12.2.1 If we have processed Your personal data in violation of the GDPR and this has caused You any damage, You may be eligible for compensation. If You believe You have the right to such claims of compensation, You can submit a claim for indemnity with us or appeal to civil court. A claim for indemnity with us shall be made in writing to us by mail or email. Your claim for indemnity should clearly state why You claim compensation from us and provide information on who You are, including Your name, personal identity number, email address, phone number and address. Our contact information can be found at the end of our privacy policy.
12.3 As described in point 5.1 above You have the right to withdraw Your given consent at any time. You can withdraw Your given consent by contacting us by mail, email, or phone. Our contact information can be found at the end of our privacy policy.
12.4 As described in point d) of 10.4 above You have the right to opt out of being contacted by us for the purpose of direct marketing. If You no longer wish to be contacted by us for this purpose, You shall contact us by mail, email, or phone. Your demand to no longer be contacted by us for the purpose of direct marketing shall provide information on who You are, including Your name, personal identity number, email address, phone number and address; as well as a clear statement that You no longer wish to be contacted by us for the purpose of direct marketing. Our contact information can be found at the end of our privacy policy.
12.5 As described in point 10.1 above You have the right to receive information on how and why we process Your personal data. A request for such information shall be made in writing to us and be signed by You as well as provide information on who You are, including Your name, personal identity number, email address, phone number and address. Our contact information can be found at the end of our privacy policy.
12.6 As described in point 10.3 and 10.4 above You have the right to have incorrect personal data about You corrected and/or to obtain the erasure of Your processed personal data. You can exercise these rights by contacting us through mail, email, or phone. Our contact information can be found at the end of our privacy policy.
13. CHANGES TO OUR PRIVACY POLICY
13.1 We reserve the right to make changes to this policy.
13.1.1 In the event that any change affects our obligations or Your rights, we will inform You about the changes in advance so that You are given the opportunity to take a position on the updated policy.
13.2 You can review the most current version of our privacy policy at any time at this page.
14. CHANGES TO THIS POLICY
14.1 We reserve the right to make changes to this Policy. In the event that the change affects our obligations or Your rights, we will inform You about the changes in advance so that You are given the opportunity to take a position on the updated policy.
15. CONTACT INFORMATION
15.1 Questions about our privacy policy should be sent to us at hello@minolei.com.
15.2 Our contact information is posted below:
H Cosmetics AB
559237-1909
SE559237190901
Box 312
751 05 Uppsala, Sweden
privacy@minolei.com
+46736533579