1. LEGAL BASIS FOR PROCESSING PERSONAL DATA
We shall process your personal data for the following reasons:
- The execution of contracts or precontractual obligations to which you are party.
- Complying with our legal obligations.
- Marketing and other legitimate business interests.
2. LEGITIMATE INTERESTS
Legitimate interests include the following:
- Sending our newsletter to our customers from whom we have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service.
- Collection of personal data to provide you with the best possible customer experience.
- Operational requirements necessary for internal processes.
- Fulfilling your requirements or requests regarding our services and products.
- Fraud prevention.
- Protecting our rights, employees, and property.
3. PURPOSES OF PERSONAL DATA PROCESSING
- Online purchases (when you place an order or ask for a refund).
- Direct marketing (when we send our newsletters).
- Administration of user accounts.
- Enforcing our Terms and Conditions.
- Communication through our email, contact forms, social networks, or Customer Care.
- Managing subscriptions to our Volonté Blog.
This means that we want to provide you with the most optimal and personalized service possible. Of course, we keep your privacy in mind. We will retain your shopping history and use details of the products you have previously purchased to suggest other products which we believe you will also be interested in. We will retain and evaluate information on your recent visits to our website and how you move around its different sections for analytics purposes, to understand how people use our website so that we can make it more intuitive.
4. WHY WE USE YOUR PERSONAL DATA
- Processing, analysing and delivering your purchases.
- Taking payments and making refunds.
- Sending you service messages by SMS, email or otherwise.
- Providing customer care services and support, handling returns, warranty claims.
- All forms of fraud detection and prevention.
- Securing and protecting our website/IT systems.
- Showing you our advertisements while you browse the web.
- Providing you with information about our products and services, promotions, discounts and news regarding your preferences and wishes.
- Improving our website.
5. MARKETING ACTIVITIES
We process personal data when you subscribe to our newsletter, event, Volonté Blog, or you purchase our products. For this purpose, we process data such as name, surname, country, and email address. If you give us your consent for receiving our newsletter, we use Mailchimp services. We process data regarding opening e-mails, bounce rate, clicks, subscription, and news segments. We segment buyers according to previously bought products, gender, and country.
Based on our legitimate interest (so-called soft opt-in), we send our newsletter, using Omnisend services, to our customers who have purchased our product.
If you contact us through webforms on our website, or through e-mail, phone, or a social network profile, we will process the data from the contact form and the message based on our legitimate interest to connect and communicate with potential customers.
In any case, you can object to direct marketing activities, and you may unsubscribe from our newsletter by clicking the link in our email or responding to us with your claim. In such a case we will stop marketing activities and store your data in an unsubscribed list for 5 years from the day of unsubscribing, based on our legitimate interest to prove facts on compliance steps we need to take.
Based on our legitimate interest to protect our employees, customers, business associates, and our property we process personal data, such as log files, IP address, traffic data, metadata, incident reports, data from data breaches.
In case of a personal data breach, we perform a risk assessment and, based on this assessment, we will inform the supervisory authority and data subjects.
Since no means of security, transmission or storage is 100% secure, we cannot guarantee absolute security, but we do use applicable technical and organizational security measures. We use access control, encryption and hashing of passwords, including the industry-standard authentication practices SSL and 2-factor authentication. We protect our IT systems from brute-force attacks by limiting the number of log-in attempts from a single IP address. We track logs and we make regular backups.
7. TYPES OF PERSONAL DATA
- Identity and contact information (email address, first name, last name, address, phone number, password).
- Financial and transaction information (cardholder data, details about payments provided by 3rd party payment processors, shipping, and billing address, order ID, payment method, order details, tracking ID, tax ID – if required by law, IP address).
- Profile information (user profile ID, first name, last name, email address, password, gender, time zone, date of birth, orders, reviews).
- Facebook account contact details if you choose this type of log in.
- Shipping information and billing information (country, first name, last name, address, house/apartment No., postal code, city, phone number, tax ID – if required by law, IP address).
- Warranty claims (proof of purchase, invoice number, image, or video of the product, tracking ID number, user address, shipping data).
- Technical information (IP address, your login data, browser info, time zone, language, browser plug-in types and versions, operating system, and other technology on the devices you use to access the LELO website).
- Marketing and communications information (email address, first name, last name, gender, time zone, region, country, purchase date, IP address, order date, product purchased, subscription source, language, order ID, user ID, cookie ID, website visits, subscription date, last change date).
8. DATA ABOUT MINORS
We do not knowingly collect or solicit personal data from anyone under the age of 13. Do not use our sites if you are under the age of 13. If we learn that we have collected information from a child under the age of 13, we will delete this information as soon as possible.
If you believe that we might have any information from or about a child under 13, please contact us by sending an e-mail to the email address, or contact forms, as communicated to you on our sites.
Minors may not make purchases through our sites unless they have appropriate permission and are under the direct supervision of their parent or legal guardian who owns the account. All financial information on the account, such as a credit card or PayPal account, must be that of the parent or legal guardian.
In accordance with the UK General Data Protection Regulation (UK GDPR), in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 13 years old. Where the child is below the age of 13 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
9. HOW LONG WE KEEP YOUR PERSONAL DATA
We will keep your personal data for as long as you have your account, or for as long as it is needed to provide services to you, including for the duration of the product warranty, or (in the case of any contact you may have with our Customer Care) for as long as is necessary to provide support-related reporting.
We may keep some of your personal data, if so required by law, even after your account has been closed and we no longer need to provide any services to you. For general business activities, we keep the data for 6 years, and we keep accounting and financial records for 6 years from the end of the last company financial year to which the data relates. In some cases, where the law does not define a maximum data retention period, we keep some personal data based on legitimate interest, in case we need to defend our claim in court or before some other public authority, in accordance with statutory limitation periods. If you wish to close your registered profile, please contact our customer support.
10. SHARING YOUR DATA WITH THIRD PARTIES
We share your data with the following categories of companies as an essential part of being able to provide our services to you, as set out in this statement:
- Affiliated companies and processors - based on fulfilment of the purchase agreement or to perform internal processes and procedures.
- Companies issuing credit cards, providers of payment services to process payments and banks, based on your order to fulfil a purchase agreement.
- Carriers to deliver your order or services. We use logistics services from MOTUS EUROPE d.o.o. and BROZ Inc.
- Third parties, such as law enforcement agencies, other governmental agencies, and related parties, if we are required by law to do so.
- Data processors - we share personal data with authorised data processors for providing IT support, accounting, legal, HR, marketing, and sales services. For these types of activities, we also engage affiliated Lelo and Foreo companies. Affiliated company Lelo Adria d.o.o. has been engaged in the maintenance of our websites, support of the process of on-line sales, marketing, promotion, social networks, PR, and customer care services. We also use Zendesk services, as data processor, for chat and customer support. We send all our customers automatic emails regarding their purchase through the Mandrill Mailchimp add-on.
- Network operators and/or other communications service providers - when necessary for the set-up of proper routing and connectivity.
- Third-party service providers - to the extent strictly necessary for them to perform specific actions on our behalf. We may share personal data with our trusted and verified third-party service providers for example to enable them to process payments for us or to prevent fraud.
- Relevant legislation - in case we are presented with a legal obligation, we will share the data from users with such third parties that are legally entitled and authorized to request the same, such as within criminal procedures or threats to the public security.
- Reviews – through Bazaarvoice services consumers can submit reviews, and to comment on or rate goods, products, and services. You should be aware that any information you provide in the area that is intended to collect may be published on a publicly facing website or mobile application and may be read, collected, and used by Bazaarvoice, its affiliates, subsidiaries, vendors, and clients. Therefore, please do not include any information within these areas that you do not want to share with the public, including personally identifiable information, such as your name, email address or financial information. You may be required to create an account with the Bazaarvoice Client. During account creation, you may be asked to submit information, such as but not limited to, your name, email address, mailing address or phone number, and other data. The consumer account info may be collected by both Bazaarvoice and Lelo.
- Mergers and acquisitions – in accordance with the applicable law, personal data may be transferred to data recipients who are in the process of buying our company (for example, in the case of a due diligence process), or to a company which has merged with our company, or to a company which has bought our company in part or in whole, in the case of business acquisitions or resolution/bankruptcy proceedings.
11. PAYMENT METHODS
A customer may choose iDEAL to make online payments in a reliable, secure and easy way. Payments are done using the mobile banking app or the online banking environment of the customer's bank. iDEAL is a direct online transfer from the customer's bank account to Lelo's bank account. The iDEAL payment description always includes the name of the organisation you paid. However, it is possible that customers do not recognize the name of the beneficiary because some organisations (web shop or other online organisations) outsource the collection of payments to third parties.
For customers who use Sofort, a service of Klarna: in order to provide the service, such as our checkout and customer portal, Klarna collects certain personal data to complete the purchase and help us handle your order, but also to prevent fraud and meet legal requirements, such as IP address, email address, name, surname, user profile ID, shipping data, order ID, transaction ID, payment method, language, items, and partial credit card data (last 4 digits).
Stripe is also an available payment method for our customers. Stripe uses data (email address, name, surname, amount spent, credit card data, shipping address, IP address) to verify the identity to comply with fraud monitoring, prevention and detection obligations, laws associated with the identification and reporting of illegal and illicit activity, such as AML (Anti-Money Laundering) and KYC (Know-Your-Customer) obligations, and financial reporting obligations.
If a customer uses Sezzle services, the customer gives consent to Sezzle to collect personal data to manage Sezzle Services, to detect and prevent fraud, to help Sezzle follow government regulations and otherwise comply with law, and to communicate and personalize the user experience.
The Privacy Notice to Users of Alipay Services applies to users of Alipay Services, including each individual who is a registered member of a merchant site, and who makes an online purchase or sale from the merchant site using Alipay Services. Alipay Services use transaction data, such as email address, name, surname, user profile ID, shipping data, order ID, transaction ID, payment method, language, and items.
For purchases via Amazon services, we process data, such as, name, surname, email address, ID number, items, price, date.
When you add a card to Apple Pay, card-related information, location, and information about device settings and use patterns may be sent to Apple to determine eligibility. Some of the above information, account-related information, and paired-device details may be shared with your card issuer or bank to determine eligibility and for anti-fraud purposes. When you use Apple Pay in apps and on the web, information necessary to process the payment is shared with the app or website. Your actual card number isn’t shared with Lelo.
12. WHAT ARE YOUR RIGHTS
- The right to access personal data we hold about you. You have the right to request information about personal data we hold about you.
- The right to portability. You have the right to get a copy of your data in a structured, commonly used, and machine-readable format transferred to you or to another data controller.
- The right to rectification. You have the right to request rectification of your personal data if it is incorrect, including the right to have incomplete personal data completed.
- The right to erasure. You have the right to request that we delete, stop processing or collecting any personal data in accordance with the relevant law.
- The right to object to processing of personal data that is based on legitimate interest.
- The right to object to personal data processing.
You have the right to object to direct marketing, including profiling analysis made for direct marketing purposes.
In case we use your personal data based on your consent, you are entitled to withdraw that consent at any time subject to applicable law. We rely on you to ensure that your personal data is complete, accurate and current. Please inform us of any changes to or inaccuracies of your personal data by contacting us immediately.
If you would like to exercise your rights, require assistance, file a complaint, or just have any questions, please do not hesitate to contact us at firstname.lastname@example.org.
You have the right to file a complaint with the data protection supervisory authority:
Information Commissioner's Office
Telephone: 0303 123 1113
13. BREXIT NOTICE
From 1 January 2021, the UK is no longer considered an EU Member State and the UK GDPR started to apply. Based on the agreement between the UK and the EU, until 2025 all personal data transfers from the EU to the UK are not considered transfers to a third country. For transfers from the UK to the EU, the UK regards this transfer as a transfer with adequate protection, so currently there are no additional requirements for such personal data transfers.
14. SUPPLEMENTAL NOTICE FOR CALIFORNIA RESIDENTS
The CCPA requires disclosure of the categories of personal information collected over the past 12 months. While this information is provided in greater detail above, the categories of personal information that we have collected – as described by the CCPA – are:
- Identifiers, including name, email address, IP address, and an ID or number assigned to your account.
- Other individual records such as phone number, billing address, or credit or debit card information. This category includes personal information protected under pre-existing California law (Cal. Civ. Code 1798.80(e)) and overlaps with other categories listed here.
- Demographics, such as your age or gender, or, where you have provided such information voluntarily. This category includes data that may qualify as protected classifications under other California or federal laws.
- Commercial information, including purchases and engagement with our services.
- Internet activity, including your interactions with our services.
- Inferences, including information about orders, interests, preferences, and favourites.
We collect and use these categories of personal information for our business and commercial purposes that are previously described, including providing and improving our services, maintaining the safety and security of our services, processing purchase and sale transactions, and for advertising and marketing services. We share personal data as described above under Sharing data with third parties.
CATEGORY OF PERSONAL | PURPOSE OF SUB-PROCESSING
A name, alias, online identifier, Internet Protocol (IP) address, email address, account name, or other similar
Personal information categories listed in the
Protected classification characteristics under
Internet or other electronic network activity
Inferences drawn from other personal information to create a profile about a consumer
Profile reflecting a consumer’s preferences, behaviour on web site
We may access, preserve, and disclose each of the categories listed above to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.
“Sales” of Personal Information under the CCPA
For the purposes of the CCPA, Lelo does not “sell” personal information, nor do we have actual knowledge of any “sale” of personal information of minors under 16 years of age.
To opt-out of receiving interest-based advertising, you can exercise your choice by using your privacy settings.
Additional Privacy Rights for California Residents
Non-Discrimination. California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.
Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please contact us at email@example.com.
Verification. To protect your privacy, we will take the following steps to verify your identity before fulfilling your request. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include contact information. We will only ask for the minimum data and only what is relevant in the given context.
If you are a California resident and would like to exercise any of your rights under the CCPA, please contact us at firstname.lastname@example.org.