The purpose of this policy is to describe how
Hairlust ApS with Danish company registration number 38076582,
Langebrogade 1, Building D2
(”Hairlust”) collects and processes the personal data provided by you or collected by us via our website www.hairlust.com.
2. Contact information for the data controller
3. What personal data is collected and what are the purposes and legal basis for the processing
The legal basis for the processing is the EU General Data Protection Regulation, article 6 (1) (f) and section 6 (1) of the Data Protection Act. When you purchase a product or communicate with use via the website, we collect the data provided by you, e.g. name, address, email address, telephone number, payment method, data about time of purchase, what products you purchase and possible returns, delivery requests and data about the IP-address from which the order has been placed. The purpose is, to ensure that we can create a customer account for you and deliver the products you have ordered as well as enable us to fulfil our agreement with you and to administrate your rights to return and complain, to prevent fraud, and to ensure that we comply with legal requirements, including requirements related to our book-keeping and accounting.
The legal basis for the processing is the EU General Data Protection Regulation, article 6 (1) (b) (sub-sections 22.214.171.124. – 2.), (c) (sub-section 126.96.36.199) and (f) (sub-section 188.8.131.52.) and section 6 (1) of the Data Protection Act. When you subscribe to our newsletter, we collect data about your name, email address, IP-address and possibly your cell phone number. We also collect data about when you subscribed to the newsletter, when you unsubscribed to the newsletter as well as data about where and when you read the newsletter. The purpose is to supply you with newsletters, to prepare statistics for use in optimization of the newsletters and to market our services as well as to document your consent to receive the newsletter.
The legal basis for the processing is the EU General Data Protection Regulation, article 6 (1) (f) and article 6 (1) (a) if we have your consent to the processing as well as section 6 (1) of the Data Protection Act.
Use of social media
When you visit our Instagram or Facebook pages, please be aware that we use Facebook’s analysis tool ”Facebook Insight” for visitor statistics, including number of likes, who is liking, number of page views and interactions with the page, withdrawal of likes and reach etc.
We are joint controllers with Facebook for this collection of personal data and you will have access to information about this processing when you visit our Facebook-page. Please see https://www.facebook.com/legal/terms/information_about_page_insights_data for more information.
We have entered into an agreement with Facebook regulating our joint controllership. Please see https://www.facebook.com/legal/terms/page_controller_addendum for details of the agreement.
When you join our customer club, you are asked to provide your name, address, date of birth, your preferences and interests etc. Apart from your name and email address this data is voluntary. In addition to this, we collect data about your use of the customer club advantages, competitions you take part in etc. We compare this data with other data we have for you, including data about your purchases. The purpose is to administrate your membership and provide the services and offer the advantages related to the customer club membership, to send out newsletters and offer you products we believe may have your interest. The legal basis for the processing is the EU General Data Protection Regulation, article 6 (1) (b) (sub-section 184.108.40.206.) and (f) (sub-section 220.127.116.11) as well as section 6 (1) of the Data Protection Act. When you join the customer club, you will be requested to provide specific consent to electronic marketing. The legal basis for the processing of your personal data on the basis of this consent is the EU General Data Protection Regulation, article 6 (1) (a) as well as section 6 (1) of the Data Protection Act.
4. Legitimate interests being pursued in the processing
As mentioned above, our processing of your personal data is partially based on the provisions regarding balancing of interests in the EU General Data Protection Regulation, article 6 (1) (f). We have balanced our legitimate interests in marketing, improving the website and security and preventing fraud against your interests in order to ensure that your interests or basic rights or civic rights do not exceed our interests. If you wish to know more about the balancing we have carried out, you are welcome to contact us at the address listed in section 2.
5. Transfer of personal data
Data concerning your name, address, email, telephone number as well as order number and specific delivery requests is transferred to our couriers in charge of delivery of your purchases. If you have purchased items that are not available from our own warehouse, this data may be transferred to the manufacturer or importer of said product in order for them to carry out delivery.
Personal data may be transferred to public authorities if we are obligated by law or to the police in case of suspected offences or as part of the investigation into specific offences. Data about a purchase, including data about the purchaser and the delivery address, may be transferred to the card issuer if the card holder informs us that the card has been abused in connection with the specific purchase.
Data may be transferred to external partners who process the data on our behalf. We make use of external partners for e.g. hosting, technical operations and website improvements, distribution of newsletters and targeted marketing, including retargeting as well as for your evaluation of our company and products. These companies are data processors under our instruction and process data for which we are data controllers. The data processors are not entitled to use the data for purposes other than fulfilment of their agreement with us and are subject to confidentiality clauses.
Two of these data processors, Google Analytics represented by Google LLC. and Facebook Inc. are incorporated in the US. When we transfer personal data to a third country or an international organisation based outside the EU/EEA, we ensure prior to a transfer of personal data that the transfer is carried out in a manner which provides sufficient guarantee for the protection of the personal data, e.g. by using the EU’s standard data protection contract provisions. In that connection we also evaluate prior to the transfer of the personal data whether supplementary provisions are required in order to ensure that the personal data remains protected at a level that reasonably corresponds to the same level as in the EU, including the provisions of the General Data Protection Regulation read with the EU charter on basic rights.
6. Your rights
With a view to ensuring transparency regarding the processing of your data, we hereby inform you of your rights in our capacity of data controllers. If you wish to exercise your rights, you are welcome to contact us at the addresses listed in section 2.
Right of access
You have a right to receive information about the personal data registered about you, the purpose of the registration, the categories of personal data and recipients, if any as well as information about the data origination. You also have a right to receive a copy of this information.
Right to rectification
You have a right to rectification of any incorrect personal data about you. Data collected when you joined our customer club may be rectified by logging into your user profile.
Right to erasure
In certain cases, you have a right to request that we delete all or part of your personal data, e.g. if you withdraw your consent and we do not have another legal basis for the continued processing. If a continued processing of your data is necessary, e.g. in order for us to comply with our legal obligations or to establish, maintain or defend a legal claim, we are not obliged to delete your personal data.
Right to restriction
In certain cases, you have a right to restrict the processing of your personal data to storage. In these cases, we are only entitled to process the personal data with your consent or to determine, maintain or defend a legal claim.
Right to data portability
In certain cases, you have a right to receive personal data, which you have given to us, in a structured, ordinarily used and machine-readable format as well as the right to transfer data to other data controllers.
Right to object
You always have a right to object to our processing of your personal data for direct marketing purposes, including any profiling carried out in order for us to target our direct marketing. Furthermore, you have a right to object for personal reasons to the processing of your personal data carried out by us on the basis of our legitimate interests as mentioned in sections 3 and 4.
Right to withdraw consent
You always have a right to withdraw the consent you have given us for a specific processing of your personal data.
However, withdrawal of the consent does not affect the legality of our processing of your personal data in the period until the withdrawal.
In general, withdrawal of your consent does not affect any processing of your personal data that is not based on consent.
Right of complaint
You always have a right to complain to the Danish Data Protection Agency if you are dissatisfied with the manner in which your personal data is processed. Please see www.datatilsynet.dk for a complaints form and contact information.
7. Deletion of personal data
Data collected in connection with your subscription to our newsletter, cf. section 3.3. is deleted when your consent to receive the newsletter is withdrawn unless we have another basis for the processing of your personal data. However, we may store the documentation showing your consent for 2 years after the last electronic marketing sent to you in order for us to be able to prove that we had valid consent to the electronic marketing.
Data collection in connection with your purchases on the website, cf. section 3.2, will in general be deleted 2 years after the expiry of the calendar year in which you have made your purchase. However, this information may be stored for a longer period if we have a legitimate need for longer storage, e.g. if it is relevant to determine, maintain or defend a legal claim or if the storage is necessary for us to be able to comply with legal requirements. Bookkeeping materials are stored for 5 years until the expiry of an accounting year, cf. the provisions in the Danish Bookkeeping Act.
Data collected in connection with your enrolment in and membership of our customer club, cf. section 3.5, will be deleted automatically 3 years after your last login to your user profile or if you cancel your membership of our customer club.
8. Security measures
We have carried out suitable technical and organisational security measures to prevent the accidental or illegal destruction, loss, alteration or deterioration of personal data and to prevent unauthorised access or abuse.
Only employees with a legitimate need to access your personal data to carry out their work have access to the data.
In connection with the completion of the payment transaction, your payment details will only be stored until the completion of each payment transaction. Your payment and card details are only stored with our external payment server where your data is encrypted. We use an approved and PCI (Payment Card Industry - Data Security Standard) certified payment server which encrypts all your card details with an SSL (Secure Socket Layer) protocol which means that your data is not readable and the data is thus stored in a safe, PCI-certified environment which complies with international security standards until the payment transactions have been completed. When you use your payment card on www.hairlust.com only our PCI-certified partner has access to your card details and not Hairlust ApS. Consequently, the processing of your card details is only a matter between you and our PCI-certified partner even though the processing takes place when you make a purchase on www.hairlust.com.