PRIVACY POLICY
Crema is committed to protecting your privacy and being transparent about the information collected on our website. This privacy policy provides a summary of how we collect and process information when you visit our website and purchase our products.
1. Data Controller
Name: PPL Media Oy / Crema
Business ID: FI19724199
Address: Hämeentie 155 A, 6th floor, 00560 Helsinki, Finland
Email: [email protected]
Phone number: +358 10 322 4480
Website: www.cremashop.eu
2. Contact Person for Data Protection Matters
Name: Samuli Seppävuori
Email: [email protected]
Phone number: +358 10 322 4484
3. Collected Personal Data
We collect the following information about the customer: name, address, email address, phone number, payment method, IP address. For corporate customers, we also collect the business ID and company name. For orders, we collect order information, order number, purchase event, and delivery details. Information is collected from users during the order process. IP addresses and other similar technical information are collected automatically using cookies and other tracking technologies. Collected information can be updated by the user or through customer service. Registered users can update their information on the website through their user profile.
4. Purpose and Legal Basis of Processing Personal Data
Purpose of processing:
• Information is used for orders and customer service. When registering as a user, information is used to enable login to your personal page in the online store, to allow you to track your order history, and to save information for future purchases.
• With the help of cookies, marketing consent is collected, and information from customers who have given their consent is used for marketing via email and post, as well as for advertising on the internet.
• With the help of cookies, statistical and tracking consent is collected, and information from customers who have given their consent is used to improve the customer experience and develop the business (e.g., anonymized data).
Legal basis:
• Contract and legal obligation (orders and customer service)
• Consent (marketing)
5. Disclosure and Transfer of Data
Disclosed data and recipients:
• Our payment service provider is Adyen, and they handle all payment information in their system.
• For invoice payments, the customer's and order's information is transferred to the invoicing company (e.g., Klarna). For corporate invoicing, the customer's credit information is checked by a third party, e.g., Suomen Asiakastieto Oy. Overdue receivables are forwarded to a collection agency.
• Information is also disclosed to logistics companies for delivery.
• For deliveries outside the EU, order information is transferred to the destination country's customs / tax authorities.
• Information may be disclosed to authorities in legally mandated situations.
• In the case of possible direct deliveries from the wholesaler, the order information is disclosed to the product supplier.
• We use HelpScout software for customer service.
• We use Mailchimp software, Google, Meta, and Pinterest for marketing.
Transfer of data outside the EU/EEA:
• Mailchimp, Google, Meta, Pinterest, and HelpScout may transfer data outside the EU. We have ensured that these companies maintain an adequate level of data protection by using the European Commission's standard contractual clauses and ensuring that the companies comply with EU data protection laws, e.g., the EU-U.S. Data Privacy Framework.
Data is not disclosed to third parties without the user's consent, except in the aforementioned cases.
6. Data Retention Periods
Data is retained for 6 full calendar years after the customer's most recent order. Retention periods are based on legal obligations and business needs. Data retention periods are reviewed regularly, and data is deleted when it is no longer necessary to retain it.
7. Data Subject Rights
The data subject can exercise their rights under the GDPR legislation:
• Right of access: The data subject has the right to access the data that has been stored about them.
• Right to rectification: The data subject has the right to request the correction of incorrect data.
• Right to erasure: The data subject has the right to request the erasure of their data in certain situations.
• Right to restriction of processing: The data subject has the right to request the restriction of the processing of their data in certain situations.
• Right to object: The data subject has the right to object to the processing of their data in certain situations.
• Right to data portability: The data subject has the right to have their data transferred from one system to another.
If you wish to exercise these rights, please contact the data controller or the contact person for data protection matters via email (sections 1 and 2). To process the requests, we need identification information such as an email address and order number, as well as information about which right is being exercised. Additionally, the data subject must attach identification information (e.g., a copy of an ID) to their request to ensure information security. The data subject also has the right to lodge a complaint with the data protection authority if they believe that their personal data is being processed unlawfully.
8. Cookies and Tracking Technologies
We use cookies, and customers can manage them with the help of Cookie Information. Data is collected according to the customer's consents for the following purposes:
• Analytics: Google Analytics 4
• Marketing: Google, Meta, Pinterest
• Website functionality: Functional cookies
You can manage your cookie settings at any time by clicking the Cookie Information icon in the bottom left corner of the website. The user can also manage and delete cookies from their browser settings regardless of the settings chosen on the website.
9. Information Security
Information security measures:
• To protect personal data, we use appropriate technical and organizational measures, such as data encryption, access control, and regular security audits.
Information security measures are evaluated and updated regularly to address new threats and legal requirements. Staff is regularly trained in information security and data protection practices.
10. Changes to the Privacy Policy
Changes to the privacy policy:
• We will inform you of any changes to the privacy policy on our website. For significant changes, we will also notify our customers via email. Changes will be announced at least 30 days before they come into effect to give the user time to familiarize themselves with the changes.
11. User Responsibilities
The website user is responsible for keeping their contact information up to date. Information can be updated by contacting the data controller, contact information in section 1.