1. Do you have any questions? Want to get in touch?
The contact person and controller as defined by the EU General Data Protection Regulation (GDPR) for the processing of your personal data during visits to our website and app is
Øvre Dynnersmauet 7
Tel: +47 46748688
1.2. Data protection officer
For any questions about the topic of data protection in relation to our products or the use of our website and our app, please do not hesitate to contact our data protection officer. You can reach our officer at the mailing address above (please include “Data Protection Officer” in the address block) or at the following e-mail address (keyword: “c/o Data Protection Officer”): [firstname.lastname@example.org].
2. What is personal data?
Personal data is information relating to an identified or identifiable person. This primarily includes information that reveals your identity, such as your name, telephone number, address, and e-mail address. Statistical data that we collect, for instance when you visit our website, and that cannot be used to identify you is not considered personal data.
3. What data does SMÅKASSEN process?
3.1 Visits to our website and our app
When you visit our website or use our app, we collect data that your browser or device sends to us automatically. This data that is sent to our server is known as log files:
- Date and time of request,
- Address of the website accessed and the requesting website,
- IP address of the requesting device,
- Information about the browser used and the device's operating system.
Data processing is necessary to enable the visit to our website and the use of our app, and in order to ensure the regular functionality and security of our systems. To this end, the aforementioned data is stored temporarily in internal log files in order to generate statistical information about the use of our website and our app, so that we can further develop them in line with the usage habits of our visitors and perform general administration and maintenance for our website and our app. The legal basis is Art. 6 (1) (1) f) GDPR.
The information stored in the log files cannot identify you directly. Note that we store the IP addresses in abbreviated form only. The log files are stored for 30 days and then archived after anonymization.
You can register for our login area in order to access all the functions of our website and app as well as our offers. The data you will be required to enter includes:
- Your e-mail address
- The password you choose
- Your preferences with regard to brands, product types, or styles, for example
- Information about your person
You cannot register without this data. Your e-mail address and password will then be your login information. The legal basis for processing is Art. 6 (1) (b) GDPR.
When you place an order with us, we collect the following information for contract performance:
- First and last names
- Date of birth
- Your preferences with regard to brands, product types, or styles, for example
- E-mail address
- Autopilot setting (where you can manage the regular receipt of orders)
- Billing and mailing addresses
- Social security number (only in Norway, Sweden, and Denmark)
- Payment information (such as PayPal or credit card; the actual payment details, like the credit card number, are not stored on our systems, only non-sensitive information)
You can also provide optional information (such as telephone and fax numbers, individual notes about your order, requests for a certain product, photo uploads and appointment for a styling consultation over the phone). The legal basis is the contract that you conclude with us upon order placement, Art. 6 (1) (1) b) GDPR.
3.4 Contact form and other interactions
You have various options for contacting us. We provide a number of contact methods, such as our contact form, our customer hotline, and communications with our stylists. When you get in touch with us, we collect your contact information. Depending on the contact option you use, your contact information can include your name, mailing address, telephone number, e-mail address, reason for contacting us, your individual message and details about your profiles on social networks (for instance, we receive your Facebook ID if you contact us on Facebook), user name and similar contact information. You also have the option to include the order number or upload an attachment.
The legal basis is Art. 6 (1) (1) b) GDPR if the information is needed to answer your query or initiate/perform a contract. However, the legal basis is Art. 6 (1) (1) f) GDPR if data is processed for marketing purposes.
If you are not a customer of ours, the aforementioned data collected from our contact options will be deleted after no more than one year after we have handled your request. If you are a registered customer of ours, this data will be stored as long as you have a customer account. Once your customer account is deleted, only the data subject to a legal retention period will still be kept.
3.5 Marketing communications
You can subscribe to our marketing communications by e-mail and/or text message. In this case, we collect the following data:
- E-mail address
- Domain used (website)
- Opt-in status
- Telephone number (only for marketing communications by text message)
- Log files for registration (date, time, “location” and customer number)
We also use other data from your customer account in order to personalize our marketing communications for you. The legal basis for data processing is your consent and our legitimate interest in offering you personalized marketing communications, Art. 6 (1) (1) a) and f) GDPR.
3.6 Employment applications
You can apply for available jobs using our candidate management system at https://www.smakassen.com/jobs/. We collect the following data to receive and process your application:
- First and last names
- E-mail address
- Application documents (such as references, c.v.)
- Earliest start date
- Desired salary
The legal basis for processing your employment application documents is Art. 6 (1) (1) b) and Art. 88 (1) GDPR.
3.7 Information about the app
3.7.1 Downloading and installing the app
Before you can download and install our app from an app store (such as Google Play store or Apple app store), you must register for a user account with an app store provider and conclude a user agreement with this provider. We have no influence on this; in particular we are not a party to any such user agreement. When you download and install the app, the necessary information will be sent to the respective app store, especially your user name, e-mail address and customer number of your account, the time of download and the IMEI. We have no influence on the collection of this data and are not responsible for it. We process this data as provided only if required to download and install the app to your mobile device (such as smartphone or tablet). In this case, the legal basis is Art. 6 (1) (1) f) GDPR.
3.7.2 Push notifications
The app can send you push notifications even if you are not currently in the app. The notifications can be sounds, messages (such as screen banners) and/or symbols (a picture or number on the app icon). To avoid this, you can deactivate push notifications in your device settings at any time.
The legal basis of the aforementioned data processing is Art. 6 (1) (1) b) GDPR if the push notifications relate to contract performance (e.g. shipment notification, information about your order). Otherwise, the legal basis is Art. 6 (1) (1) f) GDPR, pursuant to our legitimate interest of sending you product recommendations.
To use the app to the full extent, it is necessary to access certain functions of your device. Depending on the operating system you use, this sometimes requires your express consent. You can change the access settings in your device’s system settings at any time. Below we explain what access the app will request, and why it is needed:
Push notifications: access is needed in order to send you push notifications. The legal basis is described under 3.7.2.
Contacts: access is needed so that the app can access your contacts in order to suggest contacts for you to recommend SMÅKASSEN to others. The legal basis is Art. 6 (1) (1) f) GDPR, pursuant to our legitimate interest of receiving recommendations.
Camera: access is needed so that the app can use your device’s camera function and allow you to send photos to our stylists. The legal basis for the aforementioned data processing is contract performance under Art. 6 (1) (1) b) GDPR.
4. What data is used when logging on via social media?
4.1 Login with Facebook Connect (website and app)
Our website and our app allow you to log in with your existing Facebook profile data. For this purpose, we use Facebook Connect, a service of Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA (“Facebook”). Once you have signed on with Facebook Connect, you do not need to register further.
If you want to use this function, you will first be directed to Facebook. There you will be asked to log in with your user name and password. We receive only your login name; naturally we do not receive your password. If you are already signed on to Facebook, this step will be skipped. Then your e-mail address and your public profile information (especially name, profile picture, date of birth, gender, language and country, friends’ list and likes) will be sent to us once you confirm the process with the “Sign in with Facebook” button. If personal data is transferred to the US, Facebook abides by the EU-US Privacy Shield. The legal basis is Art. 6 (1) (1) f) GDPR, pursuant to our legitimate interest of providing convenient, user-friendly registration.
For more information, see the data policy of Facebook.
4.2 Login with LinkedIn (website)
Our website offers the option to “Sign in with LinkedIn.” Sign In with LinkedIn is a service by the LinkedIn Corporation, 2029 Stierlin Ct. Ste. 200 Mountain View, California 94043, USA (“LinkedIn”). If you want to use this function, you will first be directed to LinkedIn. There you will be asked to log in with your user name and password. Of course we do not receive this login information. By confirming the process with the “Login and allow” button, LinkedIn data from your LinkedIn profile is transferred to us. This includes your profile overview (especially your LinkedIn user name, name, information about your profession, profile picture URL, number of LinkedIn contacts and other profile information) and – if you have permitted this in your LinkedIn settings – the primary e-mail address on file with LinkedIn. LinkedIn receives information from us about your visit to our website (e.g. date, time and length of session). Your customer account and your LinkedIn account will be permanently linked. The legal basis is Art. 6 (1) (1) f) GDPR, pursuant to our legitimate interest of providing convenient, user-friendly registration.
5. Cookies on the SMÅKASSEN website
5.1 What are cookies?
Cookies are small text files that are stored by your web browser and that save certain settings and data on communication with our server.
There is a general distinction between two types of cookies: session cookies, which are deleted once you close your browser, and persistent cookies, which are stored for a longer period of time. This helps us design our websites and services for you accordingly and provides user convenience, for instance by storing certain information from you so that you do not have to enter it repeatedly.
Most browsers have a default setting to accept cookies. However, you can change your browser settings so that cookies are rejected or stored only upon your consent. If you block cookies, you will not be able to access all of our functions in full.
These services are based on our legitimate interest to provide you with a convenient and customized experience on our website. The legal basis is Art. 6 (1) (1) f) GDPR.
5.3 Cookies from advertising partners
SMÅKASSEN uses a number of advertising partners that help make the internet services and SMÅKASSEN website more interesting for you. For this reason, when you visit the SMÅKASSEN website, cookies from partner companies will also be stored on your hard drive. These are persistent cookies that will be deleted automatically after a certain time period (see above). The cookies from our partner companies do not contain any personal data either. Only pseudonymous data will be collected under a user ID. For instance, it includes data about what products you viewed, whether something was purchased, what products were searched for, etc. Some of our advertising partners also collect information outside the SMÅKASSEN website about what pages you visited prior to that, or what products you were interested in, for instance, in order to show you advertising that matches your interests as closely as possible. This pseudonymous data is never combined with your personal data. The only purpose is to allow our advertising partners to show you advertising that may actually interest you.
This data processing is also based on our legitimate interests. The legal basis is Art. 6 (1) (1) f) GDPR.
6. What does SMÅKASSEN use your data for?
6.1 Handling of the order process and provision of our services
We process your data to fulfil the contract concluded with you and to provide our services, which includes:
- the provision, personalization and custom design of our online service and the SMÅKASSEN shop.
- the performance of purchase contracts and customer service, including shipping and payment processing, along with the handling of returns, complaints, and warranty issues.
- the provision of our stylist communications under the contract regarding your individual style consultation. This is done either by e-mail or phone. You can change your customer account settings to choose which method of communication you would like with our stylists.
We offer you the following payment options: afterpay, credit card, Vipps, Sofort, PayPal or iDEAL. SMÅKASSEN reserves the right to refrain from offering certain payment types, or to offer them for certain orders only. We work with various payment service providers:
- for PayPal payments: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.
- for Afterpay payments: Arvato Finance AS, Postboks 331 Sentrum, 0101 Oslo, Norway.
- for all other payments: Adyen B.V., Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands.
The above companies will not transfer any information that you provide to them for payment processing. We are informed only that payment has been made.
6.3 Marketing communications
We use your data to communicate with you about certain products or marketing offers and to recommend products or services that may interest you. This includes, but is not limited to, the following purposes:
- The performance of direct advertising, such as with our marketing communications.
- The analysis of how our services are used.
You can subscribe to our marketing communications by e-mail and/or text message if you wish to be notified on a regular basis about our new products and special offers.
To subscribe to our marketing communications, we use the single opt-in procedure, i.e. we will not send you e-mails or text messages until you have consented to the receipt of marketing communications. If you confirm that you want to receive marketing communications, we will store the following data: customer ID, time stamp, campaign ID, link ID and landing page information until you unsubscribe from our marketing communications. This storage is used solely to send you marketing communications and document your registration. You can unsubscribe from marketing communications at any time. Each e-mail contains an unsubscribe link. You can opt out of text messages by replying STOP to the text message, for instance. Of course, you can also send a message (by e-mail or letter) to the contact information above or listed in the e-mail. The legal basis for processing is your consent under Art. 6 (1) (1) a) GDPR.
We use standard market technologies in our e-mails and text messages that can measure interactions with the e-mails and text messages (e.g. e-mails opened / text message links clicked on). We use this data in pseudonymous form for general statistical evaluations and to optimize and further develop our content and customer communications. We use small graphics embedded in the messages to do this (pixels). The data is collected in pseudonymous form only; the IDs are not linked to your other personal data. You cannot be identified directly. The legal basis is our legitimate interest under Art. 6 (1) (1) f) GDPR. If you do not want your usage behavior to be analyzed, you can opt out of the e-mails and/or text messages. The aim of our marketing communications is to share the most relevant content for our customers and better understand our readers’ genuine interests.
The data on interactions with our marketing communications will be stored in pseudonymous form for up to two years and then made completely anonymous.
6.4 Use of your data for interest-based advertising on our website
The information sent by you and automatically generated (especially your e-mail address, the last website visited, all data from previous orders, status of consent to our marketing communications, responses to special offers published) will be used to make the advertising tailored to you and your interests more useful and interesting (interest-based advertising). We use this information only in anonymous form. Sometimes, we also transfer the data to third parties for this purpose (such as to social networks). By analyzing and evaluating this information, we can improve our website and our internet offers, and show you individual advertising on our website – meaning advertisements recommending products that could genuinely interest you.
The legal basis is Art. 6 (1) (1) f) GDPR. We have a legitimate interest in offering you individual advertising.
6.5 Use of your data for analytical purposes on our website and app
In order to improve our website and our app, we use various technologies to analyze user behavior and evaluate the related data. The data collected can include in particular the IP address of the device, the date and time of access, the ID number of a cookie, the device ID for mobile devices, and technical information about the browser and the operating system. However, the data collected is stored only in anonymous form, so that no direct personal identification is possible.
The legal basis for this data processing is Art. 6 (1) (1) f) GDPR. We want to provide you with convenient, custom use of our website and our app.
6.6 Right to object to our analysis and advertising activities
Under Section 7.1 you will find a list of the providers we work with for purposes of analysis and advertising on our website, including the options for objecting to our analysis and advertising activities.
Under Section 7.2 you will find a list of the providers we work with for purposes of analysis and advertising in our app, with information on how to object to our analysis and advertising activities.
7. Our partners for analysis and advertising activities
The following is an explanation of the technologies and providers we use for the analysis and advertising activities on our website.
7.1.1 Bing Ads
You can prevent storage of cookies by setting your browser accordingly (as described above); however, please note that in this case you may not be able to use all functions of the website in full. You can also prevent the transfer of the data generated by the cookies and your use of the website to Microsoft and the processing of this data by Microsoft by deactivating the personalized ads on the privacy dashboard of Microsoft. Please note that after deleting all cookies in your browser or using another browser and/or profile at a later time, you must opt out again.
For more information, see the privacy statement of Microsoft.
7.1.2 Facebook Custom Audience (Pixel process)
For marketing purposes, our website uses remarketing tags (also known as “Facebook Pixels”) from the social network Facebook, a service by Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (“Facebook”). We use these remarketing tags without the “advanced matching” feature. When you visit our website, the remarketing tags create a link between your browser and a Facebook server. In this way, Facebook receives the information that our website was accessed using your IP address. If personal data is transferred to the US, Facebook abides by the EU-US Privacy Shield. Facebook uses this information on the one hand to provide us with statistical and anonymous data about the general use of our website, and the effectiveness of our Facebook advertising (“Facebook ads”) and on the other hand to optimize the ad placement and target group selection within the Facebook services.
If you are a member of Facebook and have permitted Facebook to do so in the privacy settings of your account, Facebook can also link the information collected during your visit with us to your member account and use this for the targeted placement of Facebook ads. You can view and change the privacy settings of your Facebook profile at any time. If you are not a member of Facebook, you can prevent data processing by Facebook by going to the above-mentioned TRUSTe website and clicking on the “deactivate” button for Facebook.
If you deactivate data processing by Facebook, Facebook will show only general Facebook ads that are not chosen based on information collected about you.
For more information, see the data policy of Facebook.
7.1.3 Facebook Conversion Tracking
For more information, see the data policy of Facebook.
7.1.4 Google AdWords Conversion Tracking
7.1.5 Google Universal Analytics
Google will process the information obtained from the cookies in order to evaluate your use of the website, to compile reports about the website activities for the website operators and to perform other services relating to website use and internet use.
7.1.6 Google Remarketing
If you use a Google account, depending on the settings in the Google account, Google can link your web and app browser use to your Google account and use information from your Google account to personalize ads. If you do not want this link to your Google account, you will have to log out of Google before opening our contact page.
The following is an explanation of the technologies and providers we use for the analysis and advertising activities in our app.
7.2.1 Google Mobile App Analytics
Google Mobile App Analytics is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google Mobile Analytics”). Google Mobile Analytics enables the analysis of anonymous behavior data, particularly the tracking of active users and activity events (e.g. what keys were used, what pages were opened).
If personal data is transferred to the US, Google abides by the EU-US Privacy Shield. We use Google Mobile Analytics with the additional function offered by Google to anonymize IP addresses: the IP address is usually already abbreviated by Google within the EU and only in exceptional cases is not abbreviated until the US; in all cases it is stored only in abbreviated form.
8. Facebook Social Media Plug-Ins
Our website and our app use social media plug-ins (such as the “like” button) from the social network Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA ("Facebook"). The plug-ins are deactivated by default so they do not transfer any data. Only if you interact with the plug-ins, e.g. click on the Facebook “like” button, will you be asked to log in to your Facebook account. This information is sent by your browser or device directly to the social network, where it is stored.
If personal data is transferred to the US, Facebook abides by the EU-US Privacy Shield. Facebook is notified that you have accessed the relevant page of our website. This occurs regardless of whether you have a Facebook account and are logged in there. If you are logged on to Facebook, this data is linked directly to your account. If you use the activated plug-in and link the page, for instance, Facebook will also store this information including the date and time in your user account, and share this with your contacts. If you do not want any association with your Facebook profile, you must log out before activating the plug-in.
Facebook will store this data as a usage profile and use it for purposes of advertising, market research and/or custom design of its website and other offers. An analysis of this kind is performed especially (even for users not logged in) to show personalized ads and to inform other users of the social network about your activities on our website and in our app. You can object to the creation of this user profile. As a Facebook member, you can deactivate ads on this basis in the Ad choices. You can also completely block the Facebook social media plug-ins with additional programs for your browser, such as the Facebook Blocker.
For more information, see the data policy of Facebook.
9. Inclusion of videos on our website
We have included videos in our website that are stored by YouTube and can be played directly on our websites. YouTube is a multimedia service of YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”), a group company of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google“). If personal data is transferred to the US, Google and group company YouTube abide by the EU-US Privacy Shield. The legal basis is Art. 6 (1) (1) f) GDPR, pursuant to our legitimate interest of providing video and image content.
When you visit our website, YouTube and Google are notified that you have accessed the relevant page of our website. This will occur regardless of whether you are logged on to YouTube or Google. YouTube and Google use this data for purposes of advertising, market research, and customization of their websites. If you access YouTube on our website while logged into your YouTube or Google profile, YouTube and Google can also link this to the respective profiles. If you do not want this link, you will have to log out of Google before opening our website.
As explained above, you can configure your browser to block cookies or you can prevent the tracking of the data generated by the cookies and relating to your use of this website (including your IP address) and the processing of this data by Google by going to the Google Ad Settings and setting Ads Personalization Across the Web to “Off.” In this case, Google will show you only non-personalized ads.
We have included videos in our website that are stored on the Vimeo video platform and can be played directly on our websites. Vimeo is a multimedia service of Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA (“Vimeo“). The legal basis is Art. 6 (1) (1) f) GDPR, pursuant to our legitimate interest of providing video and image content.
When you visit our website, Vimeo is notified that you have accessed the relevant page of our website. This will occur regardless of whether you are logged on to Vimeo. Vimeo can use this data for purposes of advertising, market research, and customization of their websites. If you access Vimeo on our website while logged into your Vimeo profile, Vimeo can also link this to the respective profiles. If you do not want this link, you will have to log out of Vimeo before opening our website.
10. How we protect your data
We are committed to protecting your data. We have current technical measures to ensure data security, particularly to protect your personal data from risks during data transfer and access by third parties. This will be adjusted to the current state of the art. To secure the personal data provided by you, we use Transport Layer Security (TLS), which encrypts the information entered by you.
11. Who receives your data apart from us
The data collected by us is shared only if this is needed to perform the contract or provide technical functionality of the website or our app, or if there is another legal basis for data sharing.
Data may also be shared in relation to official inquiries, court orders and legal proceedings if needed to assert or enforce legal rights.
12. Location of data processing
We generally process your data in Germany or the EU or within the European Economic Area (“EEA”). Sometimes your data is processed on servers outside the EU, especially in the US. To ensure the protection of your data in this case as well, we ensure there are sufficient guarantees. Therefore, the providers we use either abide by the EU-US Privacy Shield or we have concluded contracts (standard EU contractual clauses) with them.
13. How long does SMÅKASSEN store your data?
13.1 General information on storage
In general, we store personal information only as long as needed to comply with contractual or legal obligations for which we have collected the data. Afterwards, we delete the data immediately unless we need the data until the end of the legal limitation period for purposes of evidence in claims under civil law, or due to legal retention periods.
For purposes of evidence, we must retain contract data for three years from the end of the year in which the business relationship ended with you. After the legal limitation period expires, any claims will expire no earlier than this date.
Even after this, sometimes we must retain your data for accounting purposes. We are required to do so under legal documentation requirements that can relate to the Commercial Code, the Fiscal Code, the Banking Act, the Anti-Money Laundering Act, and the Securities Trading Act. The periods of limitation for storing documents under these laws are between two and ten years.
13.2 Customer account
In general, we store your data from your existing customer account as long as you have a business relationship with us. If you have requested the deletion or cancellation of your customer account, we will delete it. Data that we need until the end of the legal limitation period for purposes of evidence in the event of claims under civil law, or due to legal retention requirements, will be deleted after this period ends.
14. Your rights
You have the right at all times to obtain information about the processing of your personal data by us. We will explain data processing to you and give you a list of the data stored on you. If the data stored by us is incorrect or no longer current, you have the right to the correction of this data. You can also request the deletion of your data. If deletion is not possible in exceptional cases due to other legal requirements, the data will be blocked so that it is available only for this legal purpose. You can also have the use of your personal data restricted, for instance if you doubt the accuracy of the data. You also have the right to data portability, meaning that on request we will give you a digital copy of the personal data you have provided.
To assert your rights described here, you can contact us using the information listed above at any time. This also applies if you want copies of guarantees to document an adequate level of data protection.
15. Right of withdrawal and objection
You have the right at any time to withdraw consent previously granted to us. If you do so, we will not continue to process your data based on this consent in future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
If we process your data on the basis of legitimate interests (Art. 6 (1) (1) f) GDPR) you have the right to object to the processing of your data at any time for reasons relating to your particular situation. In the event of an objection to data processing for purposes of direct advertising, you have a general right of objection, even without providing a reason, that we will comply with.
If you wish to exercise your right of withdrawal or objection, you can send an informal message to the contact information listed above.
16. Contact to the supervisory authority
You have the right to lodge a complaint with the data protection supervisory authority responsible for us. You can exercise this right with a supervisory authority in the member country of your residence, your workplace or the location of the alleged violation. In Bergen, where SMÅKASSEN has its registered office, the responsible supervisory authority is:
Postboks 458 Sentrum
Version: 1.1 / As of: January 2019