1. General
This policy regarding the handling of personal data (Personal Data Policy) describes how Ciha IvS (“Ciha”, “us”, “our”, “we”) collects and processes information about you.
The Personal Data Policy applies to personal data that you provide to us or that we collect via Ciha’s website, ciha.shop (“the Website”).
Ciha is the data controller for your personal information. All inquiries to Ciha can be made via the contact information listed under point “Contact information”.
2. What personal data do we collect, for what purposes and the legal basis for the processing
When you visit the Website, we automatically collect information about you and your use of the Website, such as the type of browser you use, the search terms you use on the Website, your IP address, including your network location, and information about your computer.
The purpose is to optimise the user experience and function of the Website, as well as carry out targeted marketing, including retargeting via Facebook and Google. This processing of information is necessary for us to safeguard our interests in improving the Website and show you relevant offers.
The legal basis for the processing is Article 6 (1), point f., of the EU General Data Protection Regulation.
When you buy a product or communicate with us on the Website, we collect the information you yourself provide, e.g. name, address, email address, telephone number, payment method, information about which products you buy and may have returned, delivery requests.
The purpose is for us to be able to deliver the products you have ordered and otherwise fulfill our agreement with you, including to be able to manage your rights to return and to complain. We can also process information about your purchases to comply with legal requirements, including for bookkeeping and accounting.
The legal basis for the processing is Article 6 (1) of the EU General Data Protection Regulation, points b, c and f.
When you sign up for our newsletter, we collect information on your name and email address.
The purpose is to safeguard our interest in being able to deliver newsletters to you.
The legal basis for the processing is Article 6 (1), point f., of the EU General Data Protection Regulation.
3. Recipients of personal data information
Information about your name, address, email, telephone number and order number and specific delivery requests are passed on to PostNord, DAO, GLS or a carrier who delivers the purchased goods to you. When purchasing non-stocked goods, the aforementioned information can be passed on to the manufacturer or seller of the product in question, who in that case will be responsible for the delivery.
Information may be passed on to external partners who process the information on our behalf. We use external partners for, among other things, technical operation and improvements to the Website, distribution of newsletters and targeted marketing, including retargeting, as well as for your assessment of our company and products. Among other things, information about your name and email is passed on to TrustPilot so that an invitation can be sent on our behalf to evaluate us on TrustPilot’s website. If you choose to write a review, TrustPilot will be data controller for the information provided. These companies are data processors under our instruction and process data for which we are data controller. The data processors may not use the information for any purpose other than fulfilling the agreement with us, and are subject to confidentiality regarding these data. We have entered into written data processor agreements with all data processors that process personal data on our behalf.
Three of these data processors, Google Analytics v/Google LLC, Facebook Inc. And Mailchimp v/The Rocket Science Group, LCC are established in the USA. The necessary guarantees for the transfer of information to the United States are secured through the certification of the data processor under the EU-U.S. Privacy Shield, cf. EU General Data Protection Regulation Article 45.
A copy of Google LLC’s certification can be found here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
A copy of Facebook Inc.’s certification can be found here: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
A copy of The Rock Science Group, LLC’s certification can be found here: https://privacy.truste.com/privacy-seal/validation?rid=9a1ea7c0-f899-4ae9-af44-ead9f9bc6ca7
4. Your rights
In order to create transparency regarding the processing of your information, we, as the data controller, must inform you of your rights.
Right of access
You are at all times entitled to request information from us, including what information we have registered about you, what purpose the registration serves, what categories of personal information and recipients of information that may be, as well as information on where the information comes from.
You have the right to receive a copy of the personal data that we process about you. If you want a copy of your personal data, you must send a written request to info@ciha.dk. You may be asked to document that you are who you claim to be.
Right to correction
You have the right to have incorrect personal information about yourself corrected by us. If you become aware that there is an error in the information that we have registered about you, you are encouraged to contact us in writing so that the information can be corrected.
You have the opportunity to correct information that we have collected in connection with your customer club registration by logging in to your user profile.
The right to erasure
In certain cases, you have the right to have all or some of your personal data deleted by us, e.g. if you revoke your consent and we do not have another legal basis to continue processing. To the extent that continued processing of your information is necessary, e.g., for us to comply with our legal obligations, or for legal claims to be established, asserted or defended, we are not obliged to delete your personal information.
The right to limit processing for storage
In certain cases, you have the right to have the processing of your personal data limited to storage only, e.g., if you believe that the information we process about you is incorrect.
The right to data portability
In certain cases, you have the right to have personal data that you have provided us given to you in a structured, commonly used and machine-readable format and have the right to transfer these data to another data controller.
The right to object
You have the right at any time to object to our processing of your personal data, with a view to direct marketing, including the profiling carried out in order to be able to target our direct marketing.
You also have the right at any time, for reasons relating to your personal situation, to object to the processing of your personal data, which we carry out on the basis of our legitimate interests, cf. point 2.1 and 2.3.
The right to withdraw consent
You have the right at any time to revoke consent you have given us for a given processing of personal data, including for the profiling carried out by you as a member of the customer club. If you wish to revoke your consent, please contact us at info@ciha.dk
The right to complain
You have the right to submit a complaint to the Danish Data Protection Agency, Borgergade 28, 5, 1300 København K, at any time, regarding our processing of your personal data. Complaints can, among other things, be submitted by email dt@datatilsynet.dk or telephone +45 33 19 32 00.
5. Deletion of personal data
Data collected about your use of the Website, cf. point. 2.1., will be deleted when you have not used the Website for 5 years at the latest.
Data collected in connection with your subscription to our newsletter will be deleted when your consent to the newsletter is withdrawn, unless we have another basis for processing the information.
Data collected in connection with purchases you have made on the Website, cf. point 2.2., will in principle be deleted 2 years after the end of the calendar year in which you have made your purchase. However, information can be stored for a longer period of time if we have a legitimate need for longer storage, e.g., if it is necessary for legal claims to be established, enforced or defended, or if storage is necessary for us to meet legal requirements. Accounting material is stored for 5 years until the end of a financial year to meet the requirements of the Danish Accounting Act.
6. Security
We have implemented appropriate technical and organisational security measures against the accidental or unlawful destruction, loss, alteration or deterioration of personal data and against the disclosure or misuse of unauthorised persons.
Only employees who have a genuine need to access your personal data in order to carry out their work have access to these.
7. Contact information
Ciha IvS is responsible for the personal data collected via the Website.
If you have any questions or comments regarding this Personal Data Policy or would like to make use of one or more of your rights described in section 4, you can contact:
Ciha ApS
Skovstjernvevej 33
8920 Randers NV
Phone no.: 88 44 43 44
Email: info@ciha.shop
8. Changes to the data policy
If we make changes to the Personal Data Policy, you will be informed of this on your next visit to the Website.
If you have signed up for our customer club, you will be notified of the policy changes via emails containing the information sent to your registered email address.
This is version 1 of Ciha’s Personal Data Policy, dated 21.09.2018.