Candy ´N´Chill - Privacy Policy
Welcome to our policy on how we protect your personal data and privacy. Candy ´N´Chill only collects and processes your personal data in accordance with this privacy policy, and always in accordance with the General Data Protection Regulation 2016/679 (hereinafter “GDPR”).
The data controller for the personal data that we process about you is Candy ´N´Chill, with registered address at Lindealle 29, 5230 Odense M., Denmark. Candy ´N´Chill is the data controller (as defined in Article 4, paragraph 7, cf. GDPR) for all processing activities in connection with our products and services (the "Services"). These services include any interaction you may have with us through our websites, blog, over the phone, through social media platforms, or other channels.
Us
This privacy policy covers the processing activities in all the EU countries where we operate. Where country-specific requirements apply, we add an additional section, “country specificity”.
The privacy policy structure
Global overview of the data processing activities of Candy ´N´Chill (section 1)
In more detail - which data do we process, for which purposes, and on which legal basis(es)? (section 2)
What is our retention policy? (section 3)
What is our Cookie Policy? (section 4)
Where do we store your personal information? (section 5)
When can we disclose your personal information? (section 6)
What are your rights as a data subject? (section 7)
How do you contact us? (section 8)
What are the country specifics (if applicable)? (section 9)
Section 1 - Global overview of the data processing activities at Candy ´N´Chill
First of all, the terms "data", "personal data" and "personal information" all refer to the definition of "personal information" in Article 4, para. 1, of the GDPR, which is any information that allows us to directly or indirectly identify you. It can be your name, your phone number, your member ID, blog, your order numbers and e-mail address.
The data that we process is mostly data that you submit when you use our services. For example, when you order a box of candy from the webshop, you may provide your name, email address, and transaction and billing information (eg credit/debit card or other banking and delivery information).
It is the same when you contact us (for example when you contact our customer support, Team Candy, on social media or other platforms) and when you participate in online competitions, surveys or add a product review to your member account. Sometimes we also collect your data when you visit our websites (for example, technical devices and access data collected when you interact with our services), and depending on your cookie preferences and consent, we may use tracking technologies to see which Candy ´N´Chill pages you have visited or if you have opened our newsletter.
We always rely on a legal basis to collect and process your personal information. The purposes that require your consent are the following:
- Processing of your candy profile for the special data categories, such as your birthday, allergy or taste type.
- Subscription to our newsletter
- Participation in surveys, online contests or advertising campaigns
- Transfer of your data to third parties or third countries (i.e. located outside the EEA) if adequate safeguards are not in place (e.g. if you log in with Facebook Connect)
- Cookies and tracking technologies (eg which pages you have looked at on our websites and if you have opened our newsletter).
Protection of children's personal data - Please note that our websites are not intended for and should not be used by children under the age of 18. We therefore do not knowingly collect personal data about persons under the age of 18, unless we have received the consent of the legal guardian. Another part of our priority is to add protection for children while they use the Internet. We encourage parents and guardians to observe, participate in, and/or monitor and guide their online activity.
If you want the full detailed overview, we advise you to read section 2 below, which lists the cases where Candy ´N´Chill collects and processes your data together with the purpose and legal reasons for doing so. Otherwise, you can skip directly to our storage duration policy (section 3), the information about your Cookies (section 4), storage of your data (section 5), the cases in which we may pass on your information to third parties (section 6), your rights as a data subject (section 7), how to contact us (section 8), and country specifics (when applicable) (section 9).
Section 2 - What data does Candy ´N´Chill process, for what purpose and on what legal basis?
Use of our websites
We use your data to give you access to our websites. Depending on your settings, we may collect the following data during each visit:
- User data: technical information about your device, including device-specific information such as your hardware model, operating system version, unique device identifiers, language settings and system authorizations; details of your visits, including your Uniform Resource Locator (URL) clickstreams to, through and from our Services (including date and time);
- Analysis data: your IP address, operating system, and browser type; page visits, visit length and page interactions (such as scrolling, finger movements, clicks and mouse-overs).
- Advertising data: Information about the origin of how you visit us, for example from social media or a search engine, may be shared with our partners along with a random ID assigned to your browser session on each visit.
Purpose: to give you access to our websites, improve your user experience and/or ensure proper use of our services. In any case, we never use this data to identify you.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR) / consent (Article 6, paragraph 1, letter a cf. GDPR)
Creating a member account
When you create an account, we collect the following information about you: your full name, email address, password, and phone number.
Purpose: to provide you with a member account and the ability to subscribe and receive our services.
Legal basis: fulfilment of a contract (Article 6, paragraph 1, letter b cf. GDPR) / legitimate interest (Article 6, paragraph 1, letter f cf. GDPR)
Log in with Facebook Connect or Google
You have the option of logging into your member account with your Facebook credentials and/or your Google account. If you do this, you agree to share some public profile information with us. Please note that Facebook and/or Google may also process some of your data and we are not responsible for this data processing. Before using these logins, we advise you to check their privacy policies as available here (Facebook / Google).
Purpose: to allow you to easily log in and use our services without using your membership information.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR) / consent (Article 6, paragraph 1, letter a cf. GDPR)
Completing the candy profile
When you create your member account and/or subsequently, you have the opportunity to add additional information, including information about your age (including your date and month of birth), flavor types, consistency types, specific sugar tolerances, allergy preferences, favorite products and favorite brands. If you do this, we treat this information with particular sensitivity and security, as we understand that it may contain certain information that falls under the "special categories" of personal data (as defined in the GDPR), for example information about your ethnicity. The Candy profile is optional and you do not need to provide us with this information to receive our services. You can also remove or update it at any time.
Purpose: to maintain and market our services to you. We are always striving to learn more about our members and customers to deliver the best products and experiences. We may use your data to customize your experience on our websites and sometimes customize the products we offer you so that it becomes more interesting and relevant to you.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR) / consent (Article 9, paragraph 2, letter a cf. GDPR) for the processing of special categories of personal data.
Subscription to Candy ´N´Chill and shopping information
If you subscribe to our monthly/quarterly boxes, we process shopping and delivery information such as your order number and tracking number, the details of the boxes purchased, your payment method details and preferred delivery method, your delivery and billing addresses, any notifications and communications relating to purchases (including complaints or messages sent to our Team Candy), delivery and payment status (completed, sent), return status (if applicable) and all relevant information about third party service providers involved in the provision of our services. Candy ´N´Chill also offers the option of buying products online through a store. In this case, the same types of personal data may be collected and processed.
Purpose: to provide you with our services (ie process your order and deliver our products according to your information).
Legal basis: fulfillment of a contract (Article 6, paragraph 1, letter b cf. GDPR) / legitimate interest (Article 6, paragraph 1, letter f cf. GDPR)
Placing an order and payment information
When you subscribe to our monthly boxes or buy products online, you can use common payment methods such as your credit/debit card, PayPal and direct debit options such as Ideal, Google Pay and MobilePay. We process your payment information to process the payment and may receive additional information from the external payment service providers we work with. This may include your transaction and billing information, e.g. credit/debit card information and delivery information. However, please note that we do not store your credit card details. These are located on a specifically encrypted server in our so-called payment gateway, which is PPC certified. In case of unsuccessful registration (i.e. your payment did not go through), Candy ´N´Chill reserves the right to try to withdraw the payment again or send you a payment link (according to our terms and conditions).
Purpose: to perform the purchased agreement and deliver our products.
Legal basis: fulfillment of a contract (Article 6, paragraph 1, letter b cf. GDPR) / legitimate interest (Article 6, paragraph 1, letter f cf. GDPR)
Left basket emails and SMS
When you navigate on our websites, you can add products to your shopping cart. Sometimes it happens that members think they have completed their purchase, but some information is missing, and therefore Candy ´N´Chill does not process the sale and does not deliver the box or product. To avoid such an unpleasant situation, we can process the products you put in your shopping basket when you are logged into your member account together with your name and e-mail address and/or telephone number.
Purpose: to contact you and remind you that you have an excellent product in your shopping cart and to ensure that the lack of completion is not due to an error. We may contact you if you were close to completing a transaction but did not complete it (for example, if you selected a product but did not complete the transaction, or if you entered some information during checkout that leads us to believe, that you were interested in buying the product despite the fact that the transaction has not been completed).
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR). You may, for reasons attributable to your specific/particular circumstances, object to such processing at any time by writing to us by email (as explained in section 7 below).
Using Candypoints
Sometimes when you complete an action (such as, but not limited to, writing a product review), you may be credited certain loyalty points ("Candypoints") at the Company's sole discretion. Your collected Candypoints can be used for a variety of things, including but not limited to purchasing products/boxes for free or at a discounted price (when available through our online store). When you decide to use your Candypoints, we can therefore look at your member account to check your allocated Candypoints, their allocation date and expiry date (if applicable).
Purpose: to create loyal members and customers and thank them for their loyalty. We use the submitted data when you use your Candypoints to check and process the order. This also includes recording and processing the data linked to the use of Candypoints, in particular for the prevention of fraud.
Legal basis: fulfillment of a contract (Article 6, paragraph 1, letter b cf. GDPR) / legitimate interest (Article 6, paragraph 1, letter f cf. GDPR)
Use of gift cards
When you use a gift card to order a box or other available products, we may process information about the gift card, such as the date of issue and expiration, the value, the code assigned along with the selected boxes or products to be shipped, the name of the gift card holder, their delivery address (for personal vouchers), their billing address and Member Account ID of the account used for redemption, as well as both their emails. If you are the purchaser of the gift card and are entitled to a refund, we may also ask for your bank details. If you have a complaint about the box you received, we may award you Candypoints in accordance with our terms and conditions, and we may also process your membership account information.
Purpose: to send you the selected boxes or products, to exchange the gift card, to refund the gift card (if applicable), to award Candypoints to you in the event of a complaint (if applicable), or fraud prevention.
Legal basis: fulfillment of a contract (Article 6, paragraph 1, letter b cf. GDPR) / legitimate interest (Article 6, paragraph 1, letter f cf. GDPR)
Interactions, messages, conversations
We love our members and always want to treat our members as our best friends. It is important to us that we can communicate on a real and human level, with sincere and personal conversations, so that we can help as best as possible, regardless of whether it is a problem with a box or just a chat about everything or nothing. We may therefore collect personal data when you contact us via chat, by telephone, via our social media platforms, blog or in other available ways. This may include conversation content, your name, email address, address, telephone number and/or profile name on the social media platforms. Please note that we do not record the telephone conversations and if we do so in the future it will only be based on your prior consent, and you will be informed of your right to withdraw such consent at any time with immediate effect. Please also note that Candy ´N´Chill is not responsible for the terms of use of social media platforms that you may use to contact us.
Purpose: to ensure a proper follow-up to any complaint or comment you may have and to improve our services. We may also use your contact information to send you a new box in the event of a product problem (if applicable).
Legal basis: fulfillment of a contract (Article 6, paragraph 1, letter b cf. GDPR) / legitimate interest (Article 6, paragraph 1, letter f cf. GDPR)
Campaigns, feedback, product reviews and surveys
If you decide to participate in a campaign, give us feedback, review a product, or if you participate in a survey and/or online competition, we collect and process some of your personal data. This may include your name and email address along with your product settings and any comments you may have added.
Purpose: to analyze whether you are satisfied or dissatisfied with our services and to assess your overall experience. This is a fundamental resource for us to improve your user experience and adapt our actions to your needs. Sometimes you may be offered to participate in a campaign, as a member or as an influencer on the social media platforms. This helps us grow and increase the visibility of our brand. Surveys and member reviews are useful for improving our product selection and predicting our members' wishes.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR) to improve your user experience and adapt our actions to your needs. Under no circumstances will we use the collected data to identify you / fulfilment of a contract (Article 6, paragraph 1, letter b cf. GDPR) when the processing is necessary for the performance of a contract (for example, participating in a campaign) / consent when the other two legal grounds do not apply (Article 6, paragraph 1, letter a cf. GDPR or Article 9, paragraph 2, letter a cf. GDPR) for processing special categories of personal data.
Information collected on online media platforms.
We maintain online media platforms (such as, but not limited to, Facebook, Instagram, Messenger, Tiktok, YouTube, WhatsApp, Snapchat, Pinterest, Google, etc.) and regularly post content, offers, promotions and organize online competitions (see specific subsection below). When you use these online media, the network operators may process your information, e.g. your age, gender and geographic location. Remember that we are not responsible for the way they collect and process your personal data for their own purposes. We have no influence on these data processing activities and advise you to read their own privacy policy if you want to know more. Candy ´N´Chill is only responsible for the data you provide during your visit to our online websites (for example, the information you provide to us directly when you post something on our pages or when you send us private messages). If you have a public account, we may also be able to see your public information (such as your username and the content you have published and shared with a public audience).
Purpose: to better understand how members and customers view our products and identify candy trends and tendencies, to increase our visibility in the market and continuously develop our brand.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR)
Online competitions
From time to time, we organize online contests through our online media platforms where participants are encouraged to, for example, but not limited to, vote, share, like, comment, or otherwise interact with a post or invite a friend to follow us to perhaps win prizes or awards. We may therefore process personal data such as entrants' usernames and ask the winner of such online competition for additional information such as their name, email address, and delivery details to send the prize. Sometimes Candy ´N´Chill takes care of the delivery itself, while sometimes the brand that cooperates with us in the competition delivers the gift directly. If this is the case, we will inform the winner in advance that their information will be shared with this brand for the sole purpose of delivering a prize. We have data processing agreements with all the brands we collaborate with, and the shared personal information is only used for the above purposes.
Purpose: to increase the engagement of our members or to make our followers discover our services. The processing of the above data is necessary to carry out the online competition and deliver the prize to the winner.
Legal basis: fulfilment of a contract (Article 6, paragraph 1, letter b cf. GDPR) / legitimate interest (Article 6, paragraph 1, letter f cf. GDPR)
Signing up for our newsletter, blog, receiving advertising emails or other marketing material
Depending on your marketing preferences, we may use your personal data to send you marketing content via e-mail, telephone (call/SMS) or post. Some of these messages may be tailored to you based on your past browsing or purchase activity, or other information we may have collected about you. If you no longer wish to receive marketing communications from us or an individual product recommendation, or if you instead want to subscribe again, you can change your settings at any time by contacting us or by clicking on the "Unsubscribe" link in an email from us. If you opt out of our marketing, please note that we may still contact you with service messages (e.g. order and delivery confirmations, payment methods and information about your legal rights).
Purpose: to receive direct marketing (products and services). You can change your marketing preferences at any time using the link at the bottom of each marketing email or by sending an email with your request to unsubscribe.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR) / consent (Article 6, paragraph 1, letter a cf. GDPR)
Match products to members' candy profile and preferences
We may collect some data about the products, product types and brands we collaborate with, and match them to our members' candy profile.
Purpose: to perform pseudonymised statistics and improve weekly/monthly/quarterly subscription boxes and additional product offers, by analysing how well members like previous products from the boxes and how well this fits with their candy profile.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR) to improve your customer experience and adapt our actions to the needs of our members. Under no circumstances will we use the collected data to establish your identity and you may, for reasons arising from your specific/particular circumstances, at any time object to such processing by writing to us by e-mail (as explained in section 7 below)
Use of product reviews for statistical purposes.
You have the option to add product reviews to your member account, and when we evaluate them, we may process some personal data (for example, the personal data you have included in the content of your review (if applicable) together with your username (if applicable), your geographical location and time and date of the review). We never use the reviews to identify you.
Purpose: we process pseudonymized data to perform aggregate statistics (such as ratings or preferences for certain products) and may present such summary statistics to our brand partners, always on an anonymized basis.
Legal basis: the processing is necessary for statistical purposes, and we can only provide our brand partner with anonymized and summary statistics from which identification of a specific natural person is impossible (Article 9, paragraph 2, letter j cf. GDPR). Our legitimate interest in processing data for these purposes is to provide our partners with an overview of trends and preferences so that they can improve the products we offer you. You may, for reasons attributable to your specific/particular circumstances, object to such processing at any time by writing to us by email (as explained in section 7 below).
Monitoring use of our websites to improve and maintain them, ensure correct use and successful receipt of our transactional emails.
When using our services, or when receiving service messages (transaction mails), we can collect and process the following data: device ID, IP address, operating system and browser type, duration of visits to certain pages and your page interaction information such as scrolling, finger movements, clicks and mouse-overs, geographic location, time and date, checked products, boxes previously looked at, and the start of member account creation.
Purpose: to ensure correct receipt and to evaluate the service in order to improve it and to ensure correct use and successful receipt of transactional emails.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR). Under no circumstances will we use the collected data to identify you. You may, for reasons attributable to your specific/particular circumstances, object to such legitimate processing at any time by emailing us (further details in section 7 below).
Optimizing our marketing initiatives
When you use our services or receive our marketing e-mails, we may collect and process the following data: IP address, operating system and browser type, length of visit on certain pages and page interaction information such as scrolling, finger movements, clicks and mouse-overs, geographical location, time and date and order information.
Purpose: we may use limited user data to track your page interaction and analyze data to optimize our marketing initiatives. We may also process your order information to better assess the impact of our marketing initiatives by encrypting it before sharing it with our API partners. (We do not use the data to determine your identity)
Legal basis: consent (Article 6, paragraph 1, letter a cf. GDPR) when it comes to tracking your page interaction; you can adjust your tracking settings at any time by editing your consent / legitimate interest (Article 6, paragraph 1, letter f cf. GDPR) when it comes to processing your order information. Under no circumstances do we use the collected data to determine your identity. You can, due to special situations, object to such legitimate processing of data by writing us an e-mail (further information on this under section 7).
Development of our own products
When using our services, we may process some of your information for our own brand, Experience app, which is exclusively part of the Candy ´N´ Chill group. This may include the following data: name and email address along with your product settings and any comments you may have added.
Purpose: to send you relevant information about our brand, ensure that you have the opportunity to participate in customer research (e.g., surveys) and receive the right marketing information (including marketing of our own products).
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR) to improve your user experience and adapt our actions to your needs. Under no circumstances will we use the collected data to identify you, and you may, for reasons arising from your specific/particular circumstances, at any time object to such processing by writing to us by email (as explained in section 7 below). You can also change your marketing settings at any time by using the link at the bottom of each marketing e-mail or by sending your request for it via e-mail / consent when the other legal grounds are not relevant (Article 6, paragraph 1, letter a cf. GDPR) or Article 9, subsection 2, letter a cf. GDPR for processing special categories of personal data.
Performance reports
When navigating on our websites, we can also collect and process the following data: errors, crash reports, IP address, URL, geographic location, time, and date of navigation.
Purpose: to ensure the functionality of our services; our websites cannot function properly without this processing.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR). Under no circumstances will we use the collected data to identify you.
Security, fraud prevention, and choice of payment methods
Your security is our highest priority, and to avoid or detect any data security breaches, our services are encrypted in transmission with the code system SSL ("Secure Socket Layer"). This means that data is encrypted when you leave our websites, and during this process information or data is converted into a code to prevent unauthorized access. We have technical and organizational measures in place to secure our systems against loss, destruction, and unauthorized access. This involves processing your data, including your name, device, and access data (IP address and member ID), your purchase information (delivery and billing address) and payment information. While we do everything we can to ensure that personal information is always protected on our websites, we cannot guarantee the security and integrity of the information sent to our websites.
Purpose: to detect fraud patterns and prevent fraud.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR)
Cancellation of the subscription and/or deletion of the member's account
At Candy ´N´Chill, you can cancel your subscription at any time in accordance with our terms of use and directly via your member account or by contacting us. If you decide to do so through our Team Candy, we may ask for information to verify your identity. For example, we may ask you to confirm your email address, date of birth, delivery address, telephone number and/or bank details. Please note that when you intend to request cancellation of the subscription or deletion of the member account on behalf of someone else, we may request additional information to confirm your eligibility to request such cancellation or deletion (in accordance with our Terms and Conditions). We may save your name and your relationship to the member (parent, appointed administrator, bank owner).
Canceling your subscription does not delete your account but deactivates it (you have the option to come back at any time by simply logging in again and reactivating your subscription). If you request deletion of your account, you will no longer have access to your member account and your history will also be lost.
Purpose: to confirm your identity in order to cancel your subscription and/or delete your membership account
Legal basis: fulfilment of a contract (Article 6, paragraph 1, letter b cf. GDPR) / legitimate interest (Article 6, paragraph 1, letter f cf. GDPR)
Job application
Candidates can apply to join our team when there are open positions via our "Careers" link available at the bottom of our home pages. When applying for a position, candidates may be asked to provide information such as their name, email address, phone number, geographic location (city), resume, LinkedIn profile (optional), which we may collect along with the time and date of the application.
Purpose: to check the candidate's suitability for the position (or other vacancies in Candy ´N´Chill).
Legal basis: to take the first steps before entering a contract (Article 6, paragraph 1, letter b cf. GDPR)
Participation in Candy ´N´Chill help initiatives
Candy ´N´Chill aims to empower female entrepreneurs and other creatives by offering financial support and business support through programs/grants and competitions. When applying for such an opportunity, applicants may be asked to provide information such as full name, e-mail address, telephone number, geographical location (country, city), CV, biography, or other forms of information within the given business in order to receive support from Candy ´N´Chill.
Purpose: to review the applications and ultimately award the 'winner' financial support and/or business support.
Legal basis: legitimate interest (Article 6, paragraph 1, letter f cf. GDPR) / consent (Article 6, paragraph 1, letter a cf. GDPR)
Section 3 - how do we store and process your personal information?
We store your personal data for the period necessary to fulfil the purposes described in section 2 above and until you request the deletion of your member account, in accordance with the data minimization principle.
If your personal data is used for more than one purpose, we will store it until the purpose with the longest period expires. We will stop using it for the purpose with the shorter period as soon as the shorter period expires (to comply with the purpose limitation principle). We limit access to your personal information to those persons who need it for the relevant purpose(s), in accordance with the principles of integrity and confidentiality.
If your member account remains inactive for more than 30 months, we will contact you to check whether you want to continue using our services. If you then leave your member account unused for another 6 months, we will restrict access and/or delete it.
When the processing of your personal data is no longer necessary for any purpose, we can either irrevocably anonymize it or securely delete it.
As an exception, we retain your personal data for a longer retention period if required or permitted by law for legal, tax, or regulatory reasons (for example, to establish, exercise or defend against legal claims) or for other legitimate business reasons. This can go up to ten years, depending on local specifics and business needs.
Below you can see our retention period for specific purposes:
Purpose: marketing purpose
Retention period: 3 years after your last activity, for example, purchases, communication activities, or visits to our websites.
Purpose: order history and obligations to fulfill orders on our websites
Retention period: 7 years from your last order or as long as we have to fulfill the legal requirements.
Purpose: customer service for our services
Retention period: 3 years or as long as we have to fulfill the legal requirements.
Purpose: fraud and risk assessment
Retention period: 3 years after your last activity, for example purchases, communication activities, or visits to our websites, or as long as we have to fulfill the legal requirements.
Purpose: compliance with legislation relating to our services
Retention period: as long as we are obliged to comply with the legal provisions according to the specificities of the individual countries.
Purpose: performance report and monitoring of usage data to ensure correct use, function, maintenance and improvement of the services and transactional emails.
Retention period: 30 days unless a security-relevant event occurs (e.g. a Distributed Denial of Service attack). If a security-relevant event occurs, the logs are stored on the servers until the security-relevant event is completely eliminated and resolved.
Purpose: optimization of our marketing initiatives
Retention period: your data is stored until it is no longer necessary for the purpose for which it was collected or you revoke your consent. The data we process for tracking purposes is removed within 180 days at the latest.
Purpose: commercial and tax legislation
Retention period: as long as we are obliged to comply with the legal provisions according to the specifications of the individual countries, up to ten years.
Purpose: job application
Retention period: in case of rejection, candidate data is deleted after 6 months. If you have agreed to further storage of your personal data, we will add your data to our application pool. Data is deleted after two years from that moment. If you are offered a job in connection with the application process, the data is transferred from the computer system to our HR information system.
Section 4 - Cookies
Our websites use so-called "cookies". Cookies are text files that are saved in the internet browser or by the internet browser on your device (computer, tablet or phone). We use the term "cookies" to refer to all tools that can collect your indirect/pseudonymized personal data on our websites, such as your IP address, place and time of your visit. These cookies and similar technologies help us deliver certain website features, understand and measure performance, and display targeted ads. The processing of this information is always carried out on a legal basis and, when required by law, based on your consent. For detailed information about the cookies we use, for what purposes we use them and to manage your cookie settings, see our cookie policy.
Section 5 - Where do we store your personal information?
The personal information we collect from you is stored in the EU at the registered Google Cloud Services + address. However, we use suppliers worldwide and therefore your personal data may be processed by processors and/or sub-processors operating outside the European Economic Area (EEA). These processing activities are always based on a data processing agreement, and take place only if the additional requirements in Article 44 et seq. cf. GDPR for the processing of personal data in third countries are met (e.g. if the processor can provide appropriate safeguards according to Article 46 cf. GDPR, such as but not limited to standard data protection clauses, binding corporate rules, or an approved code of conduct, or under the exceptional circumstances pursuant to Article 49 cf. GDPR), together with any additional supplementary measures based on case-by-case assessments. Please contact us if you would like further information on the specific security measures applied when exporting your personal data outside the EEA.
Section 6 - Disclosure of Your Personal Information
We may share your personal data within the Candy ´N´Chill group between subsidiaries as long as this is necessary for the operation of our websites, direct products and/or to provide our services. Access is always controlled on a need-to-know basis. Our subsidiaries are not intended to be considered “third parties” and are all GDPR compliant.
Your personal data may be transferred to our trusted third party suppliers in the following circumstances:
- it is necessary to operate our websites, e.g. technical service providers;
- it is necessary to provide you with our services, e.g. payment processors, logistics companies/shipping companies;
- it is necessary for our business, e.g. professional and legal advisers;
- we have obtained your consent to do so.
Technical service providers
We work with technical service providers to operate our websites and provide you with our services. These technical service providers act as our processors, based on a data processing agreement, and can therefore process your data under special conditions, always in accordance with section 3 above. This concerns, for example, our CRM, IT services such as our platform providers, hosting services, maintenance and support on our databases.
Payment service provider
At Candy ´N´Chill, you have several payment options for purchasing our products, such as payment by credit/debit card, via PayPal, direct debit solutions (such as, but not limited to, Google Pay and MobilePay). We may therefore transfer some of your data to your chosen payment service provider in order to provide you with our services. Note that we are not responsible for the payment service providers' way of processing your data, so before choosing one, we encourage you to read their own privacy policy.
Logistics companies/shipping companies
We work with external shipping companies (e.g. DAO) to deliver our products. These shipping companies receive the following data to execute the relevant order:
- Your full name
- Your delivery address
- Your postcode (if applicable)
- Your e-mail address if relevant (if the shipping company wants to notify you of the provisional delivery date via e-mail)
- Your telephone number if relevant (you can receive an SMS about delivery - whether it has been delivered to either your home address or to a parcel shop)
We also work with warehouses that receive the branded items that are in your boxes, but they do not receive any of your personal information.
Professional and legal advisors
In the event of conflict or dispute resolution, we may work with external agents and legal advisors who may receive your personal data. If this becomes the case, we will make sure to have a data protection agreement with such professionals and legal advisors in advance.
Service providers processing personal data on our behalf outside the EEA (or "third countries") will only be used if such recipients are covered by an adequacy decision from the European Commission, if there are appropriate safeguards for the third country, or if we have received your prior consent. Candy ´N´Chill undertakes to ensure that your data is not transferred to a country with a lower data protection standard than the European Union.
In addition, we will not transfer your personal information to any third party, except where relevant for the following purposes:
- If we sell or buy a business or assets: we may disclose your personal data to the prospective seller or buyer of such business or assets. Likewise, if we or all of our assets are acquired by a third party, personal data about our members will be one of the transferred assets. In these cases, the disclosure of your personal information will depend on our legitimate interest (Article 6, paragraph 1, letter f cf. GDPR), except for the processing of special data categories (e.g. your candy profile, which may include sensitive information), where consent can be required by law (Article 9, paragraph 2, letter a cf. GDPR);
- If we are required to disclose or share your personal data with the police, any public authority or any other competent authority in order to comply with our legal obligations such as to ensure information security at all times or to defend against any fraud attempts;
- If we are required to disclose or share your personal information with law enforcement authorities or other public authorities on the basis of EU law or the law of a Member State. We rely on our legal obligation to do so (Article 6(1)(c) cf. GDPR).
Section 7 - Your rights as a data subject
According to the GDPR, as a data subject you have various rights in relation to your personal data, e.g. the right to be informed, to deletion, to correction, to restriction of processing, to data portability, to lodge a complaint with a supervisory authority, to withdraw your consent and to object to certain data processing activities. If you have any questions about these rights, or if you want to exercise one or more of them, please send us an email at info@candynchill.com.
Note that we may ask for some additional information to verify your request (such as verifying your email address associated with your Member Account, proof of ID or other information) to ensure that you are the owner of the Member Account, or that you are entitled to make such a request on behalf of the member and avoid passing on data to third parties in connection with e.g. a request for information.
Right to withdraw your consent at any time: Where the processing of your personal data depends on your prior consent, you have the right to withdraw such consent at any time subject to Article 7 para. 3 cf. GDPR. Note that this will not affect the lawfulness of processing based on consent up to the point of withdrawal.
Right to object to the processing: You can object to the processing of your personal data under the conditions of Article 21 cf. GDPR as follows:
- When you wish to object to the processing of your personal data for advertising purposes, including direct marketing, you can do so at any time and without any reason.
- When we process your data under our legitimate interest or when we make anonymous statistics based on your pseudonymised data: as a data subject, you have the right to object at any time, for reasons relating to your specific/particular circumstances, to the processing of your personal data which is based on Article 6 para. 1 letter e or f cf. GDPR, including profiling based on these provisions. In the event of an objection regarding your specific/particular circumstances, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims. The same applies if the interruption of such processing is likely to make impossible or seriously impair the realization of statistical purposes, and the continuation of the processing is necessary to fulfil statistical purposes.
Right to be informed: as a data subject, you have the right to access and information under the conditions specified in Article 15 cf. GDPR. This means that you have the right to receive confirmation from us as to whether we are processing your personal data. In that case, you also have the right to access the personal data and the information listed in Article 15, paragraph 1 cf. GDPR. This includes information about the purposes of the processing, the categories of personal data processed and the recipients or categories of recipients to whom the personal data has been or will be disclosed. Note that you can find most of your information directly in your member account.
Right to erasure: as a data subject, you have the right to erasure (“right to be forgotten”), under the conditions specified in Article 17 cf. GDPR. This means that you generally have the right to have your personal data deleted by us, and we are obliged to delete your personal data without undue delay when one of the reasons listed in Article 17, para. 1 cf. GDPR applies. Exceptionally, the right to erasure does not apply if the processing is necessary for one of the reasons listed in Article 17, paragraph 3 cf. GDPR. This can e.g. be the case if the processing is necessary to comply with a legal obligation, or so that legal claims can be established, asserted or defended (Article 17, paragraph 3, letters b and e, cf. GDPR). In that case, the relevant data is not deleted, but blocked for further processing (i.e. data is stored securely with different access rights and technical and organizational measures to ensure that only a few employees can access such relevant data when necessary). Before we delete your information, we may anonymize it for statistical purposes.
Right to restriction of processing: as a data subject, you have the right to restriction of processing under the conditions stated in Article 18 cf. GDPR. This means that you have the right to obtain restriction of processing if one of the circumstances listed in Article 18, paragraph 1 cf. GDPR applies. This can e.g. be the case if you dispute the accuracy of personal data. In such a case, the restriction of processing lasts until we can verify the correctness of the personal data (Article 18, paragraph 1, letter a, cf. GDPR). Restriction means that stored personal data is marked with the aim of limiting their future processing (Article 4(3) cf. GDPR).
Right to data portability: as a data subject, you have the right to data portability under the conditions of Article 20 cf. GDPR. This means that you have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format, and to transfer this data to another data controller without hindrance from us, where the processing is based on consent (in accordance with Article 6, paragraph 1, letter a, or Article 9, paragraph 2, letter a cf. GDPR) or on fulfilment of a contract (in accordance with Article 6, paragraph 1, letter b cf. GDPR), and where the processing is carried out automatically (Article 20, paragraph 1 cf. GDPR). When exercising your right to data portability, you also have the right to have your personal data sent directly from us to another data controller, where this is technically possible (Article 20, paragraph 2, cf. GDPR).
Right to rectification: as a data subject, you have the right to rectification under the conditions of Article 16, cf. GDPR. This means that you have the right to have incorrect personal data about you rectified without undue delay and the right to have incomplete personal data made complete.
Right to lodge a complaint: as a data subject, you have the right to lodge a complaint with a supervisory authority under the conditions of Article 77 cf. GDPR. The supervisory authority responsible for us is the Norwegian Data Protection Authority. You can contact any data protection authority in any Member State (in your country of residence); your complaint is then sent to the competent authority.
Section 8 - Contact
You are always welcome to contact us. We will do our best to answer any questions you may have. You can e-mail us at info@candynchill.com or write to us by mail at the following address:
Candy 'N' Chill
ATT: data protection advisor
Lindealle 29,
5230 Odense M, Denmark
Last update: July 1, 2023